Sourcefire 3D System Administrator Guide

Version 4.9.1

Intellectual Property Notices, Disclaimers, and Terms of Use Applicable to the User Documentation

The legal notices, disclaimers, terms of use, and other information contained herein (the “terms”) apply only to the Sourcefire, Inc. appliance discussed in the Documentation (“Documentation”) and your use of it. The terms do not apply to or govern the use of Sourcefire's web site or Sourcefire's appliance discussed in the Documentation. Sourcefire appliances are available for purchase and subject to a separate license containing very different terms of use.

Terms Of Use and Copyright and Trademark Notices

The copyright in the Documentation is owned by Sourcefire, Inc., and is protected by copyright pursuant to US copyright law, international conventions, and other laws. You may use, print out, save on a retrieval system, and otherwise copy and distribute the documentation solely for non-commercial use, provided that (i) you do not modify the documentation in any way and (ii) you always include Sourcefire's copyright, trademark, and other notices, as well as a link to, or print out of, the full contents of this page and its terms. No part of the documentation may be used in a compilation or otherwise incorporated into another work, or be used to create derivative works, without the express prior written permission of Sourcefire, Inc. Sourcefire, Inc. reserves the right to change the Terms at any time, and your continued use of the Documentation shall be deemed an acceptance of those terms.

Sourcefire, the Sourcefire logo, Snort, the Snort logo, 3D Sensor, Intrusion Sensor, Intrusion Agent, Realtime Network Awareness, RNA Sensor, Defense Center, Master Defense Center, Success Pack, and 3D System are trademarks or registered trademarks of Sourcefire, Inc. All other trademarks are property of their respective owners. © 2004 - 2010 Sourcefire, Inc. All rights reserved.

Liability Disclaimers

THE DOCUMENTATION AND ANY INFORMATION AVAILABLE FROM IT MAY INCLUDE INACCURACIES OR TYPOGRAPHICAL ERRORS. SOURCEFIRE, INC. MAY CHANGE THE DOCUMENTATION FROM TIME TO TIME. SOURCEFIRE, INC. MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE ACCURACY OR SUITABILITY OF THE SOURCEFIRE, INC. WEB SITE, THE DOCUMENTATION, AND/OR ANY APPLIANCE OR INFORMATION. SOURCEFIRE, INC. PROVIDES THE SOURCEFIRE, INC. WEB SITE, THE DOCUMENTATION, AND ANY APPLIANCE OR INFORMATION “AS IS” AND SOURCEFIRE, INC. DISCLAIMS ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING BUT NOT LIMITED TO WARRANTIES OF TITLE OR THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL SOURCEFIRE, INC. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, LOSS OF DATA, LOSS OF PROFITS, AND/OR BUSINESS INTERRUPTIONS), ARISING OUT OF OR IN ANY WAY RELATED TO THE SOURCEFIRE, INC. WEB SITE, THE DOCUMENTATION, AND/OR ANY SOFTWARE OR INFORMATION, NO MATTER HOW CAUSED AND/OR WHETHER BASED ON CONTRACT, STRICT LIABILITY, NEGLIGENCE OR OTHER TORTIOUS ACTIVITY, OR ANY OTHER THEORY OF LIABILITY, EVEN IF SOURCEFIRE, INC. IS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. BECAUSE SOME STATES/JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU.

The Documentation may contain “links” to sites on the Internet that are not created by, or under the control of, Sourcefire, Inc. Sourcefire, Inc. provides such links solely for your convenience, and assumes no responsibility for the availability or content of such other sites.

2010-Jul-12 13:56

Table of Contents

Chapter 1: Introduction to the Sourcefire 3D System ..... 14
  Components of the Sourcefire 3D System ..... 15
    Real-time Network Awareness (RNA) ..... 15
    Intrusion Prevention System (IPS) ..... 16
    Real-time User Awareness (RUA) ..... 17
    PEP Traffic Management ..... 17
    Defense Centers ..... 17
    Master Defense Centers ..... 19
    Intrusion Agents ..... 19
    RNA for Red Hat Linux ..... 20
    RNA and IPS for Crossbeam Systems ..... 20
    eStreamer ..... 20

  Logging into the Appliance ..... 21
  Logging into the Appliance to Set Up an Account ..... 23
  Logging Out of the Appliance ..... 24
  Last Successful Login ..... 25
  Specifying Your User Preferences ..... 25
    Changing Your Password ..... 25
    Configuring Event View Settings ..... 27
    Setting Your Default Time Zone ..... 34
    Specifying Your Home Page ..... 35
    Specifying Your Default Dashboard ..... 35

  Using the Context Menu ..... 36
  Documentation Resources ..... 37


  Documentation Conventions ..... 38
    Platform Requirements Conventions ..... 38
    Access Requirements Conventions ..... 39
  IP Address Conventions ..... 41

Chapter 2: Performing the Initial Setup ..... 43
  Setting Up 3D Sensors ..... 44
  Setting up Defense Centers ..... 47
  Communication Ports ..... 50
  What’s Next? ..... 52
    Administrator User Tasks ..... 53
    Maintenance User Tasks ..... 54
    Policy & Response Administrator User Tasks ..... 55
    RNA Event Analyst User Tasks ..... 56
    Intrusion Event Analyst User Tasks ..... 57

Chapter 3: Using Dashboards ..... 59
  Understanding Dashboard Widgets ..... 60
    Understanding Widget Availability ..... 61
    Understanding Widget Preferences ..... 64
  Understanding the Predefined Widgets ..... 65
    Understanding the Appliance Information Widget ..... 66
    Understanding the Appliance Status Widget ..... 67
    Understanding the Compliance Events Widget ..... 67
    Understanding the Current Interface Status Widget ..... 68
    Understanding the Current Sessions Widget ..... 69
    Understanding the Custom Analysis Widget ..... 69
    Understanding the Disk Usage Widget ..... 80
    Understanding the Interface Traffic Widget ..... 81
    Understanding the Intrusion Events Widget ..... 81
    Understanding the Network Compliance Widget ..... 82
    Understanding the Product Licensing Widget ..... 84
    Understanding the Product Updates Widget ..... 85
    Understanding the RSS Feed Widget ..... 86
    Understanding the System Load Widget ..... 87
    Understanding the System Time Widget ..... 87
    Understanding the White List Events Widget ..... 88
  Working with Dashboards ..... 89
    Creating a Custom Dashboard ..... 89
    Viewing Dashboards ..... 91
    Modifying Dashboards ..... 93
    Deleting a Dashboard ..... 97


Chapter 4: Using the Defense Center ..... 99
  Management Concepts ..... 100
    The Benefits of Managing Your Sensors ..... 100
    What Can Be Managed by a Defense Center? ..... 101
    Understanding Software Sensors ..... 105
    Beyond Policies and Events ..... 111
    Using Redundant Defense Centers ..... 112
  Working in NAT Environments ..... 112
  Working with Sensors ..... 113
    Understanding the Sensors Page ..... 115
    Adding Sensors to the Defense Center ..... 117
    Deleting Sensors ..... 121
    Resetting Management of a Sensor ..... 122
    Managing a 3Dx800 Sensor ..... 125
    Adding Intrusion Agents ..... 130
    Sensor Attributes - Intrusion Agent Page ..... 130
  Managing Sensor Groups ..... 131
    Creating Sensor Groups ..... 131
    Editing Sensor Groups ..... 132
    Deleting Sensor Groups ..... 133
  Editing a Managed Sensor’s System Settings ..... 133
    Viewing a Sensor’s Information Page ..... 135
    Stopping and Restarting a Managed Sensor ..... 137
    Managing Communication on a Managed Sensor ..... 138
    Setting the Time on a Managed Sensor ..... 139
  Managing a Clustered Pair ..... 140
    Establishing a Clustered Pair ..... 142
    Separating a Clustered Pair ..... 144
  Configuring High Availability ..... 145
    Using High Availability ..... 145
    Guidelines for Implementing High Availability ..... 149
    Setting Up High Availability ..... 150
    Monitoring the High Availability Status ..... 152
    Disabling High Availability and Unregistering Sensors ..... 153
    Pausing Communication between Paired Defense Centers ..... 154
    Restarting Communication between Paired Defense Centers ..... 154

Chapter 5: Using the Master Defense Center ..... 156
  Understanding Event Aggregation ..... 157
    Aggregating Intrusion Events ..... 158
    Aggregating Compliance Events ..... 158
    Limitations on Event Aggregation ..... 159


  Understanding Global Policy Management ..... 161
    Managing Global Intrusion Policies ..... 161
    Using RNA Detection Policies on a Master Defense Center ..... 162
    Using Health Policies on a Master Defense Center ..... 162
    Using System Policies on a Master Defense Center ..... 162
    Master Defense Center Policy Management Limitations ..... 163
  Adding and Deleting Defense Centers ..... 164
    Adding a Master Defense Center ..... 165
    Adding a Defense Center ..... 168
    Deleting a Defense Center ..... 171
    Resetting Management of a Defense Center ..... 171
  Using the Appliances Page ..... 173
  Editing Settings for a Managed Defense Center ..... 175
    Viewing the Defense Center Information Page ..... 175
    Editing the Event Filter Configuration ..... 176
    Editing or Disabling Remote Management Communications ..... 178
    Managing the Health Blacklist ..... 178
    Managing High Availability Defense Centers ..... 178
  Managing Appliance Groups ..... 179
    Creating Appliance Groups ..... 180
    Editing Appliance Groups ..... 180
    Deleting Appliance Groups ..... 181
  Editing Master Defense Center System Settings ..... 181
    Listing Master Defense Center Information ..... 182
    Viewing a Master Defense Center License ..... 182
    Configuring Network Settings ..... 182
    Shutting Down and Restarting the System ..... 182
    Configuring Remote Management Networking ..... 183
    Setting System Time ..... 183
    Blacklisting Health Policies ..... 184

Chapter 6: Using Detection Engines and Interface Sets ..... 185
  Understanding Detection Engines ..... 186
    Understanding Detection Resources and 3D Sensor Models ..... 189
    Understanding Default Detection Engines ..... 191
  Managing Detection Engines ..... 193
    Creating a Detection Engine ..... 193
    Editing a Detection Engine ..... 194
    Deleting a Detection Engine ..... 197
  Using Detection Engine Groups ..... 197
    Creating Detection Engine Groups ..... 197
    Editing Detection Engine Groups ..... 198
    Deleting Detection Engine Groups ..... 199


  Using Variables within Detection Engines ..... 199
    Assigning Values to System Default Variables in Detection Engines ..... 200
    Creating New Variables for Detection Engines ..... 202
    Deleting and Resetting Variables ..... 203
    Configuring Custom Variables in Detection Engines ..... 204
    Using Portscan-Only Detection Engines ..... 205
  Using Interface Sets ..... 207
    Understanding Interface Set Configuration Options ..... 207
    Creating an Interface Set ..... 213
    Creating an Inline Interface Set ..... 216
    Editing an Interface Set ..... 221
    Deleting an Interface Set ..... 223
  Using Interface Set Groups ..... 223
    Creating Interface Set Groups ..... 224
    Editing Interface Set Groups ..... 224
    Deleting Interface Set Groups ..... 225
  Inline Fail Open Interface Set Commands ..... 225
    Removing Bypass Mode on Inline Fail Open Fiber Interfaces ..... 225
    Forcing an Inline Fail Open Interface Set into Bypass Mode ..... 226
  Using Clustered 3D Sensors ..... 227
    Using Detection Engines on Clustered 3D Sensors ..... 228
    Understanding Interface Sets on Clustered 3D Sensors ..... 229
    Managing Information from a Clustered 3D Sensor ..... 230

Chapter 7: Working with Event Reports ..... 232
  Working with Event Reports ..... 234
  Working with Report Profiles ..... 234
  Generating Reports from Event Views ..... 235
  Managing Generated Reports ..... 237
    Viewing Generated Reports ..... 238
    Downloading Generated Reports ..... 238
    Deleting Generated Reports ..... 239
    Moving Reports to a Remote Storage Location ..... 239
    Running Remote Reports ..... 240
  Understanding Report Profiles ..... 241
    Understanding the Predefined Report Profiles ..... 242
    Modifying a Predefined Report Profile ..... 246
    Creating a Report Profile ..... 246
  Working with Report Information ..... 248
    Using Report Types ..... 250
    Defining Report Information ..... 254


  Working with Report Sections ..... 255
    Using Summary Reports ..... 255
    Including an Image File ..... 257
    Defining the Report Sections ..... 258
  Working with Report Options ..... 258
  Using a Report Profile ..... 260
    Generating a Report using a Report Profile ..... 261
    Editing Report Profiles ..... 263
    Deleting Report Profiles ..... 263

Chapter 8: Managing Users ..... 264
  Understanding Sourcefire User Authentication ..... 264
    Understanding Internal Authentication ..... 266
    Understanding External Authentication ..... 266
    Understanding User Privileges ..... 267
  Managing Authentication Objects ..... 269
    Understanding LDAP Authentication ..... 269
    Creating LDAP Authentication Objects ..... 269
    LDAP Authentication Object Examples ..... 281
    Editing LDAP Authentication Objects ..... 286
    Understanding RADIUS Authentication ..... 287
    Creating RADIUS Authentication Objects ..... 287
    RADIUS Authentication Object Examples ..... 295
    Editing RADIUS Authentication Objects ..... 298
    Deleting Authentication Objects ..... 298
  Managing User Accounts ..... 299
    Viewing User Accounts ..... 299
    Adding New User Accounts ..... 300
    Managing Externally Authenticated User Accounts ..... 302
    Managing User Password Settings ..... 303
    Configuring User Roles ..... 304
    Modifying User Privileges and Options ..... 306
    Modifying Restricted Event Analyst Access Properties ..... 307
    Modifying User Passwords ..... 311
    Deleting User Accounts ..... 312
    User Account Privileges ..... 312

Chapter 9: Managing System Policies ..... 320
  Creating a System Policy ..... 321
  Editing a System Policy ..... 323
  Applying a System Policy ..... 324
  Deleting System Policies ..... 325


  Configuring the Parts of Your System Policy ..... 325
    Configuring the Access List for Your Appliance ..... 325
    Configuring Audit Log Settings ..... 327
    Configuring Authentication Profiles ..... 329
    Configuring Dashboard Settings ..... 331
    Configuring Database Event Limits ..... 332
    Configuring Detection Policy Preferences ..... 336
    Configuring DNS Cache Properties ..... 337
    Configuring a Mail Relay Host and Notification Address ..... 338
    Configuring Intrusion Policy Preferences ..... 339
    Specifying a Different Language ..... 340
    Adding a Custom Login Banner ..... 341
    Configuring RNA Settings ..... 342
    Configuring RNA Subnet Detection Settings ..... 349
    Configuring RUA Settings ..... 352
    Synchronizing Time ..... 354
    Mapping Vulnerabilities for Services ..... 358

Chapter 10: Configuring System Settings ..... 360
  Viewing and Modifying the Appliance Information ..... 362
  Understanding Licenses ..... 364
    Understanding Feature Licenses ..... 366
    Verifying Your Product License ..... 368
    Managing Your Feature Licenses ..... 370
  Configuring Network Settings ..... 377
  Editing Network Interface Configurations ..... 380
  Shutting Down and Restarting the System ..... 382
  Configuring the Communication Channel ..... 383
    Setting Up the Management Virtual Network ..... 384
    Editing the Management Virtual Network ..... 385
  Configuring Remote Access to the Defense Center ..... 386
  Setting the Time Manually ..... 389
  Blacklisting Health Modules ..... 391
  Specifying NetFlow-Enabled Devices ..... 392
  Managing Remote Storage ..... 393
    Using Local Storage ..... 393
    Using NFS for Remote Storage ..... 394
    Using SSH for Remote Storage ..... 395
    Using SMB for Remote Storage ..... 396


Chapter 11: Updating System Software ..... 398
  Installing Software Updates ..... 400
    Updating a Defense Center or Master Defense Center ..... 402
    Updating Managed Sensors ..... 404
    Updating Unmanaged 3D Sensors ..... 406
  Uninstalling Software Updates ..... 409
  Updating the Vulnerability Database ..... 410

Chapter 12: Using Backup and Restore ..... 413
  Creating Backup Files ..... 414
  Creating Backup Profiles ..... 418
  Performing Sensor Backup with the Defense Center ..... 419
  Uploading Backups from a Local Host ..... 420
  Restoring the Appliance from a Backup File ..... 421

Chapter 13: Scheduling Tasks ..... 425
  Configuring a Recurring Task ..... 426
  Automating Backup Jobs ..... 428
  Automating Software Updates ..... 430
    Automating Software Downloads ..... 431
    Automating Software Pushes ..... 433
    Automating Software Installs ..... 435
  Automating Vulnerability Database Updates ..... 437
    Automating VDB Update Downloads ..... 438
    Automating VDB Update Pushes ..... 440
    Automating VDB Update Installs ..... 442
  Automating SEU Imports ..... 444
  Automating Intrusion Policy Applications ..... 446
  Automating Reports ..... 448
  Automating Nessus Scans ..... 450
    Preparing Your System to Run a Nessus Scan ..... 450
    Scheduling a Nessus Scan ..... 451
  Synchronizing Nessus Plugins ..... 452
  Automating Nmap Scans ..... 454
    Preparing Your System for an Nmap Scan ..... 454
    Scheduling an Nmap Scan ..... 455
  Automating Recommended Rule State Generation ..... 456

Version 4.9.1

Sourcefire 3D System Administrator Guide

10

Table of Contents

Viewing Tasks ...................................................... 458
  Using the Calendar ............................................... 459
  Using the Task List .............................................. 460
Editing Scheduled Tasks ............................................ 461
Deleting Scheduled Tasks ........................................... 461
  Deleting a Recurring Task ........................................ 462
  Deleting a One-Time Task ......................................... 462

Chapter 14: Monitoring the System .................................. 463
Viewing Host Statistics ............................................ 464
Monitoring System Status and Disk Space Usage ...................... 468
Viewing System Process Status ...................................... 468
Understanding Running Processes .................................... 471
  Understanding System Daemons ..................................... 471
  Understanding Executables and System Utilities ................... 473
Viewing IPS Performance Statistics ................................. 476
  Generating IPS Performance Statistics Graphs ..................... 476
  Saving IPS Performance Statistics Graphs ......................... 478
Viewing RNA Performance Statistics ................................. 478
  Generating RNA Performance Statistics Graphs ..................... 479
  Saving RNA Performance Statistics Graphs ......................... 481

Chapter 15: Using Health Monitoring ................................ 482
Understanding Health Monitoring .................................... 483
  Understanding Health Policies .................................... 484
  Understanding Health Modules ..................................... 485
  Understanding Health Monitoring Configuration .................... 489
Configuring Health Policies ........................................ 489
  Predefined Health Policies ....................................... 490
  Creating Health Policies ......................................... 497
  Applying Health Policies ......................................... 528
  Editing Health Policies .......................................... 530
  Deleting Health Policies ......................................... 533
Using the Health Monitor Blacklist ................................. 534
  Blacklisting Health Policies or Appliances ....................... 535
  Blacklisting a Health Policy Module .............................. 537


Configuring Health Monitor Alerts .................................. 539
  Preparing to Create a Health Alert ............................... 540
  Creating Health Monitor Alerts ................................... 540
  Interpreting Health Monitor Alerts ............................... 542
  Editing Health Monitor Alerts .................................... 543
  Deleting Health Monitor Alerts ................................... 544

Chapter 16: Reviewing Health Status ................................ 545
Using the Health Monitor ........................................... 545
  Interpreting Health Monitor Status ............................... 547
Using Appliance Health Monitors .................................... 547
  Interpreting Appliance Health Monitor Status ..................... 549
  Viewing Alerts by Status ......................................... 549
  Running All Modules for an Appliance ............................. 550
  Running a Specific Health Module ................................. 551
  Generating Health Module Alert Graphs ............................ 553
  Generating Appliance Troubleshooting Files ....................... 554
Working with Health Events ......................................... 555
  Understanding Health Event Views ................................. 556
  Viewing Health Events ............................................ 556
  Understanding the Health Events Table ............................ 561
  Searching for Health Events ...................................... 563

Chapter 17: Auditing the System .................................... 566
Managing Audit Records ............................................. 566
  Viewing Audit Records ............................................ 567
  Suppressing Audit Records ........................................ 570
  Understanding the Audit Log Table ................................ 574
  Searching Audit Records .......................................... 575
Viewing the System Log ............................................. 578
  Filtering System Log Messages .................................... 579
  Using Four-Digit Year Formats on the 3D3800 ...................... 581


Appendix A: Importing and Exporting Objects ........................ 583
Exporting Objects .................................................. 584
  Exporting a Custom Table ......................................... 584
  Exporting a Custom Workflow ...................................... 585
  Exporting a Dashboard ............................................ 585
  Exporting a Health Policy ........................................ 586
  Exporting an Intrusion Policy .................................... 586
  Exporting a PEP Policy ........................................... 588
  Exporting an RNA Detection Policy ................................ 588
  Exporting a System Policy ........................................ 588
  Exporting a User-Defined RNA Detector ............................ 589
  Exporting Multiple Objects ....................................... 590
Importing Objects .................................................. 593

Appendix B: Purging the RNA and RUA Databases ...................... 598

Appendix C: Viewing the Status of Long-Running Tasks ............... 600
Viewing the Task Queue ............................................. 600
Managing the Task Queue ............................................ 602

Glossary ........................................................... 603

Index .............................................................. 629

Chapter 1: Introduction to the Sourcefire 3D System

The Sourcefire 3D System™ provides you with real-time network intelligence for real-time network defense. Sourcefire 3D System has the tools you need to:
• discover the changing assets and vulnerabilities on your network
• determine the types of attacks against your network and the impact they have on your business processes
• defend your network in real time

The topics that follow introduce you to the Sourcefire 3D System and describe some of the key components that contribute to its value as a part of any security strategy for your network.
• Components of the Sourcefire 3D System on page 15 provides descriptions of each of the components that may be in your Sourcefire 3D System.
• Logging into the Appliance on page 21 explains how to access the web interface on your appliance and log in using one of the user accounts.
• Logging into the Appliance to Set Up an Account on page 23 explains how to set up an association between an external user account and a set of credentials on the appliance.
• Logging Out of the Appliance on page 24 explains how to log out of the web interface.
• Specifying Your User Preferences on page 25 explains how to configure the preferences that are tied to a single user account, such as the home page, dashboard, time zone, account password, and event viewing preferences.
• Using the Context Menu on page 36 explains how to display a context-specific menu of shortcuts on certain pages in the web interface.
• Documentation Resources on page 37 explains where to locate specific information about using the Defense Center.
• Documentation Conventions on page 38 explains typeface conventions used throughout the guide to convey specific types of information visually.
• IP Address Conventions on page 41 explains how the Sourcefire 3D System treats IP address ranges specified using Classless Inter-Domain Routing (CIDR) notation.

Components of the Sourcefire 3D System

The topics that follow introduce you to the Sourcefire 3D System and describe some of the key components that contribute to its value as a part of any security strategy for your network.
• Real-time Network Awareness (RNA) on page 15
• Intrusion Prevention System (IPS) on page 16
• Real-time User Awareness (RUA) on page 17
• Defense Centers on page 17
• Master Defense Centers on page 19
• Intrusion Agents on page 19
• RNA for Red Hat Linux on page 20
• RNA and IPS for Crossbeam Systems on page 20
• eStreamer on page 20

Real-time Network Awareness (RNA)

Sourcefire Real-time Network Awareness (also called RNA) is one of the components of the Sourcefire 3D System that you can use on your 3D Sensor. You must use a Defense Center to manage a 3D Sensor if it is running RNA.

RNA monitors traffic on your network, listening to the network segments you specify, using information from detected packets to build a comprehensive map of the devices on the network. As RNA passively observes traffic, it compiles the following information:
• the number and types of network devices running on your network
• the operating systems running on monitored network devices
• the active services and open ports on monitored network devices
• the vulnerabilities and exploits to which monitored network devices may be susceptible
• flow data, which are records of active sessions involving monitored network devices including the frequency and size of the session, as well as the service and protocol used and, if applicable, the client application and URL involved in the session

You can access event views and graphs to analyze this collected data. RNA builds a host profile for each host it detects, containing host details such as detected operating system, services, and protocols, and assigned host attributes. RNA assigns vulnerabilities to the host based on the operating system vendor and version detected for the host. You can access host profiles by browsing the network map or through one of the workflows Sourcefire provides to aid your analysis. You can set up compliance policies, compliance white lists, and traffic profiles to protect your company’s infrastructure by monitoring network traffic for unusual patterns or behavior and automatically responding as needed.

3D Sensors running RNA transmit the network map, event and flow data, and sensor statistics to the Defense Center so you can see a consolidated view of events. The Defense Center can also push health, system, and RNA detection policies to your sensors. You can push vulnerability database (VDB) and software updates from the Defense Center as well. For more information, see What Can Be Managed by a Defense Center? on page 101.

Intrusion Prevention System (IPS)

The Sourcefire Intrusion Prevention System (also called IPS) is one of the components of the Sourcefire 3D System that you can run on the 3D Sensor. IPS allows you to monitor your network for attacks that might affect the availability, integrity, or confidentiality of hosts on the network. By placing 3D Sensors on key network segments, you can examine the packets that traverse your network for malicious activity. Each 3D Sensor uses rules, decoders, and preprocessors to look for the broad range of exploits that attackers have developed.

3D Sensors that are licensed to use IPS include a set of intrusion rules developed by the Sourcefire Vulnerability Research Team (VRT). You can choose to enable rules that would detect the attacks you think most likely to occur on your network. You can also create custom intrusion rules tuned to your environment. In addition, 3D Sensors with IPS run preprocessors against detected network traffic to normalize traffic and detect malicious packets.

When a 3D Sensor identifies a possible intrusion, it generates an intrusion event, which is a record of the date, time, the type of exploit, and contextual information about the source of the attack and its target. For packet-based events, a copy of the packet or packets that triggered the event is also recorded.

In a Sourcefire 3D System deployment that includes 3D Sensors with IPS and a Defense Center, the sensors transmit events and sensor statistics to the Defense Center where you can view the aggregated data and gain a greater understanding of the attacks against your network assets. The Defense Center can also push health, system, and intrusion policies to your sensors. You can push software updates from the Defense Center to sensors as well.

If you deploy your 3D Sensor inline on your network and create what is called an inline detection engine, you can configure your 3D Sensor to drop or replace packets that you know to be harmful.

If your 3D Sensor is running IPS, you can also use a local web interface to create intrusion policies and review the resulting intrusion events. Note that if you do manage your 3D Sensors with a Defense Center, Sourcefire recommends that you use only the Defense Center’s web interface to interact with the sensor and its data.

IMPORTANT! The Sourcefire 3D Sensor 3800, 3D Sensor 6800, and 3D Sensor 9800 models (usually referred to as the 3Dx800 sensors) do not have a web interface. You must manage these models with a Defense Center.

PEP Traffic Management

PEP is a technology based on the hardware capabilities of the 3D9900 Sensors. PEP allows you to create rules to block, analyze, or send traffic directly through the 3D9900 with no further inspection. PEP traffic management enhances the sensor’s efficiency by allowing you to pre-select traffic to cut through or to drop instead of analyzing.

Real-time User Awareness (RUA)

The Real-time User-Awareness component (also called RUA) allows you to create policies and response rules that are user-based. RUA enables you to implement and enforce policies specific to individuals, departments, or other user characteristics. You can apply these policies and rules across the Sourcefire 3D System. The network protocol used by your organization to provide user authentication largely determines the amount of data and efficiency of RUA. See Using Sourcefire RUA in the Analyst Guide for more information about RUA.

Defense Centers

The Defense Center provides a centralized management interface and database repository for the Sourcefire 3D System. You can analyze and respond to events from all your sensors consistently by doing the analysis through an interface where you can see all the data collected by the managed sensors. You can also push policies created on the Defense Center and software updates to managed sensors.

If you have software sensors or Intrusion Agents on your network, you must use the Defense Center to manage them. Note that a 3D Sensor running the IPS component includes its own local web interface, but if you want to use RNA on the sensor, you must manage the sensor with a Defense Center. For more information, see What Can Be Managed by a Defense Center? on page 101.

If you use your Defense Center to manage 3D Sensors that run RNA and IPS (either on the same sensor or different sensors that monitor the same network segments), the Defense Center correlates intrusion events from IPS with host vulnerabilities from RNA and assigns impact flags to the intrusion events. Impact correlation lets you focus on attacks most likely to damage high priority hosts. If you deploy Real-time User-Awareness (RUA), the Defense Center correlates threat, endpoint, and network intelligence with user identity information so that you can identify the source of policy breaches, attacks, or network vulnerabilities.

DC500

You can use the DC500 model of the Defense Center in managed services environments to collect data from up to three 3D Sensors. The DC500 receives data at an aggregate rate of up to 100 intrusion events or 900 flow events per second. DC500s also have an RNA host limit of 1000.

IMPORTANT! You cannot use DC500s in high availability configurations. You can use either DC1000s or DC3000s in high availability configurations.

Key DC500 database limits are:
• Intrusion Events - 500 thousand default and 2.5 million maximum
• RNA Flows - 1 million default and 10 million maximum
• RNA Flow Summaries - 2 million default and 10 million maximum

DC1000

You can use DC1000 Defense Centers in most environments. You can rack mount a DC1000 and collect data from a large number of 3D Sensors.

Key DC1000 database quantities are:
• Intrusion Events - 1 million default and 10 million maximum
• RNA Flows - 1 million default and 10 million maximum
• RNA Flow Summaries - 2 million default and 10 million maximum

DC3000

You can use DC3000 Defense Centers in high-demand environments. A DC3000 allows you to use higher database quantities. You can configure a DC3000 as a Master Defense Center during the initial setup.

Key DC3000 database quantities are:
• Intrusion Events - 1 million default and 100 million maximum
• RNA Flows - 1 million default and 100 million maximum
• RNA Flow Summaries - 2 million default and 100 million maximum

Virtual Defense Center

Virtual Defense Centers are hosted on VMware’s ESX/ESXi or Xen virtual machines. You can manage up to 25 physical and Virtual 3D Sensors with a Virtual Defense Center. You cannot use a Virtual Defense Center in high availability configurations or as a Master Defense Center. For more information, see the Sourcefire 3D System Virtual Defense Center and 3D Sensor Installation Guide.

Key Virtual Defense Center database quantities are:
• Intrusion Events - 1 million default and 10 million maximum
• RNA Flows - 1 million default and 10 million maximum
• RNA Flow Summaries - 2 million default and 10 million maximum

Master Defense Centers

The Sourcefire Master Defense Center is a key component in the Sourcefire 3D System. You can use the Master Defense Center to aggregate and analyze intrusion events, compliance events, and white list events from up to ten Defense Centers within your Sourcefire 3D System deployment. The Master Defense Center can also aggregate events related to the health of the Defense Centers it is managing. In this way, you can view the current status of the Defense Centers across your enterprise from a single web interface. See Using the Master Defense Center on page 156 for more information about managing your Defense Centers with a Master Defense Center.

Intrusion Agents

If you have an existing installation of Snort®, you can install an Intrusion Agent to forward intrusion events to a Defense Center. Although you cannot manage policies or rules for an Intrusion Agent from the Defense Center, you can do analysis and reporting on those events. If the network map on the Defense Center has entries for the target host in a given event, the Defense Center assigns impact flags to the events. You can then analyze the events detected by Snort alongside your other data. You can continue to manually tune Snort rules and preprocessors with the Intrusion Agent in place.

IMPORTANT! When using Intrusion Agents registered to Defense Centers configured for high availability and managed by a Master Defense Center, register all Intrusion Agents to the primary Defense Center.

RNA for Red Hat Linux

The Sourcefire 3D System currently supports a software-only version of the RNA component on your server hardware running Red Hat Enterprise Linux 5 (RHEL5) or CentOS 5. RNA data received by a Defense Center from the server is treated in a similar way to RNA data received from a 3D Sensor that is running RNA. See the Sourcefire RNA Software on Red Hat Linux Configuration Guide for more information.

IMPORTANT! You must have a Defense Center in your Sourcefire 3D System deployment to use RNA for Red Hat Linux.

RNA and IPS for Crossbeam Systems

The Sourcefire 3D System currently supports software-only versions of RNA and IPS for Crossbeam Systems X-Series security switches. RNA and IPS data received by a Defense Center from Crossbeam-based software sensors is treated in a similar way to data received from a 3D Sensor. Separate installation and configuration guides are available for the 3D Sensor Software for X-Series.

IMPORTANT! Because the 3D Sensor Software for X-Series does not have a web interface, you must use a Defense Center to manage it.

eStreamer

You can access event data within your own applications through the eStreamer Application Programming Interface (API). eStreamer integration requires custom programming, but allows you to request specific data from a Defense Center. If, for example, you display network host data within one of your network management applications, you could write a program to retrieve host criticality or vulnerability data from the Defense Center and add that information to your display. See the eStreamer Integration Guide for more information.

Logging into the Appliance

Requires: Any

The Defense Center and many 3D Sensor models have a web-based interface that you can use to perform administrative, management, and analysis tasks. You can access the web interface by logging into the appliance using a web browser. Note that 3Dx800 and software sensors (Crossbeam-based software sensors, RNA for Red Hat Linux, Intrusion Agents, and Virtual 3D Sensors) do not have a web interface. You must use the Defense Center’s web interface to manage these sensors.

If your 3D Sensor is not licensed for IPS, there is a limited web interface that you can use to perform the initial appliance setup and to register the sensor with a Defense Center. The initial setup process is described in Setting Up 3D Sensors on page 44. If your 3D Sensor is licensed for IPS, you are presented with a more complete web interface that you can use to perform additional configuration and event analysis.

The current version of the web interface supports the browsers listed in the following table.

Browser Requirements (browser: required enabled options and settings)
• Firefox 3.5.0: JavaScript, cookies, Secure Sockets Layer (SSL) v3
• Microsoft Internet Explorer 8.x: JavaScript, cookies, Secure Sockets Layer (SSL) v3, 128-bit encryption, Active scripting security setting, Compatibility View
• Microsoft Internet Explorer 7.0: JavaScript, cookies, Secure Sockets Layer (SSL) v3, 128-bit encryption, Active scripting security setting

TIP! Some processes that take a significant amount of time may cause your web browser to display a message that a script has become unresponsive. If this occurs, make sure you allow the script to continue until it finishes.

If you are the first user to log into the appliance after it is installed, you must log in using the admin user account. After you log into the appliance, the features that you can access are controlled by the privileges granted to your user account. However, the procedures for logging into and out of the appliance remain the same. Your session automatically logs you out after 3.5 hours of inactivity, unless you are viewing a page (such as an unpaused dashboard) that periodically communicates with the web server on the appliance.

When the appliance was installed, the user who performed the installation created a single administrative user account and password. The first time you log into the appliance, you should use this account. After you create other user accounts as described in Adding New User Accounts on page 300, you and other users should use those accounts to log into the appliance.

IMPORTANT! Because the Defense Center and the 3D Sensor audit user activity based on user accounts, you should make sure that users log into the system with the correct account.

IMPORTANT! If your company uses SecurID, append the SecurID token to the end of your SecurID pin and use that as your password when you log in. You must have already generated your SecurID pin before you can log into the Sourcefire 3D System.

To log into the appliance:

Access: Any

1. Direct your browser to https://hostname/, where hostname corresponds to the host name of the appliance.
   The Login page appears.
2. In the Username and Password fields, type your user name and password.
   If your organization uses SecurID® tokens when logging in, append the token to your SecurID pin and use that as your password to log in. For example, if your pin is 1111 and the SecurID token is 222222, type 1111222222.
3. Click Login.
   The default start page appears. If you selected a new home page for your user account, then that page is displayed instead. See Specifying Your Home Page on page 35 for more information.
   The menus and menu options that are available to you at the top of the page are based on the privileges for your user account. However, the links on the default home page include options that span the range of user account privileges. If you click a link that requires different privileges from those granted to your account, the following warning message is displayed:
   You are attempting to view an unauthorized page. This activity has been logged.
   You can either select a different option from the available menus or click Back in your browser window.

IMPORTANT! The 3Dx800 sensor models do not have a web interface. Instead, use the Defense Center’s web interface to manage policies and view events.

Logging into the Appliance to Set Up an Account

Requires: Any

Some user accounts may be authenticated through an external authentication server. If this is the case, the first time you log into the Defense Center or 3D Sensor using your external user credentials, the appliance associates those credentials with a set of permissions by creating a local user record. The permissions for that local user record can then be modified. If the default role for external user accounts is set to a specific access role, externally authenticated users can log into the appliance using their external account credentials without any additional configuration by the system administrator. If an account is externally authenticated and by default receives no access privileges, unless they are granted through group or list membership, you can log in but cannot access any functionality. You (or your system administrator) can then change the permissions to grant the appropriate access to user functionality.

Note that when a shell access user logs into the appliance, it does not create a local user account. Shell access is controlled entirely through the shell access filter or PAM login attribute set for an LDAP server or the shell access list on a RADIUS server. Shell users should log in using usernames with all lowercase letters. LDAP usernames can include underscores (_), periods (.), and hyphens (-) but otherwise only alphanumeric characters are supported.

IMPORTANT! If your company uses SecurID, append the SecurID token to your SecurID pin and use that as your password when you log in.

To create an externally authenticated account on the appliance:

Access: Any

1. Direct your browser to https://hostname, where hostname corresponds to the host name of the appliance.
   The Login page appears.
2. In the Username and Password fields, type your user name and password.
   If your organization uses SecurID tokens when logging in, append the token to your SecurID pin and use that as your password to log in. For example, if your pin is 1111 and the SecurID token is 222222, type 1111222222.
3. Click Login.
   The page that appears depends on the default access role for external authentication:
   • If a default access role is selected in the authentication object or the system policy, the default start page appears. If you selected a new home page for your user account, then that page is displayed instead. See Specifying Your Home Page on page 35 for more information. The menus and menu options that are available to you at the top of the page are based on the privileges for your user account. However, the links on the default home page include options that span the range of user account privileges. If you click a link that requires different privileges from those granted to your account, the following warning message is displayed: You are attempting to view an unauthorized page. This activity has been logged. You can either select a different option from the available menus or click Back in your browser window.
   • If no default access role is selected, the Login page re-appears, with the following error message: Unable to authorize access. If you continue to have difficulty accessing this device, please contact the system administrator.
4. If you do not have access, contact your system administrator and ask them to modify your account privileges or login as a user with Administrator access and modify the privileges for the account. For more information, see Modifying User Privileges and Options on page 306.

Logging Out of the Appliance

Requires: Any

Make sure you log out of the appliance, even if you are only stepping away from your web browser for a short period of time. Logging out ends your web session and ensures that no one can use the appliance with your credentials.

Note that your session automatically logs you out after 3.5 hours of inactivity, unless you are viewing a page (such as an unpaused dashboard) that periodically communicates with the web server on the appliance.

To log out of the appliance:

Access: Any

Click Logout on the toolbar.

Last Successful Login

Requires: Any

The first time you visit the appliance home page during a web session, you can view information about the last login session for the appliance. You can see the following information about that user account last login:
• day of the week, month, date and year of your last login
• the appliance-local time of your last login in 24-hour notation
• host and domain name last used to access the appliance

Specifying Your User Preferences

Requires: Any

Users can specify certain preferences for their user account, including passwords, time zone settings, event viewing preferences, and home page preferences. See the following sections for more information:
• Changing Your Password on page 25 explains how to change the password for your user account.
• Configuring Event View Settings on page 27 describes how the event preferences affect what you see as you view events.
• Setting Your Default Time Zone on page 34 explains how to set the time zone for your user account and describes how that affects the time stamp on the events that you view.
• Specifying Your Home Page on page 35 explains how to use one of the existing pages as your default home page. After setting this value, this is the first page you see upon logging into the appliance.
• Specifying Your Default Dashboard on page 35 explains how to choose which of the dashboards you want to use as your default dashboard.

Changing Your Password

Requires: Any

All user accounts are protected with a password. You can change your password at any time, and depending on the settings for your user account, you may have to change your password periodically; see Changing an Expired Password on page 26.

Note that if password strength-checking is enabled, passwords must be at least eight alphanumeric characters of mixed case and must include at least one numeric character. Passwords cannot be a word that appears in a dictionary or include consecutive repeating characters.

IMPORTANT! If you are an LDAP or a RADIUS user, you cannot change your password through the web interface.

To change your password:

Access: Any

1. In the toolbar, click Preferences.
The User Preferences page appears.

2. Click Change Password.
The Change Password page appears.

3. In the Current Password field, type your current password and click Change.

4. In the New Password and Confirm fields, type your new password.

5. Click Change.
A success message appears on the page when your new password is accepted by the system.

Changing an Expired Password

Requires: DC/MDC or 3D Sensor

Depending on the settings for your user account, your password can expire. If your password has expired, the Password Expiration Warning page appears. If you have zero warning days left, you must change your password. Note that the password expiration time period is set when your account is created and cannot be changed.

To respond to the password expiration warning:

Access: Any

You have two choices:
• Click Change Password to change your password now. Also, if password strength-checking is enabled, passwords must be at least eight alphanumeric characters of mixed case and must include at least one numeric character. Passwords cannot be a word that appears in a dictionary or include consecutive repeating characters.
• Click Skip to change your password later.
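The strength rules above (at least eight alphanumeric characters, mixed case, at least one digit, no dictionary word, no consecutive repeating characters) are the same ones the initial-setup password step in Setting Up 3D Sensors recommends. The following is an added example, not code from the guide or from the appliance, of how an administrator might pre-check a candidate password against those rules before submitting it. The dictionary is a constructed stand-in (the appliance's real word list is not documented on this page), and treating non-alphanumeric characters as allowed but not counted toward the eight-character minimum is an assumption about how the rule is read.

```python
import re

# Constructed stand-in for the appliance's dictionary; the real list is an
# assumption, not something the guide documents.
SAMPLE_DICTIONARY = {"password", "sourcefire", "welcome", "admin", "monkey"}


def password_violations(password, dictionary=SAMPLE_DICTIONARY):
    """Return a list of rule violations; an empty list means the password
    satisfies every rule the guide lists for strength checking."""
    problems = []

    # Only letters and digits count toward the eight-character minimum
    # (assumption about how "eight alphanumeric characters" is applied).
    alnum = [c for c in password if c.isalnum()]
    if len(alnum) < 8:
        problems.append("fewer than eight alphanumeric characters")

    # "Mixed case" requires both an upper-case and a lower-case letter.
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")

    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")

    # Any character immediately followed by itself ("aa", "11", "..").
    if re.search(r"(.)\1", password):
        problems.append("consecutive repeating characters")

    # Dictionary words are rejected regardless of letter case.
    if password.lower() in dictionary:
        problems.append("dictionary word")

    return problems


def password_is_strong(password, dictionary=SAMPLE_DICTIONARY):
    """True when no rule is violated."""
    return not password_violations(password, dictionary)


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor", "password", "Passw0rdd"):
        print(candidate, "->", password_violations(candidate) or "ok")
```

Because the check runs on every rule rather than stopping at the first failure, the returned list tells the user everything that has to change at once, which is what the appliance's own rejection message does not spell out.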

Configuring Event View Settings

Requires: Any

Use the Event View Settings page to configure characteristics of event views in the Sourcefire 3D System.

To configure event preferences:

Access: Any

1. In the toolbar, click Preferences.
The User Preferences page appears.

2. Click Event View Settings.
The Event View Settings page appears.

3. Configure the basic characteristics of event views. For more information, see Event Preferences on page 27.

4. Configure the default time window or windows. For more information, see Default Time Windows on page 29.

5. Configure default workflows. For more information, see Default Workflows on page 32.

6. Click Save.
Your changes are implemented.

Event Preferences

Use the Event Preferences section of the Event View Settings page to configure basic characteristics of event views in the Sourcefire 3D System.

The Event Preferences table describes the settings you can configure.

Event Preferences

Confirm ‘All’ Actions (Requires: Any)
Controls whether the appliance forces you to confirm actions that affect all events in an event view. For example, if this setting is enabled and you click Delete All on an event view, you must confirm that you want to delete all the events that meet the current constraints (including events not displayed on the current page) before the appliance will delete them from the database.

Expand Packet View (Requires: IPS or DC/MDC + IPS)
Allows you to configure how the packet view for intrusion events appears. By default, the appliance displays a collapsed version of the packet view.
• None - collapse all subsections of the Packet Information section of the packet view
• Packet Text - expand only the Packet Text subsection
• Packet Bytes - expand only the Packet Bytes subsection
• All - expand all sections
Regardless of the default setting, you can always manually expand the sections in the packet view to view detailed information about a captured packet. For more information on the packet view, see Using the Packet View in the Analyst Guide.

Resolve IP Addresses (Requires: IPS or DC/MDC)
Whenever possible, allows the appliance to display host names instead of IP addresses in event views. Note that an event view can be slow to display if it contains a large number of IP addresses and you have enabled this option. Note also that for this setting to take effect, you must have a DNS server configured in the system settings; see Configuring Network Settings on page 377.

Rows Per Page (Requires: Any)
Controls how many rows of events per page you want to appear in drill-down pages and table views.

Event Preferences (Continued)

Refresh Interval (Requires: Any)
Sets the refresh interval for event views, in minutes. Entering zero disables the refresh option. Note that this interval does not apply to dashboards.

Statistics Refresh Interval (Requires: IPS or DC/MDC)
Sets the refresh interval for event summary pages such as the Intrusion Event Statistics and RNA Statistics pages. Entering zero disables the refresh option. Note that this interval does not apply to dashboards.

Deactivate Rules (Requires: IPS or DC/MDC + IPS)
Controls which links appear on the packet view for intrusion events generated by standard text rules.
• All Policies - a single link that deactivates the standard text rule in all the locally defined custom intrusion policies
• Current Policy - a single link that deactivates the standard text rule in only the currently applied intrusion policy. Note that you cannot deactivate rules in the default policies.
• Ask - links for each of these options
To see these links on the packet view, your user account must have either Administrator access or both Intrusion Event Analyst and Policy & Response Administrator access.

Default Time Windows

Requires: Any

The time window, sometimes called the time range, imposes a time constraint on the events in any event view. Use the Default Time Windows section of the Event View Settings page to control the default behavior of the time window.

Note that regardless of the default time window setting, you can always manually change the time window for individual event views during your event analysis. Also keep in mind that time window settings are valid for only the current session. When you log out and then log back in, time windows are reset to the defaults you configured on this page.

The following graphic shows the Defense Center version of the page.

There are three types of time window:
• static, which displays all the events generated from a specific start time to a specific end time
• expanding, which displays all the events generated from a specific start time to the present; as time moves forward, the time window expands and new events are added to the event view
• sliding, which displays all the events generated from a specific start time (for example, one day ago) to the present; as time moves forward, the time window “slides” so that you see only the events for the range you configured (in this example, for the last day)

Note that because not all event views can be constrained by time, time window settings have no effect on event views that display RNA hosts, host attributes, services, client applications, vulnerabilities, or white list violations.

You can either use Multiple time windows, one for each of these types of events, or you can use a Single time window that applies to all events. If you use a single time window, the settings for the three types of time window disappear and a new Global Time Window setting appears.

There are three types of events for which you can set the default time window. You can only set time windows for event types your user account can access.
• Requires: IPS or DC/MDC. The Events Time Window sets a single default time window for (depending on the appliance) intrusion events, RNA events, RUA events, RUA users, flow data, compliance events, white list events, remediation status events, the SEU import log, and event views for custom tables that can be constrained by time. All user types can set event time windows.
• Requires: Any. The Audit Log Time Window sets the default time window for the audit log. Administrators and maintenance users can set audit log time windows.
• Requires: DC/MDC. The Health Monitoring Time Window sets the default time window for health events. Administrators, maintenance users, RNA event analysts, and IPS event analysts can set health monitoring time windows.

For more information, see Setting Event Time Constraints in the Analyst Guide.

The Time Window Settings table explains the kinds of default time windows you can configure.

IMPORTANT! The maximum time range for all time windows is from midnight on January 1, 1970 (UTC) to 3:14:07 AM on January 19, 2038 (UTC).

Time Window Settings

Show the Last - Sliding
This setting allows you to configure a sliding default time window of the length you specify. The appliance displays all the events generated from a specific start time (for example, 1 hour ago) to the present. As you change event views, the time window “slides” so that you always see events from the last hour.

Show the Last - Static/Expanding
This setting allows you to configure either a static or expanding default time window of the length you specify. For static time windows (enable the Use End Time check box), the appliance displays all the events generated from a specific start time (for example, 1 hour ago), to the time when you first viewed the events. As you change event views, the time window stays fixed so that you see only the events that occurred during the static time window. For expanding time windows (disable the Use End Time check box), the appliance displays all the events generated from a specific start time (for example, 1 hour ago) to the present. As you change event views, the time window expands to the present time.

Time Window Settings (Continued)

Current Day - Static/Expanding
This setting allows you to configure either a static or expanding default time window for the current day. The current day begins at midnight, based on the time zone setting for your current session. For static time windows (enable the Use End Time check box), the appliance displays all the events generated from midnight to the time when you first viewed the events. As you change event views, the time window stays fixed so that you see only the events that occurred during the static time window. For expanding time windows (disable the Use End Time check box), the appliance displays all the events generated from midnight to the present. As you change event views, the time window expands to the present time. Note that if your analysis continues for over 24 hours before you log out, this time window can be more than 24 hours.

Current Week - Static/Expanding
This setting allows you to configure either a static or expanding default time window for the current week. The current week begins at midnight on the previous Sunday, based on the time zone setting for your current session. For static time windows (enable the Use End Time check box), the appliance displays all the events generated from midnight to the time when you first viewed the events. As you change event views, the time window stays fixed so that you see only the events that occurred during the static time window. For expanding time windows (disable the Use End Time check box), the appliance displays all the events generated from midnight Sunday to the present. As you change event views, the time window expands to the present time. Note that if your analysis continues for over 1 week before you log out, this time window can be more than 1 week.

Default Workflows

Requires: Any

A workflow is a series of pages displaying data that analysts use to evaluate events. For each event type, the appliance ships with at least one predefined workflow. For example, you can choose between ten different intrusion event workflows, each of which presents intrusion event data in a different way, depending on the type of analysis you are performing.

The appliance is configured with a default workflow for each event type. For example, the Events by Priority and Classification workflow is the default for intrusion events. This means whenever you view intrusion events (including reviewed intrusion events), the appliance displays the Events by Priority and Classification workflow.
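The Time Window Settings table above describes five behaviors (sliding, static and expanding "Show the Last" windows, and the static/expanding "Current Day" and "Current Week" windows) in prose, and the subtle point is which boundary is anchored to the moment you first viewed the events and which follows the clock, together with the 1970-2038 hard limits. The following is an added example, not code from the guide or from the appliance, that computes the (start, end) boundaries for each setting so the behavior can be checked against the descriptions. It assumes the caller passes timezone-aware datetimes already expressed in the session's time zone; the function names and the `utc()` helper are the example's own.

```python
from datetime import datetime, timedelta, timezone

# Hard limits stated in the guide: no window extends before midnight on
# 1 January 1970 UTC or past 03:14:07 on 19 January 2038 UTC.
MIN_TIME = datetime(1970, 1, 1, tzinfo=timezone.utc)
MAX_TIME = datetime(2038, 1, 19, 3, 14, 7, tzinfo=timezone.utc)
HOUR = timedelta(hours=1)


def utc(year, month, day, hour=0, minute=0, second=0):
    """Helper for building timezone-aware timestamps (example's own)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def clamp(t):
    """Keep a boundary inside the range the appliance can represent."""
    return max(MIN_TIME, min(t, MAX_TIME))


def show_the_last(length, now, first_viewed, sliding=True, use_end_time=False):
    """'Show the Last' window of the given length.

    sliding=True                       -> (now - length, now); moves with every view
    sliding=False, use_end_time=True   -> static: both ends fixed at the first view
    sliding=False, use_end_time=False  -> expanding: start fixed, end follows the clock
    """
    if sliding:
        start, end = now - length, now
    elif use_end_time:
        start, end = first_viewed - length, first_viewed
    else:
        start, end = first_viewed - length, now
    return clamp(start), clamp(end)


def _midnight(t):
    """Midnight at the start of t's calendar day, in t's own time zone."""
    return t.replace(hour=0, minute=0, second=0, microsecond=0)


def current_day(now, first_viewed, use_end_time=False):
    """'Current Day': from midnight of the day the events were first viewed to
    either that first view (static) or the present (expanding, so the window
    can exceed 24 hours if the session runs past the next midnight)."""
    start = _midnight(first_viewed)
    end = first_viewed if use_end_time else now
    return clamp(start), clamp(end)


def current_week(now, first_viewed, use_end_time=False):
    """'Current Week': begins at midnight on the previous Sunday."""
    midnight = _midnight(first_viewed)
    days_since_sunday = (midnight.weekday() + 1) % 7  # weekday(): Monday=0 ... Sunday=6
    start = midnight - timedelta(days=days_since_sunday)
    end = first_viewed if use_end_time else now
    return clamp(start), clamp(end)


def window_length(window):
    """Length of a (start, end) window as a timedelta."""
    start, end = window
    return end - start


if __name__ == "__main__":
    # Constructed session: events first viewed Monday 2010-07-12 13:56 UTC,
    # current time a day later.
    first, now = utc(2010, 7, 12, 13, 56), utc(2010, 7, 13, 15, 0)
    print("sliding 1h  :", show_the_last(HOUR, now, first))
    print("static 1h   :", show_the_last(HOUR, now, first, sliding=False, use_end_time=True))
    print("expanding 1h:", show_the_last(HOUR, now, first, sliding=False))
    print("current day :", current_day(now, first), window_length(current_day(now, first)))
    print("current week:", current_week(now, first))
```

Running the constructed session shows why the guide warns that a Current Day window "can be more than 24 hours": the expanding window keeps its midnight start from the first view while its end follows the clock, so after a 25-hour session it spans 39 hours.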

You can, however, change the default workflow for each event type using the Default Workflows sections of the Event View Settings page. Keep in mind that the default workflows you are able to configure depend not only on the appliance you are using, but also on your user role. For example, on a 3D Sensor without an IPS license, you can only configure the default workflow for the audit log. As another example, intrusion event analysts cannot set default RNA workflows on the Defense Center. The following graphic shows the Defense Center version of the Default Workflows section.

For general information on workflows, see Understanding and Using Workflows in the Analyst Guide.

Setting Your Default Time Zone

Requires: Any

You can change the time zone used to display events from the standard UTC time that the appliance uses. When you configure a time zone, it applies only to your user account and is in effect until you make further changes to the time zone.

WARNING! The Time Zone function assumes that the default system clock is set to UTC time. If you have changed the system clock on the appliance to use a local time zone, you must change it back to UTC time in order to view accurate local time on the appliance. For more information about time synchronization between the Defense Center and the sensors, see Synchronizing Time on page 354.

To change your time zone:

Access: Any

1. In the toolbar, click Preferences.
The User Preferences page appears.

2. Click Time Zone Settings.
The Time Zone Preference page appears.

3. From the box on the left, select the continent or area that contains the time zone you want to use. For example, if you want to use a time zone standard to North America, South America, or Canada, select America.

4. From the box on the right, select the zone (city name) that corresponds with the time zone you want to use. For example, if you want to use Eastern Standard Time, you would select New York after selecting America in the first time zone box.

5. Click Save.
The time zone is set.

Specifying Your Home Page

Requires: Any

You can specify a page within the web interface as your home page for the appliance. The default home page is the dashboard (Analysis & Reporting > Event Summary > Dashboards), except for user accounts with Restricted Event Analyst access, who use the Welcome page. The options in the drop-down list are based on the access privileges for your user account. That is, user accounts with Policy & Response Administrator access have different options from accounts with Intrusion or RNA Event Analyst full or read-only access, Restricted Event Analyst full or read-only access, Maintenance access, or Administrator access.

To specify your home page:

Access: Any

1. In the toolbar, click Preferences.
The User Preferences page appears.

2. Click Home Page.
The Home Page page appears.

3. Select the page you want to use as your home page from the Opening Screen drop-down list.

4. Click Save.
Your home page preference is saved.

Specifying Your Default Dashboard

Requires: Any

You can specify one of the dashboards on the appliance as the default dashboard. The default dashboard appears when you select Analysis & Reporting > Event Summary > Dashboards. If you do not have a default dashboard defined, the Dashboard List page appears. For general information on dashboards, see Using Dashboards on page 59.

IMPORTANT! User accounts with Restricted Event Analyst access cannot use the dashboard and therefore cannot specify a default dashboard.

To specify your default dashboard:

Access: Any

1. In the toolbar, click Preferences.
The User Preferences page appears.

2. Click Dashboard Settings.
The Dashboard Settings page appears.

3. Select the dashboard you want to use as your default from the Default Dashboard drop-down list. If you select None, when you select Analysis & Reporting > Event Summary > Dashboards, the Dashboard List page appears. You can then select a dashboard to view.

4. Click Save.
Your default dashboard preference is saved.

Using the Context Menu

Requires: Any

For your convenience, certain pages in the web interface support a pop-up context menu that you can use as a shortcut for accessing other features in the Sourcefire 3D System. As the name implies, the contents of the menu depend on the context where you access it. For example, if you access the context menu while viewing an intrusion event that was triggered by an intrusion rule, you have a range of options that includes enabling, disabling, suppressing, and thresholding the rule. You can also view the rule documentation and edit the rule. However, if you access the menu while viewing an RNA event, the context menu provides you with the option to view the event in a separate browser window.

You can access the context menu on the following pages.
• Event pages (drill-down pages and table views) contain hotspots over each event.
• The Rule Editor page for intrusion rules contains a hotspot over each intrusion rule.

Note that if you try to access the context menu for a web page or location that doesn’t support the Sourcefire-specific menu, the normal context menu for your browser appears.

To access the context menu:

Access: Any

1. On one of the hotspot-enabled pages in the web interface, hover your pointer over one of the hotspots.
A “Right-click for menu” message appears.

2. Right-click your pointing device.
A pop-up context menu appears with options that are appropriate for the hotspot. For example, the following menu appears if you right-click over an intrusion event.

3. Select one of the options by left-clicking the name of the option.
A new browser window opens based on the option you selected.

Documentation Resources

The Sourcefire 3D System documentation set includes online help and PDF files.

The online help includes information about the tasks you can complete on the web interface. You can reach the online help in two ways:
• by clicking the context-sensitive help links on each page
• by selecting Operations > Help > Online

The Documentation CD contains a PDF version of the Sourcefire 3D System Administrator Guide and the Sourcefire 3D System Analyst Guide, which together include the same content as the online help, but in an easy-to-print format.

The Administrator Guide contains information specifically for administrators and maintenance users. In this guide you will find information about managing Master Defense Centers, Defense Centers, and 3D Sensors, including procedural and conceptual information about user management, system management, configuring system settings and system policies, managing user accounts, scheduling tasks, and monitoring the health of your appliances.

The Analyst Guide contains information for Intrusion Event Analysts, RNA Event Analysts, and Policy & Response Administrators. In this guide you will find information about managing RNA and IPS policies, analyzing RNA, RUA, and intrusion data, and using event reports.

The Documentation CD also contains copies of the Defense Center Installation Guide and the 3D Sensor Installation Guide, which includes information about installing the appliance as well as hardware specifications and safety information. The CD also contains copies of various API guides and supplementary material.

You can access the most up-to-date versions of the documentation on the Sourcefire Support web site (https://support.sourcefire.com/).

Documentation Conventions

This documentation includes information about which Sourcefire 3D System components are required for each feature and which user roles have permission to complete each procedure. Refer to Platform Requirements Conventions on page 38 for the meaning of the Requires statement at the beginning of each section. Refer to Access Requirements Conventions on page 39 for the meaning of the Access statement at the beginning of each procedure.

Platform Requirements Conventions

The Requires statement at the beginning of each section in this documentation indicates the combination of appliance platform and licenses you need to use the feature described in the section. All platform information is formatted with an orange typeface. Platform requirement information for specific aspects of a feature is provided where needed. The following table defines the abbreviations used to indicate each different platform requirement:

Platform and Licensing Requirement Abbreviations

3D Sensor
One of the following Series 1 or Series 2 sensors:
• 3D500
• 3D1000
• 3D2000
• 3D2100
• 3D2500
• 3D3500
• 3D4500
• 3D6500
• 3D9900
This acronym on its own indicates that the task in question can be performed on any of these sensors even if an IPS license is not applied on the sensor and the sensor is not managed.

Any
Any appliance with any combination of licenses

DC
A DC500, DC1000, Virtual Defense Center, or DC3000 appliance used as a Defense Center

Platform and Licensing Requirement Abbreviations (Continued)

DC/MDC
A DC3000 appliance used as a Defense Center or a Master Defense Center

IPS
A 3D Sensor licensed with the IPS technology

RNA
An RNA license

RUA
An RUA license

An or conjunction indicates that the task or feature is available on either of the indicated platforms. For example, you can change an expired password on a Defense Center or Master Defense Center or on a 3D Sensor, so the Changing an Expired Password topic has a Requires statement of DC/MDC or 3D Sensor.

A “+” conjunction indicates that the platforms are required in combination. In contrast, to manage a Defense Center with a Master Defense Center, you need both a Defense Center and a Master Defense Center, so the Adding a Master Defense Center topic has a Requires statement of MDC + DC.

Access Requirements Conventions

The Access statement at the beginning of each procedure in this documentation indicates the access role required to use the feature described in the section. All access information is formatted with a green typeface. The following table defines the abbreviations used to indicate each different access requirement:

Access Requirement Abbreviations

Admin
User must have the Administrator role

Any
User can have any role

Any Analyst
User can have any analyst role

Any except Restricted
User can have any role except Restricted Analyst or Restricted Analyst (Read Only)

Access Requirement Abbreviations (Continued)

Any Analyst except Restricted
User can have any analyst role except Restricted Analyst or Restricted Analyst (Read Only)

Any IPS
User must have the Intrusion Event Analyst role or Intrusion Event Analyst (Read Only) role or the Restricted Event Analyst role or Restricted Event Analyst (Read Only) role with rights to that function

IPS
User must have the Intrusion Event Analyst role or Restricted Event Analyst role with rights to that function

IPS-RO
User must have the Intrusion Event Analyst (Read Only) role or Restricted Event Analyst (Read Only) role with rights to that function

Maint
User must have the Maintenance role

P&R Admin
User must have the Policy & Response Administrator role

Any RNA
User must have the RNA Event Analyst or RNA Event Analyst (Read Only) or Restricted Event Analyst or Restricted Event Analyst (Read Only) with rights to that function

RNA
User must have the RNA Event Analyst role or Restricted Event Analyst role with rights to that function

RNA-RO
User must have the RNA Event Analyst (Read Only) role or Restricted Event Analyst (Read Only) role with rights to that function

A “/” conjunction indicates that the task or feature is available to users with one or more of the indicated platforms. For example, the Access setting for the procedure in the Working with the Hosts Network Map topic is Any RNA/Admin. To view the Hosts network map, a user must have the RNA Event Analyst or RNA Event Analyst (Read Only) role or the Restricted Event Analyst or Restricted Event Analyst (Read Only) role with RNA Hosts Data set to Show All Data or to show a specific search.

A “+” conjunction indicates that the platforms are required in combination. Rule thresholding in the packet view provides an example of required combined access roles. You must have the Administrator role or have the Policy & Response Administrator role in combination with the Intrusion Event Analyst role or the Restricted Event Analyst role with Intrusion Events Data set to Show All Data or to show a specific search to access the packet view and set thresholding for a rule from the packet view. For example, the Access setting for the procedure in the Setting Threshold Options within the Packet View topic is IPS + P&R Admin/Admin.

IP Address Conventions

Requires: Any

You can use Classless Inter-Domain Routing (CIDR) notation to define IP address ranges in many places in the Sourcefire 3D System, including but not limited to the following:
• RNA detection policies
• custom topologies
• auto-assigned networks for user-defined host attributes
• traffic profiles
• compliance rules and white lists
• active scan targets
• intrusion policies, variables, and standard text rules
• PEP

CIDR notation uses a network IP address combined with a bit mask to define the IP addresses in the specified range. For example, the following table lists the private IPv4 address spaces in CIDR notation.

CIDR Notation Syntax Examples

CIDR Block       IP Addresses in CIDR Block       Subnet Mask     Number of IP Addresses
10.0.0.0/8       10.0.0.0 - 10.255.255.255        255.0.0.0       16,777,216
172.16.0.0/12    172.16.0.0 - 172.31.255.255      255.240.0.0     1,048,576
192.168.0.0/16   192.168.0.0 - 192.168.255.255    255.255.0.0     65,536

When you use CIDR notation to specify a range of IP addresses, the Sourcefire 3D System uses only the masked portion of the network IP address you specified. As a result, if you type 10.1.2.3/8, the Sourcefire 3D System uses 10.0.0.0/8, but the web interface continues to display 10.1.2.3/8, without changing your user input.

In other words, although Sourcefire recommends the standard method of using a network IP address on the bit boundary when using CIDR notation, the Sourcefire 3D System does not require it.
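The practical consequence of the rule above is that a policy entry typed with host bits set matches a wider range than the string on screen suggests: the appliance keeps displaying 10.1.2.3/8 while matching against 10.0.0.0/8. The following is an added example, not code from the guide or from the appliance, that uses Python's standard `ipaddress` module to reproduce that normalization, flag entries that are not on the bit boundary (the form Sourcefire recommends), and rebuild the private-address table. The function names and the decision to treat the typed string as display text and the masked network as the effective match are the example's own.

```python
import ipaddress

# The three private IPv4 spaces from the CIDR Notation Syntax Examples table.
PRIVATE_IPV4_BLOCKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def effective_network(cidr):
    """Return (what was typed, what is actually matched).

    strict=False discards the host bits, which is exactly the "only the
    masked portion" behaviour the guide describes: 10.1.2.3/8 -> 10.0.0.0/8.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return cidr, str(net)


def on_bit_boundary(cidr):
    """True when the network address has no host bits set, i.e. the entry is
    already in the recommended canonical form and will match as written."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False


def contains(cidr, address):
    """Does the entry, as the appliance applies it, cover this address?
    Uses the masked network, so 10.1.2.3/8 covers 10.200.0.1."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(cidr, strict=False)


def describe_block(cidr):
    """One row of the guide's table: first and last address, mask, size."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "block": str(net),
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "count": net.num_addresses,
    }


def private_space_table():
    """Rebuild the CIDR Notation Syntax Examples table as data."""
    return [describe_block(block) for block in PRIVATE_IPV4_BLOCKS]


def review_entries(entries):
    """Audit helper: list entries whose displayed form differs from the
    network the appliance will actually match, so a reviewer can spot
    ranges that are wider than they look."""
    findings = []
    for typed in entries:
        typed, effective = effective_network(typed)
        if not on_bit_boundary(typed):
            findings.append((typed, effective))
    return findings


if __name__ == "__main__":
    # Constructed policy entries, one of them with host bits set.
    for typed, effective in review_entries(["10.1.2.3/8", "192.168.0.0/16", "172.20.1.0/12"]):
        print(f"{typed} is displayed as typed but matches {effective}")
    for row in private_space_table():
        print(row)
```

`review_entries` is the check a reviewer of a detection policy or white list would run: any entry it reports is displayed narrower than it matches, and rewriting it on the bit boundary (the recommended form) makes the display and the match agree.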

Performing the Initial Setup

Chapter 2

After installing your Defense Center or 3D Sensor as described in the Installation Guide and logging into the web interface for the first time, you are presented with a series of start-up pages. Newer models of the 3D Sensor, called Series 2 sensors, provide a rapid set up feature and a status page. Note that if you purchased your sensor prior to 2008, you may have a Series 1 3D Sensor. Consult your original documentation or contact Sourcefire Support for information about performing the initial setup on those sensor models. To perform the initial setup of a Virtual 3D Sensor, see the Sourcefire 3D System Virtual Defense Center and 3D Sensor Installation Guide.

See the following sections for more information:
• Setting Up 3D Sensors on page 44 explains how to complete the setup process for Series 2 3D Sensors.
• Setting up Defense Centers on page 47 explains how to complete the setup process for Defense Centers.
• What’s Next? on page 52 provides detailed lists of the next tasks to be performed by each type of user.

Setting Up 3D Sensors

Requires: 3D Sensor

Newer models of the 3D Sensor (that is, Series 2 sensors) provide a simple web form to collect information about your network environment and how you intend to deploy the sensor. These sensors include the following models:

• 3D500
• 3D1000
• 3D2000
• 3D2100
• 3D2500
• 3D3500
• 3D4500
• 3D6500
• 3D9900

You can view illustrations of each model in the 3D Sensor Installation Guide to determine your sensor model. Defense Centers use the setup process in Setting up Defense Centers on page 47.

After physically installing the 3D Sensor, setting up the IP address for the management interface, and logging into the 3D Sensor's web interface (as described in the 3D Sensor Installation Guide), the Install page appears so that you can continue the setup process.

WARNING! Prepare for the initial setup and complete it promptly after you begin. If the initial setup is interrupted or if a second user logs in while it is underway, the results can be unpredictable.

To complete the initial setup:

Access: Admin

1. Under Change Password, in the New Password and Confirm fields, enter a new password for the admin user account and for the root password for the shell account. The same password is used for both accounts. Sourcefire strongly recommends that your password is at least eight alphanumeric characters of mixed case and includes at least one numeric character. Avoid using words that appear in a dictionary.

TIP! The initial change to the admin user password changes the root password for the shell account. Use the command line interface on the appliance for subsequent changes to the root password.

2. Under Network Settings, enter the settings that you want to use for the management IP address, netmask, and gateway. Note that if you used the configure-network script before logging into the web interface, the IP address, netmask, and gateway fields are pre-populated with your settings.

3. Under Remote Management, indicate whether you want to manage the 3D Sensor with a Defense Center. You can use the IP address of the Defense Center or, if you specify a DNS server, its hostname. The registration key is a single-use, user-created string that you will also use from within the Defense Center's web interface when you complete the sensor registration process. Refer to Working in NAT Environments on page 112 and Adding Sensors to the Defense Center on page 117 for more information.

If your sensor and Defense Center are separated by a network address translation (NAT) device, defer Defense Center management until after you complete the initial setup.

4. Optionally, under Time Settings, indicate how you want to set the time for the 3D Sensor. You can set the time manually or via network time protocol (NTP) from an NTP server. Note that if you use an NTP server to set the time, you must also specify the primary and secondary DNS servers. Note that if you are managing the sensor with a Defense Center and the Defense Center itself is set up as an NTP server, you can specify the Defense Center as the sensor's NTP server if your Defense Center is running current software and your sensors are running earlier software.

IMPORTANT! If both your Defense Center and your sensors are running current software, this step is unnecessary as the current software will synchronize automatically.

5. Under Detection Mode, specify how you want to deploy the 3D Sensor. You have two options:

• If you deployed the sensor as an inline IPS using paired sensing interfaces, select Inline with Failopen Mode.
• If you deployed the sensor as a passive IDS on your network, select Passive Mode.

WARNING! If you select Inline with Failopen Mode when the sensor is deployed passively, you may cause your network to be bridged, resulting in unexpected network behavior.

6. Under License Settings, indicate whether you want to add a product license to the 3D Sensor. You have two options:

• To use only the RNA or RUA functionality without IPS, you do not need to add a product license. You will automatically create an RNA detection engine without a policy. You control licensing for RNA or RUA through the Defense Center managing the sensor. Skip to step 8.
• To use IPS functionality (either by itself or with RNA or RUA functionality), you must add a product license to the 3D Sensor. To add a product license, enter the license key in the license key field, and click Add/Verify. To obtain a product license, click the link to navigate to https://keyserver.sourcefire.com/. If your current host cannot access the Internet, switch to a host that can and navigate to the keyserver web page. Note that you will be prompted for the license key and an activation key. The activation key was previously emailed to the contact person identified on your support contract. Follow the on-screen instructions to generate an email containing the license file and paste it into the License field.

7. Under Recurring SEU Imports, check the Enable Recurring SEU Imports check box to configure automatic SEU imports and specify the update frequency. You can also instruct the system to reapply intrusion policies after the SEU import completes. To queue an immediate update from the Sourcefire support site, select Update Now. Select the state for adding new rules to intrusion policies as disabled or in the predefined default state. For detailed information on adding new rules to custom policies in the default state or in the disabled rule state, refer to Using Recurring SEU Imports in the Analyst Guide.

8. Under End User License Agreement, read the agreement carefully. If you agree to abide by its provisions, select the check box and click Apply. The 3D Sensor is configured according to your selections. The appliance logs you out. A dashboard page appears after you log back in, which indicates the appliance is now operational. See Using Dashboards on page 59 for more information. See What's Next? on page 52 for some suggestions about how to proceed after you complete these initial startup pages.

TIP! Applying a default policy to detection engines can take several minutes. You will see no intrusion events until it completes. You can check the task progress at Operations > Monitoring > Task Status.

TIP! If you used the option to connect through the management port to perform the initial setup, remember to connect the cable to the protected management network.

Setting up Defense Centers

Requires: DC/MDC

The first time you log in to the web interface, Defense Centers and Master Defense Centers provide a simple web form to collect information about your network environment and how you intend to deploy the appliance. After physically installing the Defense Center, setting up the IP address for the management interface, and logging into the Defense Center's web interface (as described in the Defense Center Installation Guide), the Install page appears so that you can continue the setup process.

WARNING! Prepare for the initial setup and complete it promptly after you begin. If the initial setup is interrupted or if a second user logs in while it is underway, the results can be unpredictable.

To complete the initial setup:

Access: Admin

1. Under Change Password, in the New Password and Confirm fields, enter a new password for the admin user account and the root password for the shell account. The same password is used for both accounts. Sourcefire strongly recommends that your password is at least eight alphanumeric characters of mixed case and includes at least one numeric character. Avoid using words that appear in a dictionary.

TIP! The initial change to the admin user password changes the root password for the shell account. Use the command line interface on the appliance for subsequent changes to the root password.

2. Under Network Settings, enter the settings that you want to use for the management IP address, netmask, and gateway. Note that if you used the configure-network script before logging into the web interface, the IP address, netmask, and gateway fields are pre-populated with your settings.

3. If you are installing a DC3000, under Operational Mode, you can set the appliance to operate as a Defense Center or a Master Defense Center. If you select the Master Defense Center mode, the Remote Management section becomes unnecessary and is hidden from the form. Skip to step 5.

IMPORTANT! A Master Defense Center can manage only Defense Centers, and not 3D Sensors. Defense Center capabilities are not a subset of a Master Defense Center. For more information on the differences between the features provided by a Master Defense Center and a Defense Center, see Master Defense Center and Defense Center Functional Comparison on page 159.

4. Under Remote Management, indicate whether you want to manage the Defense Center with a Master Defense Center. You can use the IP address of the Master Defense Center or, if you specify a DNS server, its hostname. The registration key is a single-use, user-created string that you will also need to use when you register the Defense Center through the Master Defense Center's web interface. See Working in NAT Environments on page 112 and Adding a Master Defense Center on page 165 for more information.

IMPORTANT! If your Defense Center and Master Defense Center are separated by a network address translation (NAT) device, defer remote management until after you complete the initial setup.

5. On Defense Centers, under Sensor Registration, click Add to register each newly listed 3D Sensor with this Defense Center. You can use the IP address of the 3D Sensor or, if you specify a DNS server, its hostname. The registration key is the single-use, user-created string used in the 3D Sensor's web interface when you configured remote management for the sensor. Refer to Working in NAT Environments on page 112 and Adding Sensors to the Defense Center on page 117 for more information.

IMPORTANT! Use this function only if you have previously installed 3D Sensors that are pending registration with this Defense Center. If your 3D Sensor and Defense Center are separated by a network address translation (NAT) device, you should defer remote management until after you complete the initial setup.

If you are installing a DC3000 and your operational mode is Master Defense Center, the Defense Center Registration portion of the form is visible. Use these fields only to register Defense Centers where you have already configured remote management by this Master Defense Center. You can use the IP address of the Defense Center or, if you specify a DNS server, its hostname. The registration key is the single-use, user-created string you used in the Defense Center's web interface when you configured remote management. See Working in NAT Environments on page 112 and Adding a Defense Center on page 168 for more information.

IMPORTANT! If your Defense Center and Master Defense Center are separated by a network address translation (NAT) device, defer remote management until after you complete the initial setup.

6. Under Time Settings, indicate how you want to set the time for the Defense Center. You can set the time manually or via network time protocol (NTP) from an NTP server. Note that if you use an NTP server to set the time, you must also specify the primary and secondary DNS servers. Note that if you are managing the Defense Center with a Master Defense Center and the Master Defense Center itself is set up as an NTP server, you can specify the Master Defense Center as the Defense Center's NTP server.

IMPORTANT! If your Defense Center, Master Defense Center and all sensors are running current software, this step is unnecessary as the current software will synchronize automatically.

7. Indicate whether you want to apply default policies.

8. Under License Settings, add a product license and any required feature licenses to the Defense Center. To obtain a product license, click the link to navigate to https://keyserver.sourcefire.com/. If your current host cannot access the Internet, switch to a host that can and navigate to the keyserver web page. Note that you will be prompted for the license key and an activation key. The activation key was previously emailed to the contact person identified on your support contract. Follow the on-screen instructions to generate an email containing the license file and paste it into the License field.

9. Under Recurring SEU Imports, check the Enable Recurring SEU Import check box to configure automatic SEU imports and specify the update frequency. You can also instruct the system to reapply intrusion policies after the SEU import completes. To queue an immediate update from the Sourcefire support site, select Update Now. Select the state for adding new rules to intrusion policies as disabled or in the predefined default state. For detailed information on adding new rules to custom policies in the default state or in the disabled rule state, see Using Recurring SEU Imports in the Analyst Guide.

10. Under End User License Agreement, read the agreement carefully. If you agree to abide by its provisions, select the check box and click Apply. The Defense Center or Master Defense Center is configured according to your selections. The appliance logs you out. A dashboard page appears after you log back in, which indicates the appliance is operational. See Using Dashboards on page 59 for more information. See What's Next? on page 52 for some suggestions about how to proceed after you complete these initial startup pages.

TIP! If you used the option to connect through the management port to perform the initial setup, remember to connect the cable to the protected management network.

Communication Ports

The Sourcefire 3D System requires the use of specific ports to communicate internally and externally, between Defense Centers and sensors, and to enable

certain functionality within the network deployment. Refer to the Required Open Ports table for more information on functions and their associated ports.

Required Open Ports

Ports           Description        Notes
20, 21          ftp
22              ssh/ssl
23              telnet
25              smtp
53              dns
67, 68          dhcp
80              http               Open this port when you connect to a remote web server through the RSS widget.
162             snmp
389, 636        ldap
443             https
514             syslog             Open this port only if you are using a remote syslog server.
1241            Nessus
1660            Nmap
1812 and 1813   FreeRADIUS         Note that you must open both ports to ensure that FreeRADIUS functions correctly.
3306            RUA Agent          Open this port for communications between the Defense Center and RUA Agents.
8301            Intrusion Agent    Open this port for communications between the Defense Center and Intrusion Agents.

Required Open Ports (Continued)

Ports           Description                  Notes
8302            eStreamer
8305            Management Virtual Network   Open this port for communications between the Defense Center and v.4.8.x 3D Sensors.
18183           OPSEC SAM

What's Next?

Requires: Any

After you complete the initial setup for the Sourcefire 3D System, your next steps depend on the role assigned to your user account (Administrator user, Maintenance user, Policy & Response Administrator user, Intrusion Event Analyst user, or RNA Event Analyst user) and what appliance you are using. For deployments that include a Defense Center, you can perform much of the process on the Defense Center itself. For standalone 3D Sensor deployments (that is, deployments that do not include a Defense Center and do not use RNA), a user with Administrator access must perform the first steps. Review the tasks in the following sections, which are based on the user account privileges required for the task. See Managing Users on page 264 for more information about user roles.

IMPORTANT! Tasks that must be completed on specific hardware or software platforms are indicated by special text: For example, tasks that require a Defense Center are preceded with Requires: DC. Similarly, if your Defense Center or 3D Sensor must be licensed for IPS, RNA, or RUA, the task is preceded with Requires: IPS, Requires: RNA, or Requires: RUA.

• Administrator User Tasks on page 53 describe the steps that you must complete before Policy & Response Administrator users and analyst users can begin their tasks.
• Maintenance User Tasks on page 54 explain some of the steps in the process that Maintenance users can perform after Administrator users finish their required tasks.
• Policy & Response Administrator User Tasks on page 55 describe some of the policies and custom rules that Policy & Response Administrator users can create and apply so that analyst users receive useful data for their analyses.

• RNA Event Analyst User Tasks on page 56 describe the features that RNA Event Analyst users can use to learn about the assets on your network.
• Intrusion Event Analyst User Tasks on page 57 describe the features that Intrusion Event Analyst users can use to learn about the kinds of attacks that are launched against assets on your network.

Administrator User Tasks

Requires: Any

Administrator users have a superset of tasks. Tasks essential to initial setup are listed below. The first steps for the Administrator user are as follows:

Access: Admin

1. If you want to manage your 3D Sensors with a Defense Center but did not enable remote management as part of the initial setup on the sensor, you should set it up now. You must complete the steps outlined in Working with Sensors on page 113 on the Defense Center and on the sensors to complete the process. See Configuring Remote Access to the Defense Center on page 386 for information about setting up management links between your sensors and the Defense Center. In most network environments, Sourcefire recommends that you use the Defense Center's web interface rather than the sensor's web interface to manage the sensor and view the events that it generates.

2. Requires: DC If you are deploying two Defense Centers in high availability mode, set up high availability as explained in Configuring High Availability on page 145.

TIP! After you set up management, the sensors you add to the primary Defense Center are automatically added to the secondary Defense Center.

TIP! You can use high availability mode on Defense Centers which are managed by a Master Defense Center, but you cannot use high availability mode directly on the Master Defense Center itself.

3. Requires: DC If you want to authenticate users using an external authentication server, you must create an authentication object for that server as described in Creating LDAP Authentication Objects on page 269.

4. If you did not already set up a system policy as part of the initial setup, you should configure one that meets the needs of your network and security environment. You can also create different policies on your Defense Center and apply them to the managed sensors where it is appropriate. Note that, if you want to use external authentication, you need to enable it in a system policy on the Defense Center and apply that policy to any appliances where users will authenticate to the external server. See Managing System Policies on page 320 for more information.

5. Requires: DC Set up health monitoring policies and apply them to your managed sensors and to the Defense Center itself. The health monitoring feature includes a range of modules that you can enable or disable based on the needs of your network environment. Note that a Maintenance user can also set up health policies. See Using Health Monitoring on page 482 for more information.

6. Create new user accounts that match the roles you want to assign to your users. The auditing feature records events based on the user account name, so it is much better to have an account for each user rather than allowing multiple users to access the appliance from one or two accounts. See Managing Users on page 264 for more information.

7. By default, each 3D Sensor has a single detection engine that encompasses all of the available sensing interfaces (or all of the available fast-packet-enabled interfaces) on the sensor. To take advantage of the multiple detection engine feature, you must modify the default detection engine. See Using Detection Engines and Interface Sets on page 185 for more information about examining traffic on multiple network segments with a single sensor.

8. Check for any available software patches, vulnerability database updates, and Security Enhancement Updates (SEUs) and apply them to your Defense Center where required. Apply any available software patches or vulnerability database updates to managed sensors where required. Patches and updates are available on the Sourcefire Support site. See Importing SEUs and Rule Files in the Analyst Guide and Updating System Software on page 398 for more information.

The next section, Maintenance User Tasks, describes the steps that a user with Maintenance access can perform.

Maintenance User Tasks

Requires: Any

After a user with Administrator privileges performs the initial configuration as described in Setting Up 3D Sensors on page 44, a Maintenance user or an Administrator user can perform the following tasks:

To continue the initial setup, Maintenance users can:

Access: Maint/Admin

1. Develop a backup and restore plan. See Using Backup and Restore on page 413 for details about backing up configurations as well as event data. Note that you can also schedule regular backups of your appliance.

2. Set up scheduled tasks for any jobs that you want to perform on a regular basis. See Scheduling Tasks on page 425 for more information.

3. Requires: DC If a user with Administrator privileges has not configured health monitoring, you can set up and apply health policies on your managed sensors and the Defense Center. See Using Health Monitoring on page 482 for more information.

The next section, Policy & Response Administrator User Tasks, describes the steps that a user with Policy & Response Administrator access can perform.

Policy & Response Administrator User Tasks

Requires: Any

After a user with Administrator privileges performs the initial configuration as described in Setting Up 3D Sensors on page 44, a Policy & Response Administrator user or an Administrator user can perform the following tasks:

To continue the initial setup, Policy & Response Administrator users can:

Access: P&R Admin/Admin

1. Requires: IPS Create and apply intrusion policies to the IPS-related detection engines on your 3D Sensor. See Using Basic Settings in an Intrusion Policy in the Analyst Guide for more information.

2. Requires: IPS Part of the process for creating an intrusion policy includes enabling the appropriate intrusion rules and fine-tuning the preprocessors and packet decoders to match your network traffic. See Managing Intrusion Rules in the Analyst Guide and Using Advanced Settings in an Intrusion Policy in the Analyst Guide for more in-depth information about configuring intrusion policies.

3. Requires: RNA Set up compliance policies to determine when prohibited activity occurs on your network. Compliance policies can contain rules based on nearly any kind of network activity that your 3D Sensor can detect, including anomalous network traffic patterns. See Configuring Compliance Policies and Rules in the Analyst Guide.

4. Requires: RNA If a compliance policy violation occurs, you can specify that the Defense Center automatically respond to it in one of several ways, including blocking a suspect host at the firewall or router, sending a notification by email or SNMP, or simply generating a syslog alert. For more information on responses, see Configuring Responses for Compliance Policies in the Analyst Guide.

5. Requires: IPS As you gain more experience with the intrusion rules provided by Sourcefire, you may want to write your own rules to meet the unique needs of your network. See Understanding and Writing Intrusion Rules in the Analyst Guide and Rule-Writing Examples and Tips in the Analyst Guide to learn more about using the rule editor to write your own intrusion rules.

6. Requires: IPS To ensure that your intrusion event analysts are informed as soon as possible regarding attacks against your most valuable network assets, consider setting up automated notifications (that can be sent to the syslog, via email, or via SNMP) if a specific intrusion rule is triggered. If your network environment includes an OPSEC-compliant firewall, you can also send SAM-based responses to the firewall. See Configuring External Responses to Intrusion Events in the Analyst Guide for more information.

The policies and rules that you create as a Policy & Response Administrator user determine the kinds of events that are seen by the RNA Event Analyst and Intrusion Event Analyst users on your appliance. The next sections, RNA Event Analyst User Tasks and Intrusion Event Analyst User Tasks, describe the steps that a user with Intrusion Event Analyst, Intrusion Event Analyst (Read-Only), RNA Event Analyst, RNA Event Analyst (Read-Only), or Restricted Event Analyst access can perform.

RNA Event Analyst User Tasks

Requires: Any

After a user with Administrator privileges performs the initial configuration as described in Setting Up 3D Sensors on page 44, an RNA Event Analyst user or an Administrator user can perform the tasks listed below. RNA Event Analyst (Read Only) users can perform any of these tasks. Similarly, Restricted Event Analyst users can perform most of these tasks, but their event views are limited to specific IP address ranges.

RNA Event Analyst users can:

Access: Any RNA/Admin

1. Begin by reviewing the summary statistics, which can provide you with a high-level view of the activity and events taking place on your network. See Viewing RNA Event Statistics in the Analyst Guide for more information.

2. Requires: RNA Review the information in the network map, which is an expandable tree view of all the hosts and services reported by RNA. The network map provides you with an overview of your network and is a good tool for locating rogue access points, unknown hosts, and services that are prohibited by your security policies. See Using the Network Map in the Analyst Guide for more information.

3. Requires: RNA If you locate unknown hosts on the network map, use the host profile feature to learn more about them. You can also use the host profile to set host criticality and to learn about the vulnerabilities reported for the operating system and services running on each host. See Using Host Profiles in the Analyst Guide for more information.

4. Requires: RNA Use the RNA event workflows to review the activity that has occurred on your network over time. You can review information for network hosts, services, client applications, vulnerabilities, and host attributes. You can also use the extensive search capability to define and save your own search criteria that you can use as part of your regular analysis. Note that the kinds of RNA events that are logged to the database are determined by the system policy on the managing Defense Center. See Working with RNA Events in the Analyst Guide for more information.

5. Requires: RNA Use flow data and traffic profiles to gain a different kind of insight into the activity on your network. For example, you can review the information collected by RNA's traffic monitoring features and identify high-traffic hosts, then determine which might be behaving abnormally. Note that flow data is collected by your sensors only if the flow data option is enabled in the RNA detection policy. See Working with Flow Data and Traffic Profiles in the Analyst Guide for more information.

6. Use any of the predefined workflows to view, investigate, and act on the events generated by your sensors. As you grow more experienced with the Sourcefire 3D System, you may want to create your own workflows. See Understanding and Using Workflows in the Analyst Guide for more information.

7. Use the report designer to create CSV, HTML, or PDF-based event and incident reports. You can automatically email a report when it is complete, and you can create and save report profiles to use later. You can use the scheduler to automate reporting. See Scheduling Tasks on page 425. See Working with Event Reports on page 232 for more information.

Intrusion Event Analyst User Tasks

Requires: Any

After a user with Administrator privileges performs the initial configuration as described in Setting Up 3D Sensors on page 44, an Intrusion Event Analyst user or an Administrator user can perform the tasks listed below. Most of these can be performed by Restricted Event Analyst users also, but their event views are limited to specific IP address ranges.

To continue the initial setup, Intrusion Event Analyst users can:

Access: Any IPS/Admin

1. Begin by reviewing the summary statistics, which can provide you with a high-level view of the activity and events taking place on your network. See Viewing Intrusion Event Statistics in the Analyst Guide for more information.

2. Requires: IPS Use the intrusion event views to determine which hosts on your network are the targets of attacks and the types of attacks that are attempted against them. Note that the events that you see are limited by the options that are enabled in the intrusion policy that is applied to your sensors. See Working with Intrusion Events in the Analyst Guide for more information.

Requires: RNA Note that on the Defense Center, intrusion events are correlated with any available RNA data to generate an impact flag. Events with high impact are more likely to indicate that an attack is targeted against a vulnerable host on your network. See Using Impact Flags to Evaluate Events in the Analyst Guide for more information.

3. Use any of the predefined workflows to view, investigate, and act on the events generated by your sensors. As you grow more experienced with the Sourcefire 3D System, you may want to create your own workflows. See Understanding and Using Workflows in the Analyst Guide for more information.

4. Requires: IPS Use the incident handling feature to collect information about your investigation of possible intrusions on your network. You can use an incident to record details about your investigation, and the appliance automatically records the amount of time you have the incident open. You can also add intrusion event data that you believe might be important to your investigation of the incident. See Handling Incidents in the Analyst Guide for more information.

5. Use the report designer to create CSV, HTML, or PDF-based event and incident reports. You can automatically email a report when it is complete, and you can create and save report profiles to use later. You can use the scheduler to automate reporting. See Scheduling Tasks on page 425. See Working with Event Reports on page 232 for more information.

Chapter 3
Using Dashboards

Sourcefire 3D System dashboards provide you with at-a-glance views of current system status, including data about the events collected and generated by the Sourcefire 3D System, as well as information about the status and overall health of the appliances in your deployment.

Each dashboard has one or more tabs, each of which can display one or more widgets in a three-column layout. Widgets are small, self-contained components that provide insight into different aspects of the Sourcefire 3D System. The Sourcefire 3D System is delivered with several predefined widgets. For example, the Appliance Information widget tells you the appliance name, model, current version of the Sourcefire 3D System software running on the appliance, and its remote manager.

Each dashboard has a time range that constrains its widgets. You can change the time range to reflect a period as short as the last hour or as long as the last year.

Each type of appliance is delivered with a default dashboard, named Default Dashboard. This dashboard provides the casual user with basic event and system status information for your Sourcefire 3D System deployment. Note that because not all widgets are useful for all types of appliances, the default dashboard differs depending on whether you are using a Master Defense Center, Defense Center, or 3D Sensor.

In addition to the default dashboard, the Defense Center is delivered with two other predefined dashboards:
• The Flow Summary dashboard uses flow data to create tables and charts of the activity on your monitored network. For more information, see Understanding Flow Data in the Analyst Guide. Note that Restricted Event Analysts use the Flow Summary page instead of the Flow Summary Dashboard; see Viewing the Flow Summary Page in the Analyst Guide for more information on flow summary data.
• The Detailed Dashboard provides advanced users with detailed information about your Sourcefire 3D System deployment, and includes multiple widgets that summarize collected IPS, RNA, compliance, and system status data.

You can use the predefined dashboards, modify the predefined dashboards, or create a custom dashboard to suit your needs. You can share custom dashboards among all users of an appliance, or you can create a custom dashboard solely for your own use.

By default, the home page for your appliance displays the default dashboard, although you can configure your appliance to display a different default home page, including pages that are not dashboard pages. You can also set a custom dashboard as your default dashboard. For more information, see Viewing Dashboards on page 91.

TIP! If you change the home page, you can access dashboards by selecting Analysis & Reporting > Event Summary > Dashboards.

For more information, see the following sections:
• Understanding Dashboard Widgets on page 60
• Understanding the Predefined Widgets on page 65
• Working with Dashboards on page 89

Understanding Dashboard Widgets
Requires: Any

Each dashboard has one or more tabs, each of which can display one or more widgets in a three-column layout. The Sourcefire 3D System is delivered with several predefined dashboard widgets, each of which provides insight into a different aspect of the Sourcefire 3D System. The dashboard widgets that you can view depend on the type of appliance you are using and on your user role. In addition, each dashboard has a set of preferences that determines its behavior.

You can minimize and maximize widgets, add and remove widgets from tabs, as well as rearrange the widgets on a tab.

For more information, see:
• Understanding Widget Availability on page 61
• Understanding Widget Preferences on page 64
• Understanding the Predefined Widgets on page 65
• Working with Dashboards on page 89

Understanding Widget Availability
Requires: Any

The Sourcefire 3D System is delivered with several predefined dashboard widgets. Widgets are grouped into three categories:
• Analysis & Reporting widgets display data about the events collected and generated by the Sourcefire 3D System.
• Operations widgets display information about the status and overall health of the Sourcefire 3D System.
• Miscellaneous widgets display neither event data nor operations data. Currently the only widget in this category displays an RSS feed.

The dashboard widgets that you can view depend on the type of appliance you are using and on your user role. For example, the Appliance Information widget is available on all appliances for all user roles, while the Compliance Events widget is available only on the Defense Center for users with Administrator, Intrusion Event Analyst, or RNA Event Analyst account privileges.

Although you cannot add an unauthorized or invalid widget to a dashboard, if you import a dashboard created either on a different kind of appliance or by a user with different access privileges, that dashboard may contain unauthorized or invalid widgets:
• An invalid widget is one that you cannot view because you are using the wrong type of appliance.
• An unauthorized widget is one that you cannot view because you do not have the necessary account privileges.
These widgets are disabled and display error messages that indicate the reason why you cannot view them.

Also note that widgets cannot display data to which an appliance has no access. For example, the Master Defense Center cannot access flow data, RNA events, RUA events, and so on. If you import a dashboard onto a Master Defense Center that contains a Custom Analysis widget configured to display one of those data types, the widget displays an error message.

Similarly, the content of a widget can differ depending on the type of appliance you are using. For example, the Current Interface Status widget on a 3D Sensor displays the status of its sensing interfaces, but on Defense Centers and Master Defense Centers the widget displays only the status of the management interface.

You can delete or minimize unauthorized and invalid widgets, as well as widgets that display no data, keeping in mind that modifying a widget on a shared dashboard modifies it for all users of the appliance. For more information, see Minimizing and Maximizing Widgets on page 97 and Deleting Widgets on page 97.

Note that any content generated in table format can be sorted by clicking on the table column header.

The Sourcefire Appliances and Dashboard Widget Availability table lists the valid widgets for each appliance. An X indicates that the appliance can display the widget.

Sourcefire Appliances and Dashboard Widget Availability

Widget                   | Master Defense Center | Defense Center | 3D Sensor with IPS (and RNA) | 3D Sensor with RNA (only)
-------------------------|-----------------------|----------------|------------------------------|--------------------------
Appliance Information    | X                     | X              | X                            | X
Appliance Status         | X                     | X              |                              |
Compliance Events        | X                     | X              |                              |
Current Interface Status | X                     | X              | X                            | X
Current Sessions         | X                     | X              | X                            | X
Custom Analysis          | X                     | X              | X                            | X
System Load              | X                     | X              | X                            | X
System Time              | X                     | X              | X                            | X
White List Events        | X                     | X              |                              |

Remaining rows of the table (Disk Usage, Interface Traffic, Intrusion Events, Network Compliance, Product Licensing, Product Updates, RSS Feed): the X marks for these rows are not legible in this copy.

The User Roles and Dashboard Widget Availability table lists the user account privileges required to view each widget. An X indicates the user can view the widget.

IMPORTANT! User accounts with Restricted Event Analyst access cannot use dashboards.

User Roles and Dashboard Widget Availability

Widget                | Administrator | Maintenance | P&R Admin | IPS Analyst | RNA Analyst
----------------------|---------------|-------------|-----------|-------------|------------
Appliance Information | X             | X           | X         | X           | X
Compliance Events     | X             |             |           | X           | X

Remaining rows of the table (Appliance Status, Current Interface Status, Current Sessions, Custom Analysis, Disk Usage, Interface Traffic, Intrusion Events, Network Compliance, Product Licensing, Product Updates, RSS Feed, System Load, System Time, White List Events): the Administrator column is marked X for every widget; the marks for the other roles are not legible in this copy.

Understanding Widget Preferences
Requires: Any

Each widget has a set of preferences that determines its behavior.

Widget preferences can be simple. For example, the following graphic shows the preferences for the Current Interface Status widget, which displays the current status of the network interfaces for the appliance. You can only configure the update frequency for this widget.

Widget preferences can also be more complex. For example, the following graphic shows the preferences for the Custom Analysis widget, which is a highly customizable widget that allows you to display detailed information on the events collected and generated by the Sourcefire 3D System.

For information on the preferences you can specify for individual widgets, see Understanding the Predefined Widgets on page 65.

To modify a widget's preferences:
Access: Any except Restricted

1. On the title bar of the widget whose preferences you want to change, click the show preferences icon. The preferences section for that widget appears.
2. Make changes as needed. Your changes take effect immediately.
3. On the widget title bar, click the hide preferences icon to hide the preferences section.

Understanding the Predefined Widgets
Requires: Any

The Sourcefire 3D System is delivered with several predefined widgets that, when used on dashboards, can provide you with at-a-glance views of current system status, including data about the events collected and generated by the Sourcefire 3D System, as well as information about the status and overall health of the appliances in your deployment.

IMPORTANT! The dashboard widgets you can view depend on the type of appliance you are using and on your user role. For more information, see Understanding Widget Availability on page 61.

For detailed information on the widgets delivered with the Sourcefire 3D System, see the following sections:
• Understanding the Appliance Information Widget on page 66
• Understanding the Appliance Status Widget on page 67
• Understanding the Compliance Events Widget on page 67
• Understanding the Current Interface Status Widget on page 68
• Understanding the Current Sessions Widget on page 69
• Understanding the Custom Analysis Widget on page 69
• Understanding the Disk Usage Widget on page 80
• Understanding the Interface Traffic Widget on page 81
• Understanding the Intrusion Events Widget on page 81
• Understanding the Network Compliance Widget on page 82
• Understanding the Product Licensing Widget on page 84
• Understanding the Product Updates Widget on page 85
• Understanding the RSS Feed Widget on page 86
• Understanding the System Load Widget on page 87
• Understanding the System Time Widget on page 87
• Understanding the White List Events Widget on page 88

Understanding the Appliance Information Widget
Requires: Any

The Appliance Information widget provides a snapshot of the appliance. The widget provides:
• the name and model of the appliance
• the versions of the Sourcefire 3D System software, operating system, Snort, rule pack, module pack, SEU, and vulnerability database (VDB) installed on the appliance
• the name and status of the communications link with the managing appliance, for managed appliances
• the name, management interface IP address, model, and Sourcefire 3D System software and operating system versions of the peer Defense Center, as well as how recently the Defense Centers made contact, for Defense Centers in a high availability pair

You can configure the widget to display more or less information by modifying the widget preferences to display a simple or an advanced view; the preferences also control how often the widget updates. For more information, see Understanding Widget Preferences on page 64.

Understanding the Appliance Status Widget
Requires: DC/MDC

The Appliance Status widget indicates the health of the appliance and of any appliances it is managing. Note that because the Defense Center does not automatically apply a health policy to managed sensors, you must manually apply a health policy or their status appears as Disabled.

You can click a section on the pie chart or one of the numbers on the appliance status table to go to the Health Monitor page and view the compiled health status of the appliance and of any appliances it is managing. For more information, see Using the Health Monitor on page 545.

You can configure the widget to display appliance status as a pie chart or in a table by modifying the widget preferences. The preferences also control how often the widget updates. For more information, see Understanding Widget Preferences on page 64.

Understanding the Compliance Events Widget
Requires: DC/MDC

The Compliance Events widget shows the average events per second by priority, over the dashboard time range.

You can configure the widget to display compliance events of different priorities by modifying the widget preferences. Select one or more Priorities check boxes to display separate graphs for events of specific priorities, including events that do not have a priority. Select Show All to display an additional graph for all compliance events, regardless of priority. The preferences also control how often the widget updates, as well as whether the widget uses a linear (incremental) or logarithmic (factor of ten) scale. For more information, see Understanding Widget Preferences on page 64.

You can click a graph to view compliance events of a specific priority, or click the All graph to view all compliance events. In either case, the events are constrained by the dashboard time range; accessing compliance events via the dashboard changes the events (or global) time window for the appliance. For more information on compliance events, see Viewing Compliance Events in the Analyst Guide.

Understanding the Current Interface Status Widget
Requires: Any

The Current Interface Status widget shows the status of the network interfaces for the appliance, grouped by type: management, inline, passive, and unused. Note that only 3D Sensors have interface types other than the management interface. For each interface, the widget provides:
• the name of the interface
• the link state of the interface, represented by a green ball (up) or a gray ball (down)
• the link mode (for example, 100Mb full duplex, or 10Mb half duplex) of the interface
• the type of interface, that is, copper or fiber
• the amount of data received (Rx) and transmitted (Tx) by the interface

The widget preferences control how often the widget updates. For more information, see Understanding Widget Preferences on page 64.

Understanding the Current Sessions Widget
Requires: Any

The Current Sessions widget shows which users are logged into the appliance, the IP address of the machine where the session originated, and the last time each user accessed a page on the appliance (based on the local time for the appliance). The user that represents you, that is, the user currently viewing the widget, is marked with a user icon and is rendered in bold type.

On the Current Sessions widget, you can:
• click any user name to manage user accounts on the User Management page; see Managing User Accounts on page 299
• click the host icon next to any IP address to view the host profile for that computer; see Using Host Profiles in the Analyst Guide (Defense Center with RNA only)
• click any IP address or access time to view the audit log constrained by that IP address and by the time that the user associated with that IP address logged on to the web interface; see Viewing Audit Records on page 567

The widget preferences control how often the widget updates. For more information, see Understanding Widget Preferences on page 64.

Understanding the Custom Analysis Widget
Requires: Any

The Custom Analysis widget is a highly customizable widget that allows you to display detailed information on the events collected and generated by the Sourcefire 3D System.

The Custom Analysis widget is delivered with several presets, which are groups of configurations that are predefined by Sourcefire. The presets serve as examples and can provide quick access to information about your deployment. You can use these presets or you can create a custom configuration. When you configure the widget preferences, you must select which table and individual field you want to display, as well as the aggregation method that configures how the widget groups the data it displays.

For example, if you are using Sourcefire RNA as part of your deployment, you can configure the Custom Analysis widget to display which operating systems are running on the hosts in your organization by configuring the widget to display OS data from the RNA Hosts table. Aggregating this data by Count tells you how many hosts are running each operating system. On the other hand, aggregating by Unique OS tells you how many unique versions of each operating system are running on the same hosts (for example, how many unique versions of Linux, Microsoft Windows, Mac OS X, and so on).

Optionally, you can further constrain the widget using a saved search, either one of the predefined searches delivered with your appliance or a custom search that you created. For example, constraining the first example (operating systems aggregated by Count) using the Local Systems search tells you how many hosts within one hop of your 3D Sensors are running each operating system.

If you want information on events or other collected data over time, you can configure the Custom Analysis widget to display a line graph, such as one that displays the total number of intrusion events generated in your deployment over time.

The widget displays the last time it updated, based on the local time of the appliance. The widget updates with a frequency that depends on the dashboard time range. For example, if you set the dashboard time range to an hour, the widget updates every five minutes. On the other hand, if you set the dashboard time range to a year, the widget updates once a week. To determine when the dashboard will update next, hover your pointer over the Last updated notice in the bottom left corner of the widget.

The colored bars in the widget background show the relative number of occurrences of each event; you should read the bars from right to left. You can change the color of the bars as well as the number of rows that the widget displays. You can also configure the widget to display the most frequently occurring events or the least frequently occurring events.

The direction icon indicates and controls the sort order of the display. A downward-pointing icon indicates descending order; an upward-pointing icon indicates ascending order. To change the sort order, click the icon.

Next to each event, the widget can display one of three icons to indicate any additions or movement from the most recent results:
• The new event icon signifies that the event is new to the results.
• The up-arrow icon indicates that the event has moved up in the standings since the last time the widget updated. A number indicating how many places the event has moved up appears next to the icon.
• The down-arrow icon indicates that the event has moved down in the standings since the last time the widget updated. A number indicating how many places the event has moved down appears next to the icon.
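The two behaviors described above, aggregating a table field by Count or by a Unique count (optionally constrained by a saved search) and marking additions and movement between successive result sets, can be reproduced in a few lines of code. The following Python is an added example written for this page; it is not Sourcefire code and does not use any appliance API. The host rows are constructed sample data standing in for the RNA Hosts table, and the local_systems function is an assumed stand-in for the predefined Local Systems search (the page says only that it selects hosts within one hop of your 3D Sensors).

```python
from collections import Counter, defaultdict

# Constructed sample rows standing in for the RNA Hosts table (hypothetical values).
HOSTS = [
    {"ip": "10.0.0.1", "os": "Windows",  "os_version": "Microsoft Windows XP", "hops": 1},
    {"ip": "10.0.0.2", "os": "Windows",  "os_version": "Microsoft Windows 7",  "hops": 1},
    {"ip": "10.0.0.3", "os": "Windows",  "os_version": "Microsoft Windows 7",  "hops": 1},
    {"ip": "10.0.0.8", "os": "Windows",  "os_version": "Microsoft Windows 7",  "hops": 2},
    {"ip": "10.0.0.4", "os": "Linux",    "os_version": "Ubuntu 10.04",         "hops": 1},
    {"ip": "10.0.0.5", "os": "Linux",    "os_version": "Debian 5.0",           "hops": 2},
    {"ip": "10.0.0.6", "os": "Linux",    "os_version": "Ubuntu 10.04",         "hops": 3},
    {"ip": "10.0.0.7", "os": "Mac OS X", "os_version": "Mac OS X 10.6",        "hops": 1},
]


def local_systems(row):
    """Assumed stand-in for the predefined 'Local Systems' saved search:
    keep hosts within one hop of a sensor. The real search definition is not
    on the page; this predicate is an assumption for the example."""
    return row["hops"] <= 1


def aggregate_count(rows, field, search=None):
    """'Count' aggregation: number of rows per distinct value of `field`,
    after applying the optional saved-search constraint."""
    return Counter(row[field] for row in rows if search is None or search(row))


def aggregate_unique(rows, field, unique_field, search=None):
    """'Unique <field>' aggregation: number of distinct `unique_field` values
    per distinct value of `field` (e.g. unique OS versions per operating system)."""
    seen = defaultdict(set)
    for row in rows:
        if search is None or search(row):
            seen[row[field]].add(row[unique_field])
    return {value: len(versions) for value, versions in seen.items()}


def rank(counts, top=True, results=10):
    """Order results like the Show Results preference: most frequent first (Top)
    or least frequent first (Bottom). Ties are broken by value so the order is
    deterministic; `results` mirrors the widget's row limit."""
    ordered = sorted(counts.items(),
                     key=lambda kv: (-kv[1] if top else kv[1], str(kv[0])))
    return ordered[:results]


def movers(previous, current):
    """Compute the Show Movers indicators between two ranked result lists:
    'new' for a value absent from the previous results, ('up', n) or
    ('down', n) for a move of n places, None for no change."""
    prev_pos = {value: i for i, (value, _) in enumerate(previous)}
    indicators = {}
    for i, (value, _) in enumerate(current):
        if value not in prev_pos:
            indicators[value] = "new"
            continue
        delta = prev_pos[value] - i  # positive: moved toward the top (smaller index)
        if delta > 0:
            indicators[value] = ("up", delta)
        elif delta < 0:
            indicators[value] = ("down", -delta)
        else:
            indicators[value] = None
    return indicators


if __name__ == "__main__":
    print("Count by OS:", rank(aggregate_count(HOSTS, "os")))
    print("Unique OS versions by OS:", rank(aggregate_unique(HOSTS, "os", "os_version")))
    print("Count by OS, Local Systems only:",
          rank(aggregate_count(HOSTS, "os", search=local_systems)))
    # Two constructed snapshots of a ranked result set, as the widget would hold
    # them across two updates.
    before = [("A", 10), ("B", 8), ("C", 5)]
    after = [("B", 12), ("A", 9), ("D", 4), ("C", 3)]
    print("Movers:", movers(before, after))
```

The Count aggregation collapses every host with the same operating system into one row, while the Unique aggregation answers a different question (how many distinct versions of each operating system were seen), which is why the two never give the same numbers on real data. The saved-search predicate is applied before aggregation, exactly as a search constraint narrows the rows the widget counts.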

you can invoke event views (that is. workflows) that provide detailed information about the events displayed in the widget. a line graph). you can choose the time zone that the widget uses as well as the color of the line. you should remove the widget. For graphs over time. A different set of preferences appears depending on whether you configure the widget to show relative occurrences of events (that is. or you configure the widget to show a graph over time (that is. To configure a Custom Analysis widget.9.1 Sourcefire 3D System Administrator Guide 72 . Version 4. For more information. the Custom Analysis widget has preferences that determines its behavior. If the widget continues to stay red over time. a red-shaded Custom Analysis widget indicates that its use is harming system performance. Finally. Custom Analysis widgets can place a drain on an appliance’s resources. see the following sections: • • • Configuring the Custom Analysis Widget on page 72 Viewing Associated Events from the Custom Analysis Widget on page 78 Custom Analysis Widget Limitations on page 79 Configuring the Custom Analysis Widget Requires: Any As with all widgets. show the preferences as described in Understanding Widget Preferences on page 64. you can choose a custom title for the widget. From Custom Analysis widgets. a bar graph).Using Dashboards Understanding the Predefined Widgets Chapter 3 time. IMPORTANT! Depending on how they are configured.

If you do not specify a title. You can use these presets or you can create a custom configuration. which are groups of configurations that are predefined by Sourcefire. select any value except Time from the Field drop-down list... as shown in the following graphic..1 Sourcefire 3D System Administrator Guide 73 . The following table describes the various preferences you can set in the Custom Analysis widget.. For a detailed list of presets. select Time from the Field drop-down list. as shown in the following graphic. The presets serve as examples and can provide quick access to information about your deployment. Title To control. the appliance uses the configured event type as the widget title. Preset the preset for the widget. The Custom Analysis widget is delivered with several presets. see the Custom Analysis Widget Presets table on page 75. the title of the widget. To configure the widget to show a line graph.Using Dashboards Understanding the Predefined Widgets Chapter 3 To configure the widget to show a bar graph. Custom Analysis Widget Preferences Use this preference. Version 4.9.

select Time. although some presets use predefined searches. Search the saved search you want to use to further constrain the data that the widget displays. Table Field To control. in increments of five.. the specific field of the event type you want to display. TIP! To display a graph over time. which time zone you want to use to display results. Aggregate the aggregation method for the widget. Defense Center predefined dashboard uses Version 4. Show Movers Time Zone whether you want to display the icons that indicate additions or movement from the most recent results. The aggregation method configures how the widget groups the data it displays. It also indicates which... the number of results rows you want to display. Show Results whether you want to display the most frequently occurring events (Top) or the least frequently occurring events (Bottom).9. if any. the table of events which contains the event data the widget displays. Color the color of the bars in the widget background that show the relative number of occurrences of each result. the default aggregation criterion is Count. You can display from 10 to 25 result rows. For most event types. The following table describes the available presets for the Custom Analysis widget..1 Sourcefire 3D System Administrator Guide 74 .Using Dashboards Understanding the Predefined Widgets Chapter 3 Custom Analysis Widget Preferences (Continued) Use this preference. The time zone appears whenever you select a time-based field. You do not have to specify a search.

based on the number of detected flows. Displays the most active ports on your monitored network. Displays counts for the most frequently occurring intrusion events. Displays the most active services on your monitored network. where the packet was not dropped as part of the event. Displays the most frequently occurring types of intrusion events. (The predefined dashboards on the Master Defense Center and 3D Sensor do not include Custom Analysis widgets. Displays the most active hosts on your monitored network. based on the number of flows where the host initiated the session.Using Dashboards Understanding the Predefined Widgets Chapter 3 each preset. by application type. Custom Analysis Widget Presets Preset All Intrusion Events Description Displays a graph of the total number of intrusion events on your monitored network over the dashboard time range. Displays the most active hosts on your monitored network. where the packet was dropped. based on the number of detected flows. Displays the most active client applications on your monitored network. Predefined Dashboards Default Dashboard Detailed Dashboard Detailed Dashboard Requires IPS or DC/MDC + IPS All Intrusion Events (Not Dropped) IPS or DC/MDC + IPS Client Applications Detailed Dashboard DC + RNA Dropped Intrusion Events Default Dashboard IPS or DC/MDC + IPS Flows by Initiator IP Flow Summary DC + RNA Flows by Port Flow Summary DC + RNA Flows by Responder IP Flow Summary DC + RNA Flows by Service Flow Summary DC + RNA Version 4. based on the number of flows where the host was the responder in the session.1 Sourcefire 3D System Administrator Guide 75 .9. by classification.) . by classification.

based on event classification.1 Sourcefire 3D System Administrator Guide 76 . over the dashboard time range. based on the number of hosts on the network running services made by that vendor. Displays the most active hosts on your monitored network.Using Dashboards Understanding the Predefined Widgets Chapter 3 Custom Analysis Widget Presets (Continued) Preset Flows over Time Description Displays a graph of the total number of flows on your monitored network. Displays the most active hosts on your monitored network.9. based on the number of intrusion events where the host was the targeted host in the flow that caused the event. Displays the most common operating system. Displays a count of intrusion event requiring analysis. based on frequency of intrusion events. Predefined Dashboards Flow Summary Requires DC + RNA Intrusion Events Requiring Analysis Intrusion Events by Hour Intrusion Events to High Criticality Hosts Detailed Dashboard DC/MDC + IPS + RNA IPS or DC/MDC + IPS DC/MDC + IPS + RNA none Detailed Dashboard Operating Systems Detailed Dashboard DC + RNA Services Detailed Dashboard DC + RNA Top Attackers Default Dashboard IPS or DC/MDC + IPS Top Targets Default Dashboard IPS or DC/MDC + IPS Version 4. based on the number of hosts running each operating system within your network. Displays the most frequently occurring types of intrusion events. Displays the most active hours of the day. based on the number of intrusion events where the host was the attacking host in the flow that caused the event. based on the number of intrusion events occurring on high criticality hosts. Displays the most common RNA service vendors.

9. Displays a graph of the total kilobytes of data transmitted on your monitored network over the dashboard time range. based on the number of kilobytes per second of data received by the hosts. Displays the most active RUA users on your monitored network. based on the number of kilobytes per second of data transmitted via the port. Displays the most active hosts on your monitored network. based on the total number of kilobytes of data received by the hosts where those users are logged in. Predefined Dashboards Detailed Dashboard Flow Summary Requires DC + RNA Traffic by Initiator User Detailed Dashboard DC + RNA + RUA Traffic by Port Flow Summary DC + RNA Traffic by Responder IP Detailed Dashboard Flow Summary DC + RNA Traffic by Service Detailed Dashboard Flow Summary DC + RNA Traffic over Time Detailed Dashboard Flow Summary DC + RNA Version 4.Using Dashboards Understanding the Predefined Widgets Chapter 3 Custom Analysis Widget Presets (Continued) Preset Traffic by Initiator IP Description Displays the most active hosts on your monitored network. based on the number of kilobytes per second of data transmitted by the hosts.1 Sourcefire 3D System Administrator Guide 77 . Displays the most active responder ports on your monitored network. based on the number of kilobytes per second of data transmitted by the service. Displays the most active services on your monitored network.

Using Dashboards Understanding the Predefined Widgets Chapter 3 Custom Analysis Widget Presets (Continued) Preset Unique Intrusion Events by Destination IP Unique Intrusion Events by Impact White List Violations Description Displays the most active targeted hosts.9. if you configure a single time window and then access any type of event from the Custom Analysis widget. constrained by the dashboard time range. For example. the events appear in the default workflow for that event type. For more information on time windows. and the health monitoring time window changes to the dashboard time range. see Default Time Windows on page 29 and Specifying Time Constraints in Searches in the Analyst Guide. and the global time window changes to the dashboard time range. Displays the number of unique intrusion event types associated with each impact flag level. by violation count? Predefined Dashboards none Requires IPS or DC/MDC + IPS none DC/MDC + IPS + RNA DC + RNA Detailed Dashboard Viewing Associated Events from the Custom Analysis Widget Requires: Any Depending on the kind of data that a Custom Analysis widget is configured to display. the events appear in the default health events workflow. When you invoke an event view from the dashbaord. a workflow) that provides detailed information about the events displayed in the widget. if you configure multiple time windows on your Defense Center and then access health events from a Custom Analysis widget. the events appear in the default workflow for that event type. This also changes the appropriate time window for the appliance. you can invoke an event view (that is. based on the number of unique intrusion events per targeted host. Displays the hosts with the most white list violations. Version 4.1 Sourcefire 3D System Administrator Guide 78 . As another example. depending on how many time windows you have configured and on what type of event you are trying to view.

To view associated events from the Custom Analysis Widget:
Access: Any except Restricted

You have two options, depending on how you configured the widget:
• On widgets configured to show relative occurrences of events (that is, bar graphs), click any event to view associated events constrained by the widget preferences, as well as by that event. You can also click the View All icon in the lower right corner of the widget to view all associated events, constrained by the widget preferences.
• On widgets configured to show flow data over time, click the View All icon in the lower right corner of the widget to view all associated events, constrained by the widget preferences.

For information on working with specific event types, see the following sections:
• Viewing Audit Records on page 567
• Viewing Intrusion Events in the Analyst Guide
• Viewing RNA Network Discovery and Host Input Events in the Analyst Guide
• Viewing Hosts in the Analyst Guide
• Viewing Host Attributes in the Analyst Guide
• Viewing Services in the Analyst Guide
• Viewing Client Applications in the Analyst Guide
• Viewing Vulnerabilities in the Analyst Guide
• Viewing Flow Data in the Analyst Guide
• Viewing RUA Users in the Analyst Guide
• Viewing RUA Events in the Analyst Guide
• Viewing Compliance Events in the Analyst Guide
• Viewing White List Events in the Analyst Guide
• Viewing White List Violations in the Analyst Guide
• Viewing the SEU Import Log in the Analyst Guide
• Working with Active Scan Results in the Analyst Guide
• Understanding Custom Tables in the Analyst Guide

Custom Analysis Widget Limitations
Requires: Any

There are some important points to keep in mind when using the Custom Analysis widget. If you are configuring the widget on a shared dashboard, remember that not all users can view data of all event types, depending on the user’s account privileges. For example, Intrusion Event Analysts cannot view RNA events. Similarly, if you are using a dashboard imported from another appliance, remember that not all appliances have access to data of all event types. For

example, the Master Defense Center does not store flow data.

If your dashboard includes a Custom Analysis widget that displays data that you cannot see, the widget indicates that you are unauthorized to view the data. Note, however, that you (and any other users who share the dashboard) can modify the preferences of the widget to display data that you can see, or even delete the widget. If you want to make sure that this does not happen, save the dashboard as private.

If you configure the widget on a shared dashboard and constrain its events using a private search, the widget resets to not using the search when another user logs in. This affects your view of the widget as well. Remember that only you can access searches that you have saved as private. If you want to make sure that this does not happen, save the dashboard as private.

You enable or disable the Custom Analysis widget from the Dashboard settings in your system policy. For more information, see Configuring Dashboard Settings on page 331.

Understanding the Disk Usage Widget
Requires: Any

The Disk Usage widget indicates the percentage of space used on each partition of the appliance’s hard drive. It also shows the capacity of each partition. You can configure the widget to display just the root (/) and /volume partition usage, or you can show these plus the /boot partition usage by modifying the widget preferences. The widget preferences also control how often the widget updates, as well as whether it displays the current disk usage or collected disk usage statistics over the dashboard time range. For more information, see Understanding Widget Preferences on page 64.

Understanding the Interface Traffic Widget
Requires: Any

The Interface Traffic widget shows the rate of traffic received (Rx) and transmitted (Tx) on the appliance’s interfaces over the dashboard time range. Note that only 3D Sensors have interfaces other than the management interface.

The widget preferences control how often the widget updates. On 3D Sensors, the preferences also control whether the widget displays the traffic rate for unused interfaces (by default, the widget only displays the traffic rate for interfaces that belong to an interface set). For more information, see Understanding Widget Preferences on page 64.

Understanding the Intrusion Events Widget
Requires: IPS or DC/MDC + IPS

The Intrusion Events widget shows the rate of intrusion events that occurred over the dashboard time range. On the Defense Center and Master Defense Center, this includes statistics on intrusion events of different impacts. On the 3D Sensor, the widget can display statistics for dropped intrusion events, all intrusion events, or both. Note that for managed 3D Sensors, you must enable local event storage or the widget will not have any data to display.

On the Defense Center and Master Defense Center, you can configure the widget to display intrusion events of different impacts by modifying the widget preferences. On the 3D Sensor, you cannot configure the widget to display

intrusion events by impact. On either appliance, you can display dropped events.

In the widget preferences, you can:
• (Requires: DC/MDC) select one or more Event Flags check boxes to display separate graphs for events of specific impacts. For more information, see Using Impact Flags to Evaluate Events in the Analyst Guide
• select All to display an additional graph for all intrusion events, regardless of impact or rule state
• select Show to choose Events per second or Total events
• select Vertical Scale to choose Linear (incremental) or Logarithmic (factor of ten) scale

The preferences also control how often the widget updates. For more information, see Understanding Widget Preferences on page 64. The following graphic shows the Defense Center version of the widget preferences.

On the Intrusion Events widget, you can:
• (Requires: DC/MDC) click a graph corresponding to a specific impact to view intrusion events of that impact
• click the graph corresponding to dropped events to view dropped events
• click the All graph to view all intrusion events

Note that the resulting event view is constrained by the dashboard time range. In addition, accessing intrusion events via the dashboard changes the events (or global) time window for the appliance. For more information on intrusion events, see Viewing Intrusion Events in the Analyst Guide.

Understanding the Network Compliance Widget
Requires: DC

The Network Compliance widget summarizes your hosts’ compliance with the compliance white lists you configured (see Using RNA as a Compliance Tool in the Analyst Guide). By default, the widget displays a pie chart that shows the

number of hosts that are compliant, non-compliant, and that have not been evaluated, for all compliance white lists that you have created.

You can configure the widget to display network compliance either for all white lists, or for a specific white list, by modifying the widget preferences. Note that if you choose to display network compliance for all white lists, the widget considers a host to be non-compliant if it is not compliant with any of the white lists on the Defense Center, including white lists that are no longer in active compliance policies. To bring these hosts into compliance, delete the unused white lists.

You can also use the widget preferences to specify which of three different styles you want to use to display network compliance. The Network Compliance style (the default) displays a pie chart that shows the number of hosts that are compliant, non-compliant, and that have not been evaluated. You can click the pie chart to view the host violation count, which lists the hosts that violate at least one white list. For more information, see Viewing White List Violations in the Analyst Guide.
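The counting rule above (a host is non-compliant for the "all white lists" view if any white list, including one no longer in an active policy, marks it non-compliant) is easy to misread, so here is an added example that models it. This is illustrative code written for this guide, not Sourcefire's own implementation; the per-host, per-white-list results, the host addresses and the white list names are constructed, and the rule that a host with no results at all counts as not evaluated is an assumption.

```python
from typing import Dict, Iterable, List, Optional

COMPLIANT = "compliant"
NON_COMPLIANT = "non-compliant"
NOT_EVALUATED = "not evaluated"

# Constructed sample: host -> {white list name -> that host's status for the list}.
# "legacy-dmz" stands in for a white list that is no longer in an active compliance
# policy but still exists on the Defense Center.
SAMPLE_HOSTS: Dict[str, Dict[str, str]] = {
    "10.0.1.10": {"web-servers": COMPLIANT, "legacy-dmz": NON_COMPLIANT},
    "10.0.1.11": {"web-servers": COMPLIANT},
    "10.0.1.12": {"web-servers": NON_COMPLIANT},
    "10.0.2.5": {},  # never evaluated against any white list
}


def host_status(results: Dict[str, str], white_lists: Optional[Iterable[str]] = None) -> str:
    """Overall status of one host.

    white_lists=None means the widget's "all white lists" view: every list on the
    Defense Center is considered. A single non-compliant result makes the host
    non-compliant; otherwise any compliant result makes it compliant; a host with
    no results for the selected lists is reported as not evaluated (assumption).
    """
    if white_lists is None:
        selected = list(results.values())
    else:
        selected = [results.get(name, NOT_EVALUATED) for name in white_lists]
    if NON_COMPLIANT in selected:
        return NON_COMPLIANT
    if COMPLIANT in selected:
        return COMPLIANT
    return NOT_EVALUATED


def network_compliance(hosts: Dict[str, Dict[str, str]],
                       white_lists: Optional[Iterable[str]] = None) -> Dict[str, int]:
    """Counts behind the pie chart: compliant / non-compliant / not evaluated."""
    lists = list(white_lists) if white_lists is not None else None
    counts = {COMPLIANT: 0, NON_COMPLIANT: 0, NOT_EVALUATED: 0}
    for results in hosts.values():
        counts[host_status(results, lists)] += 1
    return counts


def violating_hosts(hosts: Dict[str, Dict[str, str]],
                    white_lists: Optional[Iterable[str]] = None) -> List[str]:
    """Hosts that violate at least one selected white list (the host violation count view)."""
    lists = list(white_lists) if white_lists is not None else None
    return sorted(h for h, r in hosts.items() if host_status(r, lists) == NON_COMPLIANT)


def delete_white_list(hosts: Dict[str, Dict[str, str]], name: str) -> Dict[str, Dict[str, str]]:
    """Model the remedy the guide gives: deleting an unused white list removes its results."""
    return {h: {w: s for w, s in r.items() if w != name} for h, r in hosts.items()}


if __name__ == "__main__":
    print("all white lists:", network_compliance(SAMPLE_HOSTS))
    print("web-servers only:", network_compliance(SAMPLE_HOSTS, ["web-servers"]))
    print("after deleting legacy-dmz:",
          network_compliance(delete_white_list(SAMPLE_HOSTS, "legacy-dmz")))
```

Running it shows 10.0.1.10 counted as non-compliant in the all-lists view solely because of the stale legacy-dmz list, and counted as compliant once that list is deleted or the widget is constrained to web-servers.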

The Network Compliance over Time (%) style displays a stacked area graph showing the relative proportion of hosts that are compliant, non-compliant, and that have not yet been evaluated, over the dashboard time range. The Network Compliance over Time style displays a line graph that shows the number of hosts that are compliant, non-compliant, and that have not yet been evaluated, over the dashboard time range. You can check the Show Not Evaluated box to hide events which have not been evaluated.

The preferences control how often the widget updates. For more information, see Understanding Widget Preferences on page 64.

Understanding the Product Licensing Widget
Requires: DC

The Product Licensing widget shows the feature licenses currently installed on the Defense Center, including temporary licenses. It also indicates the number of items (such as hosts or users) licensed and the number of remaining licensed items allowed.

The top section of the widget displays all of the feature licenses installed on the Defense Center, while the Temporary Licenses section displays only temporary and expired licenses. For example, if you have two feature licenses for RNA Hosts, one of which is a permanent license and

allows 750 hosts, and another that is temporary and allows an additional 750 hosts, the top section of the widget displays an RNA Hosts feature license with 1500 licensed hosts, while the Temporary Licenses section displays an RNA Hosts feature license with 750 hosts. The bars in the widget background show the percentage of each type of license that is being used; you should read the bars from right to left. Expired licenses are marked with a strikethrough.

You can configure the widget to display either the features that are currently licensed, or all the features that you can license, by modifying the widget preferences. The preferences also control how often the widget updates. For more information, see Understanding Widget Preferences on page 64.

You can click any of the license types to go to the License page of the System Settings and add or delete feature licenses. For more information, see Managing Your Feature Licenses on page 370.

Understanding the Product Updates Widget
Requires: Any

The Product Updates widget provides you with a summary of the software (Sourcefire 3D System software, SEU, and VDB) currently installed on the appliance as well as information on available updates that you have downloaded, but not yet installed, for that software.

Note that the widget displays Unknown as the latest version of the software unless you have configured a scheduled task to download, push, or install software updates; the widget uses scheduled tasks to determine the latest version. For more information, see Scheduling Tasks on page 425.

The widget also provides you with links to pages where you can update the software. The Defense Center version of the widget provides you with similar links so you can update the software on your managed sensors. Note that you cannot update the VDB on a sensor or a Master Defense Center.

You can configure the widget to hide the latest versions by modifying the widget preferences. The preferences also control how often the widget updates. For more information, see Understanding Widget Preferences on page 64.
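The Product Licensing widget described above sums permanent and temporary licenses for a feature (750 + 750 gives 1500 licensed hosts) and lists temporary and expired licenses separately. The following is an added example, written for this guide rather than taken from Sourcefire's code, that reproduces those numbers from a constructed license list; it assumes that an expired license no longer counts toward the licensed total and that the usage figures are supplied by the caller.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FeatureLicense:
    feature: str
    count: int                 # hosts, users, etc. allowed by this license
    expires: Optional[date]    # None means a permanent license


@dataclass
class LicenseSummary:
    feature: str
    licensed: int    # top section: total of all unexpired licenses for the feature
    temporary: int   # part of that total that comes from unexpired temporary licenses
    expired: int     # items on expired licenses (shown with a strikethrough, not counted)
    in_use: int

    @property
    def remaining(self) -> int:
        return max(self.licensed - self.in_use, 0)

    @property
    def percent_used(self) -> float:
        """Fill level of the background bar for this license type."""
        if self.licensed == 0:
            return 0.0
        return round(100.0 * self.in_use / self.licensed, 1)


# Constructed sample: the guide's RNA Hosts example plus a second feature with
# one expired temporary license. Dates and counts are illustrative only.
TODAY = date(2010, 7, 12)
SAMPLE_LICENSES: List[FeatureLicense] = [
    FeatureLicense("RNA Hosts", 750, None),
    FeatureLicense("RNA Hosts", 750, date(2010, 12, 31)),
    FeatureLicense("RUA Users", 500, None),
    FeatureLicense("RUA Users", 200, date(2010, 1, 31)),   # expired relative to TODAY
]
SAMPLE_USAGE: Dict[str, int] = {"RNA Hosts": 1200, "RUA Users": 480}


def is_expired(lic: FeatureLicense, today: date) -> bool:
    return lic.expires is not None and lic.expires < today


def summarize_licenses(licenses: List[FeatureLicense], usage: Dict[str, int],
                       today: date) -> Dict[str, LicenseSummary]:
    """Per-feature totals as the top section of the widget would show them."""
    summary: Dict[str, LicenseSummary] = {}
    for lic in licenses:
        row = summary.setdefault(
            lic.feature, LicenseSummary(lic.feature, 0, 0, 0, usage.get(lic.feature, 0)))
        if is_expired(lic, today):
            row.expired += lic.count          # assumption: expired items are not licensed
        else:
            row.licensed += lic.count
            if lic.expires is not None:
                row.temporary += lic.count
    return summary


def temporary_section(licenses: List[FeatureLicense],
                      today: date) -> List[Tuple[str, int, bool]]:
    """Rows of the Temporary Licenses section: (feature, count, expired?)."""
    return [(lic.feature, lic.count, is_expired(lic, today))
            for lic in licenses if lic.expires is not None]


if __name__ == "__main__":
    for row in summarize_licenses(SAMPLE_LICENSES, SAMPLE_USAGE, TODAY).values():
        print(f"{row.feature}: {row.licensed} licensed, {row.remaining} remaining, "
              f"{row.percent_used}% used")
    for feature, count, expired in temporary_section(SAMPLE_LICENSES, TODAY):
        print(f"  temporary: {feature} {count}{' (expired)' if expired else ''}")
```

The RNA Hosts row comes out at 1500 licensed with 750 of that temporary, matching the guide's example; the expired RUA Users license appears only in the temporary section, flagged for the strikethrough.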

On the Product Updates widget, you can:
• manually update an appliance by clicking the current version of the Sourcefire 3D System software, SEU, or VDB. For more information, see Updating System Software on page 398 and Importing SEUs and Rule Files in the Analyst Guide
• create a scheduled task to download the latest version of the Sourcefire 3D System software, SEU, or VDB by clicking either the latest version or the Unknown link in the Latest column. For more information, see Scheduling Tasks on page 425

Understanding the RSS Feed Widget
Requires: Any

The RSS Feed widget adds an RSS feed to a dashboard. By default, the widget shows a feed of Sourcefire company news. You can also configure the widget to display a preconfigured feed of Sourcefire security news, or you can create a custom connection to any other RSS feed by specifying its URL in the widget preferences. Keep in mind that the appliance must have access to the Sourcefire web site (for the two preconfigured feeds) or to any custom feed you configure.

Feeds update every 24 hours (although you can manually update the feed) and the widget displays the last time the feed was updated based on the local time of the appliance. When you configure the widget, you can also choose how many stories from the feed you want to show in the widget, as well as whether you want to show descriptions of the stories along with the headlines. Keep in mind that not all RSS feeds use descriptions.
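To make the widget's behaviour concrete (a story limit, optional descriptions that some feeds omit, and a 24-hour refresh interval), here is an added example that parses an already-fetched RSS 2.0 document into the rows the widget would display. It is illustrative code written for this guide, not Sourcefire's implementation; the feed content and the example.invalid URLs are constructed, and no network access is performed.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# The guide states that feeds update every 24 hours unless refreshed manually.
FEED_REFRESH_INTERVAL = timedelta(hours=24)


@dataclass(frozen=True)
class Story:
    title: str
    link: str
    description: Optional[str]   # None when the feed has no description or it is hidden


@dataclass(frozen=True)
class FeedView:
    site_link: str               # target of the widget's "more" link
    stories: List[Story]
    last_updated: datetime       # appliance-local time of the last fetch


# Constructed sample feed: the second story has no <description>, the third has
# a whitespace-only one, both of which the widget must tolerate.
SAMPLE_FEED = """<rss version="2.0">
  <channel>
    <title>Constructed sample feed</title>
    <link>https://example.invalid/news</link>
    <item>
      <title>Constructed story one</title>
      <link>https://example.invalid/news/1</link>
      <description>First description.</description>
    </item>
    <item>
      <title>Constructed story two</title>
      <link>https://example.invalid/news/2</link>
    </item>
    <item>
      <title>Constructed story three</title>
      <link>https://example.invalid/news/3</link>
      <description>   </description>
    </item>
  </channel>
</rss>"""


def parse_feed(xml_text: str, max_stories: int, show_descriptions: bool,
               fetched_at: datetime) -> FeedView:
    """Reduce an RSS 2.0 document to at most max_stories displayable stories."""
    root = ET.fromstring(xml_text)
    channel = root.find("channel")
    if channel is None:
        raise ValueError("not an RSS 2.0 document: no <channel> element")
    site_link = (channel.findtext("link") or "").strip()
    stories: List[Story] = []
    for item in channel.findall("item"):
        if len(stories) >= max_stories:
            break
        title = (item.findtext("title") or "").strip()
        link = (item.findtext("link") or "").strip()
        if not title or not link:
            continue  # nothing clickable to show; skip the entry
        desc = item.findtext("description") if show_descriptions else None
        desc = desc.strip() if desc and desc.strip() else None
        stories.append(Story(title, link, desc))
    return FeedView(site_link, stories, fetched_at)


def render_lines(view: FeedView) -> List[str]:
    """Headline per story, with the description appended only when one exists."""
    return [f"{s.title}: {s.description}" if s.description else s.title
            for s in view.stories]


def refresh_due(view: FeedView, now: datetime) -> bool:
    """True once the 24-hour interval since the last update has elapsed."""
    return now - view.last_updated >= FEED_REFRESH_INTERVAL


if __name__ == "__main__":
    fetched = datetime(2010, 7, 12, 13, 56)
    view = parse_feed(SAMPLE_FEED, max_stories=2, show_descriptions=True, fetched_at=fetched)
    for line in render_lines(view):
        print(line)
    print("more ->", view.site_link, "| refresh due:", refresh_due(view, fetched + timedelta(hours=25)))
```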

On the RSS Feed widget, you can:
• click one of the stories in the feed to view the story
• click the more link to go to the feed’s web site
• click the update icon to manually update the feed

Understanding the System Load Widget
Requires: Any

The System Load widget shows the CPU usage (for each CPU), memory (RAM) usage, and system load (also called the load average, measured by the number of processes waiting to execute) on the appliance, both currently and over the dashboard time range.

You can configure the widget to show or hide the load average by modifying the widget preferences. The preferences also control how often the widget updates. For more information, see Understanding Widget Preferences on page 64.

Understanding the System Time Widget
Requires: Any

The System Time widget shows the local system time, uptime, and boot time for the appliance.

You can configure the widget to hide the boot time by modifying the widget preferences. The preferences also control how often the widget synchronizes with the appliance’s clock. For more information, see Understanding Widget Preferences on page 64.

Understanding the White List Events Widget
Requires: DC/MDC

The White List Events widget shows the average events per second by priority, over the dashboard time range. You can configure the widget to display white list events of different priorities by modifying the widget preferences.

In the widget preferences, you can:
• select one or more Priorities check boxes to display separate graphs for events of specific priorities, including events that do not have a priority
• select Show All to display an additional graph for all white list events, regardless of priority
• select Vertical Scale to choose Linear (incremental) or Logarithmic (factor of ten) scale

The preferences also control how often the widget updates. For more information, see Understanding Widget Preferences on page 64.

You can click a graph to view white list events of a specific priority, or click the All graph to view all white list events. In either case, the events are constrained by the dashboard time range. In addition, accessing white list events via the dashboard changes the events (or global) time window for the Defense Center. For more information on white list events, see Viewing White List Events in the Analyst Guide.

Working with Dashboards
Requires: Any

You manage dashboards on the Dashboard List page (see Viewing Dashboards on page 91). You can create, view, modify, export, and delete dashboards. For each dashboard, the page indicates the owner (that is, the user who created it) and whether a dashboard is private. Note that, unless you have Admin access, you cannot view or modify private dashboards created by other users; you can only see your own private dashboards. Finally, the page indicates which dashboard is the default. You specify the default dashboard in your user preferences; for more information, see Specifying Your Default Dashboard on page 35.

For more information on working with dashboards, see:
• Creating a Custom Dashboard on page 89
• Viewing Dashboards on page 91
• Modifying Dashboards on page 93
• Deleting a Dashboard on page 97
• Exporting a Dashboard on page 585

Creating a Custom Dashboard
Requires: Any

When you create a new dashboard, you can choose to base it on any pre-existing dashboard, including the Sourcefire default dashboard, or on any user-defined dashboard. This makes a copy of the pre-existing dashboard. Then, you can modify this copy to suit your needs. Optionally, you can create a blank new dashboard by choosing not to base your dashboard on any pre-existing dashboards.

You must also specify (or disable) the tab change and page refresh intervals. These settings determine how often the dashboard cycles through its tabs and how often the entire dashboard page refreshes. Note that you do not need to refresh the entire dashboard to see data updates; individual widgets update according to their preferences. Refreshing the entire dashboard allows you to see any preference or layout changes that were made to a shared dashboard by another user, or that you made to a private dashboard on another computer, since the last time the dashboard refreshed.

This can be useful, for example, in a network operations center (NOC) where a dashboard is displayed at all times. If you want to make changes to the dashboard, you can make the changes at a local computer. Then, the dashboard in the NOC automatically refreshes at the interval you specify and displays your changes without you having to manually refresh the dashboard in the NOC.

Finally, you can choose to associate the new dashboard with your user account by saving it as a private dashboard. If you choose not to save the dashboard as private, all other users of the appliance can view it. You should also keep in mind that any user, regardless of role, can modify shared dashboards. If you want to make sure that only you can modify a particular dashboard, save it as private.

Note that the dashboard widgets you can view depend on the type of appliance you are using and on your user role. Keep in mind that because not all user roles have access to all dashboard widgets, users with fewer permissions viewing a dashboard created by a user with more permissions may not be able to use all of the widgets on the dashboard. Although the unauthorized widgets still appear on the dashboard, they are disabled.

TIP! Instead of creating a new dashboard, you can export a dashboard from another appliance and then import it onto your appliance. You can then edit the imported dashboard to suit your needs. For more information, see Importing and Exporting Objects on page 583. Note that a dashboard created on the Defense Center and imported onto a 3D Sensor or Master Defense Center, for example, may display some invalid, disabled widgets.

To create a new dashboard:
Access: Any except Restricted

1. Select Analysis & Reporting > Event Summary > Dashboards. If you have a default dashboard defined, it appears. If you do not have a default dashboard defined, the Dashboard List page appears.
2. In either case, click New Dashboard. The New Dashboard page appears.
3. Type a name and optional description for the dashboard.
4. Use the Copy Dashboard drop-down list to select the dashboard on which you want to base the new dashboard. You can select any predefined or user-defined dashboard. Optionally, select None (the default) to create a blank dashboard.

5. In the Change Tabs Every field, specify (in minutes) how often the dashboard should change tabs. Unless you pause the dashboard or your dashboard has only one tab, this setting advances your view to the next tab at the interval you specify. To disable tab cycling, enter 0 in the Change Tabs Every field.
6. In the Refresh Page Every field, specify (in minutes) how often the current dashboard tab should refresh with new data. Unless you pause the dashboard, this setting will refresh the entire dashboard at the interval you specify. This value must be greater than the Change Tabs Every setting. To disable the periodic page refresh, enter 0 in the Refresh Page Every field. Note that this setting is separate from the update interval available on many individual widgets; widgets will update according to their individual preferences even if you disable the Refresh Page Every setting, although refreshing the dashboard page resets the update interval on individual widgets.
7. Optionally, select the Save As Private check box to associate the dashboard with your user account and to prevent other users from viewing and modifying the dashboard.
8. Click Save. Your dashboard is created and appears in the web interface. You can now tailor it to suit your needs by adding tabs and widgets (and, if you based it on a pre-existing dashboard, by rearranging and deleting widgets). For more information, see Modifying Dashboards on page 93.

Viewing Dashboards
Requires: Any

By default, the home page for your appliance displays the default dashboard. If you do not have a default dashboard defined, the home page shows the Dashboard List page, where you can choose a dashboard to view. You can also change the default dashboard.

TIP! You can configure your appliance to display a different default home page, including pages that are not dashboard pages. For more information, see Specifying Your Home Page on page 35 and Specifying Your Default Dashboard on page 35.

To view the details of all available dashboards, click Dashboards from the Dashboard toolbar.

Each dashboard has a time range that constrains its widgets. You can change the time range to reflect a period as short as the last hour (the default) or as long as the last year. When you change the time range, the widgets that can be constrained by time automatically update to reflect the new time range. Note that not all widgets can be constrained by time. For example, the dashboard time range has no effect on the Appliance Information widget, which provides

information that includes the appliance name, model, and current version of the Sourcefire 3D System software. Keep in mind that for enterprise deployments of the Sourcefire 3D System, changing the time range to a long period may not be useful for widgets like the Custom Analysis widget, depending on how often newer events replace older events.

IMPORTANT! Although your session normally logs you out after 3.5 hours of inactivity, this will not happen while you are viewing a dashboard.

To view a dashboard:
Access: Any except Restricted

1. Select Analysis & Reporting > Event Summary > Dashboards. You have two options, depending on whether you have a default dashboard defined:
• If you have a default dashboard defined, it appears. To view a different dashboard, use the Dashboards menu on the toolbar.
• If you do not have a default dashboard defined, the Dashboard List page appears.
2. Click View next to the dashboard you want to view. The dashboard you selected appears.

To change the dashboard time range:
Access: Any except Restricted

From the Show the Last drop-down list, choose a dashboard time range. Unless the dashboard is paused, all appropriate widgets on the page update to reflect the new time range.

You can also pause a dashboard, which allows you to examine the data provided by the widgets without the display changing and interrupting your analysis. Pausing a dashboard has the following effects:
• Individual widgets stop updating, regardless of any Update Every widget preference.
• Dashboard pages stop refreshing, regardless of the Refresh Page Every setting in the dashboard properties.
• Dashboard tabs stop cycling, regardless of the Cycle Tabs Every setting in the dashboard properties.
• Changing the time range has no effect.

When you are finished with your analysis, you can unpause the dashboard. Unpausing the dashboard causes all the appropriate widgets on the page to update to reflect the current time range. In addition, dashboard tabs resume cycling and the dashboard page resumes refreshing according to the settings you specified in the dashboard properties.

To pause the dashboard:
Access: Any except Restricted

On the time range control, click the pause icon. The dashboard is paused until you unpause it.

To unpause the dashboard:
Access: Any except Restricted

On the time range control of a paused dashboard, click the play icon. The dashboard is unpaused.

Modifying Dashboards
Requires: Any

Each dashboard has one or more tabs. Each tab can display one or more widgets in a three-column layout. You can add, delete, and rename tabs, add and remove widgets from tabs, as well as rearrange the widgets on a tab. You can minimize and maximize widgets. Note that you cannot change the order of dashboard tabs.

You can also change the basic dashboard properties, which include its name and description, the tab cycle and page refresh intervals, and whether you want to share the dashboard with other users.

IMPORTANT! Any user, regardless of role, can modify shared dashboards. If you want to make sure that only you can modify a particular dashboard, make sure to set it as a private dashboard in the dashboard properties.

For more information, see the following sections:
• Changing Dashboard Properties on page 93
• Adding Tabs on page 94
• Deleting Tabs on page 95
• Renaming Tabs on page 95
• Adding Widgets on page 95
• Rearranging Widgets on page 97
• Minimizing and Maximizing Widgets on page 97
• Deleting Widgets on page 97

Changing Dashboard Properties
Requires: Any

Use the following procedure to change the basic dashboard properties, which include its name and description, the tab cycle and page refresh intervals, and whether you want to share the dashboard with other users.

See Creating a Custom Dashboard on page 89 for information on the various configurations you can change.

To change a dashboard’s properties:
Access: Any except Restricted

1. Select Analysis & Reporting > Event Summary > Dashboards. If you have a default dashboard defined, it appears; continue with the next step. If you do not have a default dashboard defined, the Dashboard List page appears; skip to step 3.
2. On the toolbar, click Dashboards. The Dashboard List page appears.
3. Click Edit next to the dashboard whose properties you want to change. The Edit Dashboard page appears.
4. Make changes as needed and click Save. The dashboard is changed.

Adding Tabs
Requires: Any

Use the following procedure to add a tab to a dashboard.

To add a tab to a dashboard:
Access: Any except Restricted

1. View the dashboard where you want to add a tab. For more information, see Viewing Dashboards on page 91.
2. To the right of the existing tabs, click the add tab icon. A pop-up window appears, prompting you to name the tab.
3. Type a name for the tab and click OK, or simply click OK to accept the default name. The new tab is added. Note that you can rename the tab at any time; see Renaming Tabs on page 95. You can now add widgets to the new tab. For more information, see Adding Widgets on page 95.

Deleting Tabs
Requires: Any

Use the following procedure to delete a dashboard tab and all its widgets. You cannot delete the last tab from a dashboard; each dashboard must have at least one tab.

To delete a tab from a dashboard:
Access: Any except Restricted

1. View the dashboard where you want to delete a tab. For more information, see Viewing Dashboards on page 91.
2. On the tab you want to delete, click the delete icon.
3. Confirm that you want to delete the tab. The tab is deleted.

Renaming Tabs
Requires: Any

Use the following procedure to rename a dashboard tab.

To rename a tab:
Access: Any except Restricted

1. View the dashboard where you want to rename a tab. For more information, see Viewing Dashboards on page 91.
2. Click the tab you want to rename.
3. Click the tab title. A pop-up window appears, prompting you to rename the tab.
4. Type a name for the tab and click OK. The tab is renamed.

Adding Widgets
Requires: Any

To add a widget to a dashboard, you must first decide to which tab you want to add the widget. When you add a widget to a tab, the appliance automatically adds it to the column with the fewest widgets. If all columns have an equal number of widgets, the new widget is added to the left-most column. You can add a maximum of 15 widgets to a dashboard tab.

TIP! After you add widgets, you can move them to any location on the tab. You cannot, however, move widgets from tab to tab. For more information, see Rearranging Widgets on page 97.

To add a widget to a dashboard:
Access: Any except Restricted

1. View the dashboard where you want to add a widget. For more information, see Viewing Dashboards on page 91.

2. Select the tab where you want to add the widget.
3. Click Add Widgets. The Add Widgets page appears. The widgets that you can add depend on the type of appliance you are using and on your user role. They are organized according to function: Analysis & Reporting, Operations, and Miscellaneous. You can view the widgets in each category by clicking on the category name, or you can view all widgets by clicking All Categories.
4. Click Add next to the widgets you want to add. The widget is immediately added to the dashboard. The Add Widgets page indicates how many widgets of each type are on the tab, including the widget you just added.

TIP! To add multiple widgets of the same type (for example, you may want to add multiple RSS Feed widgets, or multiple Custom Analysis widgets), click Add again.

5. Optionally, when you are finished adding widgets, click Done to return to the dashboard. The tab where you added the widgets appears again, reflecting the changes you made.

Rearranging Widgets
Requires: Any

You can change the location of any widget on a tab. Note, however, that you cannot move widgets from tab to tab. If you want a widget to appear on a different tab, you must delete it from the existing tab and add it to the new tab.

To move a widget:
Access: Any except Restricted

Click the title bar of the widget you want to move, then drag it to its new location.

Minimizing and Maximizing Widgets
Requires: Any

You can minimize widgets to simplify your view, then maximize them when you want to see them again.

To minimize a widget:
Access: Any except Restricted

Click the minimize icon in a widget’s title bar.

To maximize a widget:
Access: Any except Restricted

Click the maximize icon in a minimized widget’s title bar.

Deleting Widgets
Requires: Any

Delete a widget if you no longer want to view it on a tab.

To delete a widget:
Access: Any except Restricted

1. Click the close icon in the title bar of the widget.
2. Confirm that you want to delete the widget. The widget is deleted from the tab.

Deleting a Dashboard
Requires: Any

Delete a dashboard if you no longer need to use it. If you delete your default dashboard, you must define a new default or the appliance will force you to select a dashboard to view every time you attempt to view a dashboard. For more information, see Specifying Your Default Dashboard on page 35.

To delete a dashboard:
Access: Any except Restricted

1. Select Analysis & Reporting > Event Summary > Dashboards. If you have a default dashboard defined, it appears; continue with the next step. If you do not have a default dashboard defined, the Dashboard List page appears; skip to step 3.

2. On the toolbar, click Dashboards. The Dashboard List page appears.
3. Click Delete next to the dashboard you want to delete.
4. Confirm that you want to delete the dashboard. The dashboard is deleted.

Chapter 4 Using the Defense Center

The Sourcefire Defense Center is a key component in the Sourcefire 3D System. You can use the Defense Center to manage the full range of sensors that are a part of the Sourcefire 3D System, and to aggregate, analyze, and respond to the threats they detect on your network. By using the Defense Center to manage sensors, you can configure policies for all your sensors from a single location, making it easier to change configurations. In addition, you can push various types of software updates to sensors. You can also push health policies to your managed sensors and monitor their health status from the Defense Center. The Defense Center aggregates and correlates intrusion events, network discovery information, and sensor performance data, allowing you to monitor the information that your sensors are reporting in relation to one another and to assess the overall activity occurring on your network.
IMPORTANT! Some of the components in the Sourcefire 3D System (such as the Virtual 3D Sensors, 3Dx800 sensors, Intrusion Agents, RNA Software for Red Hat Linux, and Crossbeam-based software sensors) do not provide a web interface that you can use to view events or manage policies. You must use a Defense Center if your deployment includes any of these products.

See the following sections for more information about using the Defense Center to manage your sensors:
• Management Concepts on page 100 describes some of the features and limitations involved with managing your sensors with a Defense Center.
• Working in NAT Environments on page 112 describes the principles of setting up the management of your sensors in Network Address Translation environments.
• Working with Sensors on page 113 describes how to establish and disable connections between sensors and your Defense Center. It also explains how to add, delete, and change the state of managed sensors and how to reset management of a sensor.
• Managing Sensor Groups on page 131 describes how to create sensor groups as well as how to add and remove sensors from groups.
• Editing a Managed Sensor’s System Settings on page 133 describes the sensor attributes you can edit and explains how to edit them.
• Managing a Clustered Pair on page 140 describes how to create a clustered pair of 3D9900s and how to remove 3D9900s from clusters.
• Configuring High Availability on page 145 describes how to set up two Defense Centers as a high availability pair to help ensure continuity of operations.

Management Concepts
Requires: DC
You can use a Defense Center to manage nearly every aspect of a sensor’s behavior. Instead of managing each sensor using its own local web interface, you can use the Defense Center as a central point of management. You can only use a single Defense Center to manage your sensor unless you are using a second Defense Center as a part of a high availability pair. The sections that follow explain some of the concepts you need to know as you plan your Sourcefire 3D System deployment.
• The Benefits of Managing Your Sensors on page 100
• What Can Be Managed by a Defense Center? on page 101
• Understanding Software Sensors on page 105
• Beyond Policies and Events on page 111
• Using Redundant Defense Centers on page 112

The Benefits of Managing Your Sensors
Requires: DC
There are several benefits to using a Defense Center to manage your sensors. First, you can use the Defense Center’s web interface to accomplish nearly any task on any sensor it manages. For example, you can create an intrusion policy on the Defense Center and apply it to all your managed 3D Sensors with IPS. This saves you from having

to replicate the intrusion policy on each sensor, which can be a laborious task depending on how many of the thousands of intrusion rules you want to enable or disable. There is a similar savings when you create and apply RNA appliance and detection policies to managed 3D Sensors with RNA.
Second, when you manage a sensor with a Defense Center, all the intrusion events and RNA events are automatically sent to the Defense Center. You can view the events from a single web interface instead of having to log into each sensor’s interface to view the events there. You can also generate reports based on events from multiple sensors.
Third, the Defense Center includes a feature called health monitoring that you can use to check the status of critical functionality across your Sourcefire 3D System deployment. You can take advantage of health monitoring by applying health policies to each of your managed sensors and then reviewing the health data that they send back to the Defense Center. You can also apply a health policy to the Defense Center to monitor its health.
Fourth, you can also create and apply system policies to your managed sensors. A system policy controls several appliance-level settings such as the login banner and the access control list. Because most of the sensors in your deployment are likely to have similar settings in the system policy, you can create the policy on the Defense Center and push it to the appropriate sensors instead of replicating it locally. You can also use your Defense Center to configure external authentication through a Lightweight Directory Access Protocol (LDAP) or Remote Authentication Dial In User Service (RADIUS) server. You can use user information from an external server to authenticate users on your Sourcefire 3D System appliances. External authentication cannot be managed on the sensor, so you must use the Defense Center to manage it. By pushing a system policy with configured authentication objects to your sensor, you push the external authentication object to the sensor.
Finally, if your Defense Center manages sensors with IPS and RNA, and those sensors view the same network traffic, then the Defense Center can correlate the intrusion events it receives with the information about hosts that RNA provides. The Defense Center can then assign impact flags to each intrusion event. The impact flag indicates how likely it is that an intrusion attempt will affect its target.

What Can Be Managed by a Defense Center?
Requires: DC
You can use your Defense Center as a central management point in a Sourcefire 3D System deployment to manage the following devices:
• Sourcefire 3D Sensors
• RNA Software for Red Hat Linux

• 3D Sensor Software for Crossbeam Systems X-Series
• Intrusion Agents on various platforms
IMPORTANT! Sourcefire recommends that you manage no more than three 3D Sensors with the DC500 model Defense Center. You can also use a DC500 to manage Sourcefire 3D Sensor software on approved platforms, as well as intrusion agents and RNA software on approved platforms. For details on DC500 database limitations see Database Event Limits on page 333.
When you manage a sensor (or a software sensor), information is transmitted between the Defense Center and the sensor over a secure, SSL-encrypted TCP tunnel. The following illustration lists what is transmitted between a Sourcefire Defense Center and its managed sensors. Note that the types of events and policies that are sent between the appliances are based on the sensor type.
If you apply a policy on a sensor before you begin managing it with a Defense Center, you can see a read-only version of the policy on the Defense Center’s web interface.

Similarly, after you set up communications with a Defense Center and apply policies from the Defense Center to your sensor, you can see a read-only version of the running policies on the sensor’s web interface. The following graphics illustrate this process. First, before you set up sensor management, each appliance has its own policies:

Then, after communications are set up, read-only versions of running policies (represented by the dotted lines) are available:
The appliance where you originally create a policy is the policy’s “owner” and is identified that way if you view the policy on a different appliance. If you want to edit a policy, you must do it on the appliance where the policy was created. For example, the following graphic shows the Detection Engine page on a 3D Sensor with IPS. The Sample Intrusion Policy that is currently applied to the sensor’s two detection engines was created on the Defense Center (pine.example.com).
TIP! After you set up management with a Defense Center, Sourcefire recommends that you use only the Defense Center’s web interface to view events and manage policies for your managed sensors.

The following user-created data and configurations are retained locally on the sensor and are not shared with the Defense Center:
• user accounts
• user preferences
• bookmarks
• saved searches
• custom workflows
• report profiles
• audit events
• syslog messages
• reviewed status for intrusion events (IPS only)
• contents of the clipboard (IPS only)
• incidents (IPS only)
If you create custom fingerprints on the Defense Center, they are automatically shared with managed 3D Sensors with RNA. Also note that operations you perform on data on one appliance are not transmitted to other appliances. For example, if you delete an intrusion event from the Defense Center, the event remains on the sensor that discovered it. Similarly, deleting an intrusion event from a sensor does not delete it from the Defense Center.

Understanding Software Sensors
Requires: DC
Several of the sensors you can manage with a Defense Center are software-based sensors. A software-based sensor is a software-only installation of Sourcefire 3D System sensor software. The following Sourcefire 3D System sensors are software-based:
• Intrusion Agents for various platforms - for more information, see Managing Intrusion Agents on page 106
• 3D3800, 3D5800, and 3D9800 sensors - for more information, see Managing 3Dx800 Sensors on page 107
• RNA Software for Red Hat Linux - for more information, see Managing RNA Software for Red Hat Linux on page 109
• 3D Sensor Software with RNA for Crossbeam X-Series - for more information, see Managing 3D Sensor Software with RNA for Crossbeam on page 110
• 3D Sensor Software with IPS for Crossbeam X-Series - for more information, see Managing 3D Sensor Software with IPS for Crossbeam on page 110

Software-based sensors do not have a user interface on the sensor; they can only be managed from a Defense Center. Also, some of the functionality in the Defense Center interface cannot be used with software-based sensors. For some software-based sensors, certain aspects of functionality are managed through the operating system or other features on the appliance.

Managing Intrusion Agents
Requires: DC
The Sourcefire Intrusion Agent transmits events generated by open source Snort sensor installations to the Sourcefire Defense Center. These events can then be viewed along with data from 3D Sensors with IPS so you can easily analyze all the intrusion information gathered on your network. The Defense Center cannot apply intrusion policies to the Intrusion Agent. You must tune your Snort rules and options manually on the computer where the Intrusion Agent resides. In addition, high availability is not supported on Intrusion Agents.
IMPORTANT! When using Intrusion Agents registered to Defense Centers configured for high availability and managed by a Master Defense Center, register all Intrusion Agents to the primary Defense Center.

9. Supported Features for Intrusion Agents Supported through Defense Center • Intrusion event collection and management • Licensing • Reports generated on the Defense Center Supported through CLI and .Using the Defense Center Management Concepts Chapter 4 See the Supported Features for Intrusion Agents table for more information. Version 4. and 3D Sensor 9800 models (usually referred to as the 3Dx800 sensors) provide many of the features found on other 3D Sensors.1 Sourcefire 3D System Administrator Guide 107 . 3D Sensor 5800. because these models do not have a web interface and because configuration and event data cannot be stored on the sensors.conf files • Process management • Registration of remote manager • Rules tuning Not Supported • Detection engine management • Event storage on sensor • Health policy apply • High availability synchronization • Host Statistics • Interface set management • Intrusion policy apply • Network interface management • Network settings • Performance Statistics • Remote backup and restore • Remote reports • Sensor information management (System Settings) • SEU updates • Software updates • System policy apply • Time settings Managing 3Dx800 Sensors Requires: DC + 3D Sensor Sourcefire 3D Sensor 3800. However.

certain features cannot be used with these sensors. See the Supported Features for 3Dx800 Sensors table for more information.

Supported Features for 3Dx800 Sensors
Supported through Defense Center (all 3Dx800 models):
• Detection engine management
• Health policy apply
• High availability synchronization
• Host Statistics
• Interface set management
• Intrusion policy apply (no OPSEC support)
• Intrusion event collection and management
• Licensing
• Performance Statistics (may be underreported because of multiple detection resources)
• Process management
• Reports generated on the Defense Center
• Sensor information management (System Settings)
• SEU updates
• Software updates
• System policy apply
• Time settings
Supported through Defense Center (3D3800 and 3D5800 only):
• Compliance policy apply
• RNA and compliance event collection and management
• RNA detection policy apply
• VDB updates
Supported through CLI:
• Network interface management
• Network settings
• Registration of remote manager
Not Supported:
• Custom fingerprinting
• Event storage on sensor
• Remote backup and restore
• Remote reports

Managing RNA Software for Red Hat Linux
Requires: DC
RNA Software for Red Hat Linux provides many of the features found on 3D Sensors with RNA. However, not all of the features function in the same manner. See the Supported Features for RNA Software for Red Hat Linux table for more information.

Supported Features for RNA Software for Red Hat Linux
Supported through Defense Center:
• Compliance policy apply
• Detection engine management
• High availability synchronization
• Host Statistics
• Interface set management
• Licensing
• Performance Statistics
• Reports generated on the Defense Center
• RNA and compliance event collection and management
• RNA detection policy apply
• Sensor information management (System Settings)
• Software updates
• VDB updates
Supported through CLI:
• Network interface management
• Network settings
• Process management
• Registration of remote manager
• Time settings
Not Supported:
• Custom fingerprinting
• Event storage on sensor
• Health policy apply
• Remote backup and restore
• Remote reports
• System policy apply

Managing 3D Sensor Software with RNA for Crossbeam
Requires: DC
3D Sensor Software with RNA for Crossbeam provides many of the features found on 3D Sensors with RNA. However, not all of the features function in the same manner. See the Supported Features for RNA on Crossbeam table for more information.

Supported Features for RNA on Crossbeam
Supported through Defense Center:
• Compliance policy apply
• Detection engine management
• High availability synchronization
• Host Statistics
• Interface set management
• Licensing
• Performance Statistics
• Reports generated on the Defense Center
• RNA detection policy apply
• RNA and compliance event collection and management
• Sensor information management (in System Settings)
• Software updates
• VDB updates
Supported through Crossbeam X-Series CLI:
• Backup and restore
• Network interface management
• Network settings
• Process management
• Registration of remote manager
• Time settings
Not Supported:
• Custom fingerprinting
• Event storage on sensor
• Health policy apply
• Remote backup and restore
• Remote reports
• System policy apply

Managing 3D Sensor Software with IPS for Crossbeam
Requires: DC
3D Sensor Software with IPS for Crossbeam provides many of the features found on 3D Sensors with IPS. However, because the Crossbeam sensors do not have a user interface and because configuration and event data cannot be stored on

the sensors, certain features cannot be used with this software. See the Supported Features for IPS on Crossbeam table for more information.

Supported Features for IPS on Crossbeam
Supported through Defense Center:
• Detection engine management
• High availability synchronization
• Host Statistics
• Interface set management
• Intrusion policy apply
• Intrusion event collection and management
• Licensing
• Performance Statistics
• Reports generated on the Defense Center
• SEU updates
• Sensor information management (in System Settings)
• Software updates
Supported through Crossbeam X-Series CLI:
• Backup and restore
• Network interface management
• Network settings
• Process management
• Registration of remote manager
• Time settings
Not Supported:
• Custom fingerprinting
• Event storage on sensor
• Health policy apply
• Remote backup and restore
• Remote reports
• System policy apply

Beyond Policies and Events
Requires: DC
In addition to applying policies to sensors and receiving events from them, you can also perform other sensor-related tasks on the Defense Center.
Backing Up a Sensor
If you are storing event data on your sensor in addition to sending it to the Defense Center, you can use the Defense Center’s web interface to back up those events from the sensor. See Performing Sensor Backup with the Defense Center on page 419 for more information.
Running Remote Reports
You can create a report profile on the Defense Center and run it remotely using the data on a managed sensor. This is particularly useful if you want to generate a report for the audit events on a managed sensor. Audit events are stored locally

and are not sent to the Defense Center, but you can design a report on the Defense Center, select a managed sensor, and run the report. If you set up the report so that it is automatically emailed to you, you do not even need a user account on the sensor to read the resulting report. See Working with Event Reports on page 232 for more information.
Updating Sensors
From time to time, Sourcefire releases updates to the Sourcefire 3D System, including:
• Security Enhancement Updates (SEUs), which can contain new and updated intrusion rules, as well as new and updated preprocessors and protocol decoders
• vulnerability database updates
• software patches and updates
You can use the Defense Center to push an update to the sensors it manages and then automatically install the update.

Using Redundant Defense Centers
Requires: DC
You can set up two Defense Centers as a high availability pair. This ensures redundant functionality in case one of the Defense Centers fails. Policies, user accounts, and more are shared between the two Defense Centers. Events are automatically sent to both Defense Centers. See Configuring High Availability on page 145 for more information.

Working in NAT Environments
Requires: Any
Network address translation (NAT) is a method of transmitting and receiving network traffic through a router that involves reassigning the source or destination IP address as the traffic passes through the router. Typical applications using NAT enable multiple hosts on a private network to use a single public IP address to access the public network.
When you add an appliance, you establish connections between appliances and register the appliances with one another. If you establish that communication in an environment without NAT, the two required pieces of common information during registration are the registration key and the unique IP address or the fully qualified domain name of the host. If you establish that communication in an environment with NAT, the two required pieces of common information during registration are the registration key and the unique NAT ID.
In the example diagram, when you set up the remote office 3D Sensors’ connections to the home office, use the Defense Center’s fully qualified domain name maple.company.com as its host name. For the registration key, you can use snort when adding either sensor, because the registration key does not have to

be unique. However, you must use a unique NAT ID when adding the New York 3D Sensor to the Defense Center, and then use a different unique NAT ID when adding the Miami 3D Sensor. Each NAT ID has to be unique among all NAT IDs used to register sensors on the Defense Center.

Working with Sensors
Requires: DC + 3D Sensor
When you manage a sensor, you set up a two-way, SSL-encrypted communication channel between the Defense Center and the sensor. The Defense Center uses this channel to send information (in the form of policies) to the sensor about how you want to analyze your network traffic. As the sensor evaluates the traffic, it generates events and sends them to the Defense Center using the same channel. You can create the following policies on your Defense Center and apply them to managed sensors:
• health policies
• system policies
• RUA policies

• RNA detection policies
• intrusion policies
There are several steps to managing a sensor with a Defense Center:
1. Begin by setting up a communications channel between the two appliances. This is a two-step process, with procedures that you need to perform on each side of the communications channel. See Adding Sensors to the Defense Center on page 117 for more information. (Deleting Sensors on page 121 explains how to remove a sensor from the Defense Center.)
TIP! The procedure for managing a 3Dx800 sensor differs from the procedure for managing other sensors. See Managing a 3Dx800 Sensor on page 125 for more information. The process for setting up communications between the Defense Center and other products such as the Crossbeam-based software sensors, RNA Software for Red Hat Linux, and the Intrusion Agents is slightly different. Refer to the configuration guides for those products for more information.
2. Create the appropriate policies on the Defense Center and apply them to the sensor or to the appropriate detection engines on the sensor.
• IPS detection engines require an intrusion policy that determines which types of attacks 3D Sensors with IPS detect. See Using Intrusion Policies in the Analyst Guide for more information.
• RNA detection engines require an RNA detection policy, which controls the networks that 3D Sensors with RNA monitor. See What is an RNA Detection Policy? in the Analyst Guide for more information. Note that the system policy applied to the Defense Center controls the types of RNA events that are logged to the database.
• You can create and apply health policies that allow you to monitor the processes and status of your sensors. See Configuring Health Policies on page 489 for more information.
• You can also create and apply system policies, which control certain appliance-level features on your sensors. See Managing System Policies on page 320 for more information.
3. Confirm that you are receiving the events generated by your sensors. See Viewing Intrusion Event Statistics in the Analyst Guide and Viewing RNA Event Statistics in the Analyst Guide for more information.
Many sensor management tasks are performed on the Sensors page and are described in Understanding the Sensors Page on page 115.

Understanding the Sensors Page
Requires: DC + 3D Sensor
The Sensors page (Operations > Sensors) provides you with a range of information and options that you can use to manage your sensors (including software-based sensors), intrusion agents, and sensor groups. The following sections describe some of the features on the Sensors page.
Sort-by Drop-Down List
Use this drop-down list to sort the Sensors page according to your needs. You can sort by:
• Group (that is, sensor group; see Managing Sensor Groups on page 131)
• Model (that is, the sensor model)
You can click the folder icon next to the name of the category to expand and contract the list of sensors.
Virtual Sensor Count
When you manage Virtual 3D Sensors from the Defense Center, the field for a Virtual Sensor count appears above the sensor list on the Sensors page. For details about Virtual 3D Sensors, see the Virtual Defense Center and 3D Sensor Installation Guide.
Sensor List
The first column lists the hostname, sensor type, sensor model, and software version for each sensor. If you use clustered 3D9900 sensors, they are designated in the sensor list by a peer icon. When you hover over the peer icon, you can see which sensors are paired and if you configured the sensor as a master or a slave.
Health Policy
The next column lists the health policy for the sensor, if one has been applied. You can click the name of the health policy to view a read-only version of the policy. See Editing Health Policies on page 530 for information about modifying an existing health policy.

System Policy
The next column lists the currently applied system policy. As with the health policy, you can click the name of the system policy to view a read-only version. See Managing System Policies on page 320 for more information. The policy name and the icon for the system policy in the top row highlight a special feature of the Sensors page. If a policy has a different icon and its name is in italics, that indicates the policy was modified after it was applied to the sensor. The icon and the name of the policy in the bottom row indicate that the version applied to the sensor is up to date. Note that this is the case for any policy that you create and apply from the Defense Center.
Status Icons
The status icons indicate the state of a sensor. The green check mark icon indicates that the sensor and the Defense Center are communicating properly. The red exclamation point icon indicates that the Defense Center has not received communications from the sensor in the last three minutes. If you hover your cursor over the icon, a pop-up window indicates the amount of time (in hours, minutes, and seconds) since the last contact. If the Defense Center has not received a communication from a sensor within the last two minutes, it sends a two-byte heartbeat packet to establish contact and ensure that the communications channel is still running. If your network is constrained in bandwidth, you can contact technical support to change the default time interval.
Edit and Delete Icons
Click the Edit icon next to a sensor if you want to change the sensor’s current system settings. The system settings include the storage settings for the sensor, the remote management configuration, the time, and access to the processes for stopping and restarting the sensor or its software. See Editing a Managed Sensor’s System Settings on page 133 for more information. If you sort your Sensors page by sensor group, you can click the Edit icon next to the name of a sensor group to modify the list of sensors that belong to the group. See Editing Sensor Groups on page 132 for more information.
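The status-icon rules above (a heartbeat is sent after two minutes of silence, the red exclamation icon appears after three minutes, and the hover pop-up shows hours, minutes and seconds since last contact) give a one-missed-heartbeat tolerance before a sensor is flagged. The following Python is an added example, not Sourcefire code, that applies those same thresholds to a set of last-contact records so an administrator can script the check the Sensors page performs visually. The log line layout, sensor names and timestamps are constructed sample data; the Defense Center does not expose its contact records in this format.

```python
"""Sensor liveness check using the Sensors page thresholds.

Added example, not Sourcefire code. The contact-log format below is an
assumption (constructed sample data), chosen so the example runs offline.
"""
from datetime import datetime

HEARTBEAT_AFTER_SECONDS = 2 * 60   # DC sends a two-byte heartbeat after 2 min of silence
STALE_AFTER_SECONDS = 3 * 60       # red exclamation icon after 3 min without contact

# Constructed sample: each line is "<timestamp> sensor=<name> event=<kind>".
SAMPLE_CONTACT_LOG = """\
2010-07-12 13:50:05 sensor=ny-ips01 event=heartbeat-ack
2010-07-12 13:55:40 sensor=miami-rna01 event=events-received
2010-07-12 13:53:30 sensor=ny-ips01 event=events-received
2010-07-12 13:40:00 sensor=lab-3d9900 event=heartbeat-ack
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_timestamp(text):
    """Parse the constructed log timestamp into a datetime."""
    return datetime.strptime(text, TS_FORMAT)


def last_contact(log):
    """Return {sensor name: most recent contact time} from the log text."""
    latest = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        stamp, rest = line[:19], line[20:]
        fields = dict(item.split("=", 1) for item in rest.split())
        when = parse_timestamp(stamp)
        name = fields["sensor"]
        if name not in latest or when > latest[name]:
            latest[name] = when
    return latest


def format_elapsed(seconds):
    """Render elapsed seconds as HH:MM:SS, as the hover pop-up does."""
    hours, rem = divmod(int(seconds), 3600)
    minutes, secs = divmod(rem, 60)
    return f"{hours:02d}:{minutes:02d}:{secs:02d}"


def classify(last_seen, now):
    """Map silence since last contact onto the Sensors page status icon."""
    silent = (now - last_seen).total_seconds()
    return {
        "icon": "red_exclamation" if silent >= STALE_AFTER_SECONDS else "green_check",
        "heartbeat_due": HEARTBEAT_AFTER_SECONDS <= silent < STALE_AFTER_SECONDS,
        "since": format_elapsed(silent),
    }


def sensor_status(log, now_text):
    """Classify every sensor in the log relative to the time given as text."""
    now = parse_timestamp(now_text)
    return {name: classify(seen, now) for name, seen in last_contact(log).items()}


if __name__ == "__main__":
    for name, state in sorted(sensor_status(SAMPLE_CONTACT_LOG, "2010-07-12 13:56:00").items()):
        print(f"{name:12s} {state['icon']:16s} heartbeat_due={state['heartbeat_due']} since={state['since']}")
```

Run stand-alone it prints one line per sensor; lab-3d9900 (sixteen minutes silent) is the only one that would show the red exclamation icon, while ny-ips01 is in the window where the Defense Center has already sent a heartbeat but has not yet flagged the sensor.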

Click the Delete icon next to a sensor if you no longer want to manage the sensor with the Defense Center. See Deleting Sensors on page 121 for more information. If you sort your Sensors page by sensor group, you can click the Delete icon next to the name of a sensor group to remove the sensor group from the Defense Center. See Deleting Sensor Groups on page 133 for more information.

Adding Sensors to the Defense Center
Requires: DC + 3D Sensor
When you manage a sensor, you set up a two-way, SSL-encrypted communication channel between the Defense Center and the sensor. The Defense Center uses this channel to send information about how you want to analyze your network traffic (in the form of policies) to the sensor. As the sensor evaluates the traffic, it generates events and sends them to the Defense Center using the same channel. You can create the following policies on your Defense Center and apply them to managed sensors:
• system policies, which control appliance-level configurations such as database limits, DNS cache settings, and custom login banners
• RNA detection policies, which control RNA data-gathering behavior and determine which networks are monitored by which detection engines
• intrusion policies, which control how protocol decoders and preprocessors are configured and which intrusion rules are enabled
• health policies, which monitor the health of your managed sensors
Note that before you add sensors to a Defense Center, you must make sure that the network settings are configured correctly on the sensor. This is usually completed as part of the installation process, but you can refer to Configuring Network Settings on page 377 for details. You can also add Intrusion Agents to the Defense Center. For more information, see Adding Intrusion Agents on page 130 and the Sourcefire Intrusion Agent Configuration Guide.
IMPORTANT! If you registered a Defense Center and 3D Sensor using IPv4 and want to convert them to IPv6, you must delete and re-register the sensor.

To add a sensor, you need:
• the sensor’s IP address or hostname (in the connection context “hostname” is the fully qualified domain name or the name that resolves through the local DNS to a valid IP address)
• the Defense Center’s IP address or hostname
• to decide if you want to store the events generated by the sensor only on the Defense Center, or on both the Defense Center and the sensor
TIP! Set up the managed appliance first. You must begin the procedure for setting up the management relationship between a Defense Center and a sensor on the sensor.
Three fields are provided for setting up communications between appliances:
• Management Host - for the hostname or IP address.
• Registration Key - for the registration key.
• Unique NAT ID - for a unique alphanumeric ID. Refer to Working in NAT Environments on page 112 for more information.
Valid combinations include:
• Management Host and Registration Key used on both appliances
• Registration Key and Unique NAT ID used on the 3D Sensor with Host, Registration Key, and Unique NAT ID used on the Defense Center
• Management Host, Registration Key, and Unique NAT ID used on the 3D Sensor with Registration Key and Unique NAT ID used on the Defense Center
IMPORTANT! The Management Host or Host field (hostname or IP address) must be used on at least one of the appliances.
To add a sensor to a Defense Center:
Access: Admin
1. Log into the web interface of the sensor you want to add.
2. Select Operations > System Settings. The Information page appears.

3. Click Remote Management.
The Remote Management page appears.
4. Click Add Manager.
The Add Remote Management page appears.
5. In the Management Host field, type the IP address or the host name of the Defense Center that you want to use to manage the sensor.
WARNING! Make sure you use hostnames rather than IP addresses if your network uses DHCP to assign IP addresses.
TIP! You can leave the Management Host field empty if the management host does not have a routable address. In that case, use both the Registration Key and the Unique NAT ID fields.
6. In the Registration Key field, type the one-time use registration key that you want to use to set up a communications channel between the sensor and the Defense Center.
7. Optionally, in the Unique NAT ID field, type a unique alphanumeric ID that you want to use to identify the sensor.
8. Click Save.
After the sensor confirms communication with the Defense Center, the Pending Registration status appears.

9. Log into the Defense Center’s web interface using a user account with Admin access, and select Operations > Sensors.
The Sensors page appears.
10. Click New Sensor.
The Add New Sensor page appears.
11. Type the IP address or the hostname of the sensor you want to add in the Host field.
WARNING! Make sure you use hostnames rather than IP addresses if your network uses DHCP to assign IP addresses.
12. In the Registration Key field, enter the same registration key that you used in step 6.
13. If you used a NAT ID in step 7, enter the same ID in the Unique NAT ID (optional) field.
14. By default, data is stored only on the Defense Center and not on the sensor. You can store data on both the Defense Center and the sensor by clearing the Store Events and Packets Only on the Defense Center check box.
IMPORTANT! Software-based sensors such as the 3D Sensor Software for Crossbeam cannot store data locally. You must store events on the Defense Center. For more information on supported functionality for software-based sensors, see Understanding Software Sensors on page 105.
15. You can prevent packet data from leaving a sensor by enabling the Prohibit Packet Transfer to the Defense Center check box.
IMPORTANT! If you elect to prohibit sending packets and you do not store events on the 3D Sensor, packet data is not retained. Packet data is often important for forensic analysis.

16. To add the sensor to a group, select the group from the Add to Group list. For more information about groups, see Managing Sensor Groups on page 131.
17. Click Add.
The sensor is added to the Defense Center. It can take up to two minutes for the Defense Center to verify the sensor’s heartbeat and establish communication. You can view the sensor’s status on the Sensors page (Operations > Sensors).
IMPORTANT! In some high availability deployments where network address translation is used, you may need to use the Add Manager feature a second time to add the secondary Defense Center. Contact technical support for more information.

Deleting Sensors
Requires: DC + 3D Sensor

If you no longer want to manage a sensor, you can delete it from the Defense Center. Deleting a sensor severs all communication between the Defense Center and the sensor. To manage the sensor again at a later date, you must re-add it to the Defense Center.

TIP! If you can no longer communicate with a detection engine on a managed sensor (for example, if the sensor is down or the network interface card is damaged), you should delete the managed sensor from the Defense Center and then re-add it rather than try to delete the non-communicative detection engine.

IMPORTANT! If you delete a sensor from a Defense Center configured in a high availability pair and intend to re-add it, Sourcefire recommends that you wait at least five minutes before re-adding it. This interval ensures that the high availability pair re-synchronizes so that both Defense Centers recognize the deletion. If you do not wait five minutes, it may take more than one synchronization cycle to add the sensor to both Defense Centers.

To delete a sensor from the Defense Center:
Access: Admin
1. Log into the Defense Center web interface and select Operations > Sensors.
The Sensors page appears.
2. Click Delete next to the sensor you want to delete.
Communication between the sensor and the Defense Center is discontinued and the sensor is deleted from the Sensors page. To keep the sensor from trying to reconnect to the Defense Center, you should also delete the manager on the sensor.
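The following pre-flight check is an added example for this edit, not code from the Sourcefire guide. It encodes the rules the Adding Sensors procedure above states for the Add Remote Management and Add New Sensor fields (the registration key must match on both appliances, Management Host or Host must be set on at least one of them, a sensor that leaves Management Host empty must use a Unique NAT ID that the Defense Center repeats, and hostnames are preferred over IP addresses when DHCP is in use), together with the storage caveats from steps 14 and 15 (software sensors cannot store data locally, and prohibiting packet transfer while nothing is stored on the sensor retains no packet data). The dataclass names, the dhcp_network flag and the 16-character key length are this example's assumptions; the field names mirror the web-interface labels.

```python
"""Pre-flight check for pairing a 3D Sensor with a Defense Center.

Added example, not part of the Sourcefire guide. Field names follow the
web-interface labels; class names, the dhcp_network flag and the key length
are assumptions made for this example.
"""
from dataclasses import dataclass
import ipaddress
import secrets
import string
from typing import List, Optional


def new_registration_key(length: int = 16) -> str:
    """Generate a single-use alphanumeric registration key.

    The guide only says the key is alphanumeric and single-use; the length
    is this example's choice.
    """
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class SensorSide:
    """Fields typed on the sensor's Add Remote Management page."""
    management_host: Optional[str]          # Defense Center hostname/IP, may be empty
    registration_key: str
    unique_nat_id: Optional[str] = None


@dataclass
class DefenseCenterSide:
    """Fields typed on the Defense Center's Add New Sensor page."""
    host: Optional[str]                     # sensor hostname/IP, may be empty
    registration_key: str
    unique_nat_id: Optional[str] = None
    store_only_on_dc: bool = True           # Store Events and Packets Only on the Defense Center
    prohibit_packet_transfer: bool = False  # Prohibit Packet Transfer to the Defense Center
    software_sensor: bool = False           # e.g. 3D Sensor Software for Crossbeam


def _is_ip_literal(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_registration(sensor: SensorSide, dc: DefenseCenterSide,
                       dhcp_network: bool = False) -> List[str]:
    """Return the problems with a sensor/Defense Center pairing (empty list = valid)."""
    problems: List[str] = []
    if not sensor.registration_key or sensor.registration_key != dc.registration_key:
        problems.append("registration key must be identical on sensor and Defense Center")
    if not sensor.management_host and not dc.host:
        problems.append("Management Host or Host must be set on at least one appliance")
    if not sensor.management_host:
        # No routable Defense Center address: NAT ID plus key must identify the channel.
        if not sensor.unique_nat_id or sensor.unique_nat_id != dc.unique_nat_id:
            problems.append("sensor left Management Host empty, so the same Unique NAT ID is required on both appliances")
    elif sensor.unique_nat_id and sensor.unique_nat_id != dc.unique_nat_id:
        problems.append("Unique NAT ID typed on the sensor must be repeated on the Defense Center")
    if dhcp_network:
        for label, value in (("Management Host", sensor.management_host), ("Host", dc.host)):
            if value and _is_ip_literal(value):
                problems.append(f"{label} is an IP address but the network uses DHCP; use a hostname")
    if dc.software_sensor and not dc.store_only_on_dc:
        problems.append("software sensors cannot store data locally; keep Store Events and Packets Only on the Defense Center selected")
    if dc.prohibit_packet_transfer and dc.store_only_on_dc:
        problems.append("packet transfer is prohibited and nothing is stored on the sensor, so packet data is not retained anywhere")
    return problems


def packet_data_locations(dc: DefenseCenterSide) -> List[str]:
    """Where packet data is retained for the chosen storage check boxes."""
    where: List[str] = []
    if not dc.prohibit_packet_transfer:
        where.append("defense_center")
    if not dc.store_only_on_dc and not dc.software_sensor:
        where.append("sensor")
    return where


if __name__ == "__main__":
    # Constructed pairing: sensor behind NAT, so Management Host is left empty.
    key = new_registration_key()
    sensor = SensorSide(management_host=None, registration_key=key, unique_nat_id="branch01")
    dc = DefenseCenterSide(host="sensor01.example.com", registration_key=key,
                           unique_nat_id="branch01", prohibit_packet_transfer=True)
    for problem in check_registration(sensor, dc, dhcp_network=True):
        print("problem:", problem)
    print("packet data retained on:", packet_data_locations(dc) or "nowhere")
```

Run it before typing the fields into either web interface; an empty problem list means the combination is one the guide allows, and packet_data_locations makes the forensic consequence of the two check boxes explicit.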

3. Using a user account with Admin access, log into the web interface of the sensor you want to delete.
4. Select Operations > System Settings.
The Information page appears.
5. Click Remote Management.
The Remote Management page appears.
6. Click Delete next to the Defense Center where you want to reset management.
The manager is removed.
TIP! To temporarily disable communications between appliances without having to reset management, you can disable the manager on the sensor. For more information, see Managing Communication on a Managed Sensor on page 138.

Resetting Management of a Sensor
Requires: DC + 3D Sensor

If communications fail between the Defense Center and one of your sensors, you can reset management of the sensor. You must first delete the manager on the sensor and delete the sensor on the Defense Center. You can then re-add the manager on the sensor and then add the sensor to a Defense Center. If the sensor has a system policy that causes it to receive time from the Defense Center via NTP, the sensor reverts to local time management.

If you want to manage a sensor with a different Defense Center, you must also reset management before adding the sensor to another Defense Center.

The procedures for resetting management on the 3Dx800 sensors and on Crossbeam-based software sensors differ from the procedure for other sensors. For more information on resetting management on a 3Dx800 sensor, see Resetting Communications on the 3Dx800 on page 128. For more information on resetting management on a Crossbeam-based software sensor, see the Sourcefire 3D Sensor Software for X-Series Installation Guide.

To reset management:
Access: Admin
1. Log into the web interface of the Defense Center where you want to reset communications.
2. Select Operations > Sensors.
The Sensors page appears.

3. Click Delete next to the sensor you want to delete.
Communication between the sensor and the Defense Center is discontinued and the sensor is deleted from the Sensors page.

If your sensor is no longer communicating with the Defense Center, you can delete the management on the sensor. If you attempt to delete management on the sensor while it is communicating with the Defense Center, you will receive an error similar to:
Delete failed. You must delete the appliance from its manager, maple.example.com.

To delete management on the sensor:
Access: Admin
1. Log into the web interface of the sensor where you want to reset communications.
2. Select Operations > System Settings.
The Information page appears.
3. Click Remote Management.
The Remote Management page appears.
4. Click Delete next to the Defense Center where you want to reset management.
The manager is removed.

To re-add the sensor to the Defense Center:
Access: Admin
1. Log into the web interface of the sensor where you want to reset communications and click Add Manager.
The Add Remote Management page appears.
2. In the Management Host field, type the IP address or the host name of the Defense Center that you want to use to manage the sensor.
WARNING! Make sure you use hostnames rather than IP addresses if your network uses DHCP to assign IP addresses.
You can leave the Management Host field empty if the management host does not have a routable address. In that case, use both the Registration Key and the Unique NAT ID fields.
3. In the Registration Key field, type the one-time use registration key that you want to use to set up a communications channel between the sensor and the Defense Center.

4. Optionally, in the Unique NAT ID field, type a unique ID that you want to use to identify the sensor.
5. Click Save.
After the sensor confirms communication with the Defense Center, the Pending Registration status appears.
6. Log into the Defense Center’s web interface using a user account with Admin access, and select Operations > Sensors.
The Sensors page appears.
7. Click New Sensor.
The Add New Sensor page appears.
8. Type the IP address or the hostname of the sensor you want to add in the Host field.
WARNING! Make sure you use hostnames rather than IP addresses if your network uses DHCP to assign IP addresses.
9. In the Registration Key field, type the same one-time use registration key that you used in step 3.
10. If you used a unique NAT ID in step 4, type the same value in the Unique NAT ID field.
11. By default, data is stored only on the Defense Center and not on the sensor. You can store data on both the Defense Center and the sensor by clearing the Store Events and Packets Only on the Defense Center check box.
12. You can prevent packet data from leaving a sensor by checking the Prohibit Packet Transfer to the Defense Center check box. If you elect to prohibit sending packets and you do not store events on the 3D Sensor, packet data is not retained. Packet data is often important for forensic analysis.

13. To add the sensor to a group, select the group from the Add to Group list. For more information about groups, see Managing Sensor Groups on page 131.
14. Click Add.
The sensor is added to the Defense Center. It can take up to two minutes for the Defense Center to verify the sensor’s heartbeat and establish communication. You can view the sensor’s status on the Sensors page (Operations > Sensors).
In some high availability deployments where network address translation is used, you may need to use the Add Manager feature a second time to add the secondary Defense Center. Contact technical support for more information.

Managing a 3Dx800 Sensor
Requires: DC + 3D Sensor

Because the Sourcefire 3D Sensor 3800, 3D Sensor 5800, and 3D Sensor 9800 (usually called the 3Dx800 sensors) do not have their own web interfaces, you must add them to a Defense Center as managed sensors so that you can perform procedures such as:
• creating and applying intrusion and RNA detection policies
• viewing events
• generating reports
• uploading and installing software updates

The following sections explain how to manage 3Dx800 sensors with a Defense Center:
• Managing 3Dx800 Sensors with a Defense Center on page 125
• Deleting a 3Dx800 Sensor from the Defense Center on page 127
• Resetting Communications on the 3Dx800 on page 128

Managing 3Dx800 Sensors with a Defense Center
Requires: DC + 3D Sensor

Setting up communications between a 3Dx800 sensor and a Defense Center is a two-step process that involves setting up the sensor and then adding the sensor to the Defense Center. This procedure assumes that you have completed the setup steps described in the sensor’s Installation Guide.

To manage a 3Dx800 sensor with a Defense Center:
Access: Admin
1. Log into the 3D Sensor using the admin account.
The CLI prompt appears:
sensor.domain [admin]

2. Enter the following at the CLI prompt:
[admin] configure sensor
3. Use the following command to determine whether remote management is already enabled:
[admin:sensor] show management
If management is already enabled, the sensor may be managed by another Defense Center. See Resetting Communications on the 3Dx800 on page 128 for information about deleting the sensor from the other Defense Center and preparing it for new management.
4. Use one of the following commands to enable management on the 3D Sensor:
• If you are deploying your sensor in a network that does not use network address translation, enter the following command:
[admin:sensor] set management enable ip_address reg_key
where ip_address is the IP address of the Defense Center and reg_key is a unique single-use alphanumeric registration key. The IP address and registration key pair must uniquely identify the communications channel between the sensor and the Defense Center.
• If you are deploying your sensor in a network that does use network address translation, enter the following command:
[admin:sensor] set management enable NONE reg_key nat_id
where NONE is a placeholder for the unresolvable IP address of the Defense Center, reg_key is a unique single-use alphanumeric registration key, and nat_id is a unique alphanumeric string. The NAT ID together with the registration key must uniquely identify the communications channel between the sensor and the Defense Center.
In either case, a message appears indicating that remote management is enabled.
5. If you changed the management port on the Defense Center, you must change it on the 3Dx800 also:
[admin:sensor] set management port port_number
where port_number is the same port number you used on the Defense Center.
6. Use the following command to exit the CLI and return to the login prompt:
[admin:sensor] exit
7. Using a user account with Admin access, log into the web interface of the Defense Center where you want to add the sensor.
8. Select Operations > Sensors.
The Sensors page appears.

9. Click New Sensor.
The Add New Sensor page appears.
10. In the Host field, type the IP address or the hostname of the sensor you want to add.
11. In the Registration Key field, type the same one-time use registration key that you used on the sensor.
12. If you used a NAT ID in step 4, type the same value in the Unique NAT ID field.
13. You can prevent packet data from leaving a sensor by checking the Prohibit Packet Transfer to the Defense Center check box.
IMPORTANT! Because 3Dx800 sensors do not have any local storage for events, make sure the Store Events and Packets Only on the Defense Center check box is selected. If you prohibit sending packets to the Defense Center, packet data, which is often important for forensic analysis, is not retained anywhere.
14. To add the sensor to a group, select the name of the group from the Add to Group list. For more information about groups, see Managing Sensor Groups on page 131.
15. Click Add.
The 3Dx800 is added to the Defense Center. It can take up to two minutes for the Defense Center to verify the sensor’s heartbeat and establish communication.

Deleting a 3Dx800 Sensor from the Defense Center
Requires: DC + 3D Sensor

If you want to delete a 3Dx800 sensor from a Defense Center (for example, to manage it with a different Defense Center), you must complete a two-step process to disable remote management and then delete it from the Defense Center.

To delete a 3Dx800 sensor from a Defense Center:
Access: Admin
1. On the sensor, access the command prompt and use the admin account to log in.
The CLI prompt appears:
sensor.domain [admin]
2. Enter the following at the CLI prompt:
[admin] configure sensor
3. Enter the following command to disable remote management:
[admin:sensor] set management disable
A message appears indicating that remote management is disabled.
4. Enter the following command to exit the CLI and return to the login prompt:
[admin:sensor] exit
5. Log into the web interface of the Defense Center where you want to delete the sensor.
6. Select Operations > Sensors.
The Sensors page appears.
7. Click Delete next to the sensor you want to delete.
The sensor is deleted.
To add the sensor to either the same or a different Defense Center, you must re-enable remote management and then add the sensor to the Defense Center. For more information, see the next section, Resetting Communications on the 3Dx800.

Resetting Communications on the 3Dx800
Requires: DC + 3D Sensor

If communication fails between a 3Dx800 sensor and the Defense Center that manages it, you can manually reset communications on the sensor.

To reset communications between the sensor and the Defense Center:
Access: Admin
1. Log into the web interface of the Defense Center that manages the sensor.
2. Select Operations > Sensors.
The Sensors page appears.
3. Click Delete next to the sensor that is no longer communicating with the Defense Center.
The sensor is deleted.
4. On the sensor, access the command prompt and use the admin account to log in.
The CLI prompt appears:
sensor.domain [admin]

5. Enter the following at the CLI prompt:
[admin] configure sensor
6. Enter the following command to disable remote management:
[admin:sensor] set management disable
Remote management is disabled.
7. Use one of the following commands to enable remote management:
• If your sensor is in a network that does not use network address translation, enter the following command:
[admin:sensor] set management enable ip_address reg_key
where ip_address is the IP address of the Defense Center and reg_key is a unique single-use alphanumeric registration key. The IP address and registration key pair must uniquely identify the communications channel between the sensor and the Defense Center.
• If your sensor is in a network that does use network address translation, enter the following command:
[admin:sensor] set management enable NONE reg_key nat_id
where NONE is a placeholder for the unresolvable IP address of the Defense Center, reg_key is a unique single-use alphanumeric registration key, and nat_id is a unique alphanumeric string. The NAT ID together with the registration key must uniquely identify the communications channel between the sensor and the Defense Center.
In either case, remote management is enabled again.
8. Enter the following command to exit the CLI and return to the login prompt:
[admin:sensor] exit
9. On the Defense Center’s Sensors page, re-add the sensor by clicking New Sensor.
10. In the Host field, type the IP address or hostname of the sensor and make sure the Store Events and Packets Only on the Defense Center check box is selected.
11. Click Add.
Communications are restarted and the sensor is re-added to the Defense Center.
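The helper below is an added example for this edit, not code from the Sourcefire guide or from the sensor CLI. It composes the sensor-side command sequences for the three 3Dx800 procedures above (Managing 3Dx800 Sensors with a Defense Center, Deleting a 3Dx800 Sensor from the Defense Center, and Resetting Communications on the 3Dx800) exactly as the guide documents them, and refuses the combinations the guide rules out: the NONE placeholder only together with a NAT ID, a NAT ID only with the NONE placeholder, and a management port only within the valid range. The requirement that keys and NAT IDs be alphanumeric follows the guide's wording; the function names, the port-range check and the sample values (192.0.2.10, port 8444) are this example's own.

```python
"""Compose 3Dx800 CLI command sequences for enabling, disabling and
resetting remote management.

Added example, not code from the Sourcefire guide or the sensor CLI. The
command syntax is the one the guide documents; the guards and names are
this example's own.
"""
import ipaddress
import re
from typing import List, Optional

_ALNUM = re.compile(r"^[A-Za-z0-9]+$")


def _check_token(name: str, value: Optional[str]) -> None:
    """The guide describes registration keys and NAT IDs as alphanumeric strings."""
    if not value or not _ALNUM.match(value):
        raise ValueError(f"{name} must be a non-empty alphanumeric string, got {value!r}")


def enable_line(dc_address: Optional[str], reg_key: str,
                nat_id: Optional[str] = None) -> str:
    """The 'set management enable ...' line for a NAT or non-NAT deployment.

    dc_address None selects the NONE placeholder (Defense Center address not
    resolvable from the sensor), which the guide pairs with a NAT ID.
    """
    _check_token("registration key", reg_key)
    if dc_address is None:
        _check_token("NAT ID", nat_id)
        return f"set management enable NONE {reg_key} {nat_id}"
    ipaddress.ip_address(dc_address)  # raises ValueError for a malformed address
    if nat_id is not None:
        raise ValueError("the guide documents a NAT ID only with the NONE placeholder")
    return f"set management enable {dc_address} {reg_key}"


def enable_commands(dc_address: Optional[str], reg_key: str,
                    nat_id: Optional[str] = None,
                    port: Optional[int] = None) -> List[str]:
    """Sensor-side lines for 'Managing 3Dx800 Sensors with a Defense Center', steps 2 to 6.

    'show management' is included so the operator sees whether management is
    already enabled (another Defense Center may own the sensor) before
    enabling it; port is emitted only when the Defense Center's management
    port was changed from the default.
    """
    lines = ["configure sensor", "show management", enable_line(dc_address, reg_key, nat_id)]
    if port is not None:
        if not 1 <= port <= 65535:
            raise ValueError(f"invalid management port {port}")
        lines.append(f"set management port {port}")
    lines.append("exit")
    return lines


def disable_commands() -> List[str]:
    """Sensor-side lines for 'Deleting a 3Dx800 Sensor from the Defense Center', steps 1 to 4."""
    return ["configure sensor", "set management disable", "exit"]


def reset_commands(dc_address: Optional[str], reg_key: str,
                   nat_id: Optional[str] = None) -> List[str]:
    """Sensor-side lines for 'Resetting Communications on the 3Dx800', steps 4 to 8.

    The Defense Center side (delete the sensor first, re-add it afterwards with
    Store Events and Packets Only on the Defense Center selected) stays in the
    web interface and is not generated here.
    """
    return ["configure sensor", "set management disable",
            enable_line(dc_address, reg_key, nat_id), "exit"]


if __name__ == "__main__":
    # Constructed values: a non-NAT deployment whose Defense Center uses a changed port.
    for line in enable_commands("192.0.2.10", "k7Qx2mP9", port=8444):
        prompt = "[admin]" if line == "configure sensor" else "[admin:sensor]"
        print(prompt, line)
```

The printed transcript is what you type at the sensor prompts; keep the registration key single-use as the guide requires, since reusing one across sensors defeats the uniqueness the channel depends on.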

Adding Intrusion Agents
Requires: DC + Intrusion Agent

The Add Agent page allows you to add an Intrusion Agent. For information on the requirements for the intrusion agent side of the connection, see the Sourcefire Intrusion Agent Configuration Guide.

IMPORTANT! When using Intrusion Agents registered to Defense Centers configured for high availability and managed by a Master Defense Center, register all Intrusion Agents to the primary Defense Center.

To add an Intrusion Agent:
Access: Admin
1. Access the Defense Center web interface and select Operations > Sensors.
The Managed Sensors page appears.
2. Click New Agent.
The Agent Administration page appears.
3. In the Name Of Agent field, type an identifying name for the agent. This is the name that the Defense Center uses to identify the Intrusion Agent. It will appear on the event summary, event view pages, and reports.
4. In the Hostname or IP Address field, type the Intrusion Agent’s host name (if DNS resolution is enabled on the Defense Center) or IP address.
WARNING! If your Intrusion Agent sensor resides behind a NAT device, you should enter the IP address that the Defense Center will “see” when the Intrusion Agent attempts to communicate with it, that is, enter the IP address granted by the NAT device.
5. Click Add Agent.
The Intrusion Agent is added and the page reloads, displaying a link that allows you to download authentication credentials.
6. Click Download Auth Credentials and save them for later use on the Intrusion Agent. During configuration, you copy this file to the Intrusion Agent appliance to allow the Intrusion Agent to authenticate with the Defense Center. To download authentication credentials from the Sensor Attributes page, see Sensor Attributes - Intrusion Agent Page on page 130.

Sensor Attributes - Intrusion Agent Page
Requires: DC + Intrusion Agent

The Sensor Attributes page for Intrusion Agents allows you to view basic information about the Intrusion Agent and allows you to download authentication credentials.

Authentication credentials are unique to each Intrusion Agent appliance and Defense Center and cannot be copied from one appliance to another. For more information about copying the credentials, see the Sourcefire Intrusion Agent Configuration Guide.

To download authentication credentials from the Sensor Attributes page:
Access: Admin
1. On the Defense Center, select Operations > Sensors.
The Managed Sensors page appears.
2. Click Edit next to the Intrusion Agent.
The System Settings page for the Intrusion Agent appears.
3. Click Download Credential File.
You are prompted to download the credentials to your local computer.

Managing Sensor Groups
Requires: DC + 3D Sensor

The Defense Center allows you to group sensors so that you can easily apply policies and install updates on multiple sensors. For information about Defense Center groups, see Managing Appliance Groups on page 179.

See the following sections for more information:
• Creating Sensor Groups on page 131 explains how to create a sensor group on the Defense Center.
• Editing Sensor Groups on page 132 explains how to modify the list of sensors in a sensor group.
• Deleting Sensor Groups on page 133 explains how to delete a sensor group.

Creating Sensor Groups
Requires: DC + 3D Sensor

Grouping managed sensors allows you to configure multiple sensors with a single system or health policy, and update multiple sensors with new software updates at the same time.

To create a sensor group and add sensors to it:
Access: Admin
1. Access the Defense Center web interface and select Operations > Sensors.
The Sensors page appears.

2. Click Create New Sensor Group.
The Create Sensor Group page appears.
3. In the Group Name field, type the name of the group you want to create.
4. Click Save.
The group is added.
5. To add sensors to the group, return to the Sensors page (Operations > Sensors) and click Edit next to the name of the sensor group.
The Sensor Group Edit page appears.
6. Select the IP addresses or hostnames of the sensors you want to add from the Available Sensors list and click the arrow to move them into the sensor group.
TIP! You must remove a sensor from its current group before you can add it to a new group.
7. Click Save.
The sensors are added to the group.

Editing Sensor Groups
Requires: DC + 3D Sensor

You can change the set of sensors that reside in any sensor group. Moving a sensor to a new group does not change its policy to the policy previously applied to the group. To change the sensor’s policy, you must apply a new policy to the sensor or sensor group. See Applying an Intrusion Policy in the Analyst Guide for details.

To edit a sensor group:
Access: Admin
1. On the Defense Center, select Operations > Sensors.
The Sensors page appears.

2. Click Edit next to the sensor group you want to edit.
The Sensor Group Edit page appears.
3. Select the sensor you want to move and click the arrow to add or remove it from the group.
• To add a sensor to the group, select it from the Available Sensors list and click the arrow pointing toward the group you are editing.
• To remove a sensor from a group, select it from the list in the group you are editing and click the arrow pointing to the Available Sensors list.
4. Click Done.

Deleting Sensor Groups
Requires: DC + 3D Sensor

If you delete a group that contains sensors, the sensors are moved to Ungrouped on the Sensors page. They are not deleted from the Defense Center.

To delete a sensor group:
Access: Admin
1. Select Operations > Sensors.
The Sensors page appears.
2. Click Delete next to the group you want to delete.

Editing a Managed Sensor’s System Settings
Requires: DC or 3D Sensor

Each sensor has a number of system settings. On an unmanaged sensor you can use the sensor’s web interface to modify the settings as needed. When you

manage one or more sensors with a Defense Center, you can modify their system settings through the Defense Center’s web interface. See Configuring System Settings on page 360 for more information about system settings.

IMPORTANT! You cannot edit the network settings or add a license file to a sensor through the Defense Center’s web interface. You must perform those tasks on the sensor’s web interface (generally before you begin to manage the sensor with the Defense Center).

From the System Settings page, you can:
• view detailed information about the sensor. For more information, see Viewing a Sensor’s Information Page on page 135.
• modify the default settings for each network interface on the managed sensor. For more information, see Editing Network Interface Configurations on page 380.
WARNING! Do not modify the settings for the management interface unless you have physical access to the appliance. It is possible to select a setting that makes it difficult to access the web interface.
• reboot or restart the processes on the managed sensor. For more information, see Stopping and Restarting a Managed Sensor on page 137.
• manage communications between the sensor and the Defense Center. For more information, see Managing Communication on a Managed Sensor on page 138.
• manage time settings on the managed sensor. For more information, see Setting the Time on a Managed Sensor on page 139.
• blacklist individual health policy modules on the managed sensor. For more information, see Blacklisting a Health Policy Module on page 537.

To edit the system settings for a managed sensor:
Access: Admin
1. On the Defense Center, select Operations > Sensors.
The Sensors page appears.
2. Click Edit next to the name of the sensor where you want to edit the system settings.
The Appliance page appears and includes a list of links on the left side of the page that you can use to navigate between pages.

Viewing a Sensor’s Information Page
Requires: DC or 3D Sensor

The Information page for a managed sensor includes the fields described in the Sensor Information table. When you view the Information page for a managed Defense Center from the Master Defense Center’s web interface, the fields are slightly different. See Editing Settings for a Managed Defense Center on page 175.

Sensor Information
• Name: The assigned name for the managed sensor. Note that this is the name of the sensor in the Defense Center web interface, not the hostname.
• Product Model: The model name for the managed sensor.
• Software Version: The version of the software currently installed on the managed sensor.
• Store Events Only on Defense Center: Enable this check box to store event data on the Defense Center, but not the managed sensor. Clear this check box to store event data on both appliances.
• Prohibit Packet Transfer to the Defense Center: Enable this check box to prevent the managed sensor from sending packet data with the events. Clear this check box to allow packet data to be stored on the DC with events.
• Operating System: The operating system currently running on the managed sensor.
• Operating System Version: The version of the operating system currently running on the managed sensor.
• VDB Version: The version level of the vulnerability database currently loaded on the managed sensor.
• IPv4 Address: The IPv4 address of the managed sensor.
• IPv6 Address: The IPv6 address of the managed sensor.
• Current Policies: The appliance-level policies currently applied to the managed sensor. The name of the current system policy is listed under System. The name of the current health policy is listed under Health, if you applied one from the Defense Center that manages the sensor. If a policy has been updated since it was last applied, the name of the policy appears in italics.
• Model Number: The model number for the sensor. This number can be important for troubleshooting.
• Current Group: The sensor group that the sensor belongs to, if any. See Creating Sensor Groups on page 131 for more information.
• Status: An icon showing the current status of the managed sensor. If you hover your cursor over the icon, a pop-up message indicates how long it has been (in hours, minutes, and seconds) since the sensor communicated with the Defense Center. You can click Refresh to update the Status icon and its accompanying pop-up message.

To edit a managed sensor’s settings:
Access: Admin
1. Select Operations > Sensors.
The Sensors page appears.

2. Click Edit next to the name of the sensor whose system settings you want to edit.
The Information page for that sensor appears.
3. Change the sensor’s attributes as needed. See the Sensor Information table on page 135 for a description of each field.
You can edit the following:
• the sensor’s hostname
• where events generated by the sensor are stored
• the group in which the sensor resides
WARNING! Sensor host names must be made up of a combination of alphanumeric characters and should not be made up of numeric characters only.
4. Click Save.
The updated sensor attributes are saved.

Stopping and Restarting a Managed Sensor
Requires: DC

For 3D Sensors, you can reboot or restart the processes on a managed sensor using the Defense Center’s web interface. You must use the command line interface (CLI) to manage processes on Crossbeam-based software sensors, RNA Software for Red Hat Linux, and Intrusion Agents.

To shut down or restart a managed sensor:
Access: Admin
1. Select Operations > Sensors.
The Sensors page appears.
2. Click Edit next to the name of the sensor that you want to restart.
The Information page for that sensor appears.
3. Click Process in the list to the left of the page.
The Process page appears for your managed sensor.
4. Specify what command you want to perform:
• If you want to shut down the sensor, click Run Command next to Shutdown Appliance.
WARNING! If you shut down the appliance, the process shuts down the operating system on the appliance, but does not physically shut off power. To shut off power, you must press the power button on the appliance.
• If you want to reboot the sensor, click Run Command next to Reboot Appliance.
• If you want to restart the software processes on the sensor, click Run Command next to Restart Appliance Console.
• If you want to restart the Snort and RNA processes, click Run Command next to Restart Detection Engines.

Managing Communication on a Managed Sensor
Requires: DC + 3D Sensor

For most 3D Sensors, you can manage communications between a managed sensor and the Defense Center managing it using the Defense Center’s web interface. You must use the command line interface (CLI) to manage communication on 3Dx800 sensors, Crossbeam-based software sensors, RNA Software for Red Hat Linux, and Intrusion Agents.

To disable communications between the Defense Center and the sensor:
Access: Admin
1. Select Operations > Sensors.
The Sensors page appears.

The Information page for that sensor appears. then you cannot change the time manually. Select Operations > Sensors.1 Sourcefire 3D System Administrator Guide 139 . The Information page for that sensor appears. 3. The Remote Management page appears. 4. See the NTP Status table on page 390 for a description of the values you are likely to see for a sensor that is synchronized with an NTP server. However. The Sensors page appears. if the system policy applied to the managed sensor allows you to set the time manually. To set the time for a managed sensor: Access: Admin 1. TIP! To enable communications between the two appliances again. You cannot manage time settings on Intrusion Agents. click Enable. Setting the Time on a Managed Sensor Requires: DC or 3D Sensor If your managed sensor is receiving its time from an NTP server. Click Edit next to the name of the sensor where you want to set the time. Click Edit next to the name of the sensor that you want to manage.Using the Defense Center Editing a Managed Sensor’s System Settings Chapter 4 2. Communications between the two appliances are interrupted. Click Disable next to the name of the sensor. 2. you can manage time settings on a managed sensor using the Defense Center’s web interface. For 3D Sensors.9. You must use the command line interface (CLI) to manage time settings on Crossbeam-based software sensors and RNA Software for Red Hat Linux. which is the recommended setting for a managed sensor and its Defense Center. Click Remote Management in the list to the left of the page. For information about editing the remote management communications from a sensor see Configuring Remote Access to the Defense Center on page 386. then you can change it as part of the system settings. Version 4.

3. Click Time in the list to the left of the page.
The Time page appears showing the current time.
4. If you want to change the time zone, click the time zone link located next to the date and time.
A pop-up window appears.
5. Select your time zone and click Save and, after the time zone setting is saved, click Close to close the pop-up window.
Changing the time zone with this option is equivalent to changing the time zone using the Time Zone Settings option in the user preferences. In other words, this time zone option changes the time setting your user account uses on the Defense Center web interface. This setting does not affect the time zone setting on the managed sensor.
6. From the Set Time drop-down lists, select the following:
• year
• month
• day
• hour
• minute
7. Click Apply.
The time is updated.

Managing a Clustered Pair
Requires: DC + 3D9900
You can increase the amount of traffic inspected on a network segment by connecting two fiber-based 3D9900 sensors in a clustered pair. After you do the cabling, use a Defense Center to establish the clustered pair relationship between the two sensors and manage their joint resources. When you establish a clustered pair configuration, you combine the 3D9900 sensors' resources into a single, shared configuration.
When you connect the two 3D9900 sensors you determine which is the master. You connect the master to the network segment you wish to analyze. After you establish the relationship between the two sensors, they act like two separate sensors with a single, shared detection configuration. The Defense Center manages the clustered pair, and local management is blocked on the shared portion of the clustered pair.
For information on the detection engines, interface set, and data from a clustered pair, see:
• Using Detection Engines on Clustered 3D Sensors on page 228
• Understanding Interface Sets on Clustered 3D Sensors on page 229
• Managing Information from a Clustered 3D Sensor on page 230
The diagram in the original guide shows the interfaces on the master and slave sensors; the connections it depicts are listed in the Cluster Interconnect table below. For information about the connections between the master and slave 3D9900 sensors, see the Cluster Interconnect table.

Cluster Interconnect
Master Interface    Slave Interface
ethb2 RX            ethb0 TX
ethb2 TX            ethb0 RX
ethb3 RX            ethb1 TX
ethb3 TX            ethb1 RX

You connect the master to the network and the slave to the master. You determine the master/slave designation by the way you cable the pair. After you establish the master/slave relationship, you cannot change which sensor is the master or slave unless you break and reestablish the relationship using the Defense Center. After you establish the relationship, the detection engines and interface set are combined on the two sensors.
IMPORTANT! If you apply an RNA detection policy to the RNA detection engines on two different 3D9900 sensors and then establish clustering with those two sensors, you must edit and reapply your detection policy after you establish clustering.
For more information, see:
• Establishing a Clustered Pair on page 142
• Separating a Clustered Pair on page 144

Establishing a Clustered Pair
Requires: DC + 3D9900
You can group two fiber-based 3D9900 sensors in a clustered pair to increase throughput. Before you begin, you must:
• decide which unit will be the master
• have SEU 2.6 or later loaded on your 3D9900 and Defense Center
• cable the units properly prior to designating the master/slave relationship
Connect the master's ethb0 and ethb1 pair to the network. Connect the master's ethb2 and ethb3 pair to the slave's ethb0 and ethb1 pair as shown in the Cluster Interconnect table. For more information about cabling, see the Sourcefire 3D Sensor Installation Guide.
IMPORTANT! You cannot connect the slave's ethb2 and ethb3 pair when you establish the clustered pairing.
There is one detection engine and interface set shared over the paired 3D9900 sensors. They are managed from the Defense Center, instead of the 3D9900 sensors. If you attempt to manage the combined detection engines and interface set on the paired 3D9900 sensors, a message is displayed telling you that they are managed from the Defense Center.

To establish 3D9900 clustered pairing:
Access: Admin
1. Select Operations > Sensors on your Defense Center.
The Sensor page appears.
2. Click Edit next to the 3D9900 sensor that you cabled for master operation.
The System Settings page appears and there is a Clustering field at the bottom.
TIP! If you edit a 3D9900 that is not cabled as the master, you cannot perform the next series of steps.
3. In the Clustering field, select the sensor you want to form a cluster with. For example, if the other member of your pair is birch.example.com, select Clustered with birch.example.com.
4. Click Save.
Review the confirmation message and confirm that it shows the correct Master/Slave pairing.
5. Click OK to confirm the Master/Slave pairing.
IMPORTANT! While the system verifies the cabling configuration, the sensing traffic is interrupted.
If the system determines that the cabling is correct, 3D9900 clustering is established and a confirmation message appears.
6. After clustering is established, verify that the Clustering field changes to indicate the correct state. For example:
• On the master, the field reads: Status Clustered sensor_name, where sensor_name is the name of the sensor you designated as the slave in step 3, and Role Master.
• On the slave, the field reads: Status Clustered and Role Slave.
Use the managing Defense Center to establish the cluster's detection configurations for the interface set and detection engines.

Separating a Clustered Pair
Requires: DC + 3D9900
If you no longer need to use the two 3D9900 sensors as a clustered pair, you can use the Defense Center to break the cluster. Breaking the cluster removes the detection configurations (interface sets, detection engines) from the slave.

To separate a 3D9900 clustered pair:
Access: Admin
1. Select Operations > Sensors on your Defense Center.
The Sensor page appears.
2. Click Edit next to the 3D9900 sensor that you designated as the master sensor when you connected the pair's cables.
The System Settings page appears with the Clustering field at the bottom.
3. Select Break Cluster in the Clustering field.
4. Review the confirmation message. Note the Master/Slave pairing and click OK to confirm that you want to separate the clustered pair.
5. The 3D9900 sensors separate and the confirmation message disappears.

Configuring High Availability
Requires: DC
To ensure the continuity of operations, the high availability feature allows you to designate redundant Defense Centers to manage 3D Sensors. Event data streams from managed sensors to both Defense Centers and certain configuration elements are maintained on both Defense Centers. If one Defense Center fails, you can monitor your network for intrusion events, RNA events, RUA events, and compliance events without interruption using the second Defense Center.
WARNING! Sourcefire recommends that you change configurations only on the primary Defense Center and that you keep your secondary Defense Center as a backup.
See the following sections for more information about setting up high availability.
• Using High Availability on page 145 lists the items that are and are not duplicated when you implement high availability.
• Guidelines for Implementing High Availability on page 149 outlines some guidelines you must follow if you want to implement high availability.
• Setting Up High Availability on page 150 explains how to specify primary and secondary Defense Centers.
• Monitoring the High Availability Status on page 152 explains how to check the status of your linked Defense Centers.
• Disabling High Availability and Unregistering Sensors on page 153 explains how to permanently remove the link between linked Defense Centers.
• Pausing Communication between Paired Defense Centers on page 154 explains how to pause communications between linked Defense Centers.
• Restarting Communication between Paired Defense Centers on page 154 explains how to restart communications between linked Defense Centers.

Using High Availability
Requires: DC
The DC1000 and DC3000 models of the Defense Center support high availability configurations. The DC500 model of the Defense Center and the Virtual Defense Center do not support high availability. Sourcefire strongly recommends that both Defense Centers in an HA pair be the same model. That is, do not attempt to set up high availability between a Defense Center 1000 and a Defense Center 3000.
For more information on:
• sensor attributes and user information shared in a high availability pair, see Sensor Configurations and User Information on page 146
• health and system policies shared in a high availability pair, see Health and System Policies on page 147
• feature license operation in a high availability pair, see Feature Licenses on page 148
• details of high availability pair operation, see Understanding High Availability on page 148

Sensor Configurations and User Information
Requires: DC
Defense Centers in a high availability pair (also called an HA pair) share the following sensor attributes and user information:
• user account attributes and authentication configurations
WARNING! Before you establish a high availability pair, you must make sure that the admin account uses the same password on both Defense Centers, because both Defense Centers must have an admin account. Also, if you have any user accounts with the same name on both Defense Centers, make sure you remove the duplicate user accounts from one of the Defense Centers.
• authentication objects for Sourcefire 3D System user accounts
• custom dashboards
• custom workflows
• custom tables
• sensor attributes, such as the sensor's host name, where events generated by the sensor are stored, and the group in which the sensor resides
• intrusion, RNA, and RUA detection engines
• intrusion policies and their associated rule states
• local rules
• custom intrusion rule classifications
• variable values and user-defined variables
IMPORTANT! If your deployment includes intrusion agents and you are also using a Master Defense Center to manage your linked Defense Centers, make sure you register all intrusion agents to the primary Defense Center.
• RNA detection policies
• RNA custom service detectors
• activated custom fingerprints
• host attributes
• traffic profiles
• RNA user feedback, including notes and host criticality, the deletion of hosts, services, and networks from the network map, and the deactivation or modification of vulnerabilities
• compliance policies and their associated rules
• compliance white lists
To avoid launching duplicate responses and remediations when compliance policies are violated, Defense Centers do not share the associations between the policies and their responses and remediations. You must upload and install any custom remediation modules and configure remediation instances on your secondary Defense Center before remediations are available to associate with compliance policies. However, if you created associations between rules or white lists and their responses and remediations on the secondary Defense Center, make sure you remove the associations so that responses and remediations will only be generated by the primary Defense Center. If the primary Defense Center fails, you should quickly associate your compliance policies with the appropriate responses and remediations on the secondary Defense Center to maintain continuity of operations. For more information, see Creating Compliance Policies in the Analyst Guide and Configuring Remediations in the Analyst Guide.

Health and System Policies
Requires: DC
Health and system policies for Defense Centers and 3D Sensors are shared in high availability pairs. Although system policies are shared by Defense Centers in a high availability pair, they are not automatically applied. If you want identical system policies on both Defense Centers, apply the policy after it synchronizes. Allow enough time to ensure that 3D Sensor information about health policies, modules, and blacklists is synchronized on a newly activated Defense Center.
TIP! If you employ an HA paired Defense Center as an NTP server, you can point to one Defense Center as your first NTP server and the other Defense Center as your second NTP server. When you restore your primary Defense Center after a failure, the NTP function does not automatically switch back. For 3D Sensors, you can synchronize time with multiple alternative NTP servers. For more information, see Synchronizing Time on page 354.

Defense Centers in an HA pair share the following system and health policy information:
• system policies
• system policy configurations (what policy is applied where)
• health policies
• health monitoring configurations (what policy is applied where)
• which appliances are blacklisted from health monitoring
• which appliances have individual health monitoring policies blacklisted

Feature Licenses
Requires: DC
Defense Centers in an HA pair do not share RNA, RUA, and NetFlow licenses:
• Both Defense Centers must have RNA host licenses if you want to manage 3D Sensors with RNA with the high availability pair.
• While RUA LDAP authentication objects are shared, both Defense Centers must have RUA licenses if you want to manage 3D Sensors with RUA with the high availability pair. For more information, see Configuring an RUA Agent on an Active Directory Server in the Analyst Guide.
IMPORTANT! An RUA Agent can only connect to one Defense Center at a time. In a high-availability environment, if the primary Defense Center fails, you must make sure that your RUA Agents can communicate with the secondary Defense Center.
• While NetFlow data and devices are shared, if you want to use NetFlow data to supplement the data gathered by your 3D Sensors with RNA, the two Defense Centers must have enough NetFlow licenses to merge the list of devices on each. If one Defense Center does not have a NetFlow license, it will not receive data from your NetFlow-enabled devices.
TIP! Both Defense Centers in a high-availability pair must have NetFlow licenses for at least the number of NetFlow-enabled devices you are using.

Understanding High Availability
Requires: DC
Although Defense Centers in high availability mode are named "primary" and "secondary," you can make policy or other changes to either Defense Center, regardless of its designation as primary or secondary. Defense Centers periodically update each other on changes to their configurations, and any change you make to one Defense Center should be applied on the other Defense Center within ten minutes. (Each Defense Center has a five-minute synchronization cycle, but the cycles themselves could be out of sync by as much as five minutes, so changes appear within two five-minute cycles.) However, if you make conflicting policy or other changes to both Defense Centers within the same window between Defense Center syncs, the last change you make takes precedence.
Also, during this ten-minute window, policies may appear incorrectly on the other Defense Center. For example, if you create a policy on your primary Defense Center and apply it to a sensor that is also managed by your secondary Defense Center, the sensor could contact the secondary Defense Center before the Defense Centers contact each other. Because the sensor has a policy applied to it that the secondary Defense Center does not recognize, the secondary Defense Center displays a new policy with the name "unknown" until the Defense Centers synchronize.
TIP! To avoid confusion, start with the secondary Defense Center in its original state. That is, you have not created or modified any policies, nor created any new rules, nor have you previously managed any sensors with it. To make sure the secondary Defense Center is in its original state, use the Restore CD to remove changed settings. Note that this also deletes event and configuration data from the Defense Center.
For more information, see Guidelines for Implementing High Availability on page 149.

Guidelines for Implementing High Availability
Requires: DC
To take advantage of high availability, you must follow these guidelines.
• You must designate one Defense Center as the primary Defense Center and one as the secondary. Regardless of their designations as primary and secondary, both Defense Centers can be configured with policies, rules, managed sensors, and so on before you set up high availability.
• Both Defense Centers must be running the same software version.
• Both Defense Centers must be running the same SEU version.
• The Defense Center software version must be the same as or newer than the software version of the managed 3D Sensors.
• You cannot configure a recurring task schedule on the inactive Defense Center. You must recreate the recurring task schedule on a newly activated Defense Center when it changes from inactive to active.
• By default, the Defense Centers use port 8305/tcp for communications. You can change the port as described in Configuring the Communication Channel on page 383.
• Defense Centers configured as a high availability pair do not need to be on the same trusted management network, nor do they have to be in the same geographic location.
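The guidelines above (and the rule on the next page that all RNA software sensors in an HA deployment run the same version) are easy to get wrong when the two appliances were built at different times. The following added example, which is not Sourcefire code and uses no Defense Center API (the guide describes none), turns them into a pre-flight check over a plain dictionary description of each appliance. The field names, the sample appliances and their version strings are constructed for the example.

```python
"""Pre-flight check for a Defense Center high availability pair.

Added example, not Sourcefire code. It turns the guidelines in this section
into checks over a plain dictionary description of each appliance. The field
names, the sample appliances and their version strings are constructed for the
example; the guide describes no API that would supply them.
"""
from __future__ import annotations

import ipaddress
import re

HA_CAPABLE_MODELS = {"DC1000", "DC3000"}   # the DC500 and Virtual DC do not support HA
DEFAULT_HA_PORT = 8305                      # Defense Centers talk on 8305/tcp by default


def version_tuple(version: str) -> tuple[int, ...]:
    """Turn '4.9.1' into (4, 9, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_ip_literal(host: str) -> bool:
    """True for '10.0.0.5' or '2001:db8::1', False for a hostname."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def check_ha_pair(primary: dict, secondary: dict, sensors: list[dict]) -> list[str]:
    """Return every guideline the proposed pair violates (empty list = ready to link)."""
    problems: list[str] = []
    pair = (("primary", primary), ("secondary", secondary))

    for role, dc in pair:
        if dc["model"] not in HA_CAPABLE_MODELS:
            problems.append(f"{role} model {dc['model']} does not support high availability")
        # DHCP-assigned addresses change; register the peer by hostname instead.
        if dc.get("dhcp") and is_ip_literal(dc["peer_host"]):
            problems.append(f"{role} registers its peer by IP address but uses DHCP; use a hostname")

    if primary["model"] != secondary["model"]:
        problems.append("both Defense Centers should be the same model")
    if primary["software"] != secondary["software"]:
        problems.append("both Defense Centers must run the same software version")
    if primary["seu"] != secondary["seu"]:
        problems.append("both Defense Centers must run the same SEU version")
    if primary.get("ha_port", DEFAULT_HA_PORT) != secondary.get("ha_port", DEFAULT_HA_PORT):
        problems.append("both Defense Centers must use the same HA communication port")

    # Managed sensors may be older than the Defense Centers, never newer.
    dc_version = version_tuple(primary["software"])
    rna_software_versions = set()
    for sensor in sensors:
        if version_tuple(sensor["software"]) > dc_version:
            problems.append(f"sensor {sensor['name']} runs {sensor['software']}, "
                            "newer than the Defense Center software")
        if sensor["type"] == "rna_software":
            rna_software_versions.add(sensor["software"])
    if len(rna_software_versions) > 1:
        problems.append("all RNA software sensors in an HA deployment must run the same version")

    return problems


# Constructed sample deployment, not taken from the guide.
PRIMARY = {"model": "DC3000", "software": "4.9.1", "seu": "2.6.0",
           "dhcp": False, "peer_host": "dc-secondary.example.com"}
SECONDARY = {"model": "DC3000", "software": "4.9.1", "seu": "2.6.0",
             "dhcp": True, "peer_host": "dc-primary.example.com"}
UNSUITABLE_SECONDARY = {"model": "DC500", "software": "4.8.0", "seu": "2.6.0",
                        "dhcp": True, "peer_host": "10.0.0.5"}
SENSORS = [
    {"name": "ids-edge-1", "type": "3d_sensor", "software": "4.9.1"},
    {"name": "rna-dmz", "type": "rna_software", "software": "4.9.0"},
]

if __name__ == "__main__":
    for label, secondary in (("good pair", SECONDARY), ("bad pair", UNSUITABLE_SECONDARY)):
        print(label, check_ha_pair(PRIMARY, secondary, SENSORS) or ["ok"])
```

Run the check before registering the pair; every string it returns maps to one bullet above, so an empty list means the two appliances can be linked and only the procedural points (time synchronization, port reachability) remain to verify by hand.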

• All RNA software sensors managed by Defense Centers in high availability mode must be the same software version.
• The two Defense Centers do not need to be on the same network segment, but each of the Defense Centers must be able to communicate with the other and with the sensors they share. That is, either each Defense Center must be able to contact the sensors it manages or the sensors must be able to contact the Defense Center, and vice versa. In addition, the primary Defense Center must be able to contact the secondary Defense Center at the IP address on the secondary Defense Center's own management interface. For information about editing the remote management communications between the two appliances, see Editing the Management Virtual Network on page 385.
• If you use a Master Defense Center to manage a high-availability pair of Defense Centers, set up remote management between each Defense Center and the Master Defense Center as detailed in Adding and Deleting Defense Centers on page 164, then set up high availability as detailed in Setting Up High Availability on page 150. For information about adding a Defense Center to a Master Defense Center, see Adding a Master Defense Center on page 165.
TIP! To add an existing high availability pair of Defense Centers to a Master Defense Center, use this sequence to establish communications between the three of them: first, add the primary Defense Center, and the secondary Defense Center is automatically added.

Setting Up High Availability
Requires: DC
To use high availability, you must designate one Defense Center as the primary and another Defense Center of the same model as the secondary. Before you configure high availability, make sure you synchronize time settings between the Defense Centers you want to link. For details on setting time, see Synchronizing Time on page 354.
WARNING! Sourcefire recommends that you change configurations only on the primary Defense Center and that you use your secondary Defense Center as a backup.

To set up high availability for two Defense Centers:
Access: Admin
1. Log into the Defense Center that you want to designate as the secondary Defense Center.
2. Select Operations > Configuration > High Availability.
The High Availability page appears.
3. Click the secondary Defense Center option.
The Secondary Defense Center Setup page appears.
4. Type the hostname or IP address of the primary Defense Center in the Primary DC Host text box.
WARNING! Make sure you use hostnames rather than IP addresses if your network uses DHCP to assign IP addresses.
You can leave the Primary DC Host field empty if the management host does not have a routable address. In that case, use both the Registration Key and the Unique NAT ID fields.
5. Type a one-time-use registration key in the Registration Key text box.
6. Optionally, in the Unique NAT ID field, type a unique alphanumeric registration ID that you want to use to identify the primary Defense Center. See Working in NAT Environments on page 112 for more information.
7. Click Register.
A success message appears, and the Peer Manager page appears, showing the current state of the secondary Defense Center.
8. Using an account with Admin access, log into the Defense Center that you want to designate as the primary.
9. Select Operations > Configuration > High Availability.
The High Availability page appears.
10. Click the primary Defense Center option.
The Primary Defense Center Setup page appears.
11. Type the hostname or IP address of the secondary Defense Center in the Secondary DC Host text box.
WARNING! Make sure you use hostnames rather than IP addresses if your network uses DHCP to assign IP addresses.
12. Type the same one-time-use registration key that you used in step 5 in the Registration Key text box.
13. If you used a unique NAT ID on the secondary Defense Center, type the same registration ID that you used in step 6 in the Unique NAT ID text box.
14. Click Register.
A success message appears, and the Peer Manager page appears, showing the current state of the primary Defense Center.

Depending upon the number of policies and custom standard text rules they have, it may take up to 10 minutes before all the rules and policies appear on both Defense Centers. You can also monitor the Task Status to see when the process completes. See Monitoring the High Availability Status on page 152.

Monitoring the High Availability Status
Requires: DC
Once you have identified your primary and secondary Defense Centers, you can use one of them to view status information about the other, including:
• IP address
• product model
• operating system
• operating system version
• time the Defense Centers last synchronized
You can view the High Availability page to check the status of the link between the two Defense Centers.

To check high availability status:
Access: Admin
1. Log into one of the Defense Centers that you linked using high availability.
2. Select Operations > Configuration > High Availability.
The High Availability page appears.
3. Under High Availability Status, you can view the following information about the other Defense Center in the high availability pair:
• the IP address
• the model name
• the software version
• the operating system
• the length of time since the last contact between the two Defense Centers
4. Click Peer Manager in the toolbar.
The Peer Manager page appears.
5. You can view the following information:
• the IP address of the other Defense Center in the HA pair
• the status, registered or unregistered, of the communications link
• the state, enabled or disabled, of the HA pair
For information about editing the remote management communications between the two appliances, see Editing the Management Virtual Network on page 385.
The two Defense Centers automatically synchronize within ten minutes (five minutes for each Defense Center) after any action that affects a shared feature. For example, if you create a new policy on one Defense Center, it is automatically shared with the other Defense Center within 5 minutes. However, if you want to synchronize the policy immediately, click Synchronize.
IMPORTANT! If you delete a sensor from a Defense Center configured in a high availability pair and intend to re-add it, Sourcefire recommends that you wait at least five minutes before adding the sensor back. This interval ensures that the high availability pair re-synchronizes first. If you do not wait five minutes, it may take more than one synchronization cycle to add the sensor to both Defense Centers.

Disabling High Availability and Unregistering Sensors
Requires: DC
If you want to remove one of the Defense Centers from a high availability pair, you must first disable the high availability link between them.

To disable a high availability pair:
Access: Admin
1. Log into one of the Defense Centers in the HA pair.
2. Select Operations > Configuration > High Availability.
The High Availability page appears.
3. Click Disable HA.
4. Select one of the following options from the Handle Registered Sensors drop-down list:
• To control all the managed sensors with the Defense Center where you are accessing this page, select Unregister sensors on the other peer.
• To control all the managed sensors with the other Defense Center, select Unregister sensors on this peer.
• To stop managing the sensors altogether, select Unregister sensors on both peers.
5. After you answer the prompt Do you really want to Disable High Availability? by selecting OK, high availability is disabled and any managed sensors are deleted from the Defense Centers according to your selection.
You can enable high availability with a different Defense Center as described in Setting Up High Availability on page 150.

Pausing Communication between Paired Defense Centers
Requires: DC
If you want to temporarily disable high availability, you can disable the communications channel between the Defense Centers.

To disable the communications channel for a high availability pair:
Access: Admin
1. Click Peer Manager.
The Peer Manager page appears.
2. Click Disable to disable the communications channel between the two Defense Centers.
For information about editing the remote management communications between the two appliances, see Editing the Management Virtual Network on page 385.

Restarting Communication between Paired Defense Centers
Requires: DC
If you temporarily disabled high availability, you can enable the communications channel between the Defense Centers to restart high availability.

To enable the communications channel for a high availability pair:
Access: Admin
1. Click Peer Manager.
The Peer Manager page appears.
2. Click Enable to enable the communications channel between the two Defense Centers.
For information about editing the remote management communications between the two appliances, see Editing the Management Virtual Network on page 385.

Chapter 5
Using the Master Defense Center

The Sourcefire Master Defense Center is a key component in the Sourcefire 3D System. You can use the Master Defense Center to aggregate and analyze intrusion events, compliance events, and white list events from up to ten Defense Centers within your Sourcefire 3D System deployment. The Master Defense Center can also aggregate events related to the health of managed Defense Centers. In this way, you can view the current status of the Defense Centers across your enterprise from a web interface.

You can use the Master Defense Center to build and dispatch global detection and intrusion policies. When you apply intrusion policies from a Master Defense Center, the Sourcefire 3D System checks the SEU on the managing Defense Center. If it finds an older SEU, it updates the managing Defense Center's SEU.

IMPORTANT! The Product Compatibility section of the release notes for each version describes which versions of the Defense Center you can manage with a Master Defense Center.

The following sections explain more about using a Master Defense Center in your Sourcefire 3D System deployment.
• Understanding Event Aggregation on page 157 explains which types of events you can send from your Defense Centers to your Master Defense Center.
• Understanding Global Policy Management on page 161 explains which policies you can send from your Master Defense Center to 3D Sensors and Defense Centers.
• Adding and Deleting Defense Centers on page 164 explains how to configure a Defense Center to communicate with a Master Defense Center.
• Editing Settings for a Managed Defense Center on page 175 explains how to change some of the settings for a Defense Center from the Master Defense Center's web interface.
• Managing Appliance Groups on page 179 explains how to use appliance groups to aid in managing 3D Sensors and Defense Centers.

Version 4.9.1 Sourcefire 3D System Administrator Guide 156

Understanding Event Aggregation
Requires: MDC

A Master Defense Center can aggregate intrusion events and compliance events (including white list events) from up to ten Defense Centers. The settings on the Filter Configuration page determine which events are forwarded from the Defense Center to the Master Defense Center. You can configure a Defense Center to send intrusion events based on their flag. You can also choose whether to include the packet data collected with the intrusion events. You can set up a different configuration for each Defense Center, although most deployments will use the same configuration across the enterprise.

See the following sections for more information:
• Aggregating Intrusion Events on page 158
• Aggregating Compliance Events on page 158
• Limitations on Event Aggregation on page 159

Aggregating Intrusion Events
Requires: MDC

An intrusion event is generated by IPS when it analyzes network traffic and finds one or more packets that violate the currently applied intrusion policy. Packet decoders, preprocessors, and intrusion rules are all able to generate intrusion events.

When you use the Filter Configuration page to specify which events are forwarded to the Master Defense Center, you can choose one of the following options:
• Do Not Send - Intrusion events are not forwarded to the Master Defense Center.
• Events Only - The intrusion events specified in the Flags section are forwarded to the Master Defense Center; however, any packets captured for the event are not sent.
• Events and Packet Data - The intrusion events specified in the Flags section, along with any related packets, are forwarded to the Master Defense Center.

You can use the Flags section of the Filter Configuration page to forward only the intrusion events that are important to your analysis. For example, you may want to limit the intrusion events on the Master Defense Center to only those with the greatest impact, that is, the red impact flag. If your 3D Sensors are deployed inline and you are using intrusion rules set to Drop and Generate Events, you may also want to send intrusion events with the black inline result flag.

You can also use flag settings to reduce the number of intrusion events that are sent to the Master Defense Center in deployments where large numbers of intrusion events are being generated from your 3D Sensors. For example, you can greatly reduce the number of events sent from a Defense Center by excluding events with the blue or gray impact flags.

IMPORTANT! You must deploy both RNA and IPS on your network to generate intrusion events with meaningful impact flags. If you do not deploy 3D Sensors with RNA on your network, then intrusion events are limited to gray impact flags to indicate unknown impact.

Aggregating Compliance Events
Requires: MDC

A compliance event is generated by a Defense Center when the conditions for a compliance rule in an active compliance policy are met. The conditions that can trigger a compliance rule include intrusion events, RNA events, flow data, and anomalous network traffic. When you use the Filter Configuration page to specify which events are forwarded to the Master Defense Center, you can choose to send or not send compliance events.

See the following sections for more information:
• Adding a Defense Center on page 168
• Editing the Event Filter Configuration on page 176

Limitations on Event Aggregation
Requires: MDC

The Master Defense Center is a powerful tool for analyzing the potential malicious activity across your enterprise's network. However, there are certain limitations that you should take into consideration when you design your Master Defense Center deployment. The Master Defense Center and Defense Center Functional Comparison table compares and contrasts Defense Center and Master Defense Center functional areas.

Master Defense Center and Defense Center Functional Comparison

Function | Master Defense Center | Defense Center
License provisions | provides product license | provides product license, RNA and RUA feature licenses
3D Sensor configuration | allows you to configure detection engines | allows you to configure detection engines, interface sets, network interfaces, and NetFlow
Analysis and reporting search | allows you to search for intrusion events, compliance events, white list events, health events, audit log, and SEU import log | allows you to search for intrusion events, RNA events, flow data, hosts, host attributes, client applications, vulnerabilities, scan results, remediation status, white list events, white list violations, compliance events, health events, audit log, SEU import log, users, and RUA events

Master Defense Center and Defense Center Functional Comparison (Continued)

Function | Master Defense Center | Defense Center
Network scans | does not provide for Nessus and Nmap scans | provides Nessus and Nmap scans and results
Global policies | allows you to build intrusion policies and to distribute them through connected Defense Centers to their managed 3D Sensors throughout the enterprise | policies are normally downloaded only to their managed 3D Sensors
Event consolidation | allows for collection of events from up to ten Defense Centers | events are collected only from managed 3D Sensors

Data Generated by RNA
The Master Defense Center cannot aggregate RNA events or flow data generated by RNA and forwarded to a Defense Center. In addition, the Master Defense Center does not build a network map or host data for the hosts on your network. However, because you can forward compliance events and white list events from your managed Defense Centers to your Master Defense Center, you can gain insight into RNA-detected activity across your enterprise. To take advantage of this, on your Defense Centers you need to build compliance rules and policies that are triggered by the RNA events that interest you and forward the resulting compliance events to the Master Defense Center.

Intrusion Agents
Intrusion events generated by intrusion agents are not forwarded to the Master Defense Center.

Event Rate
The event rate limit for the Master Defense Center is the same as the rate limit on Defense Centers. This means that if your Defense Centers are accepting events from their 3D Sensors up to the rate limit, you must adjust the event filter on the Master Defense Center so that only the most important events are forwarded from the Defense Centers. For example, in cases where the intrusion event rate is high, you might want to adjust the filter to send only intrusion events with red impact flags. You can also limit the amount of data transferred between a Defense Center and its Master Defense Center by sending only intrusion event data, and not sending the packet data.
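The forwarding decision described in Aggregating Intrusion Events, Aggregating Compliance Events and the Event Rate limitation above, written out as an added example. This is not code from the Sourcefire 3D System: it models the three intrusion options (Do Not Send, Events Only, Events and Packet Data), the Flags section (impact flags red, orange, yellow, blue, gray plus the black inline result flag), the rule that selecting compliance events also forwards white list events, the rule that at least one flag must be selected to send intrusion events, and the limitation that intrusion agent events are never forwarded. The Event and FilterConfiguration classes, their field names, and SAMPLE_EVENTS are constructed for this example and are not the product's data model; treating the black inline result flag as just another selectable flag is an assumption of the model.

```python
"""Model of the Defense Center to Master Defense Center event filter (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

INTRUSION_OPTIONS = ("Do Not Send", "Events Only", "Events and Packet Data")
IMPACT_FLAGS = ("red", "orange", "yellow", "blue", "gray")
INLINE_RESULT_FLAGS = ("black",)  # black: the packet was dropped by an inline rule


@dataclass(frozen=True)
class FilterConfiguration:
    """Constructed stand-in for the settings on the Filter Configuration page."""
    intrusion: str = "Do Not Send"
    flags: frozenset = frozenset()   # flags selected in the Flags section
    compliance: bool = False         # send compliance (and therefore white list) events

    def __post_init__(self) -> None:
        if self.intrusion not in INTRUSION_OPTIONS:
            raise ValueError(f"unknown intrusion option {self.intrusion!r}")
        unknown = self.flags - set(IMPACT_FLAGS) - set(INLINE_RESULT_FLAGS)
        if unknown:
            raise ValueError(f"unknown flags {sorted(unknown)}")
        # IMPORTANT! from the guide: at least one flag when sending intrusion events.
        if self.intrusion != "Do Not Send" and not self.flags:
            raise ValueError("select at least one flag to send intrusion events")


@dataclass(frozen=True)
class Event:
    """Constructed event record; only the fields the filter looks at."""
    kind: str                              # "intrusion", "compliance" or "white_list"
    source: str = "ips"                    # "ips" or "intrusion_agent"
    impact: Optional[str] = None           # impact flag colour (gray when RNA is absent)
    inline_result: Optional[str] = None    # "black" when an inline rule dropped the packet
    packet: Optional[bytes] = None         # captured packet data, if any


def forward(event: Event, cfg: FilterConfiguration) -> Optional[Dict[str, object]]:
    """Return the record the Defense Center sends for one event, or None."""
    if event.kind == "intrusion":
        if cfg.intrusion == "Do Not Send":
            return None
        if event.source == "intrusion_agent":   # limitation: never forwarded
            return None
        if event.impact not in cfg.flags and event.inline_result not in cfg.flags:
            return None                         # not selected in the Flags section
        record: Dict[str, object] = {"kind": "intrusion", "impact": event.impact,
                                     "inline_result": event.inline_result}
        if cfg.intrusion == "Events and Packet Data":
            record["packet"] = event.packet     # Events Only leaves the packet behind
        return record
    if event.kind in ("compliance", "white_list"):
        return {"kind": event.kind} if cfg.compliance else None
    raise ValueError(f"unknown event kind {event.kind!r}")


def forwarded(events: List[Event], cfg: FilterConfiguration) -> List[Dict[str, object]]:
    """Apply the filter to a batch and keep only what crosses the channel."""
    return [r for r in (forward(e, cfg) for e in events) if r is not None]


# Constructed sample batch, not captured data: one event per case the guide discusses.
SAMPLE_EVENTS = [
    Event("intrusion", impact="red", packet=b"\x45\x00\x00\x3c\x1c\x46\x40\x00"),
    Event("intrusion", impact="orange"),
    Event("intrusion", impact="gray"),          # what you get without RNA
    Event("intrusion", impact="blue"),
    Event("intrusion", impact="yellow", inline_result="black",
          packet=b"\x45\x00\x00\x28\x00\x01\x00\x00"),
    Event("intrusion", source="intrusion_agent", impact="red"),
    Event("compliance"),
    Event("white_list"),
]

if __name__ == "__main__":
    high_rate = FilterConfiguration("Events Only", frozenset({"red", "black"}), compliance=True)
    for record in forwarded(SAMPLE_EVENTS, high_rate):
        print(record)
```

With the high-rate configuration shown in the usage block (red and black flags, events only, compliance on), the eight sample events shrink to four records and no packet bytes, which is the reduction the Event Rate limitation asks you to make; switching to Events and Packet Data keeps the same four records but attaches the captured packets to the two intrusion events that have them.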

Understanding Global Policy Management
Requires: MDC

You can use the Master Defense Center to generate global intrusion policies and coordinate them with potential vulnerabilities detected by RNA policies. RNA compares the data it collects and analyzes with its vulnerability database to determine the potential vulnerabilities on the detected host. Global intrusion policies are beneficial in rapid response scenarios and during enterprise-wide intrusion policy updates.

The Master Defense Center sends the policy through a Defense Center to a 3D Sensor's detection engine; however, if a newer SEU resides on the Master Defense Center than on a Defense Center in the path, then the downstream SEU is updated. This ensures that global intrusion policies utilize the latest SEU. Master Defense Center generated policies are not accessible on an intermediate Defense Center.

You can build, apply, edit, delete, and export RNA detection policies on a Master Defense Center. Existing RNA policies are available for viewing so that you can determine:
• RNA policy name and description
• Which networks and ports are monitored by the RNA policy
• Detection policy settings such as update interval, custom service decoders, if client applications are being detected, if banners and HTTP URLs are captured, and so on
• If NetFlow is used to generate host information, which networks and NetFlow-enabled devices are monitored by NetFlow
For information on creating and applying as well as deleting RNA policies, see What is an RNA Detection Policy? in the Analyst Guide.

You can also import and export compliance policies and rules, as well as intrusion, system, and health policies. For information on import and export functions, see Importing and Exporting Objects on page 583.

Managing Global Intrusion Policies
Requires: MDC

Refer to the following sections for information about managing intrusion policies:
• Creating an Intrusion Policy in the Analyst Guide explains how to create an intrusion policy.
• Applying an Intrusion Policy in the Analyst Guide explains how to apply a new or updated intrusion policy to the appropriate IPS detection engines.
• Editing an Intrusion Policy in the Analyst Guide explains how to modify existing intrusion policies.
• Managing Variables in the Analyst Guide explains how to create and manage variables that you can use within intrusion policies.
• Defining IP Addresses and Ports for Your Network in the Analyst Guide provides the syntax used to specify IP addresses and port numbers within the variables and rules in your policy.
• Managing Intrusion Rules in the Analyst Guide explains how to enable and disable intrusion rules within an intrusion policy. This section also explains how to configure rules in inline intrusion policies so that they drop malicious packets.
• Importing SEUs and Rule Files in the Analyst Guide explains how to download and import Security Enhancement Updates (SEUs) that contain new intrusion rules. Note that SEUs can also contain new and updated decoders and preprocessors.
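The SEU check that Understanding Global Policy Management describes (and that the Detection and Prevention Policies limitation below repeats), written out as an added example. This is not code from the Sourcefire 3D System: it models a policy built on the Master Defense Center being pushed through each managing Defense Center to a 3D Sensor's detection engine, updating any Defense Center on the path whose SEU is older than the Master Defense Center's and leaving current or newer ones alone, and it keeps the policy out of the intermediate Defense Center's own policy list. Integer SEU version numbers, the Appliance, DetectionEngine and ApplyResult classes, and the sample deployment are constructed for this example.

```python
"""Model of the SEU check made when a global intrusion policy is applied (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Appliance:
    """Constructed stand-in for a Defense Center or Master Defense Center."""
    name: str
    seu: int                                           # installed SEU, as an integer version
    policies: Set[str] = field(default_factory=set)    # policies built on this appliance


@dataclass(frozen=True)
class DetectionEngine:
    """An IPS detection engine on a 3D Sensor and the Defense Center that manages it."""
    name: str
    managing_dc: str


@dataclass(frozen=True)
class ApplyResult:
    seu_updates: Tuple[Tuple[str, int, int], ...]   # (Defense Center, old SEU, new SEU)
    applied_to: Tuple[str, ...]                     # detection engines the policy reached


def apply_global_policy(policy: str, policy_seu: int, mdc: Appliance,
                        dcs: Dict[str, Appliance],
                        engines: List[DetectionEngine]) -> ApplyResult:
    """Push a policy built on the Master Defense Center to the named detection engines."""
    if policy not in mdc.policies:
        raise ValueError(f"{policy!r} was not built on {mdc.name}")
    # Policies are based on the SEU of the appliance where they are built.
    if policy_seu > mdc.seu:
        raise ValueError("policy is based on an SEU newer than the one on the MDC")
    updates = []
    for engine in engines:
        dc = dcs[engine.managing_dc]
        if dc.seu < mdc.seu:                 # older SEU on the path: bring it up first
            updates.append((dc.name, dc.seu, mdc.seu))
            dc.seu = mdc.seu
        # A DC that is already current, or newer, is left as it is, and the policy
        # passes through it without being added to the DC's own policy list.
    return ApplyResult(tuple(updates), tuple(e.name for e in engines))


def build_sample_deployment():
    """Constructed topology: one MDC, two DCs, three detection engines."""
    mdc = Appliance("mdc", seu=101, policies={"global-rapid-response"})
    dcs = {
        "dc-east": Appliance("dc-east", seu=100),   # behind the MDC
        "dc-west": Appliance("dc-west", seu=102),   # ahead of the MDC
    }
    engines = [
        DetectionEngine("sensor1-ips", "dc-east"),
        DetectionEngine("sensor2-ips", "dc-east"),
        DetectionEngine("sensor3-ips", "dc-west"),
    ]
    return mdc, dcs, engines


if __name__ == "__main__":
    mdc, dcs, engines = build_sample_deployment()
    result = apply_global_policy("global-rapid-response", 101, mdc, dcs, engines)
    print("SEU updates:", result.seu_updates)
    print("applied to:", result.applied_to)
```

In the sample deployment only dc-east is updated, and only once even though it manages two of the three engines; dc-west keeps its newer SEU, and neither Defense Center ends up with the global policy in its own list.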

Using RNA Detection Policies on a Master Defense Center
Requires: MDC

You can create, edit, delete, export, and apply RNA detection policies from a Master Defense Center. Refer to the following for information on the following RNA detection policy functions:
• Creating RNA Detection Policies in the Analyst Guide
• Applying an RNA Detection Policy in the Analyst Guide
• Editing an RNA Detection Policy in the Analyst Guide
• Deleting an RNA Detection Policy in the Analyst Guide

Using Health Policies on a Master Defense Center
Requires: MDC

You can edit, delete, and apply default health policies to the Master Defense Center and to connected Defense Centers. For information about health policies see the following:
• Understanding Health Monitoring on page 483
• Configuring Health Policies on page 489
• Using the Health Monitor Blacklist on page 534
• Configuring Health Monitor Alerts on page 539
• Using the Health Monitor on page 545
• Using Appliance Health Monitors on page 547
• Working with Health Events on page 555
See Health Policies on page 164 to distinguish the health policy modules that are useful on a Master Defense Center or Defense Center from those that are not, and for brief descriptions of those modules that are used.

Using System Policies on a Master Defense Center
Requires: MDC

System policies allow you to manage the following functions on your Defense Centers or Master Defense Center:
• access configuration
• authentication profiles (Defense Center only)
• database limits
• DNS cache settings
• the mail relay host and a notification address for database prune messages
• language selection (English or Japanese)
• login banner
• the kinds and amount of RNA data stored in the database (Defense Center only)
• time synchronization settings
See Managing System Policies on page 320 for information about system policy usage.

Master Defense Center Policy Management Limitations
Requires: MDC

There are several types of policies, including detection and prevention, RNA detection, RUA detection, and health policies. The Defense Center and Master Defense Center do not handle these policies in the same manner.

Detection and Prevention Policies
You can create, edit, delete, export, and apply intrusion detection and prevention policies from a Master Defense Center. The Sourcefire 3D System bases intrusion policies on SEUs residing on the appliance where the policy is built. When you apply an intrusion policy to a 3D Sensor's detection engines from a Master Defense Center, the Sourcefire 3D System checks for any older SEUs on the Defense Center(s) managing those detection engines. If it finds SEUs older than those on the Master Defense Center, they are updated.

You can apply one or more custom intrusion policies filtered to monitor VLAN or subnetwork traffic on the network monitored by the detection engine where you apply the policy. You cannot apply a non-filtered policy from a Defense Center and then add filters to it from a managing Master Defense Center. Therefore, you must apply a non-filtered policy to the detection engine from the same Defense Center or Master Defense Center.

TIP! Before applying a filtered policy, a warning message with a check box appears. After you acknowledge the message by clicking its check box, the Apply button activates.

RNA Detection Policies
RNA analysis and reporting functions such as using the network map, listing RNA hosts and events, RNA detection, and listing client applications and vulnerabilities are performed on Defense Centers and not on Master Defense Centers. However, if your deployment includes RNA, you can view host profiles from event views by clicking the host profile icon next to an IP address.

RUA Detection Policies
There are currently no Real-Time User Awareness functions on a Master Defense Center. RUA functions are available only on properly licensed Defense Centers.

System Policies
System policies are applied only to Master Defense Centers and Defense Centers from a Master Defense Center.

Health Policies
The Master Defense Center monitors its health and the health of connected Defense Centers. Master Defense Centers apply health policies only to Master Defense Centers and Defense Centers. Currently, only the generic Default Health Policy is available for editing and application to appliances. The Default IPS, Default IPS (3Dx800 only), Default 3D Sensor, and Default RNA Health Policies are not used on the Master Defense Center. Policies that are not applicable are implicitly disabled when there is an attempt to apply them to a Defense Center or a Master Defense Center. For a listing of the health policy modules that apply to Master Defense Centers, see the Enabled MDC Health Modules - Default Health Policy table on page 493. For a listing of the health policy modules that apply to Defense Centers, see the Enabled Defense Center Health Modules - Default Health Policy table on page 494. For details about editing appropriate health policies, see Editing Health Policies on page 530.

Adding and Deleting Defense Centers
Requires: MDC + DC

When you manage a Defense Center with your Master Defense Center, you set up a two-way, SSL-encrypted communication channel between the appliances. The Defense Center uses this channel to send events to the Master Defense Center. As the Defense Center receives events from its sensors, it evaluates which events, based on the filter configuration, it should send to the Master Defense Center using the same channel.
• Adding a Defense Center on page 168
• Deleting a Defense Center on page 171
• Resetting Management of a Defense Center on page 171

Adding a Master Defense Center
Requires: MDC + DC

You can add a Master Defense Center connection to your Defense Center. To add a Master Defense Center, you must make sure that the network settings are configured correctly on both appliances. This is usually completed as part of the installation process, but you can see Configuring Network Settings on page 377 for details. Three fields are provided for setting up communications between appliances:
• Management Host or Host - for the hostname or IP address
• Registration Key - for the one-time use registration key
• Unique NAT ID (optional) - for a unique alphanumeric ID
Valid combinations include:
• Management Host or Host and Registration Key used on both appliances
• Registration Key and Unique NAT ID used on the Defense Center, with Host, Registration Key, and Unique NAT ID used on the Master Defense Center
• Management Host, Registration Key, and Unique NAT ID used on the Defense Center, with Registration Key and Unique NAT ID used on the Master Defense Center

IMPORTANT! The Management Host or Host field (hostname or IP address) must be used on at least one of the appliances. See Working in NAT Environments on page 112 for more information.

TIP! Set up the managed appliance first. At a Defense Center, add the remote management, then at the managing Master Defense Center, add the Defense Center.

TIP! To add an existing high availability pair of Defense Centers to a Master Defense Center, add the primary Defense Center; the secondary Defense Center is automatically added.

Before you add a Master Defense Center, you need to determine which events on the Defense Center you want to forward to the Master Defense Center.

To add a Master Defense Center to a Defense Center:
Access: Admin
1. Log into the web interface of the Defense Center you want to add.
2. Select Operations > System Settings. The Information page appears.
3. Click Remote Management. The Remote Management page appears.
4. Click Add Manager. The Add Remote Management page appears.
5. In the Management Host field, type the IP address or the host name of the Master Defense Center that you want to use to manage the Defense Center. You can leave the Management Host field empty if the management host does not have a routable address. In that case, use both the Registration Key and the Unique NAT ID fields.
WARNING! Make sure you use hostnames rather than IP addresses if your network uses DHCP to assign IP addresses.
6. In the Registration Key field, type the one-time use registration key that you want to use to set up a communications channel between the Master Defense Center and the Defense Center.
7. Optionally, in the Unique NAT ID field, type a unique alphanumeric NAT ID that you want to use to identify the Defense Center.
8. Click Save. After the Defense Center confirms communication with the Master Defense Center, the Pending Registration status appears.
9. Log into the Master Defense Center's web interface using a user account with Admin access, and select Operations > Appliances. The Defense Centers page appears.
10. Click New Defense Center. The New Defense Center page appears.
11. Type the IP address or the hostname of the Defense Center you want to add in the Host field. You can leave the Host field empty if the host does not have a routable address. In that case, use both the Registration Key and the Unique NAT ID fields.
WARNING! Make sure you use hostnames rather than IP addresses if your network uses DHCP to assign IP addresses.
12. In the Registration Key field, type the same one-time use registration key that you used in step 6.
13. If you used a unique NAT ID in step 7, type the same value in the Unique NAT ID (optional) field.
14. Under Filter Configuration, identify the types of events you want to forward from the Defense Center to the Master Defense Center. Note that if you select intrusion events, you can send events or events and packet data. You can also filter which intrusion events are forwarded based on their impact flag. If you chose to send compliance events to the Master Defense Center, white list events are also sent. See Editing the Event Filter Configuration on page 176 for more information.
IMPORTANT! You must select at least one type of flag if you want to send intrusion events.
15. Click Add. The Defense Center is added to the Master Defense Center. It can take up to two minutes for the Defense Center to establish communication with the Master Defense Center. You can view the status on the Defense Centers page (Operations > Appliances).
16. After communications between the two appliances are established, continue with the procedure in Adding a Defense Center.

IMPORTANT! If you registered a Master Defense Center and Defense Center using IPv4 and want to convert them to IPv6, you must delete and re-register the Defense Center.

Adding a Defense Center
Requires: MDC + DC

Before you add a Defense Center to a Master Defense Center, you must make sure that the network settings are configured correctly on both appliances. This is usually completed as part of the installation process. For more information see Configuring Network Settings on page 377. Three fields are provided for setting up communications between appliances:
• Management Host or Host - for the hostname or IP address
• Registration Key - for the one-time use registration key
• Unique NAT ID (optional) - for a unique alphanumeric ID
Valid combinations include:
• Management Host or Host and Registration Key used on both appliances
• Registration Key and Unique NAT ID used on the Defense Center, with Host, Registration Key, and Unique NAT ID used on the Master Defense Center
• Management Host, Registration Key, and Unique NAT ID used on the Defense Center, with Registration Key and Unique NAT ID used on the Master Defense Center

IMPORTANT! The Management Host or Host field (hostname or IP address) must be used on at least one of the appliances. See Working in NAT Environments on page 112 for more information.

TIP! Set up the managed appliance first. At a Defense Center, add the remote management, then at the managing Master Defense Center add the Defense Center.
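The field combinations listed under Adding a Master Defense Center and Adding a Defense Center, turned into a checker you can run over the values you intend to type on each appliance before registering. This is an added example, not code from the Sourcefire 3D System: it encodes the three valid combinations, the IMPORTANT note that a hostname or IP address must be used on at least one appliance, the requirement that the same one-time registration key (and, when used, the same alphanumeric NAT ID) is typed on both sides, and the WARNING about IP literals under DHCP. The RegistrationSide class, the function names, and the sample values are constructed; accepting a host on both sides together with a matching NAT ID on both sides is my reading of the procedures (the NAT ID is optional and must match when used), not a combination the guide lists.

```python
"""Checker for a Defense Center / Master Defense Center registration pairing (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RegistrationSide:
    """Values typed on one appliance: Management Host (on the Defense Center) or
    Host (on the Master Defense Center), Registration Key, and Unique NAT ID."""
    host: Optional[str]
    registration_key: str
    nat_id: Optional[str] = None


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_pairing(dc: RegistrationSide, mdc: RegistrationSide, dhcp: bool = False,
                  used_keys: frozenset = frozenset()) -> Tuple[List[str], List[str]]:
    """Return (problems, warnings). An empty problems list means the pair matches
    a combination the guide accepts; warnings are advisory only."""
    problems: List[str] = []
    warnings: List[str] = []

    # The same one-time registration key must be typed on both appliances.
    if not dc.registration_key or not mdc.registration_key:
        problems.append("Registration Key is required on both appliances")
    elif dc.registration_key != mdc.registration_key:
        problems.append("Registration Key differs between the two appliances")
    elif dc.registration_key in used_keys:
        problems.append("Registration Key has already been used; keys are one-time use")

    # IMPORTANT! in the guide: a hostname or IP address on at least one side.
    if not dc.host and not mdc.host:
        problems.append("Management Host or Host must be used on at least one of the appliances")

    # A side without a routable address needs the NAT ID, on both appliances.
    if not dc.host or not mdc.host:
        if not dc.nat_id or not mdc.nat_id:
            problems.append("when an appliance has no routable address, use both the "
                            "Registration Key and the Unique NAT ID fields on both appliances")

    # When the Unique NAT ID is used it must be identical on both sides and alphanumeric.
    if dc.nat_id or mdc.nat_id:
        if dc.nat_id != mdc.nat_id:
            problems.append("Unique NAT ID differs between the two appliances")
        elif not dc.nat_id.isalnum():
            problems.append("Unique NAT ID must be alphanumeric")

    # WARNING! in the guide: prefer hostnames over IP literals when DHCP assigns addresses.
    if dhcp:
        for label, side in (("Defense Center", dc), ("Master Defense Center", mdc)):
            if side.host and _is_ip_literal(side.host):
                warnings.append(f"{label} refers to its peer by IP address {side.host}; "
                                "use a hostname when DHCP assigns addresses")
    return problems, warnings


if __name__ == "__main__":
    # Constructed sample values: a Defense Center that sits behind NAT and so
    # leaves Management Host empty, paired with a Master Defense Center that
    # supplies the Defense Center's hostname, the same key, and the same NAT ID.
    dc_side = RegistrationSide(host=None, registration_key="k7f2q9", nat_id="dc1nat")
    mdc_side = RegistrationSide(host="dc1.example.net", registration_key="k7f2q9", nat_id="dc1nat")
    print(check_pairing(dc_side, mdc_side, dhcp=True))
```

Run it against each of the three listed combinations and it returns no problems; drop the host from both sides, or mistype the key on one of them, and the corresponding problem is reported before you commit either form.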

Before you add a Defense Center, you need to predetermine which events on the Defense Center you want to forward to the Master Defense Center.

To add a Defense Center to a Master Defense Center:
Access: Admin
1. Using a user account with Admin access, log into the web interface of the Defense Center you want to add.
2. Select Operations > System Settings. The Information page appears.
3. Click Remote Management. The Remote Management page appears.
4. Click Add Manager. The Add Remote Management page appears.
5. In the Management Host field, type the IP address or the host name of the Master Defense Center that you want to use to manage the Defense Center.
TIP! You can leave the Management Host field empty if the management host does not have a routable address. In that case, use both the Registration Key and the Unique NAT ID fields.
WARNING! Make sure you use hostnames rather than IP addresses if your network uses DHCP to assign IP addresses.
6. In the Registration Key field, type the one-time use registration key that you want to use to set up a communications channel between the Master Defense Center and the Defense Center.
7. Optionally, in the Unique NAT ID field, type a unique alphanumeric NAT ID that you want to use to identify the Defense Center.
8. Click Save. After the Defense Center confirms communication with the Master Defense Center, the Pending Registration status appears.
9. Log into the Master Defense Center's web interface using a user account with Admin access, and select Operations > Appliances. The Defense Centers page appears.
10. Click New Defense Center. The New Defense Center page appears.
11. Type the IP address or the hostname of the Defense Center you want to add in the Host field.
WARNING! Make sure you use hostnames rather than IP addresses if your network uses DHCP to assign IP addresses.
12. In the Registration Key field, type the same one-time use registration key that you used in step 6.
13. If you used a NAT ID in step 7, type the same value in the Unique NAT ID (optional) field.
14. Under Filter Configuration, identify the types of events you want to forward from the Defense Center to the Master Defense Center. Note that if you select intrusion events, you can send events or events and packet data. You can also filter which intrusion events are forwarded based on their impact flag. If you chose to send compliance events to the Master Defense Center, white list events are also sent. See Editing the Event Filter Configuration on page 176 for more information.
IMPORTANT! You must select at least one type of flag if you want to send intrusion events.
15. Click Add. The Defense Center is added to the Master Defense Center. It can take up to two minutes for the Defense Center to establish communication with the Master Defense Center. You can view the status on the Defense Centers page (Operations > Appliances).

Deleting a Defense Center
Requires: MDC + DC

If you no longer want to manage a Defense Center, you can delete it from the Master Defense Center. Deleting a Defense Center severs all communication between the Defense Center and the Master Defense Center. To manage the Defense Center again at a later date, you must re-add it to the Master Defense Center. To keep the Defense Center from trying to reconnect to the Master Defense Center, you should also delete the manager on the Defense Center.

To delete a Defense Center from the Master Defense Center:
Access: Admin
1. Log into the Master Defense Center web interface, and select Operations > Appliances. The Defense Centers page appears.
2. Click Delete next to the Defense Center you want to delete. Communication between the Master Defense Center and the Defense Center is discontinued and the Defense Center is deleted from the Defense Centers page.
3. Log into the web interface of the Defense Center you want to delete.
4. Select Operations > System Settings. The Information page appears.
5. Click Remote Management. The Remote Management page appears.
6. Click Delete next to the Master Defense Center that was managing the Defense Center. The manager is removed.

Resetting Management of a Defense Center
Requires: MDC + DC

If communications fail between the Master Defense Center and one of your Defense Centers, you can reset management of the Defense Center. To do this, you must first delete the manager on the Defense Center and delete the Defense Center on the Master Defense Center. You can then re-add the Master Defense Center on the Defense Center and then add the Defense Center to a Master Defense Center. If you want to manage a Defense Center with a different Master Defense Center, you must also reset management before adding the Defense Center to the other Master Defense Center.

To reset management from a Master Defense Center:
Access: Admin
1. Log into the web interface of the Master Defense Center where you want to reset communications.
2. Select Operations > Appliances. The Defense Centers page appears.
3. Click Delete next to the Defense Center you want to delete. Communication between the Defense Center and the Master Defense Center is discontinued and the Defense Center is deleted from the Defense Centers page.

To delete management on the Defense Center:
Access: Admin
1. Log into the web interface of the Defense Center where you want to reset communications.
2. Select Operations > System Settings. The Information page appears.
3. Click Remote Management. The Remote Management page appears.
4. Click Delete next to the Master Defense Center where you want to reset management. The manager is removed.

To re-add the Defense Center to the Master Defense Center:
Access: Admin
1. Log into the web interface of the Defense Center where you want to reset communications and click Add Manager.
2. In the Management Host field, type the IP address or the host name of the Master Defense Center that you want to use to manage the Defense Center.
TIP! You can leave the Management Host field empty if the management host does not have a routable address. In that case, use both the Registration Key and the Unique NAT ID fields.
WARNING! Make sure you use hostnames rather than IP addresses if your network uses DHCP to assign IP addresses.
3. In the Registration Key field, type the one-time use registration key that you want to use to set up a communications channel between the Defense Center and the Master Defense Center.
4. Optionally, in the Unique NAT ID field, type a unique alphanumeric NAT ID that you want to use to identify the Defense Center. See Working in NAT Environments on page 112 for more information.
5. Click Save. After the Defense Center confirms communication with the Master Defense Center, the Pending Registration status appears.
6. Log into the Master Defense Center's web interface and select Operations > Appliances. The Defense Centers page appears.
7. Click New Defense Center. The Add New Defense Center page appears.
8. Type the IP address or the hostname of the Defense Center you want to add in the Host field.
WARNING! Make sure you use hostnames rather than IP addresses if your network uses DHCP to assign IP addresses.
9. In the Registration Key field, type the same one-time use registration key that you used in step 3.
10. If you used an alphanumeric NAT ID in step 4, type the same value in the Unique NAT ID (optional) field.
11. To add the Defense Center to a group, select the group from the Add to Group list. For more information about Defense Center groups, see Managing Appliance Groups on page 179.
12. Click Add. The Defense Center is added to the Master Defense Center. It can take up to two minutes for the Master Defense Center to verify communication with the Defense Center. You can view the Defense Center's status on the Defense Centers page (Operations > Appliances).

Using the Appliances Page
Requires: MDC + DC

The Appliances page (Operations > Appliances) provides you with a range of information and options that you can use to manage your Defense Centers. The following sections describe the features on the Appliances page.

Sort-by Drop-Down List
Use this drop-down list to sort the Appliances page according to your needs. You can sort by:
• Group, which sorts by appliance group (see Managing Appliance Groups on page 179).
TIP! High availability Defense Center pairs are automatically listed as an appliance group. An HA pair is listed as a group named with the name of the active Defense Center.
• Manager, which sorts by the Defense Center, then the 3D Sensor connected to it.
• Model, which sorts by appliance model number, that is, the Defense Center 1000 and the Defense Center 3000, 3D Sensor 2100, and so on.

Status Icons
The status icons indicate the state of a Defense Center. The green check mark icon indicates that the Master Defense Center and the Defense Center are communicating properly. If the Master Defense Center has not received a communication from a Defense Center within the last two minutes, it sends a two-byte heartbeat packet to establish contact and ensure that the communications channel is still running. The red exclamation point icon indicates that the Master Defense Center has not received communications from the Defense Center in the last three minutes. If you hover your cursor over the icon, a pop-up window indicates the amount of time (in hours, minutes, and seconds) since the last contact. If your network is constrained in bandwidth, you can contact technical support to change the default time interval.

Edit and Delete Icons
Click the Edit icon next to a Defense Center if you want to change the Defense Center's current system settings. The system settings include the filter configuration for the Defense Center, the remote management configuration, the health blacklist settings, and the high availability settings. See Editing Settings for a Managed Defense Center on page 175 for more information. Click the Delete icon next to a Defense Center if you no longer want to manage the Defense Center with the Master Defense Center. See Deleting a Defense Center on page 171 for more information.

Editing Settings for a Managed Defense Center
Requires: MDC + DC
After you configure management of a Defense Center by a Master Defense Center, you can use the Master Defense Center web interface to view and edit the configuration of the Defense Center. See the following sections for more information.
• Viewing the Defense Center Information Page on page 175
• Editing the Event Filter Configuration on page 176
• Editing or Disabling Remote Management Communications on page 178
• Managing the Health Blacklist on page 178
• Managing High Availability Defense Centers on page 178

Viewing the Defense Center Information Page
Requires: MDC + DC
To access the system settings information page for a managed Defense Center, select Appliances from the Operations menu, then click Edit next to the Defense Center. The Information page for a managed Defense Center includes the fields described in the Defense Center Information table.

Defense Center Information
Field: Description
Name: The assigned name for the Defense Center. Note that this is the name of the Defense Center in the Master Defense Center web interface, not the hostname.
Product Model: The model name for the managed Defense Center.
Software Version: The version of the software currently installed on the managed Defense Center.
Operating System: The operating system currently running on the managed Defense Center.
Operating System Version: The version of the operating system currently running on the managed Defense Center.
VDB Version: The Vulnerability Database version on the managed Defense Center.
IP Address: The IP address of the managed Defense Center.

Defense Center Information (Continued)
Field: Description
Status: An icon showing the current status of the managed Defense Center. If you hover your cursor over the icon, a pop-up message indicates how long it has been (in hours, minutes, and seconds) since the Defense Center communicated with the Master Defense Center. You can click Refresh to update the Status icon and its accompanying pop-up message.
Model Number: The model number for the Defense Center. This number can be important for troubleshooting.
Current Group: The group that the Defense Center belongs to, if any.

You can edit the following:
• the name of the Defense Center
• the group in which the Defense Center resides
WARNING! The name must be made up of a combination of alphanumeric characters and should not be made up of numeric characters only.

To edit a managed Defense Center’s settings:
Access: Admin
1. Change the Defense Center’s attributes as needed.
2. Click Save. The updated Defense Center attributes are saved.

Editing the Event Filter Configuration
Requires: MDC
The settings on the Filter Configuration page control which events are sent from the Defense Center to the Master Defense Center that manages it. Your options are to send intrusion events, intrusion events and related packet data, and compliance events. If you want to send intrusion events (with or without packet data), you can also specify which intrusion events are sent based on their impact flag. See the Impact Flags table in the Analyst Guide for an explanation of what each impact flag means. Note that you must deploy both RNA and IPS as part of your Sourcefire 3D System deployment to generate meaningful impact flags.

To modify the event filter configuration:
Access: Admin
1. On the Master Defense Center’s web interface, select Operations > Appliances. The Appliances page appears.
2. Next to the Defense Center whose filter configuration you want to change, click Edit. The Filter Configuration page appears.
3. In the Intrusion Events area, use the drop-down list to indicate whether you want to forward intrusion events to the Master Defense Center. The options are Do Not Send, Events Only, and Events and Packet Data.
TIP! If you set up the 3D Sensor so it does not send packet data to the intermediate Defense Center, then packet data is not forwarded to the Master Defense Center.
4. If you indicated that you want to send intrusion events, then you must specify which events you want to send based on their impact flag. The Flags options are:
• All
• Black (or Drop)
• Red (or Vulnerable)
• Orange (or Potentially Vulnerable)
• Yellow (or Currently Not Vulnerable)
• Blue (or Unknown Target)
• Gray (or Unknown)
TIP! If you select All, then all the options are immediately selected. If you want to send intrusion events to the Master Defense Center, then you must select at least one impact flag option.

5. In the Compliance Events area, use the drop-down list to indicate whether you want to forward compliance events to the Master Defense Center. The options are Do Not Send and Send.
6. Click Save. Your settings are saved and the Defense Center begins forwarding the events you specified to the Master Defense Center that manages it.

Editing or Disabling Remote Management Communications
Requires: MDC + DC
You can manage communications between a managed Defense Center and its Master Defense Center using the Master Defense Center’s web interface. For example, if a Defense Center is no longer responding, you can temporarily disable communications between the Defense Center and its Master Defense Center.
IMPORTANT! Master Defense Centers do not currently use a Management Virtual Network. The field is filled with 0.0.0.0/24 to indicate that the Management Virtual Network is disabled on a Master Defense Center. You cannot edit the Management Virtual Network field of a Master Defense Center. For more information about editing the Management Virtual Network, see Editing the Management Virtual Network on page 385.

To disable communications between the Defense Center and the Master Defense Center:
Access: Admin
Click Disable next to the name of the Defense Center. Communications between the two appliances are interrupted. To enable communications between the two appliances again, click Enable.

Managing the Health Blacklist
Requires: MDC + DC
You can blacklist individual health policy modules on Defense Centers. You may want to do this to prevent events from the module from changing the status for the appliance to warning or critical. For information on using the blacklisting function, see Using the Health Monitor Blacklist on page 534.

Managing High Availability Defense Centers
Requires: MDC + DC
You can configure, disable, monitor, pause and restart Defense Center High Availability from a Defense Center. See the following sections for more information:
• Using Redundant Defense Centers on page 112
• Setting Up High Availability on page 150

• Monitoring the High Availability Status on page 152
• Disabling High Availability and Unregistering Sensors on page 153
• Pausing Communication between Paired Defense Centers on page 154
• Restarting Communication between Paired Defense Centers on page 154
If High Availability is configured, you can activate Defense Center High Availability from a Master Defense Center.
TIP! High availability Defense Center pairs are automatically listed as an appliance group. An HA pair is listed as a group with the name of the active Defense Center.
TIP! A light bulb icon shows which of the high availability paired Defense Centers is currently active.
TIP! When using Intrusion Agents registered to Defense Centers configured for high availability and managed by a Master Defense Center, register all Intrusion Agents to the primary Defense Center.

To activate a redundant Defense Center:
Access: Admin
1. Select Operations > Appliances. The Appliances page appears.
2. Click Edit next to the appropriate Defense Center. The System Settings page for that Defense Center appears.
3. Click High Availability. The high availability page appears with the paired Defense Centers.
4. Click Activate to activate the redundant Defense Center. The redundant Defense Center is activated.

Managing Appliance Groups
Requires: MDC
The Master Defense Center allows you to group appliances so that you can easily search for events based on whether they were forwarded by one of a specific group of appliances.

See the following sections for more information:
• Creating Appliance Groups on page 180 explains how to create a Defense Center group on the Master Defense Center.
• Editing Appliance Groups on page 180 explains how to modify the list of Defense Centers in a Defense Center group.
• Deleting Appliance Groups on page 181 explains how to delete a Defense Center group.

Creating Appliance Groups
Requires: MDC
Grouping managed appliances allows you to use the group name as a search criterion when you search for specific compliance or intrusion events. Moving an appliance to a new group does not change any of its policies or configurations.
TIP! You must remove an appliance from its current group before you can add it to a new group.

To create an appliance group and add appliances to it:
Access: Admin
1. On the Master Defense Center, select Operations > Appliances. The Appliances page appears.
2. Click Create New Appliance Group. The Create Appliance Group page appears.
3. In the Group Name field, type the name of the group you want to create.
4. Click Save. The group is added.
5. To add appliances to the group, return to the Appliances page (Operations > Appliances) and click Edit next to the name of the group. The Appliance Group Edit page appears.
6. Select the IP addresses or hostnames of the appliances you want to add from the Available Appliances list and click the arrow to move them into the group.
7. Click Save. The appliances are added to the group and the Appliances page appears again.

Editing Appliance Groups
Requires: MDC
You can change the set of appliances that reside in any appliance group.

To edit an appliance group:
Access: Admin
1. On the Master Defense Center, select Operations > Appliances. The Appliances page appears.
2. Click Edit next to the Appliance group you want to edit. The Appliance Group Edit page appears.
3. Select the appliance you want to move and click the arrow to add or remove it from the group.
• To add an appliance to the group, select it from the Available Appliances list and click the arrow pointing toward the group you are editing.
• To remove an appliance from a group, select it from the list in the group you are editing and click the arrow pointing to the Available Appliances list.
4. Click Save.

Deleting Appliance Groups
Requires: MDC
If you delete a group that contains appliances, the appliances are moved to Ungrouped on the Appliances page. They are not deleted from the Master Defense Center.

To delete an appliance group:
Access: Admin
1. Select Operations > Appliances. The Appliances page appears.
2. Click Delete next to the group you want to delete. The appliances group is removed from the Master Defense Center.

Editing Master Defense Center System Settings
Requires: MDC
With a few exceptions, the Master Defense Center system settings are the same as those of a Defense Center.
IMPORTANT! NetFlow-enabled devices cannot currently be added to a Master Defense Center.
See the following sections for information on each of the listed system settings:
• Listing Master Defense Center Information on page 182
• Viewing a Master Defense Center License on page 182
• Configuring Network Settings on page 377
• Shutting Down and Restarting the System on page 182

• Setting System Time on page 183
• Blacklisting Health Policies on page 184

Listing Master Defense Center Information
Requires: MDC
For details on information listed under the Master Defense Center system settings, see Defense Center Information on page 175.
WARNING! The name must be made up of a combination of alphanumeric characters and should not be made up of numeric characters only.

To edit a Master Defense Center’s settings:
Access: Admin
1. Change the name of the Master Defense Center attributes as needed.
2. Click Save. The updated Master Defense Center attributes are saved.

Viewing a Master Defense Center License
Requires: MDC
Unlike a Defense Center, a Master Defense Center cannot manage the licenses of Defense Centers or 3D Sensors.

To view information about the Master Defense Center license:
Access: Admin
1. Select Operations > System Settings. The Information page appears.
2. Click License. The License page appears.

Configuring Network Settings
Requires: MDC
The network settings are identical to those of the Defense Center. For information on configuring the Master Defense Center network settings, see Configuring Network Settings on page 377.

Shutting Down and Restarting the System
Requires: MDC
You have several options for controlling the processes on your Master Defense Center. You can:
• shut down the appliance
• reboot the appliance
• restart the appliance

To shut down or restart your appliance:
Access: Admin
1. Select Operations > System Settings. The Information page appears.
2. Click Process. The Appliance Process page appears.
3. Specify the command you want to perform:
• If you want to shut down the Master Defense Center, click Run Command next to Shutdown Master Defense Center.
• If you want to reboot the system, click Run Command next to Reboot Master Defense Center.
• If you want to restart the Defense Center, click Run Command next to Restart Master Defense Center Console. Note that restarting the Defense Center may cause deleted hosts to reappear.

Configuring Remote Management Networking
Requires: MDC
A Master Defense Center’s Management Virtual Network is disabled. The field is filled with the address range 0.0.0.0/24 to disable the Management Virtual Network. You cannot edit the Management Virtual Network field if the Defense Center is in the Master Defense Center operational mode.
IMPORTANT! Master Defense Centers do not currently use a Management Virtual Network.

Setting System Time
Requires: MDC
The system time is set and synchronized in accordance with the system policy. On the Time Synchronization page you can choose to serve time from the Master Defense Center by selecting Enabled in the Serve Time via NTP field.
TIP! Because Master Defense Centers do not currently use Management Virtual Networks, their real IP network is used to serve time.

To specify how the Master Defense Center clock is set:
Access: Admin
You have two options:
• To set the time manually, select Manually in the System Settings.
• To receive time through NTP from a different server, select Via NTP Server from and, in the text box, type the IP address of the NTP server or, if DNS is enabled, type the fully qualified host and domain name.
WARNING! If the appliance is rebooted and your DHCP server sets an NTP server record different than the one you specify here, the DHCP-provided NTP server will be used instead. To avoid this situation, you should configure your DHCP server to set the same NTP server.
For more information about setting system time, see Synchronizing Time on page 354.

Blacklisting Health Policies
Requires: MDC
You can blacklist health policy modules when required. The Master Defense Center supports the following health policy modules:
• Appliance Heartbeat
• CPU Usage
• Data Correlator Process
• Defense Center Status
• Disk Usage
• eStreamer Process
• Event Stream Status
• Memory Usage
For more information on blacklisting a health policy, see Blacklisting a Health Policy Module on page 537.

Chapter 6 Using Detection Engines and Interface Sets

To give you increased flexibility in your deployment choices, the Sourcefire 3D System provides a feature called the detection engine. You can think of a detection engine as a collection of one or more sensing interfaces (called an interface set) on a 3D Sensor plus a portion of the sensor’s computing resources (called a detection resource). 3D Sensors support three types of detection engines:
• IPS
• RNA
• RUA
TIP! You cannot use the RUA feature on Crossbeam-based software sensors. In addition, you cannot use RUA or RNA on 3D9800 sensors. However, you can combine the data from those sensors with RUA or RNA on a Defense Center.
The number of detection engines per sensor is limited by the number of detection resources that are available. Most 3D Sensor models have at least three detection resources available and can support at least three detection engines: one for IPS, one for RNA, and the third for RUA. See the Detection Resources by Model table on page 190 for more information.

The following sections describe the detection engines and interface set features and how you can use them in your Sourcefire 3D System deployment:
• Understanding Detection Engines on page 186 explains detection engines in more detail, including some of the limitations based on the sensor model. This section also describes how default detection engines are configured.
• Managing Detection Engines on page 193 explains how to create, edit, and delete detection engines.
• Using Detection Engine Groups on page 197 explains how to create and use detection engine groups.
• Using Variables within Detection Engines on page 199 explains how to use detection engine-specific variable values to tailor your detection capabilities to more closely match your infrastructure.
• Using Interface Sets on page 207 describes how to create interface sets and how to use them with detection engines.
• Using Interface Set Groups on page 223 describes how to create and use interface set groups.
• Inline Fail Open Interface Set Commands on page 225 explains how to force an interface set in and out of bypass mode when using an inline fiber fail open interface set.
• Using Clustered 3D Sensors on page 227 explains how to use detection engines and interface sets in a clustered 3D9900 sensor pairing.

Understanding Detection Engines
Requires: DC or 3D Sensor
A detection engine is the mechanism on a 3D Sensor that is responsible for analyzing the traffic on the network segment where the sensor is connected.

To list the available detection engines:
Access: Admin
Select Operations > Configuration > Detection Engines > Detection Engines. The Available Detection Engines page appears. The figure below shows the Defense Center version of the page. You can sort the available detection engines by group, sensor, detection engine type, policy, or interface set type.

Detection Engine Type, Resources, and Interface Set
Depending on which components are licensed on the sensor, 3D Sensors can support three types of detection engines: IPS, RNA, and RUA. A detection engine has two main components:
• an interface set, which can include one or more sensing interfaces
• a detection resource, which is a portion of the sensor’s computing resources
For information about detection engines and detection resources, see Understanding Detection Resources and 3D Sensor Models on page 189.

PEP Policy
Only 3D9900 sensors provide the PEP feature. For more information on the PEP feature, see Using PEP to Manage Traffic in the Analyst Guide.

Set Type
An interface set refers to a grouping of one or more sensing interfaces on a sensor, although a sensing interface can belong to only one interface set at a time. The Sourcefire 3D System supports three types of interface sets, but the interface options available to you depend on the type of sensor and the capabilities of its sensing interfaces. The three interface types are described in the Interface Set Types table.

Interface Set Types
Type: Description
Passive: Use a passive interface set if you deployed the sensor out of band from the flow of network traffic.
Inline: Use an inline interface set if you deployed the sensor inline on your network and the sensing interfaces do not support automatic fail-open capabilities. Note that you can use any two of the non-fail-open interfaces on the sensor’s network interface cards as part of an inline interface set.
Inline with Fail Open: Use an inline with fail open interface set if you deployed the sensor inline on your network and the sensing interfaces do support automatic fail-open capabilities. Note that you must use paired fail-open interfaces on the sensor’s network interface cards for an inline with fail open interface set. (The exception is on 3D9900s, where pairs are pre-determined.)

You can use RNA or RUA to monitor the traffic that passes through any of the three types of interface sets. If you are monitoring the same inline interface set with both IPS and RNA or RUA, and the IPS detection engine fails for any reason, the RNA or RUA detection engine monitoring that interface set will not see any traffic until the IPS detection engine restarts.
IMPORTANT! On a 3D3800 or 3D5800 sensor, if you plan to use RNA to monitor either an inline or inline with fail open interface set, you must either configure an IPS detection engine that uses that interface set, as well as apply an intrusion policy to that detection engine, or configure the interface set in tap mode. Otherwise, the RNA detection engine monitoring that interface set will not see any traffic. Neither RNA nor RUA is supported on the 3D9800 sensor.
See Using Interface Sets on page 207 for more information about creating and editing interface sets.

Policy
3D Sensors have different capabilities and limitations depending on whether you licensed IPS, RUA, or RNA.
TIP! After you upgrade your sensor to version 4.9 you have the advantage of the following listed features.
You can determine the name and state of IPS and RNA policies from the following information in the policy column:
• If you change an IPS or RNA policy and have not applied it to the detection engine since the change, then the icon has an exclamation point and the name is italicized.
• You can click the name of an IPS policy to see details about the running policy. For more information see Viewing an Intrusion Policy Report in the Analyst Guide.

• If there is a network or VLAN filter applied to the IPS policy, you can click More or the down icon and view the type (Net for network or VLAN for virtual LAN) of the filter. If you hover above the name you can view the network or VLAN range of the filter.
• If you want to remove the currently applied filter from the IPS policy, click the delete icon next to the filter name, then OK to confirm.
• If you want to remove the currently applied IPS policy from the detection engine, click the delete icon next to the intrusion policy name. The delete icon only appears next to the base policy when there are no network or VLAN filters applied.
IMPORTANT! Initially, the Available Detection Engines page does not indicate that the filtered or base intrusion policy is deleted. Select Monitor > Task Status to track the progress of the deletion process, which takes approximately 30 seconds.
• If you want to reapply all policies for the detection engine, click Reapply All.

Sensor
The sensor column provides the name of the sensor where the policy is applied. It also provides the following capabilities:
• If you want to edit or delete a detection engine, click Edit or Delete next to its sensor name. See Editing a Detection Engine on page 194 and Deleting a Detection Engine on page 197 for more information.
• If you want to list, add, edit, reset, or delete variables associated with a detection engine’s IPS or RNA policy, click Variables. See Using Variables within Detection Engines on page 199 for more information.
For more information see Understanding Detection Resources and 3D Sensor Models on page 189.

Understanding Detection Resources and 3D Sensor Models
Requires: DC or 3D Sensor
3D Sensors with IPS can use multiple detection resources per detection engine, which allows you to use more computing resources when network traffic is high. For example, if you plan to use the 3D3500 sensor in inline mode, you could assign two detection resources to your detection engine to allow processing of more events per second. As a best practice, use one detection resource per application per core on your appliance.
When you configure a new sensor, it has a predefined detection engine that you can choose to modify to meet your needs. See Understanding Default Detection Engines for more information.
Different sensor models have different numbers of detection resources available as shown in the Detection Resources by Model table.
• The Optimal column indicates the per-sensor total number of detection resources you should use if you want to maximize the performance of the sensor.
• The Maximum column indicates the total number of detection resources available on the sensor. It also indicates the maximum number of detection resources you can assign a single detection engine.
• The Combination Restrictions column indicates the permitted combinations of detection resources that you can allocate to detection engines on the same sensor. 3D Sensors can run combinations of IPS, RNA and RUA.

Detection Resources by Model
Model  | Optimal per Sensor | Maximum per Sensor | Combination Restrictions
3D500  | 1  | 2  | Maximum of one IPS and either one RNA or one RUA
3D1000 | 1  | 2  | Maximum of two, can be any type
3D2000 | 1  | 2  | Maximum of two, can be any type
3D2100 | 2  | 3  | No restrictions
3D2500 | 2  | 4  | No restrictions
3D3000 | 2  | 4  | No restrictions
3D3500 | 2  | 6  | No restrictions
3D3800 | 2  | 2  | No restrictions
3D4500 | 4  | 8  | No restrictions
3D5800 | 6  | 6  | No restrictions
3D6500 | 8  | 12 | No restrictions
3D9800 | 12 | 12 | No restrictions
3D9900 | 7  | 12 | No restrictions

Detection Resources by Model (Continued)
Model | Optimal per Sensor | Maximum per Sensor | Combination Restrictions
Virtual 3D Sensor | 3 | 3 | No restrictions
Crossbeam-based software sensors | Refer to Crossbeam-based Software Sensor Considerations on page 191

General Recommendations with Two or More Detection Resources
For improved 3D Sensor performance on sensors with optimal detection resources of two or greater, you can reduce latency by distributing your network traffic across all available interfaces on the sensor. Consider how your network is configured and how you want to deploy the Sourcefire 3D System within it, then distribute the detection engines and detection resources across all operative interfaces on the sensor.

Crossbeam-based Software Sensor Considerations
Depending upon the capabilities of your X-Series and the products you are licensed to use, you have several deployment options for 3D Sensor Software. The number of detection resources depends on the Crossbeam System hardware. As with other 3D Sensors, the maximum number of detection engines that you can create is equal to the number of available detection resources. Refer to the Sourcefire 3D Sensor Software for X-Series Installation Guide for information on deployment scenarios, current Crossbeam System hardware and software support, and detection resources available on Crossbeam System hardware.

Understanding Default Detection Engines
Requires: DC or 3D Sensor
When you install a new 3D Sensor, you can use initial interface sets and default detection engines to quickly begin evaluating network traffic. After initial installation you can modify interface sets and detection engines.

Initial Interface Sets
The initial interface sets for 3D Sensors are:
• Inline with Fail-Open, the default, that builds paired fail-open interface sets on all 3D Sensor interfaces, less the management interface. Depending on the 3D Sensor, typically you pair adjacent interfaces. For example, a 3D2000 Sensor uses eth1 and eth2 as one inline fail-open interface set and it uses eth3 and eth4 as another inline fail-open interface set.
• Passive, that builds a single passive interface set for all 3D Sensor interfaces, less the management interface.
Choose from these initial interface sets based on how you deployed the sensor. Select Inline with Fail-Open Mode if you cabled the sensing interfaces inline on your network as an IPS. Select Passive Mode if the sensing interfaces are not cabled inline. With this configuration, you can connect any of the non-management interfaces to your network and apply the appropriate policy to the detection engine and begin analyzing your network.

Default Detection Engines
Default detection engines are configured with the optimal (rather than maximum) number of detection resources as described in the Detection Resources by Model table on page 190. If you want to change either the number of detection resources or the interfaces assigned to the default detection engine, see Editing a Detection Engine on page 194.

Second On-Board Interface
Some Sourcefire sensors have a second on-board interface, usually near the management interface, that is automatically included in the default detection engine. However, on some of the older models, the second on-board interface cannot support the same high-performance standards as the interfaces on the network interface cards. If your appliance has one of these extra interfaces, and you have deployed it in a high-bandwidth environment where the traffic load is likely to reach the design limits of the appliance, Sourcefire recommends that you remove the second on-board interface from the detection engine for improved performance.
IMPORTANT! For the 3D3000 on the IBM xSeries 346 appliance, note that the default detection engine does not include the second on-board interface. If you modify the default detection engine to include it, the detection engine may not provide optimum performance.

Managing Detection Engines
Requires: DC/MDC or 3D Sensor
See Understanding Detection Engines on page 186 and Using Interface Sets on page 207 for more information about the capabilities of detection engines and the interface sets they depend on. The following sections explain how to create, edit, and delete detection engines.
• Creating a Detection Engine on page 193
• Editing a Detection Engine on page 194
• Deleting a Detection Engine on page 197

Creating a Detection Engine
Requires: DC or 3D Sensor
You can create a detection engine if you have an available interface set and at least one available detection resource. You can use interface sets that include multiple inline interface pairs, when they are available on your 3D Sensor.

To create a detection engine:
Access: Admin
1. Select Operations > Configuration > Detection Engines > Detection Engines. The Detection Engines page appears.
2. Click Create Detection Engine. The Create Detection Engine page appears. The figure below shows the Defense Center version of the page.
3. In the Name and Description fields, enter a name and description for the new detection engine. You can use alphanumeric characters, punctuation, and spaces.

4. Select the type of detection engine that you want to create from the Type drop-down list: IPS, RNA, or RUA.
5. Select the interface set that you want to assign to this detection engine. See Using Interface Sets on page 207 for information about creating and modifying interface sets.
6. Select the number of detection resources for this detection engine. See the Detection Resources by Model table on page 190 for more information.

IMPORTANT! On the 3D500, you can only use one of the two detection resources for IPS. The second detection resource is available only if you want to create a second detection engine for RNA or RUA.

7. Optionally, if you are creating an IPS detection engine and if you are using a 3D Sensor other than a 3D500, 3D1000, or 3D3800, you can select Inspect Traffic During Policy Apply.

IMPORTANT! For most 3D Sensors with inline interface sets, a software bridge is automatically set up to transport packets when the sensor restarts. Although some packets are transmitted without inspection during this time, no packets are lost. However, if this option is employed, the detection engine does not restart and interrupt traffic inspection when the policy is applied.

TIP! This option may degrade performance when you apply a policy and may result in longer policy-apply periods.

8. Optionally, add the detection engine to an existing detection engine group. See Using Detection Engine Groups on page 197 for information on creating and modifying detection engine groups.
9. Click Save. The detection engine is created.

Editing a Detection Engine

Requires: DC or 3D Sensor

In some circumstances, editing an interface set or detection engine can cause the detection engines on the sensor to restart, which can cause a short pause in processing. The following sections describe some of the cases where a detection engine is affected by changes to the detection engines and interface sets:

3Dx800 Sensors

• If you change the number of network interfaces, the interface set type, or the detection engine type, all the detection engines on the sensor are restarted.
• If you change the number of detection resources, all the detection engines on the sensor are restarted because the total number of allocated resources has changed.

IMPORTANT! If you have a 3Dx800 health policy applied to a 3D9800 sensor when you change the number of detection resources, it will generate hardware alarms. Contact Sourcefire Support for information about how to clear those hardware alarms.

• If you change an interface set's transparent mode setting, all the detection engines on the sensor are restarted.
• If you change a detection engine's interface set, all detection engines on the sensor are restarted.
• When you create a detection engine, only that detection engine is started (although other CPUs may be restarted to rebalance the processing load).
• If you create an interface set, all detection engines on the sensor are restarted.
• If you delete a detection engine or interface set, all detection engines on the sensor are restarted.
• If you change the name or description of an interface set or detection engine, nothing is restarted.

Other Sensors

• If you change which network interfaces are used by an interface set, the interface set type, or the setting for tap mode or transparent mode for an interface set, all the detection engines using that interface set are restarted.
• If you change the detection engine type for a detection engine, or which interface set is used, all detection engines assigned to that interface set are restarted.
• If you change the number of detection resources allocated to a detection engine, that detection engine is restarted.
• If you create a detection engine, only that detection engine is restarted (although other CPUs may be restarted to rebalance the processing load).
• If you create an interface set, nothing is restarted. A restart occurs only when you assign a detection engine to the interface set.
• If you delete a detection engine or interface set, nothing is restarted.
• If you change the name or description of an interface set or detection engine, nothing is restarted.

Make sure you plan these actions for times when they will have the least impact on your deployment.

TIP! On your 3D Sensor Software for Crossbeam Systems X-Series, you may want to remove any affected VAPs from the load-balanced list until the associated detection engines restart, then reinstate the VAPs. For more information, see the Sourcefire 3D Sensor Software for X-Series Installation Guide.

You can modify the name, description, group, and number of detection resources for the detection engine. In the case of an IPS detection engine you can also select if traffic is inspected while a policy is being applied. You cannot modify the detection engine type, however. If you need to change the detection engine type, you must delete the detection engine and create a new one.

TIP! The Inspect Traffic During Policy Apply option is not available on 3D500, 3D1000, or 3D3800 sensors.

To edit an existing detection engine:

Access: Admin

1. Select Operations > Configuration > Detection Engines > Detection Engines. The Detection Engines page appears.
2. Click Edit next to the detection engine you want to modify. The Edit Detection Engine page appears.
3. Click Save. Your changes are saved.

Deleting a Detection Engine

Requires: DC or 3D Sensor

Use the following procedure to delete a detection engine.

WARNING! Do not delete a detection engine that is in use. Also, you should not delete a detection engine that is used as a constraint in one or more compliance rules; you should first delete (or modify) the constraint in all rules in which it is used. For information on modifying compliance rules, see Modifying a Rule in the Analyst Guide.

To delete a detection engine:

Access: Admin

1. Select Operations > Configuration > Detection Engines > Detection Engines. The Detection Engines page appears.
2. Click Delete next to the detection engine you want to delete.
3. At the prompt, confirm that you want to delete the detection engine. The detection engine is deleted; however, a record of the detection engine is retained so that events generated by that detection engine are viewable.

Using Detection Engine Groups

Requires: DC/MDC or 3D Sensor

You can use detection engine groups to combine similar detection engines. These groups make it easier to apply policies to detection engines that have similar purposes. See the following sections for more information:

• Creating Detection Engine Groups on page 197
• Editing Detection Engine Groups on page 198
• Deleting Detection Engine Groups on page 199

Creating Detection Engine Groups

Requires: DC/MDC or 3D Sensor

Access: Admin

The following procedure explains how to create a detection engine group.

To create a detection engine group:

1. Select Operations > Configuration > Detection Engines > Detection Engines. The Detection Engines page appears.

2. Click Create Detection Engine Group. The Create Detection Engine Group page appears.
3. Type a name for the detection engine group in the Group Name field.
4. Click Save. The Detection Engine page appears again. You can add detection engines to this group by clicking Edit next to a detection engine name and, on the Edit Detection Engine page, adding the detection engine to the group and clicking Update.

Editing Detection Engine Groups

Requires: DC/MDC or 3D Sensor

The following procedure explains how to edit a detection engine group. You must create a detection engine group before you can edit it. See Creating Detection Engine Groups on page 197.

To edit a detection engine group:

Access: Admin

1. Select Operations > Configuration > Detection Engines > Detection Engines. The Detection Engines page appears.
2. Click Edit for the detection engine group. The Detection Engine Group Edit page appears.
3. Select available detection engines and move them to the detection engine group with the arrow buttons. You can also move detection engines out of the detection engine group.
4. Click Save to add the selected detection engines to the detection engine group. The Available Detection Engines page appears.

Deleting Detection Engine Groups

Requires: DC/MDC or 3D Sensor

When you delete a detection engine group, any detection engines in the group are automatically ungrouped; they are not deleted.

To delete a detection engine group:

Access: Admin

1. Select Operations > Configuration > Detection Engines > Detection Engines. The Detection Engines page appears.
2. Click Delete next to the name of the detection engine group. The detection engine group is deleted.

Using Variables within Detection Engines

Requires: IPS or DC/MDC + IPS

A system default variable sets a variable value on your Sourcefire 3D Sensor or Defense Center that IPS uses by default unless it is overridden by a policy-specific or detection engine-specific value for the same variable. For information on policy-specific variables, which are specific to the policy in which they are created, see Creating New Policy-Specific Variables in the Analyst Guide.

You can associate a system default variable with a specific detection engine and give the resulting detection engine-specific variable an explicit value for that detection engine. When you apply an intrusion policy to that detection engine, IPS can use the value of the detection engine-specific variable in rules you enable in your policy to monitor network traffic and generate events.

For example, the intrusion rules in an intrusion policy take advantage of certain system default variables such as HOME_NET and EXTERNAL_NET to look for exploits that originate outside your network and are targeted against hosts within your network. You can define HOME_NET in your system default variable to encompass your internal address range (for example, 10.10.0.0/16). However, if you have created your detection engines so that one detection engine monitors one class of hosts (in this example, hosts in your network's DMZ in the range 10.10.30.0/24) and another monitors a different class (for example, hosts in your accounting department in the address range 10.10.90.0/24), you can use detection engine-specific variable values to tailor your detection capabilities to more closely match your infrastructure, which includes a mixed address space.

In the system default variable used in the intrusion policy: HOME_NET = 10.10.0.0/16
In the detection engine named DE_DMZ: HOME_NET = 10.10.30.0/24
In the detection engine named DE_ACCT: HOME_NET = 10.10.90.0/24

If you later create another detection engine that monitors the rest of your network, you can use the system default

variable value rather than creating another detection engine-specific value for HOME_NET. When they exist, a detection engine-specific variable value takes precedence over a policy-specific or system default value for the same variable.

You can create detection engine-specific variables and set detection engine-specific values for system default variables within an intrusion policy or from the detection engine Variable List page. Configuration details in this section relate to the detection engine Variable List page. For configuration details related to setting detection engine-specific variables within an intrusion policy, see Creating New Variables in the Analyst Guide. Variables use the same syntax and must follow the same guidelines regardless of whether you create or define them from within intrusion policies or from the detection engine Variable List page. See Creating New Variables in the Analyst Guide and Modifying Variables in the Analyst Guide for more information.

You can also create new variables for use only within the context of the detection engine. Creating a detection engine-specific variable from the detection engine Variable List page also creates a corresponding system default variable with the value set to any. Optionally, you can modify the variable in the intrusion policies and detection engines where it is added automatically to give it a specific definition. You can view the corresponding new system default variable in the list of system default variables within each policy, and on the Variable List page for all other detection engines, where it is listed with the value set to Policy Defined, which means that the value specified in the policy will be used when you apply the policy. You can view the explicit detection engine-specific value you configured in the list of variables for the detection engine within each policy, or on the detection engine Variable List page for the detection engine. If you disable a variable defined on the Variable List page by resetting the variable, the definition reverts to the definition in the intrusion policy the next time you apply the policy.

IMPORTANT! You cannot use variables with RNA detection engines.

For more information, see the following sections:

• Assigning Values to System Default Variables in Detection Engines on page 200
• Creating New Variables for Detection Engines on page 202
• Deleting and Resetting Variables on page 203
• Configuring Custom Variables in Detection Engines on page 204
• Using Portscan-Only Detection Engines on page 205

Assigning Values to System Default Variables in Detection Engines

Requires: IPS or DC/MDC + IPS

You can assign detection engine-specific values to system default variables. For an explanation see Using Variables within Detection Engines on page 199.
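As an added illustration of the precedence just described (not part of the original guide, and not the product's own code), the following Python models the three variable scopes using the page's HOME_NET values for DE_DMZ, DE_ACCT and a third engine that falls back to the system default; the class and function names are my own assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the three variable scopes described on this page:
# system default (sensor/Defense Center wide), policy-specific (per intrusion
# policy) and detection engine-specific (per detection engine, "DE").
# The HOME_NET values come from the page's example; everything else is an
# added illustration, not the Sourcefire 3D System's own API.

POLICY_DEFINED = "Policy Defined"   # marker shown on a DE's Variable List page


@dataclass
class VariableStore:
    system_default: dict = field(default_factory=dict)     # name -> value
    policy: dict = field(default_factory=dict)             # policy -> {name: value}
    detection_engine: dict = field(default_factory=dict)   # DE -> {name: value}

    def set_system_default(self, name, value):
        self.system_default[name] = value

    def set_policy_value(self, policy, name, value):
        self.policy.setdefault(policy, {})[name] = value

    def set_de_value(self, de, name, value):
        """Give an existing system default variable a DE-specific value."""
        if name not in self.system_default:
            raise KeyError(f"{name} is not a system default variable")
        self.detection_engine.setdefault(de, {})[name] = value

    def create_de_variable(self, de, name, value):
        """A variable created on a DE's Variable List page also creates the
        corresponding system default variable with the value 'any'."""
        self.system_default.setdefault(name, "any")
        self.detection_engine.setdefault(de, {})[name] = value

    def reset_de_value(self, de, name):
        """Reset removes the DE entry; the policy definition applies again."""
        self.detection_engine.get(de, {}).pop(name, None)

    def variable_list(self, de):
        """What the DE's Variable List page shows for each system default variable."""
        de_vars = self.detection_engine.get(de, {})
        return {name: de_vars.get(name, POLICY_DEFINED) for name in self.system_default}

    def resolve(self, de, policy, name):
        """DE-specific value wins, then policy-specific, then the system default."""
        de_vars = self.detection_engine.get(de, {})
        if name in de_vars:
            return de_vars[name]
        pol_vars = self.policy.get(policy, {})
        if name in pol_vars:
            return pol_vars[name]
        return self.system_default[name]


def in_home_net(store, de, policy, ip):
    """True when ip falls inside the HOME_NET that IPS would use on this DE."""
    value = store.resolve(de, policy, "HOME_NET")
    if value == "any":
        return True
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(net.strip())
               for net in value.split(","))


def build_example():
    """The page's layout: a /16 system default plus two narrower DE values."""
    store = VariableStore()
    store.set_system_default("HOME_NET", "10.10.0.0/16")
    store.set_de_value("DE_DMZ", "HOME_NET", "10.10.30.0/24")
    store.set_de_value("DE_ACCT", "HOME_NET", "10.10.90.0/24")
    return store


if __name__ == "__main__":
    s = build_example()
    for de in ("DE_DMZ", "DE_ACCT", "DE_REST"):   # DE_REST is a constructed third engine
        print(de, s.resolve(de, "default_policy", "HOME_NET"))
```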

To assign a detection engine-specific value to a system default variable:

Access: Admin

1. Select Operations > Configuration > Detection Engines > Detection Engines. The Detection Engines page appears.
2. Click Variables next to the detection engine where you want to define a variable value. The Variable List page appears. The value for each of the variables defaults to the value within the intrusion policy that is applied to the detection engine.
3. Click Edit next to the variable you want to define. The Variable Binding page appears.
4. Enter a value for the variable and click Save. See Creating New Variables in the Analyst Guide for information about variable syntax. The Variable List page appears again and shows the new value for the variable. The variable takes effect the next time you apply an intrusion policy to the detection engine, as described in Applying an Intrusion Policy in the Analyst Guide.

Creating New Variables for Detection Engines

Requires: IPS or DC/MDC + IPS

When you create an intrusion policy, you can associate detection engine-specific variable definitions with the policy. For an explanation see Using Variables within Detection Engines on page 199.

To create a new variable for a detection engine:

Access: Admin

1. Select Operations > Configuration > Detection Engines > Detection Engines. The Detection Engines page appears.
2. Click Variables next to the detection engine where you want to define a variable value. The Variable List page appears.
3. Click Add Variable. The Variable page appears.
4. In the Variable Name field, enter a name for the variable.
5. From the Variable Type drop-down list, select IP, Port, or Custom.
   • See Defining IP Addresses in Variables and Rules in the Analyst Guide for more information if you are defining an IP address-based variable.
   • See Defining Ports in Variables and Rules in the Analyst Guide for more information if you are defining a port-based variable.
   • See Understanding Custom Variables in the Analyst Guide if you are defining a special-purpose custom variable with one of the reserved variable names described in the Custom Variables table in the Analyst Guide.

6. In the Value field, enter a value for the variable and click Save. See Creating New Variables in the Analyst Guide for information about the syntax for variables. The Variable List page appears again and shows the new variable and its value. The variable is created and is accessible to all policies as a system default variable. It is listed in the variable list for the detection engine in all intrusion policies with the explicitly set value, and listed for all other detection engines on the Variable List page with a value of Policy Defined, meaning that the value specified in the policy will be used when you apply the policy. Creating the new detection engine variable also lists the description Policy Defined for all other IPS detection engines on the Variable List page. The variable takes effect the next time you apply an intrusion policy to the detection engine, as described in Applying an Intrusion Policy in the Analyst Guide.

IMPORTANT! Each new detection engine variable adds a system variable with a value of any that is accessible in all your intrusion policies. In any intrusion policy that you apply to a different detection engine and do not explicitly set a policy-defined or detection engine-specific variable to override the value of the system variable, the value any will be used.

Deleting and Resetting Variables

Requires: IPS or DC/MDC + IPS

You can reset the value of a variable on the Variable List page, and the variable reverts to the value defined in the intrusion policy the next time you apply the intrusion policy to the detection engine. You can also delete variables that you created within the context of the detection engine. You can delete predefined system variables on the detection engine Variable List page, but only if they are not used in any active or inactive rule within the system. You cannot delete predefined system variables within an intrusion policy.

To delete or reset variables on a detection engine:

Access: Admin

1. Select Operations > Configuration > Detection Engines > Detection Engines. The Detection Engines page appears.

2. Click Variables next to the detection engine where you want to delete or reset a variable value. The Variable List page appears.
3. You have two options:
   • To disable the variable value defined in the IPS detection engine and revert to the variable value defined in the policy, click Reset next to the name of the variable. The variable is reset and Policy Defined appears in the Value column.
   • To delete a locally created variable, click Delete next to the name of the variable. The variable is deleted from the detection engine the next time you apply an intrusion policy to the detection engine.

Configuring Custom Variables in Detection Engines

Requires: IPS or DC/MDC + IPS

Custom variables allow you to configure special IPS features that you cannot otherwise configure via the web interface. You create a detection engine-specific custom variable by setting an explicit value for a reserved predefined system variable, or by creating a variable using a specific reserved name. You then define the variable value with a set of instructions appropriate to the function the variable provides. For more information, see Understanding Custom Variables in the Analyst Guide.

You can set an explicit detection engine value for the predefined SNORT_BPF custom system variable. You can add a new USER_CONF detection engine variable using the reserved name USER_CONF.

To configure the SNORT_BPF custom variable for a detection engine:

Access: P&R Admin/Admin

To set an explicit detection engine-specific value for SNORT_BPF using the existing system default variable, see Assigning Values to System Default Variables in Detection Engines on page 200.

To configure the USER_CONF custom variable for a detection engine:

Access: P&R Admin/Admin

To create USER_CONF as a new detection engine-specific variable using the reserved name USER_CONF, see Creating New Variables for Detection Engines on page 202.

Using Portscan-Only Detection Engines

Requires: IPS or DC/MDC + IPS

If you configure a sensor to use multiple detection resources within a single IPS detection engine, a portion of the traffic that the 3D Sensor sees is directed to each detection resource for processing. Internal logic on the sensor ensures that packets belonging to the same session are directed to the same resource for analysis. In this way, the sensor can process more packets with greater efficiency. One downside to using multiple detection resources is that no single resource sees all the traffic on a network segment, which is a requirement for the portscan preprocessor. To overcome this issue, you can create a portscan-only intrusion policy and apply it to a portscan-only detection engine on the sensor. The following steps outline the process you can use to configure your sensor to detect portscans in addition to other exploits against your network assets.

IMPORTANT! A portscan-only intrusion policy is able to process up to three times more traffic than a more complex intrusion policy because it uses fewer CPU resources. However, Sourcefire recommends that you monitor the performance of your sensor to make sure that the portscan-only detection engine is able to keep up with the multi-resource detection engine. Depending on the traffic mix on your network, you may need to adjust the number of resources in the multi-resource detection engine.

1. Using the Defense Center's web interface, create an interface set that includes the network interfaces you want to use on the sensor. The interface set can be passive, inline, or inline with fail open depending on how your sensor is deployed. Multiple detection engines will use this interface set.
2. Create an IPS portscan-only detection engine and assign one detection resource to it. Make sure you use the interface set that you created in step 1.
3. Create another IPS detection engine that uses up to the remaining number of detection resources and the interface set that you created in step 1. Remember that the portscan-only detection engine can use only one detection resource.

4. Create and apply an intrusion policy to the portscan-only detection engine. Make sure you match the type of intrusion policy to the type of interface set that you created in step 1. The policy should inherit or be set to the following settings in the layer in your intrusion policy where you enable portscan detection (see Creating an Intrusion Policy, Working with Layers, and Applying an Intrusion Policy in the Analyst Guide for more information):
   • Select the No Rules Active Base Policy and make sure the Protection Mode is Passive. See Selecting the Base Policy in the Analyst Guide for more information. Note that all rules are disabled on the Rules page.
   • Enable Portscan Detection and configure it for your network environment. Make sure portscan rules are enabled for the types of portscans you configure. See Detecting Portscans in the Analyst Guide for more information.
   • Enable IP Defragmentation (under Transport/Network Layer Preprocessors) and make sure it is configured for your environment (using the Hosts option). See Enabling and Disabling Advanced IPS Features in the Analyst Guide for more information.
   • You should not change the default settings for Checksum Verification or Packet Decoding (under Transport/Network Layer Preprocessors), items listed under Performance Statistics, or Rule Processing Configuration.
   • Ensure that the DCE/RPC Configuration preprocessor, the HTTP Configuration preprocessor, the SMTP Configuration preprocessor (under Application Layer Preprocessors), and Back Orifice Detection (under Specific Threat Detection) are disabled. See Enabling and Disabling Advanced IPS Features in the Analyst Guide for more information.
   • Ensure that OPSEC Configuration (under External Responses) is disabled.
   • You do not need to set up variables for this policy.

IMPORTANT! Note that when portscan detection is enabled, you must enable rules on the Rules page with generator ID (GID) 122 for enabled portscan types for the portscan detector to generate portscan events. See the Portscan Detection SIDs (GID:122) table in the Analyst Guide for more information.

5. Create and apply an intrusion policy for the multi-resource detection engine. Also, make sure you disable portscan detection in this policy.
6. Review the resulting intrusion events to ensure that you are receiving the events you expect.

Using Interface Sets

Requires: DC or 3D Sensor

An interface set is a collection of one or more sensing interfaces on your appliance.

To list the available interface sets:

Access: Admin

Select Operations > Configuration > Detection Engines > Interface Sets. You can sort the available interface sets by group, sensor, set type, or PEP policy.

See the following sections for more information about interface sets:

• Understanding Interface Set Configuration Options on page 207
• Creating an Interface Set on page 213
• Creating an Inline Interface Set on page 216
• Editing an Interface Set on page 221
• Deleting an Interface Set on page 223
• Inline Fail Open Interface Set Commands on page 225
• Using Clustered 3D Sensors on page 227

Understanding Interface Set Configuration Options

Requires: DC or 3D Sensor

There are a number of configuration variables to consider when you configure interface sets.

• With the exception of the Virtual 3D Sensor, you can set up any of your 3D Sensor interfaces in passive, inline, or inline with fail-open mode. The Virtual 3D Sensor supports only passive mode operation.
• You can also set interfaces on most sensors in transparent inline mode.
• On selected sensors you can set interfaces to tap mode.
• Some installations require that the link state be propagated, and most sensor interfaces provide that option.
• Sensors with Gigabit Ethernet interfaces can employ jumbo frames.
• 3D Sensors deployed in networks that are highly sensitive to latency can use the automatic application bypass option.
• Only 3D9900 sensors provide a fail-safe option that works with inline interface sets.
• Only 3D9900 sensors provide the PEP feature. For more information on the PEP feature, see Using PEP to Manage Traffic in the Analyst Guide.

See the following table for a list of 3D Sensors and each of their applicable interface features.

[Table: Supported Features by 3D Sensor Model. Columns: 3D Sensor Model, Transparent Inline Mode, Tap Mode, Link State Propagation Mode, Jumbo Frames, Automatic Application Bypass, Enable Fail-safe, PEP. Rows: Virtual 3D Sensor, 3D500, 3D1000, 3D2000, 3D2100, 3D2500, 3D3000, 3D3500, 3D3800, 3D4500, 3D5800, 3D6500, 3D9800, 3D9900. The per-model Yes entries are not recoverable from this copy; the sections below state which models support each feature.]

See the following sections for more information:

• Types of Interface Sets on page 209
• Transparent Inline Mode on page 209
• Tap Mode on page 210
• Link State Propagation Mode on page 211
• Jumbo Frames on page 212
• Automatic Application Bypass on page 212
• Enabling Fail-Safe on page 213

Types of Interface Sets

When you create an interface set, you can choose one of three types:

• Passive. A passive interface set can encompass any number of the available sensing interfaces on a sensor. You can set up multiple detection engines to use a single interface set, except on the 3D9800 sensor, which only supports a single IPS detection engine. For example, you could create a single passive interface set and create two detection engines, one for an IPS and the other for RNA, then apply different policies to the detection engines.
• Inline. For most sensors, an inline interface set can include any two interfaces. The interfaces do not have to be on the same network cards, but you should avoid using an on-board interface. However, an inline interface set on a 3D3800 or 3D5800 sensor can include up to four interface pairs, and an inline interface set on a 3D9800 sensor can include up to the total number of interface pairs on the sensor. Note that interface pairs on the same fiber-based NIM will act as fail open interfaces even if you assign them to an inline interface set. That is, if the power fails or the Snort process halts, network traffic continues to flow through the sensor as it would for an inline with fail open interface set.
• Inline with Fail Open. For most sensors, an inline with fail open interface set must include exactly one interface pair. However, an inline with fail open interface set on a 3D3800 or 3D5800 sensor can include up to four interface pairs, and an inline with fail open interface set on a 3D9800 sensor can include up to the total number of interface pairs on the sensor.

IMPORTANT! If you include an on-board sensing interface (instead of, or in addition to, interfaces on the network cards), the appliance's performance could be degraded.

Transparent Inline Mode

Transparent inline mode is a feature for inline interface sets and is not available for Passive interface sets. If you choose the Inline or Inline with Fail Open option, the Transparent Inline Mode option is enabled by default, except for the 3D500 and the Virtual 3D Sensor. It is not available on the 3D500 and available but not a default configuration on the Virtual 3D Sensor. This allows the sensor to act as a "bump in the wire" and means that the sensor forwards all the network traffic it sees regardless of its source and destination.

If you disable this option, a sensor acts as a bridge. Over time, the sensor learns which hosts are on which side of the inline interface, and forwards packets accordingly. For example, consider the following diagram.

If the sensor is inline and you are not using transparent inline mode, then if the sensor sees network traffic from Host A to Host B, it does not allow the traffic to pass through the interface to the side of the network with Host C. Only traffic between Host A and Host C or between Host B and Host C is allowed to pass.

If your sensor is deployed inline (or more precisely, if your sensor includes a detection engine with an inline interface set) and the Transparent Inline Mode option is selected, when the sensor sees traffic from Host A to Host B, it allows the traffic to pass through the interface even though Host A and Host B are on the same side of the sensor.

Keep in mind that if you create an inline interface set but do not use transparent inline mode, you must be especially careful not to create loops in your network infrastructure. 3Dx800 sensors run in transparent inline mode, and you cannot disable it.

Tap Mode

Tap mode is available for the 3D3800, 3D5800, and 3D9900, and on later versions of the 3D9800 3D Sensor, when you create an inline or inline with fail open interface set. With tap mode, the sensor is deployed inline, but instead of the packet flow passing through the sensor, a copy of each packet is sent to the sensor and the network traffic flow is undisturbed. Because you are working with copies of packets rather than the packets themselves, rules that you set to Drop and rules that use the replace keyword do not affect the packet stream. However, rules of these types do generate intrusion events when they are triggered.

TIP! 3D9800 sensors with earlier versions of firmware do not support tap mode. The Sourcefire 3D System checks the 3D9800 firmware version and displays the optional tap mode check box in the Create Interface Set page when appropriate.

There are benefits to using tap mode with sensors that are deployed inline. For example, you can set up the cabling between the sensor and the network as if the sensor were inline and analyze the kinds of intrusion events the sensor generates. Based on the results, you can modify your intrusion policy and add the drop rules that best protect your network without impacting its efficiency. When you are ready to deploy the sensor inline, you can disable tap mode and begin dropping suspicious traffic without having to reconfigure the cabling between the sensor and the network.

IMPORTANT! On a 3D3800 or 3D5800 sensor, if you plan to use RNA to monitor either an inline or inline with fail open interface set, you must either configure an IPS detection engine that uses that interface set, as well as apply an intrusion policy to that detection engine, or configure the interface set in tap mode. Otherwise, the RNA detection engine monitoring that interface set will not see any traffic. If you are monitoring the same inline interface set with both IPS and RNA or RUA, and the IPS detection engine fails for any reason, the RNA or RUA detection engine monitoring that interface set will not see any traffic until the IPS detection engine restarts. Neither RNA nor RUA are supported on the 3D9800 sensor.

Link State Propagation Mode

Link state propagation mode is a feature for interface sets in the inline fail-open mode so both pairs of an inline pair track state. It is also available on 3D9900s in both the inline and inline fail-open mode. It is not available for passive interface sets.

Link state propagation mode automatically brings down the second interface in the interface pair when one of the interfaces in an inline interface set goes down. When the downed interface comes back up, the second interface automatically comes back up, too. In other words, if the link state of one interface changes, the link state of the other interface is changed automatically to match it.

Link state propagation is available for both copper and fiber fail-open NIMs.

IMPORTANT! Fiber interface sets configured as inline fail-open, other than those on 3D9900s, must be in hardware bypass mode for link state propagation to function correctly. For more information about fiber interface sets and hardware bypass, see Removing Bypass Mode on Inline Fail Open Fiber Interfaces on page 225.

IMPORTANT! Crossbeam-based software sensors and 3D9800 sensors do not support link state propagation.

Link state propagation is especially useful in resilient network environments where routers are configured to reroute traffic automatically around network devices that are in a failure state.

Automatic Application Bypass

The automatic application bypass feature allows you to balance packet processing delays with your network’s tolerance for packet latency. Automatic application bypass limits the time allowed to process packets through an IPS, RNA, or RUA detection engine and allows packets to bypass the detection engine if the time is exceeded. The feature functions with both passive and inline interface sets; however, it is most valuable in inline deployments. You can apply automatic application bypass on an interface set basis.

The automatic application bypass option is off by default. You can change the bypass threshold if the option is selected. The default setting is 750 milliseconds (ms). The valid range is from 250 ms to 60,000 ms. To see a list of which 3D Sensors you can use Automatic Application Bypass Monitoring on, see the Supported Features by 3D Sensor Model table on page 208.

If a detection engine is bypassed, 3D Sensors generate a health monitoring alert. For more information on the health monitoring alert, see Configuring Automatic Application Bypass Monitoring on page 502.

WARNING! If a detection engine is bypassed, a core file is automatically generated for potential troubleshooting by Sourcefire Support. If the application bypass triggers repeatedly, excessive numbers of core files can result in disk usage health alerts.

Jumbo Frames

Jumbo frames are Ethernet frames with a frame size greater than the standard 1518 bytes. Typical maximum sized jumbo frames are 9018 bytes. Most gigabit Ethernet network interface cards support jumbo frames to increase efficiency. 3D Sensors that support jumbo frames include:

• 3D6500
• 3D9800 (9018-byte jumbo frames are always accepted)
• 3D9900

Note that since the 3D9800 is set to always accept the maximum size frame, you do not need to set it in the Create Interface Set page. If your 3D Sensor and interface support jumbo frames, set the maximum frame size for the interface using the Create Interface Set page. Note also that frames larger than the configured maximum frame size are silently dropped by the sensor.

Enabling Fail-Safe

The Create Interface Set page includes an additional option for 3D9900 sensors: the Enable Fail-Safe option. 3D9900 sensors monitor internal traffic buffers and bypass detection engines if those buffers are full. When you enable the Enable Fail-Safe option, traffic is allowed to bypass detection and continue through the sensor. The Enable Fail-Safe option is only available on inline interface configurations.

Creating an Interface Set

Requires: DC or 3D Sensor

An interface set is a collection of one or more sensing interfaces on your appliance. For information about their use, see Using Interface Sets on page 207.

TIP! Some sensors do not support every interface set type.

IMPORTANT! The procedure for creating an inline interface set for 3Dx800 sensors is slightly different. For more information, see the next section, Creating an Inline Interface Set.

To create an interface set:

Access: Admin

1. Select Operations > Configuration > Detection Engines > Interface Sets. The Interface Sets page appears.
2. Click Create Interface Set. The Create Interface Set page appears.
3. Type a name and description for the new interface set in the Name and Description fields. You can use alphanumeric characters and spaces.
4. Select the type of interface you want to create, Passive, Inline, or Inline with Fail Open, from the Interface Set Type drop-down list.

5. Optionally, select an existing interface set group or select Create New Group to create a new interface set group. See Using Interface Set Groups on page 223 for more information.
6. Optionally, if you selected the Inline or Inline with Fail Open option, clear the Transparent Inline Mode check box to disable transparent mode.
7. If you selected either the Inline or Inline with Fail Open option and you are not configuring a Crossbeam-based software sensor, then optionally, select Link State Propagation Mode. This option is especially useful if the routers on your network are able to re-route traffic around a network device that is down.
8. Optionally, select Automatic Application Bypass if your network is sensitive to latency. Automatic Application Bypass is most useful in inline applications. When the option is selected, you can select a Bypass Threshold in milliseconds (ms). The default setting is 750 ms and the valid range is from 250 ms to 60,000 ms.

IMPORTANT! Link state propagation and automatic application bypass are not supported on Sourcefire 3D Sensor Software for X-Series platforms. You can, however, set jumbo frame options on the Crossbeam CLI.

9. Optionally, and if you are configuring an inline interface set on a 3D9900, you can select the Enable Fail-safe check box to enable traffic pass-through during application bypass.

10. Optionally, and if you are configuring an interface set on a 3D6500 or 3D9900, type a maximum frame size for your IP traffic in the Maximum Frame Size field. You can set any jumbo frame size between 1518 and 9018 bytes, inclusive. The following shows a 3D9900 interface set.
11. Defense Center Only: Select the sensor group containing the sensors where you want to create the interface set. On the Defense Center only, a list of sensor groups appears, including a list of ungrouped sensors. You can also select the ungrouped sensors. A list of sensors appears.
12. Defense Center Only: Select one of the sensors from the list. A list of network interfaces on the sensor appears.

13. Select the interfaces that you want to add from the Available Interfaces list and click the arrow button to add the interface to the Selected Interfaces list. You can use the Shift and Ctrl keys to select multiple interfaces at once.

Different types of interface sets have different requirements. For example, you can include all of the available interfaces in a passive interface set, but inline interface sets must contain exactly two interfaces (except on 3Dx800 sensors). Inline with fail open interface sets must contain one pair of interfaces from the same fail-open network card.

Determining which interface name corresponds with a physical interface on your sensor depends on the model:

• For most 3D Sensors, log into the console and disconnect the network cable from the interface. A message appears on the console indicating the name of the interface (eth1, eth2, and so on). Remember to reconnect the network cable when you are finished.
• For 3Dx800 sensors, the names that appear in the Available Interfaces list correspond to the slot number and interface location. For example, s0.e0 corresponds to the leftmost interface on the network interface module (NIM) in I/O Slot 0 on the back of your appliance.
• For 3D Sensor Software for Crossbeam Systems X-Series, the names that appear in the Available Interfaces list correspond to the device names you assigned to the circuits you created on the X-Series.

For more information, see the Installation Guide for your sensor or sensor software.

IMPORTANT! If you select an on-board interface rather than an interface on a network card, your sensor may not provide optimum performance.

14. Click Save. The interface set is created.

TIP! After you create an interface set, make sure you reapply intrusion policies to the IPS detection engines on the affected sensor.

Creating an Inline Interface Set

Requires: DC or 3D Sensor

You can add multiple interface pairs to an inline interface set on 3D Sensors and Crossbeam-based software sensors. Using one interface set that includes all available inline interface pairs, you can apply a single policy and rapidly complete your initial 3D Sensor deployment. This is the default behavior during 3D Sensor installations. Later, you can refine policies for specific connected network segments and their requirements.

TIP! Although the default interface set on 3D Sensors includes all the available inline interface pairs, in many cases you can improve performance by modifying the interface set to include only the inline interface pairs your network requires.

You can also use multiple interface pairs when your network employs asynchronous routing, as shown in the following graphic. Your network may be set up to route traffic between a host on your network and external hosts through different interface pairs depending on whether the traffic is inbound or outbound. If you include only one interface pair in an interface set, the sensor might not correctly analyze your network traffic because a detection engine might see only half of the traffic.

IMPORTANT! For most 3D Sensors with inline interface sets, a software bridge is automatically set up to transport packets when the sensor restarts. Although some packets are transmitted without inspection during this time, no packets are lost.

IMPORTANT! On a 3D3800 or 3D5800 sensor, if you plan to use RNA to monitor either an inline or inline with fail open interface set, you must either configure an IPS detection engine that uses that interface set, as well as apply an intrusion policy to that detection engine, or configure the interface set in tap mode. Otherwise, the RNA detection engine monitoring that interface set will not see any traffic. If you are monitoring the same inline interface set with both IPS and RNA or RUA, and the IPS detection engine fails for any reason, the RNA or RUA detection engine monitoring that interface set will not see any traffic until the IPS detection engine restarts. Neither RNA nor RUA are supported on the 3D9800 sensor.

To create an inline interface set:

Access: Admin

1. Select Operations > Configuration > Detection Engines > Interface Sets. The Interface Sets page appears.
2. Click Create Interface Set. The Create Interface Set page appears.
3. Type a name and description for the new interface set in the Name and Description fields. You can use alphanumeric characters and spaces.
4. Select the type of inline interface you want to create from the Interface Set Type drop-down list.
   • For a 3Dx800 sensor, choose Inline from the Interface Set Type drop-down list.
   • For Crossbeam-based software sensors, choose either Inline or Inline with Fail Open.
5. Optionally, select an existing interface set group or select Create New Group to create a new interface set group. See Using Interface Set Groups on page 223 for more information. A list of sensor groups appears, including a list of ungrouped sensors.

On the Defense Center only, a list of sensor groups appears, including a list of ungrouped sensors.

6. Select one of the sensors from the list. If you are creating an inline interface set, a list of network interfaces on the sensor appears. If you are creating an inline with fail open interface set, a list of paired network interfaces on the sensor’s fail-open cards appears.
7. Optionally, select Automatic Application Bypass if your network is sensitive to latency. When the option is selected, you can select a Bypass Threshold in milliseconds (ms). The default setting is 750 ms and the valid range is from 250 ms to 60,000 ms.

IMPORTANT! Link state propagation and automatic application bypass are not supported on Sourcefire 3D Sensor Software for X-Series platforms. You can, however, set jumbo frame options on the Crossbeam CLI.

8. Optionally, and if you are configuring an interface set on a 3D9900, you can select the Enable Fail-safe check box to enable traffic pass-through during application bypass.
9. Optionally, and if you are configuring an interface set on a 3D6500 or 3D9900, type a maximum frame size for your IP traffic in the Maximum Frame Size field. You can set any jumbo frame size between 1518 and 9018 bytes, inclusive. The following shows a 3D9900 interface set.

10. Add the interfaces to your interface set.
   • If you are creating an inline interface set, select two interfaces that you want to designate as an inline pair from the Available Interfaces list and click the arrow button to add the interface to the Selected Interfaces list. Repeat to add additional interface pairs.
   • If you are creating an inline with fail open interface set, select at least one interface pair from the Available Interfaces list and click the arrow button to add the interface to the Selected Interfaces list.
   • Use the Shift and Ctrl keys to select multiple interfaces or interface pairs at once.

You can configure inline interface sets on 3D3800 and 3D5800 sensors to contain up to four pairs of interfaces. Inline with fail open interface sets on 3D3800 and 3D5800 sensors can also contain up to four pairs of interfaces, but each pair must reside on a single fail-open network card. On the 3D9800 sensor, inline and inline with fail open interface sets can include up to the total number of interface pairs on the sensor. Note that 3D Sensor Software for Crossbeam Systems X-Series does not support inline with fail open interface sets.

Determining which interface name corresponds with a physical interface on your sensor depends on the model:

• For 3Dx800 sensors, the names that appear in the Available Interfaces list correspond to the slot number and interface location. For example, s0.e0 corresponds to the leftmost interface on the network interface module (NIM) in I/O Slot 0 on the back of your appliance.
• For 3D Sensor Software for Crossbeam Systems X-Series, the paired interface names that appear in the Available Interfaces list correspond to the device names you assigned to the transparent bridge-mode bridge circuits you created on the X-Series.
• For more information, see the Installation Guide for your sensor or sensor software.

11. Optionally, for a 3DX800 or 3DX900 sensor, select the Enable Tap Mode check box to use tap mode.

TIP! 3D9800 sensors with earlier versions of firmware do not support tap mode. The Sourcefire 3D System checks the 3D9800 firmware version and displays the optional tap mode check box in the Create Interface Set page when appropriate.

12. Optionally, for a 3D3800 or 3D5800 sensor, select Link State Propagation Mode. This option is especially useful if the routers on your network are able to re-route traffic around a network device that is down.

IMPORTANT! Note that link state propagation is not available for Crossbeam-based software sensors or 3D9800 sensors.

TIP! The link lights on fiber fail-open NIMs remain lighted even when the link state is down on 3D3800 or 3D5800 sensors with link state propagation enabled.

13. Click Save. The interface set is created.

IMPORTANT! For most 3D Sensors with inline interface sets, a software bridge is automatically set up to transport packets when the sensor restarts. Although some packets are transmitted without inspection during this time, no packets are lost.

TIP! After you create an interface set, make sure you reapply intrusion policies to the IPS detection engines on the affected sensor.

Editing an Interface Set

Requires: DC or 3D Sensor

In some circumstances, editing an interface set or detection engine can cause the detection engines on the sensor to restart, which can cause a short pause in processing. The following sections describe some of the cases where a detection engine is affected by changes to the detection engines and interface sets:

3Dx800 Sensors

• If you change the number of network interfaces, all the detection engines on the sensor are restarted.
• If you change the number of detection resources, all the detection engines on the sensor are restarted.
• If you change which network interfaces are used by the interface set, the interface set type, or transparent mode for an interface set, all detection engines assigned to that interface set are restarted.
• If you change which interface set is used or the detection engine type, all detection engines on the sensor are restarted.
• If you change the name or description of an interface set or detection engine, nothing is restarted.
• If you create an interface set, nothing is restarted.
• When you create a detection engine, only that detection engine is started (although other CPUs may be restarted to rebalance the processing load).
• If you delete a detection engine or interface set, all the detection engines on the sensor are restarted.

Other Sensors

• If you change the number of detection resources allocated to a detection engine, all the detection engines on the sensor are restarted because the total number of allocated resources has changed.
• If you change an interface set’s tap mode setting, all the detection engines using that interface set are restarted.

TIP! 3D9800 sensors with earlier versions of firmware do not support tap mode. The Sourcefire 3D System checks the 3D9800 firmware version and displays the optional tap mode check box in the Create Interface Set page when appropriate.

• If you change an interface set’s transparent mode setting or interface set type, all detection engines assigned to that interface set are restarted.
• If you change a detection engine’s interface set, all detection engines on the sensor are restarted.
• If you change the detection engine type for a detection engine, that detection engine is restarted.
• If you create a detection engine, only that detection engine is restarted (although other CPUs may be restarted to rebalance the processing load).
• If you delete a detection engine or interface set, all detection engines on the sensor are restarted.

• If you create an interface set, nothing is restarted. A restart occurs only when you assign a detection engine to the interface set.
• If you change the name or description of an interface set or detection engine, nothing is restarted.

Make sure you plan these actions for times when they will have the least impact on your deployment.

To edit an interface set:

Access: Admin

1. Select Operations > Configuration > Detection Engines > Interface Sets. The Interface Sets page appears.
2. Click Edit next to the interface set that you want to modify. The Create Interface Set page appears.
3. Make any changes to the interface set and click Update. Your changes are saved.

TIP! After you edit an interface set used by an IPS detection engine, make sure you reapply your intrusion policy on the affected sensor.

Deleting an Interface Set

Requires: DC

You cannot delete an interface set that is being used by a detection engine. You must delete the detection engine before you can delete the interface set.

To delete an interface set:

Access: Admin

1. Select Operations > Configuration > Detection Engines > Interface Sets. The Interface Sets page appears.
2. Click Delete next to the interface set that you want to delete, and, at the prompt, confirm that you want to delete the interface set. The interface set is deleted.

Using Interface Set Groups

Requires: DC

You can use interface set groups to combine similar interface sets. These groups make it easier to apply PEP policies to interface sets that have similar purposes. For more information on PEP policies, see Understanding PEP Traffic Management in the Analyst Guide.

See the following sections for more information:

• Creating Interface Set Groups on page 224
• Deleting Interface Set Groups on page 225

Creating Interface Set Groups

Requires: DC

The following procedure explains how to create an interface set group.

To create an interface set group:

Access: Admin

1. Select Operations > Configuration > Detection Engines > Interface Sets.
2. Click Create Interface Set Group or click Create Interface Set then click Create New Group in the Group field. The Create Interface Set Group page appears.
3. Type a name for the interface set group in the Group Name field. Click Save. The Interface Set page appears again.

You can add interface sets to an interface set group by clicking Edit next to an interface set group name and, on the Interface Group Edit page, adding available interfaces to the group and clicking Save.

Editing Interface Set Groups

Requires: DC/MDC or 3D Sensor

The following procedure explains how to edit an interface set group. You must create an interface set group before you can edit it. See Creating Interface Set Groups on page 224.

To edit an interface set group:

Access: Admin

1. Select Operations > Configuration > Detection Engines > Interface Sets. The Available Interface Sets page appears.
2. Click Edit for the interface set group. The Interface Group Edit page appears.

3. Select available interface sets and move them to the interface set group with the arrow buttons. You can also move interface sets out of the interface set group.
4. Click Save to add the selected interfaces to the interface set group. The Available Interface Sets page appears.

Deleting Interface Set Groups

Requires: DC

When you delete an interface set group, any interface sets in the group are automatically ungrouped; they are not deleted.

To delete an interface set group:

Access: Admin

1. Select Operations > Configuration > Detection Engines > Interface Sets. The Interface Sets page appears.
2. Click Delete next to the name of the interface set group. The interface set group is deleted.

Inline Fail Open Interface Set Commands

Requires: 3D Sensor

When you use fiber inline fail open interface sets and the interface set goes into bypass, all network traffic passes through the interface pair without being analyzed. When the links restore, most fiber inline fail open interface sets do not return from bypass automatically. You can force a copper or fiber inline fail open interface in or out of bypass. See Removing Bypass Mode on Inline Fail Open Fiber Interfaces and Forcing an Inline Fail Open Interface Set into Bypass Mode on page 226.

IMPORTANT! Make sure you contact Technical Support if you are having issues with the fail open interfaces on your sensor.

Removing Bypass Mode on Inline Fail Open Fiber Interfaces

Requires: 3D Sensor

When link state propagation is enabled on a sensor with an inline fail open interface set and the sensor goes into bypass mode, you can force the interface out of bypass mode. You can use a command line tool to force the interface set out of bypass mode.

TIP! This tool works on most 3D Sensors with inline with fail open fiber interface pairs. It is not necessary to use this tool on inline with fail open copper interface pairs or to use this tool with 3D9900 sensors.

To force a fiber inline fail open interface set out of bypass mode:

Access: Admin

1. Open a terminal window on your 3D Sensor and enter the command su and the root password to switch to the root user.
2. Enter the following at the command line:
   /var/sf/bin/unbypass_cards.sh
3. When the interfaces switch out of bypass mode, a message in syslog indicates the 3D Sensor is analyzing traffic. For example:
   Fiber pair has been reset by un_bypass

Forcing an Inline Fail Open Interface Set into Bypass Mode

Requires: 3D Sensor

When the sensor with an inline fail open interface set fails, it goes into bypass mode, a state where all network traffic passes through the interface pair without being analyzed. If you are troubleshooting an interface set, or if the interface card does not fail open on its own, you can use a command line tool to force the interface set into bypass mode.

To force an inline fail open interface set into bypass mode, you must know which two interfaces are included in the interface set. You can determine this information on the Interface Sets page.

TIP! Note that this tool works only with inline with fail open interface pairs. You cannot use it with non-fail open inline interface sets.

IMPORTANT! Make sure you contact Technical Support if you are having issues with the fail open interfaces on your sensor.

To force an inline fail open interface set into bypass mode:

Access: Admin

1. On the appliance’s web interface, select Operations > Configuration > Detection Engines > Interface Sets. The Interface Sets page appears.
2. Under Available Interface Sets, click Edit next to the inline with fail open interface set you are investigating. The Create Interface Set page appears. The Selected Interfaces column displays the names of the interfaces in the interface set.
3. Log in as root onto the sensor and, at the prompt, enter the correct password.

4. Enter the following at the command line:
   failopen_pair.pl open eth#:eth#
   For example, if the interfaces in the interface set are eth2 and eth3, enter the following:
   failopen_pair.pl open eth2:eth3
   The following message appears:
   NOTE: You must already have a failopen interface set and detection engine configured on the pair you are forcing open or closed for this utility to work.
   Then, if you specified the correct interfaces, the following message appears:
   Mode changed for interfaces eth2:eth3
   The interfaces switch to bypass mode and the traffic is no longer analyzed. If you did not specify the correct interfaces, the following message appears:
   No failopen interface set configured for interfaces eth2:eth3.

To return an inline fail open interface set to normal mode:

Access: Admin

1. Log in as root onto the sensor and, at the prompt, enter the correct password.
2. Enter the following at the command line:
   failopen_pair.pl close eth#:eth#
   For example, if the interfaces in the interface set are eth2 and eth3, enter the following:
   failopen_pair.pl close eth2:eth3
   The following message appears:
   Mode changed for interfaces eth2:eth3
   The interfaces return to normal mode and the traffic flowing through the detection engines on the interface set is analyzed as you would expect.

Using Clustered 3D Sensors

Requires: DC + 3D9900

You can increase the amount of traffic inspected on a network segment by connecting two fiber-based 3D9900 sensors in a clustered pair. When you establish a clustered pair configuration, you combine the 3D9900 sensors’ resources into a single, shared configuration. For information on establishing and separating clustered pairs, see Managing a Clustered Pair on page 140.

After the cluster is established, you can identify them on the Sensor list page. Select Operations > Sensors and note that clustered sensors have a peer icon.
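As an added example that is not part of the guide or of Sourcefire's own tooling, the POSIX shell wrapper below drives the failopen_pair.pl utility described above from a script: it validates the ethN:ethM argument, runs the tool, and maps the messages the guide documents ("Mode changed for interfaces ..." and "No failopen interface set configured ...") to exit codes, so that a change-control script can confirm a pair really left or re-entered bypass instead of assuming it did. It assumes the utility is reachable on PATH as failopen_pair.pl; the FAILOPEN_TOOL override variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Sourcefire guide): wrapper around the
# failopen_pair.pl utility. FAILOPEN_TOOL (this example's own variable) lets
# a test or a staging host point at a different executable.

# validate_pair ethN:ethM -> 0 when the argument names two distinct ethN interfaces
validate_pair() {
    pair="$1"
    case "$pair" in
        *:*) ;;
        *) return 1 ;;
    esac
    left="${pair%%:*}"
    right="${pair#*:}"
    # each side must be "eth" followed by one to three digits
    for ifname in "$left" "$right"; do
        case "$ifname" in
            eth[0-9]|eth[0-9][0-9]|eth[0-9][0-9][0-9]) ;;
            *) return 1 ;;
        esac
    done
    [ "$left" != "$right" ]
}

# set_pair_mode open|close ethN:ethM
#   exit 0: the tool reported "Mode changed" (open = pair now in bypass,
#           close = pair back to normal, inspected mode)
#   exit 1: bad arguments
#   exit 2: the tool reported no fail-open interface set on that pair
#   exit 3: unrecognised output (printed to stderr for troubleshooting)
set_pair_mode() {
    mode="$1"
    pair="$2"
    case "$mode" in
        open|close) ;;
        *) echo "usage: set_pair_mode open|close ethN:ethM" >&2; return 1 ;;
    esac
    if ! validate_pair "$pair"; then
        echo "invalid interface pair: $pair" >&2
        return 1
    fi
    tool="${FAILOPEN_TOOL:-failopen_pair.pl}"
    # The utility prints its NOTE line first and the result line after it,
    # so match on the result line anywhere in the captured output.
    out=$("$tool" "$mode" "$pair" 2>&1) || true
    case "$out" in
        *"Mode changed for interfaces $pair"*)
            echo "$pair: mode changed ($mode)"
            return 0 ;;
        *"No failopen interface set configured"*)
            echo "$pair: no inline with fail open interface set configured" >&2
            return 2 ;;
        *)
            echo "$pair: unexpected output from $tool:" >&2
            echo "$out" >&2
            return 3 ;;
    esac
}

# Readable names for the two directions described in the guide.
bypass_pair()  { set_pair_mode open  "$1"; }   # force the pair into bypass
inspect_pair() { set_pair_mode close "$1"; }   # return the pair to normal mode
```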

You can see if the sensor is a master or slave, and which sensor it is paired with, when you hover over the peer icon.

When you combine two 3D9900 sensors as a clustered pair, you can combine their detection engines. Because the detection engines and interface sets are combined, you can only manage them from a Defense Center and not from one of the clustered sensors. For more information, see:
• Using Detection Engines on Clustered 3D Sensors on page 228
• Understanding Interface Sets on Clustered 3D Sensors on page 229
• Managing Information from a Clustered 3D Sensor on page 230

Using Detection Engines on Clustered 3D Sensors
Requires: DC + 3D9900
By combining two 3D9900 sensors as a clustered pair, you combine their detection engines. You use the combined detection engines as a single entity except when viewing information from the clustered pair. For information about using detection engines with clustered 3D9900s, see:
• Managing Clustered 3D Sensor Detection Engines on page 228
• Using Clustered 3D Sensor Detection Engines in Policies on page 229
• Managing Information from a Clustered 3D Sensor on page 230

Managing Clustered 3D Sensor Detection Engines
Requires: DC + 3D9900
Use the managing Defense Center to create, edit, and list the detection engines of paired 3D Sensors. You cannot manage detection engines on the local GUI of a paired 3D Sensor; the Edit page is replaced with an informational page. For information about how to manage detection engines, see:
• Creating a Detection Engine on page 193
• Editing a Detection Engine on page 194
• Deleting a Detection Engine on page 197

When you create a detection engine for a clustered pair, both sensors are listed in the interface set. Both 3D9900 sensors are listed as a part of the detection engine formed by the clustered 3D Sensors. The format is DetectionEngineName (MasterSensorName, SlaveSensorName). For example, a clustered 3D Sensors detection engine could be:
Z inline DE (birch.example.com, fir.example.com)
where Z inline DE is the name of the detection engine, birch.example.com is the name of the master in the pair, and fir.example.com is the name of the slave in the pair of 3D9900 sensors.

When you create or edit a detection engine formed by the clustered 3D Sensors, the detection resources are listed as from both sensors.

Using Clustered 3D Sensor Detection Engines in Policies
Requires: DC + 3D9900
Use the managing Defense Center to manage policies and responses of paired 3D Sensors.

IMPORTANT! You cannot use the Policy & Response menu on the local GUI of a paired 3D Sensor; those pages are replaced with an informational page.

Clustered 3D Sensors detection engines present their names in the form DetectionEngineName (MasterSensorName, SlaveSensorName) when you use them in:
• IPS policies
• PEP policies
• RNA detection policies
• compliance rules
For example, a clustered 3D Sensors detection engine could be:
Z inline DE (birch.example.com, fir.example.com)
where Z inline DE is the name of the detection engine, birch.example.com is the name of the master in the pair, and fir.example.com is the name of the slave in the pair of 3D9900 sensors.

Understanding Interface Sets on Clustered 3D Sensors
Requires: DC + 3D9900
After you set up the clustered pair, a master/slave relationship is established between the two 3D9900 sensors. The master's ethb0 and ethb1 pair are used for sensing connections. The master's ethb2 and ethb3 pair connect to the slave's ethb0 and ethb1 pair. The slave's ethb2 and ethb3 pair are not functional and must not be connected when you establish the clustered pairing. In a clustered pair, the slave's ethb0 and ethb1 connect to the master and its ethb2 and ethb3 are not connected; the Defense Center displays the single interface set of the master sensor.

To view the clustered pair interface sets:
Access: Admin
Select Operations > Configuration > Detection Engines > Interface Sets.
The Interface Sets page appears. A clustered pair interface set displays both the master and the slave in the Sensor column. Do not attempt to change the interface settings while a clustered sensor is paired. For information about using interface sets in the detection engines of clustered 3D9900s, see Using Detection Engines on Clustered 3D Sensors on page 228.

Managing Information from a Clustered 3D Sensor
Requires: DC + 3D9900
Clustered sensors report information from each of the sensors. When you examine information from the clustered pair, Analysis & Reporting tools display the information from each half of the detection engine independently, in the form DetectionEngineName/MasterSensorName and DetectionEngineName/SlaveSensorName. For example, the clustered 3D Sensors detection engine could be Z inline DE (birch.example.com, fir.example.com), where Z inline DE is the detection engine, birch.example.com is the master sensor, and fir.example.com is the slave sensor. It is listed as from both Z inline DE / birch.example.com and from Z inline DE / fir.example.com. A Select Detection Engines list from the Intrusion Event Statistics page is shown below.

IMPORTANT! If you collect statistics from clustered 3D9900s, add data from both sensors of the detection engine to measure the total.

These reports include:
• intrusion event statistics
• intrusion events
• event graphs

• dashboards
• RNA statistics
• network map
• searches

IMPORTANT! If you use eStreamer to stream event data from a clustered pair of 3D9900s to an external client application, collect the data from both 3D9900s and ensure that you configure each 3D9900 identically. The eStreamer settings are not automatically synchronized over the pair.
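The two IMPORTANT notes above (add both halves of a clustered detection engine to get the pair's total; keep the eStreamer settings of both 3D9900s identical) are the kind of thing an analyst scripts rather than does by hand. The following Python is an added example, not Sourcefire code: it groups rows labelled in the "DetectionEngineName / SensorName" form the guide describes back into one logical detection engine, sums the counters, and diffs two sensors' settings. The row layout, the counter names, the sample values and the eStreamer setting keys are constructed for this example and are not product export formats or field names.

```python
"""Added example, not Sourcefire code: combine per-sensor statistics from a
clustered 3D9900 pair and check that both halves carry identical eStreamer
settings.  Row layout, counter names and setting keys are constructed."""
from collections import defaultdict

# Constructed sample rows, one per half of each detection engine, labelled the
# way the Defense Center lists the halves ("DE name / sensor").
SAMPLE_ROWS = [
    {"detection_engine": "Z inline DE / birch.example.com", "events": 1240, "dropped": 310},
    {"detection_engine": "Z inline DE / fir.example.com", "events": 980, "dropped": 255},
    {"detection_engine": "Lab DE / maple.example.com", "events": 57, "dropped": 0},
]


def split_label(label):
    """Split "DE name / sensor" into (de_name, sensor).
    A label without " / " belongs to an unpaired sensor; sensor is then None."""
    if " / " in label:
        de, sensor = label.rsplit(" / ", 1)
        return de.strip(), sensor.strip()
    return label.strip(), None


def totals_by_detection_engine(rows, counters=("events", "dropped")):
    """Sum the selected counters across every half of each detection engine,
    so a clustered pair is measured as one engine.  Returns a dict keyed by
    detection engine name with the summed counters and the member sensors."""
    totals = defaultdict(lambda: {c: 0 for c in counters})
    members = defaultdict(list)
    for row in rows:
        de, sensor = split_label(row["detection_engine"])
        for c in counters:
            totals[de][c] += int(row.get(c, 0))
        members[de].append(sensor)
    return {de: dict(totals[de], sensors=members[de]) for de in totals}


def estreamer_mismatches(master_cfg, slave_cfg):
    """Return the sorted keys whose values differ between the two sensors'
    eStreamer settings; an empty list means the pair is configured identically.
    Keys present on only one side count as mismatches."""
    keys = set(master_cfg) | set(slave_cfg)
    return sorted(k for k in keys if master_cfg.get(k) != slave_cfg.get(k))


# Constructed sample settings (keys are illustrative, not product field names).
MASTER_ESTREAMER = {"enabled": True, "client_host": "10.0.0.5", "event_types": ["intrusion", "rna"]}
SLAVE_ESTREAMER = {"enabled": True, "client_host": "10.0.0.5", "event_types": ["intrusion"]}


if __name__ == "__main__":
    for de, t in totals_by_detection_engine(SAMPLE_ROWS).items():
        print(f"{de}: events={t['events']} dropped={t['dropped']} from {t['sensors']}")
    print("eStreamer mismatches:", estreamer_mismatches(MASTER_ESTREAMER, SLAVE_ESTREAMER))
```

With the sample rows, Z inline DE totals 2220 events and 565 dropped across birch and fir, and the settings diff flags event_types as the one key the slave would need corrected before the external client sees a complete stream.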

Chapter 7
Working with Event Reports

The Sourcefire 3D System provides a flexible reporting system that you can use to generate a variety of event reports. Event reports include the data that you see on the event view pages for each type of event presented in a report format. You can run the report on the 3D Sensor or on the Defense Center that manages the sensor.

The Report Types table describes the reports you can create and the components required for producing them. For example, the Intrusion Events report appears under the IPS report category and requires the IPS component on a 3D Sensor. Similarly, the RNA Events report appears under the RNA report category on the Report Designer page. You must have an RNA host license on the Defense Center managing your 3D Sensor, and you must configure the RNA component for that sensor to collect RNA events.

Report Types
Report                                          Report Category     Requires
Intrusion Events with Destination Criticality   IPS or RNA          DC + RNA + IPS
Intrusion Events with Source Criticality        IPS or RNA          DC + RNA + IPS
Intrusion Events                                IPS                 DC + IPS
SEU Import Log                                  IPS                 DC + IPS
Host Attributes                                 RNA                 DC + RNA
RNA Hosts                                       RNA                 DC + RNA
Scan Results                                    RNA                 DC + RNA
RNA Client Applications                         RNA                 DC + RNA
RNA Events                                      RNA                 DC + RNA
RNA Services                                    RNA                 DC + RNA
Vulnerabilities                                 RNA                 DC + RNA
Hosts with Services                             RNA                 DC + RNA
Flow Data                                       RNA                 DC + RNA
RUA Events                                      RUA                 DC + RUA
Users                                           RUA                 DC + RUA
White List Violations                           Compliance          DC + RNA
Compliance Events                               Compliance          DC + RNA
White List Events                               Compliance          DC + RNA
Remediation Status                              Compliance          DC + RNA
Health Events                                   Health Monitoring   DC
Audit Log Events                                Audit Log           Any

You can use a predefined report profile to generate your report, or use it as a template for an event report profile which can be customized by modifying field settings as appropriate and saving the report with the new values. For information on modifying a predefined or existing report profile, see Editing Report Profiles on page 263. You can create a new report profile through the use of the Report Designer. For more information on how to create and save report profiles, see Understanding Report Profiles on page 241.

See the following sections for more information:
• Working with Event Reports on page 234
• Working with Report Profiles on page 234
• Managing Generated Reports on page 237
• Understanding Report Profiles on page 241
• Working with Report Information on page 248
• Working with Report Sections on page 255
• Working with Report Options on page 258
• Using a Report Profile on page 260

Working with Event Reports
Requires: IPS or DC/MDC
You can generate reports manually or automatically on any subset of events in an event view. You can also specify which detection engine to use when generating the report. For information on how to generate a report for the data that appears in an event view, see Generating Reports from Event Views on page 235.

You can store reports locally or remotely, as well as move reports to a remote storage location. You can view, download, or delete previously generated reports. For more information on how to manage your reports, see Managing Generated Reports on page 237. For more information on how to configure a Defense Center to store reports in a remote location using SSH, NFS, or SMB, see Managing Remote Storage on page 393.

Additionally, if you use a Defense Center to manage your sensors, you can run reports remotely from the Defense Center using the data on the sensors for the report. For more information on how to generate reports on managed sensors and view the results on the Defense Center, see Running Remote Reports on page 240.

Working with Report Profiles
Requires: IPS or DC/MDC
You can use a predefined report profile to generate your report. You can also use a predefined report profile as a template for an event report which can be customized by modifying field settings as appropriate and saving the report with the new values. For information on how to modify a report profile, see Editing Report Profiles on page 263. You can create a new report profile through the use of the Report Designer. For more information on how to create and save report profiles, see Creating a Report Profile on page 246. For information on how to generate a report from a report profile view, see Using a Report Profile on page 260.

9. and include custom options such as a corporate logo or footers.Working with Event Reports Generating Reports from Event Views Chapter 7 You can include a summary report for intrusion events and RNA events by selecting the appropriate radio button in your report profile. For details on using the event search. see Understanding and Using Workflows in the Analyst Guide. You can also specify how you want the report formatted: PDF HTML.1 Sourcefire 3D System Administrator Guide 235 . Version 4. see Understanding Report Profiles on page 241. • TIP! In addition to generating reports in an event view. To generate a report for a specific set of events: Access: Any Analyst/ Admin 1. values (CSV). You can do this several ways: • Use an event search to define the type of events you want to view. You can generate reports in PDF HTML or comma-separated value (CSV) formats. see Searching for Events in the Analyst Guide. Generating Reports from Event Views Requires: IPS or DC/ MDC You can generate reports on any subset of events in an event view. Drill down through a workflow until you have the proper events in your event view. For more information. or as comma-separated . as described in this section. For more information on each of the summary reports. Populate an event view with the events you want to include in the report. . and a short description of the report. see Using Summary Reports on page 255. see Working with Report Options on page 258. For information on how to incorporate these options into your reports. you can also create a report profile and then either use it to generate a report or save it to use later. For details on using workflows and constraining events within a workflow.

2. Click Report Designer in the toolbar.
   The Report Designer page appears. The settings on the page reflect the parameters that you selected for the search or through the drill-down pages. The following graphic shows the Defense Center version of the page.
   TIP! If you need to go back to the drill-down page where you opened the Report Designer, click Return to Calling Page at the bottom of the Report Designer page.
3. Change any of the parameters as necessary to meet your needs.
   For details on the parameters for a report, see Creating a Report Profile on page 246.
4. Select the check boxes next to the output options you want in the report: PDF, HTML, or CSV.
   Note that you may select more than one format.
5. Click Generate Report.

6. Click OK to confirm that you want to save the current parameters as a report profile.
   The report profile is saved and the report generates in the output formats you selected.
7. To view the report, click Reports in the toolbar, then click the report name on the Reporting page that appears.
   The report appears.

Managing Generated Reports
Requires: IPS or DC/MDC
Manage previously generated reports on the Reporting page. You can view, download, or delete reports. In addition, you can move reports to a remote storage location. Note that only Series 2 Defense Centers support remote storage of reports.

Each report is listed with the report name as defined in the report profile plus the date and time the report was generated, who generated it, and whether it is stored locally or remotely. Each report has one of the following file extensions appended to the report name:
• .pdf for PDF reports
• .csv for comma-separated value reports
• .zip for HTML reports (HTML reports are zipped along with the necessary graphics)
Finally, the appliance lists the status of each of the reports, which indicates whether it has yet to be generated (for example, for scheduled tasks), it has already been generated, or whether the generation failed (for example, due to lack of disk space).

The default location for report storage is listed at the top of the page. If you are using a Series 2 Defense Center, you can enable or disable remote storage using the Enable Remote Storage for Reports check box. To configure remote storage, click Remote Storage on the toolbar. For more information, see Managing Remote Storage on page 393. The appliance provides the disk usage of the storage device for local, NFS, and SMB storage. If you disable remote storage, the Defense Center hides any previously generated remotely stored reports. Similarly, if you change the remote storage location, the Defense Center hides reports not stored in the new location.

For information on managing reports, see the following topics:
• Viewing Generated Reports on page 238
• Downloading Generated Reports on page 238
• Deleting Generated Reports on page 239
• Moving Reports to a Remote Storage Location on page 239
• Running Remote Reports on page 240

Viewing Generated Reports
Requires: IPS or DC/MDC
Use the following procedure to view generated reports. You can view one report at a time. Note that users with Admin access can view all reports generated on the appliance; other users can only view reports that they generated themselves.

TIP! You can also save reports locally. For more information, see the next section, Downloading Generated Reports.

To view a generated report:
Access: Any Analyst/Admin
1. Select Analysis & Reporting > Report Profiles.
   The Report Profiles page appears.
2. On the toolbar, click Reports.
   The Reporting page appears.
3. You have two options:
   • Click the name of the report.
   • Enable the check box next to the report you want to view, then click View.
   In either case, the report opens.

Downloading Generated Reports
Requires: IPS or DC/MDC
Access: Any Analyst/Admin
Use the following procedure to download generated reports.

To download generated reports:
1. Select Analysis & Reporting > Report Profiles.
   The Report Profiles page appears.
2. On the toolbar, click Reports.
   The Reporting page appears.

3. Enable the check boxes next to the reports you want to download, then click Download.
   TIP! Enable the check box at the top left of the page to download all reports on the page. If you have multiple pages of reports, a second check box appears that you can enable to download all reports on all pages.
4. Follow your browser's prompts to download the reports.
   The reports are downloaded in a single .zip file.

Deleting Generated Reports
Requires: IPS or DC/MDC
Access: Any Analyst/Admin
Use the following procedure to delete generated reports.

To delete generated reports:
1. Select Analysis & Reporting > Report Profiles.
   The Report Profiles page appears.
2. On the toolbar, click Reports.
   The Reporting page appears.
3. Enable the check boxes next to the reports you want to delete, then click Delete.
   TIP! Enable the check box at the top left of the page to delete all reports on the page. If you have multiple pages of reports, a second check box appears that you can enable to delete all reports on all pages.
4. Confirm that you want to delete the reports.
   The reports are deleted.

Moving Reports to a Remote Storage Location
Requires: DC/MDC
On Series 2 Defense Centers, you can move locally stored reports to a remote storage location. Note that after you move a report to a remote location, you cannot move it back. For information on configuring a remote storage location and enabling remote storage of reports, see Managing Remote Storage on page 393.

To move generated reports:
Access: Any Analyst/Admin
1. Select Analysis & Reporting > Report Profiles.
   The Report Profiles page appears.
2. On the toolbar, click Reports.
   The Reporting page appears.

3. Enable the check boxes next to the reports you want to move, then click Move.
   TIP! Enable the check box at the top left of the page to move all reports on the page. If you have multiple pages of reports, a second check box appears that you can enable to move all reports on all pages.
4. Confirm that you want to move the reports.
   The reports are moved.

Running Remote Reports
Requires: DC + 3D Sensor
If you use a Defense Center to manage your sensors, you have the option of running reports remotely from the Defense Center using the data on the sensors. For example, if you use your Defense Center to manage a 3D Sensor with IPS, and you store IPS data on the sensor in addition to sending it automatically to the Defense Center, you can run the report on the data that is resident on the sensor.

There are several limitations that you need to keep in mind:
• If you do not store data on the sensor, then the remote report will be empty.
• If your report uses a logo or image file, the logo or image file must exist on both the Defense Center and the managed sensor where you run the report.
• You cannot run incident reports remotely on managed 3D Sensors with IPS.
• You cannot run remote reports on 3Dx800 or Crossbeam-based software sensors.

To run a remote report:
Access: Any Analyst/Admin
1. Select Analysis & Reporting > Report Profiles.
   The Report Profiles page appears.
2. Click Create Report Profile.
   The Report Designer page appears.
3. Create the report that you want to run on the managed sensor.
   See Generating Reports from Event Views on page 235 for details.
4. From the drop-down list at the bottom of the page, select the sensor where you want to run the report and click Run Remote Report.
   A prompt appears asking you to confirm that you want to run the report remotely.
5. Click OK.
   The report is run on the sensor that you selected.

6. In the toolbar, click Reports.
   The Reporting page appears, listing the report you just generated on the managed sensor. Note that remote- is prepended to the name of the report.
7. You can view or download the remote report as you would with any other locally generated report.

TIP! You can also use report profiles as the basis for remote reports by creating a profile as described in Creating a Report Profile on page 246. When you run the report, make sure you select the name of the sensor and click Run Report Remotely. You can then manually run these reports or schedule them to run automatically (for information about scheduling tasks, see Scheduling Tasks on page 425).

Understanding Report Profiles
Requires: IPS or DC/MDC
Report profiles provide the structure for the generated report. You can use a predefined report profile either to generate your report or as a template for a new report profile, modifying field settings as appropriate and saving the report with the new values. Additionally, a new report profile can be created through the use of the Report Designer.

Whether you use a predefined report profile or create your own, all report profiles contain the same three configurable areas: Report Information, Report Sections, and Report Options.

Report Information defines the basic nature of the report profile by first giving the report profile a name, and then selecting the report category and type. Depending upon your choices, you will have other options to define, such as detection engine, search query, and workflow. Note that not all options are available for all categories or types. For more information, see Working with Report Information on page 248.

Report Sections identifies which sections to include in the report, such as a drill down of events, table view of events, or the inclusion of an image file. For more information, see Working with Report Sections on page 255.

Report Options specifies the outputs of the report format (PDF, HTML, or comma-separated (CSV) format), inserts a logo, adds a custom footer, and provides an option to email the report. For more information, see Working with Report Options on page 258.

See the following sections for more information:
• Understanding the Predefined Report Profiles on page 242
• Modifying a Predefined Report Profile on page 246
• Creating a Report Profile on page 246
• Working with Report Information on page 248

• Working with Report Sections on page 255
• Working with Report Options on page 258
• Using a Report Profile on page 260
• Generating a Report using a Report Profile on page 261
• Deleting Report Profiles on page 263

Understanding the Predefined Report Profiles
Requires: IPS or DC/MDC
A predefined report profile provides you with predefined settings for event reports. As with custom report profiles that you create (see Creating a Report Profile on page 246), you can use a predefined report profile as a template for an event report. You can modify field settings as appropriate, save the report with the new values, and run the report manually or automatically.

Predefined reports are provided by the Sourcefire system: Blocked Events, High Priority Events, and Host Audit. Note that if you modify the default settings, you have created a new report profile; you must save the report profile with a new name to preserve your new settings.

The following tables provide the default settings for each of the predefined report profiles. The Report Options area is not included in these charts. The following graphic shows the Blocked Events report profile on the Defense Center version of the page.

The Blocked Events report profile provides information on blocked intrusion events for all detection engines for the past twenty-four hours. This report profile is available on the Defense Center or on a 3D Sensor with IPS.

Default Settings for the Blocked Events Report Profile
Field                                                             Setting
Report Category                                                   IPS
Report Type                                                       Intrusion Events
Detection Engine                                                  All
Search Query                                                      Blocked Events
Workflow                                                          Impact and Priority (on the Defense Center)
                                                                  Destination Port (on the 3D Sensor)
Time                                                              Last day, sliding time window
Add Summary Report                                                Quick
Impact Based Event Summary (on the Defense Center)                Enabled
Drill Down of Source and Destination IPs (on the Defense Center)  Enabled
Drill Down of Destination Port (on the 3D Sensor)                 Enabled
Drill Down of Events (on the 3D Sensor)                           Enabled
Table View of Events                                              Disabled
Packets (limit 50 pages)                                          Disabled

The High Priority Events report profile provides information on intrusion events as well as the host criticality of hosts involved in the intrusion events for the past

twenty-four hours. This report profile is available only on a Defense Center that manages 3D Sensors with RNA and IPS.

Default Settings for the High Priority Events Report Profile
Field                                            Setting
Report Category                                  IPS
Report Type                                      Intrusion Events with Destination Criticality
Detection Engine                                 All
Search Query                                     High Priority Events
Workflow                                         Events by Impact, Priority, and Host Criticality
Time                                             Last day, sliding time window
Add Summary Report                               Quick
Impact to Criticality Summary                    Enabled
Source Destination Drill Down                    Enabled
Intrusion Events with Destination Criticality    Enabled
Packets (limit 50 pages)                         Disabled

The Host Audit report profile provides operating system details for the past week on systems less than two network hops away from 3D Sensors with RNA. This report profile is available only on the Defense Center that manages 3D Sensors with RNA.

Default Settings for the Host Audit Report Profile
Field                                            Setting
Report Category                                  RNA
Report Type                                      RNA Hosts
Detection Engine                                 All
Search Query                                     Local Systems

Default Settings for the Host Audit Report Profile (Continued)
Field                                            Setting
Workflow                                         Operating System Summary
Time                                             Last week, sliding time window
Add Summary Report                               summary
Summary of OS Names                              Enabled
Summary of OS Versions                           Enabled
OS Details with IP, NetBIOS, Criticality         Enabled
Table View of Events                             Disabled
Packets (limit 50 pages)                         Disabled

Modifying a Predefined Report Profile
Requires: IPS or DC/MDC
You can use a predefined report profile as a template to create a new report profile by modifying the field settings as appropriate, and saving the report with the new values. Note that all reports contain the option for a summary report and an image file, but not all options are available for all reports. For example, in the IPS report category, selecting the Intrusion Events report type gives you the option to select which detection engines to search; selecting the Intrusion Events with Source Criticality report type does not provide that option. For more information on how to modify a predefined report profile, see Editing Report Profiles on page 263.

Creating a Report Profile
Requires: IPS or DC/MDC
You can create the report profile by defining category and type, and then specifying which detection engines to search, the criteria for the search, and which workflows to examine. Not all options are available for all reports.

You perform three steps to create a report profile: first, create the report profile in the system; second, configure the options in each of three report areas (Report Information, Report Sections, and Report Options); and, finally, save the report profile.

Working with Report Information on page 248 explains how to set the type of report and how to specify which detection engines, queries, and workflows to apply. Working with Report Sections on page 255 explains how to specify which sections are to be included in the report, such as a drill down of events, table view of events, or an image file.

Working with Report Options on page 258 explains how to set the output of the report (PDF, HTML, or comma-separated value (CSV) format), add a custom footer or logo, and use the option which emails the report.

To create a report profile:
Access: Any Analyst/Admin
1. Select Analysis & Reporting > Report Profiles.
   The Report Profiles page appears.
2. Click Create Report Profile.
   The Report Designer page appears. The following graphic shows the Defense Center version of the page.
   TIP! You can also reach the Report Designer page from any event view by clicking Report Designer on the toolbar.
3. Continue with Defining Report Information on page 254.

Working with Report Information
Requires: IPS or DC/MDC
You define the basic nature of the report profile by first giving the report profile a name, and then selecting the report category and type. Depending upon your choices, you will have other options to define, such as detection engine, search query, and workflow. Note that not all options are available for all categories or types. The following graphic is an example of the Report Information section.

The Report Name can be any name using 1-80 alphanumeric characters, periods, dashes, parentheses, and spaces.
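The Report Name rule above (1 to 80 characters drawn from alphanumerics, periods, dashes, parentheses, and spaces) is worth enforcing in anything that creates profiles programmatically, because the generated report's file name is built from this name (see Managing Generated Reports) and the allowed set keeps path separators and shell metacharacters out of it. The following Python validator is an added example, not Sourcefire code; the function name and the error-message wording are assumptions.

```python
"""Added example, not Sourcefire code: validate a report profile name against
the rule stated in this section.  Function name and messages are assumed."""
import re

MAX_LEN = 80
# Alphanumerics, period, dash, parentheses and space: the set the guide allows.
_ALLOWED = re.compile(r"^[A-Za-z0-9.\-() ]+$")


def validate_report_name(name):
    """Return (ok, reason).  reason is None when the name is acceptable,
    otherwise a short explanation naming the length problem or the offending
    characters, so a caller can report exactly what to fix."""
    if not isinstance(name, str) or len(name) == 0:
        return False, "name is empty"
    if len(name) > MAX_LEN:
        return False, f"name is {len(name)} characters; maximum is {MAX_LEN}"
    if not _ALLOWED.match(name):
        bad = sorted({c for c in name if not _ALLOWED.match(c)})
        return False, "disallowed character(s): " + ", ".join(repr(c) for c in bad)
    return True, None


if __name__ == "__main__":
    # Constructed inputs: one valid name, one with a path separator.
    for candidate in ("Blocked Events (DC-1) v4.9", "../etc/passwd"):
        print(repr(candidate), validate_report_name(candidate))
```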

The Report Category defines which system feature is examined in the report. Select from the Report Categories table. The Report Type is a subset of the Report Category and provides a greater level of detail to the report. Options vary depending upon Report Type. In many cases, such as the Compliance or Audit Log report categories, report types are limited and self-explanatory. However, IPS and RNA report type options are extensive and provide detailed options for defining your report profile. See Using Report Types on page 250 for more information.

Report Categories
Select...          If you...
IPS                have an IPS license and you want to report on intrusion events with or without source or destination criticality, high impact or high priority events, common concerns, or the SEU import log. Use this option to select a workflow on one or more detection engines to search for blocked events, public or private addresses only, or exploits that target client/server issues, or various services. Use this option to search hosts for blocked or high priority events. For example, you can create a report which searches for IP-specific high impact intrusion events on a specified detection engine. For information on IPS Report Type options, see IPS Category Report Types on page 251.
RNA                are using a Defense Center with an RNA host license and you want to report on host attributes, RNA hosts, RNA client applications, RNA events, RNA services, vulnerabilities, hosts with services, or scan results. For example, you can create a report which searches selected detection engines for RNA client applications. For more information on RNA Report Type options, see RNA Category Report Types on page 252.
RUA                are using a Defense Center with an RUA host license and you want to search one or more detection engines to examine the RUA Events and users, and generate a report which can include sections with a Table View of Events and Users. For example, you can create a report which searches selected detection engines for RUA events.
Compliance         are using a Defense Center with an RNA host license and you want to report on white list violations, compliance events, remediation status, or white list events. For example, you can create a report which searches a selected detection engine for RNA compliance events.
Health Monitoring  are using a Defense Center and you want to report on the health of your sensors.
Audit Log          want to report on audit log events.

The Detection Engine allows you to select which detection engines are to be searched for the report. This option is available when searching for events, such as intrusion, RNA, white list, or compliance events, or when searching the network for RNA hosts, host attributes, client applications, and health monitoring.

The Search Query identifies the search criteria for the report, and can include a list of exploits (such as Sasser Worm Search or non-standard service attempts) or areas of concern such as IRC Events or Kerberos Client/Server issues.

The Workflow allows you to select which workflow to examine, and can include such options as IP-Specific or Impact and Priority, and Network Services by Count or Host Violations. Options vary depending upon which options you selected for Report Type, Detection Engine, and Search Query.

The Time option allows you to define the period of time for which the report is generated. Click in the current time field to open a pop-up window from which you can select a static, expanding, or sliding time frame. For more information, see Setting Event Time Constraints in the Analyst Guide.

See the following sections for more information:
• Using Report Types on page 250
• Defining Report Information on page 254

Using Report Types
Requires: IPS or DC/MDC
The Report Type is a subset of the Report Category and provides a greater level of detail to the report. Options for the report type vary depending upon which Report Category is selected. Some report categories, such as the Compliance or Audit Log report categories, have limited report types and are self-explanatory. However, the report types available to the IPS and RNA report categories are extensive and provide detailed options for defining your report profile.

See the following sections for more information:
• IPS Category Report Types on page 251
• RNA Category Report Types on page 252

Working with Event Reports Working with Report Information

Chapter 7

IPS Category Report Types
You can choose from the following IPS Category Report Types:

IPS Category Report Types

Select: Intrusion Events
To: search one or more detection engines using user-specified search queries and workflows to generate a report which can include sections with a drill down of the destination port and events, a table view of events, and the packets. Search queries include: Blocked Events, Bootstrap Client/Server, Common Concerns, DNS Service, DirectX Service, FTP Service, Finger Service, High Impact Events, High Priority Events, IRC Events, Impact1/Not Dropped Events, Kerberos Client/Server, LDAP Services, Mail Services, Oracle Service, Private Addresses Only, Public Addresses Only, RPC Services, and Reserved Port TCP Scan. Workflows include: Destination Port, Event-Specific, Events by Priority and Classification, Events to Destinations, IP-Specific, Impact and Priority, Impact and Source, Impact to Destination, Source Port, and Source and Destination.

Select: Intrusion Events with Source Criticality
To: search using the Blocked Events or High Priority Events search queries to generate a report on the Intrusion Events with Source Criticality default workflow, which can include sections on Intrusion Events with Source Criticality and the packets.

Select: Intrusion Events with Destination Criticality
To: search using the Blocked Events or High Priority Events search queries on your choice of three workflows:
• Events by Impact, Priority, and Host Criticality, which can include sections on Impact to Criticality Summary, Source Destination Drill Down, Intrusion Events with Destination Criticality, and the packets.
• Events with Destination, Impact, and Host Criticality, which can include sections on Current Events Monitor, Intrusion Events with Destination Criticality, and the packets.
• Intrusion Events with Destination Criticality default workflow, which can include sections on Intrusion Events with Destination Criticality and the packets.

Select: SEU Import Log
To: generate a report on the SEU Detail View workflow.

Version 4.9.1

Sourcefire 3D System Administrator Guide

251


RNA Category Report Types
You can choose from the following RNA Category Report Types:

RNA Category Report Types

Select: Host Attributes
To: search one or more detection engines to examine the Attributes workflow, and generate a report which can include sections with a table view of host attributes and the packets.

Select: RNA Client Applications
To: search one or more detection engines to examine the Client Application Summaries or RNA Client Applications workflows, and generate a report which can include sections with a table view of client applications and the packets.

Select: Vulnerabilities
To: examine the Vulnerabilities workflow and generate a report which can include sections with a table view of vulnerabilities, vulnerabilities on the network, and the packets.

Select: Intrusion Events with Source Criticality
To: search using the Blocked Events or High Priority Events search queries on the Intrusion Events with Source Criticality default workflow, and generate a report which can include sections on Intrusion Events with Source Criticality and the packets.

Select: Host with Services
To: examine the Hosts with Services Default Workflow or the Service and Host Details workflow, and generate a report which can include sections on Hosts with Services and the hosts.

Select: RNA Hosts
To: search one or more detection engines to examine the operating system summary or RNA hosts for local, remote, unidentified, or unknown systems, and generate a report which can include sections with a Summary of Operating System Names, Summary of Operating System Versions, Operating System Details with IP NetBIOS Criticality, Table View of Hosts, and Hosts.

Select: Scan Results
To: generate a report on the Scan Results workflow.

Select: RNA Events
To: search one or more detection engines using the NetSky.S Worm Search, New Events, Sasser Worm Search, Subseven Trojan Search, Timeout Events, and Update Events search queries, and generate a report which can include sections with a Table View of Events and Hosts.


RNA Category Report Types (Continued)

Select: RNA Services
To: search one or more detection engines for non-standard service events (such as non-standard HTML, non-standard mail, or non-standard SSH) in the Network Services by Count, Network Services by Hit, and RNA Services workflows, and generate a report which can include sections with Active Services, Service Application Activity, Service Version Audit, Service by Host, and Hosts.

Select: Intrusion Events with Destination Criticality
To: search using the Blocked Events, Events to High Criticality Hosts, or High Priority Events search queries, and generate a report on your choice of three workflows:
• Events by Impact, Priority, and Host Criticality, which can include sections on Impact to Criticality Summary, Source Destination Drill Down, Intrusion Events with Destination Criticality, and the packets.
• Events with Destination, Impact, and Host Criticality, which can include sections on Current Events Monitor, Intrusion Events with Destination Criticality, and the packets.
• Intrusion Events with Destination Criticality default workflow, which can include sections on Intrusion Events with Destination Criticality and the packets.

Select: Flow Data
To: search one or more detection engines using user-specified search queries and workflows, and generate a report which can include sections with the Top Ten workflows, Table View of Flow Summary Data, Table View of Flow Data, a drill down of the destination port and events, a table view of events, and the packets. Search queries include: Possible Database Access, Standard HTTP, Standard Mail, Standard SSL, and Unauthorized SMTP. Workflows include: Flow Summaries, Flows by Detection Engine, Flows by Initiator, Flows by Port, Flows by Responder, Flows by Service, Flows Over Time, RNA Flows, Traffic by Detection Engine, Traffic by Initiator, Traffic by Port, Traffic by Responder, Traffic by Service, Traffic Over Time, Unique Initiators by Responder, and Unique Responders by Initiator.


Defining Report Information
Requires: IPS or DC/MDC
Access: Any Analyst/Admin
After you have determined which options you need for your report, use the following procedure to define the report information options.

To define the Report Information:
1. From the Report Category drop-down list, select the report category for which you want to create a report.

You can choose from:
• IPS (with an IPS license)
• RNA (on a Defense Center with an RNA host license)
• RUA (on a Defense Center with an RUA host license)
• Compliance (on a Defense Center with an RNA host license)
• Health Monitoring (on a Defense Center)
• Audit Log

2. From the Report Type drop-down list, select the type of report you want to create.
3. Optionally, if the report type you selected includes the Detection Engine option, select a specific Detection Engine on which to report.
4. Requires: DC Optionally, if you are reporting on health events, select a specific sensor or sensor group from the Sensor drop-down list.
5. From the Search Query drop-down list, either use the Use Current Query option (which retains any query parameters you specified on the search page or event page) or select one of the existing search queries. Note that if you did not previously specify a search query, the Use Current Query option places no constraints on the events.
6. From the Workflows list, select the workflow you want to use to build the report. For information on workflows, see Understanding and Using Workflows in the Analyst Guide.


7. Specify the time range for the report. Depending on your default time window, the time range matches either the time window for the event view you are using to build the report profile, or the global time window. You can change the time range by clicking it and using the Date/Time pop-up window to select a new time range. For more information, see Setting Event Time Constraints in the Analyst Guide.
8. Continue with Defining the Report Sections on page 258.

IMPORTANT! For report profiles that you plan to use multiple times, such as in scheduled tasks, Sourcefire strongly recommends that you use a sliding time range. If you create a report profile with a static time range, the appliance will generate a report using the same time range (and therefore the same events) every time you use the report profile.

Working with Report Sections
Requires: IPS or DC/MDC
The Report Sections area is populated based on the workflow you selected. Select the check box for each report section you want to include in the report. Reports can include up to 10,000 records for each report section you select.

See the following sections for more information:
• Using Summary Reports on page 255
• Including an Image File on page 257
• Defining the Report Sections on page 258

Using Summary Reports
Requires: IPS or DC/MDC
Depending on the components you are licensed to use in your Sourcefire 3D System deployment, you can include summary reports for intrusion events and RNA events. You can append these summary reports to the beginning of any report by selecting the appropriate radio button in the report profile.

Intrusion event reports require the IPS component. If your deployment includes IPS, you can include either a Quick Summary or a Detail Summary report in your report profile definition.


The Comparison of Quick Summary and Detail Summary Reports table shows which information is included in the reports.

Comparison of Quick Summary and Detail Summary Reports

Included in both the Quick Summary and the Detail Summary:
• Pie chart showing the percentage of events in each event type (which maps to the rule category for the rule that generated the event)
• List of the 10 most active and 10 least active events
• Graph showing the number of events over time
• Pie charts showing the percentage of events by protocol (for example, TCP, UDP, or ICMP) and event classification (which maps to the value for the classtype keyword in the rule that generated the event)
• Tables listing the 50 most active and least active events
• Tables listing the 50 most active source and destination ports
• Tables listing the 25 most active source and destination hosts and host combinations

Included in the Detail Summary only:
• Tables listing the 25 most active source and destination hosts as well as the 25 most active source and host combinations
• Tables listing the most active events for each of the 25 most active destination hosts
• Tables listing the most active events for the 25 most active source and destination host combinations

IMPORTANT! On the Defense Center, the report includes summary information for all the managed 3D Sensors with IPS that you include in the report.

RNA-related event reports require the RNA component. If your deployment includes 3D Sensors with RNA and a Defense Center that manages the sensors, you can add the RNA Summary to RNA event, host, client application, service, and flow data reports. The RNA Summary includes:
• RNA event statistics, including total number of events, events in the last day and hour, total services, total hosts, total routers, total bridges, and host limit usage
• a list of events divided by event type with counts for the last hour and total number within the report range
• pie charts showing the percentage of events by protocol (for example, TCP, UDP, or ICMP), service, and operating system

Including an Image File
Requires: IPS or DC/MDC
You can add an image to your report, which will be displayed after the summary report and before the drill down or table views. This can be useful for providing information best displayed in a visual, non-graphical format, or simply as a break between sections. You can use JPEG, PNG, and TIFF files as image files, but only JPEG and PNG graphics are supported in most browsers.


Defining the Report Sections
Requires: IPS or DC/MDC
Access: Any Analyst/Admin
After you have determined which options you need for your report, use the following procedure to define the report section options.

To define the Report Sections:
1. If a summary is available for the report type you selected, specify whether you want to include it as part of your report.
• To include a summary with intrusion event-based reports, select quick or detailed. For a full description of the information provided in Quick and Detailed summaries, see Using Summary Reports on page 255.
• On a Defense Center with an RNA host license, to include a summary with an RNA-based report, select summary. For a full description of the information provided in the RNA summary, see Using Summary Reports on page 255.
• To exclude the summary, select none, which is the default.
2. If you want to include an image in the report, type the path to the image in the Include Image File text box, or navigate to a JPEG, PNG, or TIFF file.
3. Select the check boxes next to the sections of the workflow you want to include in the report. The options in this section depend on the workflow you selected in step 6 of Defining Report Information on page 254.
4. Continue with Working with Report Options on page 258.

TIP! Note that if you select a table view of events, the report is limited to 10,000 records as noted in step 6, regardless of the number of events.

Working with Report Options
Requires: IPS or DC/MDC
Report Options define the look of the report, and provide the option to email the report. You can generate a report in PDF, HTML, or comma-separated value (CSV) format. You can also generate the same report in multiple formats. Note that graphics are not available in the CSV format.


You can include a logo on your report. In PDF format, the logo is included on every page. In HTML format, the logo is included at the top of the report. You can add a description which will be included on the front page summary of the report.

Access: Any Analyst/Admin
To define the report options:
1. Select the check boxes next to one or more output options for your report: PDF, HTML, or CSV.
2. Optionally, for PDF and HTML reports, select a logo from the list of image files that were previously added to the system. See Including an Image File on page 257 for information about how to make more logos available to the report designer.
3. Optionally, for PDF and HTML reports, type a description in the Description field. You can use alphanumeric characters and spaces. The description appears in the report header.
4. Optionally, for PDF reports, type the text you want to include as the footer in the Custom Footer field. You can use 1 - 80 alphanumeric characters and spaces.
5. Optionally, you can specify that reports are automatically emailed after they are generated. To email a report, type one or more email addresses in a comma-separated list in the Email to field.

IMPORTANT! You must make sure that the mail host is identified. If Not available is displayed, you must set up your mail relay host: click Not available. The System Policy page appears. Click Edit in the row for the system policy you want to modify. Click Email Notification. Type the name of your mail server in the Mail Relay Host field and click Save. Click Apply in the row for the system policy you changed and apply it to the appliance. The report is emailed from host_name@domain_name, where host_name is the host name of the appliance and domain_name is the name of the domain where you deployed the appliance.


6. You have the following options:
• To save the report profile, click Save Report Profile. When prompted, follow the instructions for your browser to save the report profile. The report profile is saved with the name you specified in the Report Name field.
• To generate the report and save the report profile, click Generate Report. When prompted, follow the instructions for your browser to generate the report and save the report profile.
• To see a PDF preview of your report, click Preview Report. When prompted, follow the instructions for your browser to display a PDF version of the report in the browser window.
• On a Defense Center, to generate the report remotely, select the sensor where you want to run the report and click Run Remote Report. When prompted, follow the instructions for your browser to generate the report and save the report profile.

IMPORTANT! The PDF, HTML, and CSV selections for Output Options apply to generated reports, not to report previews. When you click Preview Report, you see a PDF version of the report.

Using a Report Profile
Requires: IPS or DC/MDC
You can use report profiles to generate reports that contain the information that is important to you and your evaluation of the events generated for your network. You can use a predefined or existing report profile as a template for a new report profile. For information on editing a report profile, see Editing Report Profiles on page 263.

If you want to generate a report for a specific set of events or a specific time period, populate the event view with the events you want to see in your report before opening the report designer. For details on using the event view, see the following sections:
• Viewing RNA Network Discovery and Host Input Events in the Analyst Guide
• Viewing Hosts in the Analyst Guide
• Viewing Services in the Analyst Guide
• Viewing Client Applications in the Analyst Guide
• Working with Flow Data and Traffic Profiles in the Analyst Guide
• Working with Intrusion Events in the Analyst Guide


See the following sections for more information:
• Generating a Report using a Report Profile on page 261
• Editing Report Profiles on page 263
• Deleting Report Profiles on page 263

Generating a Report using a Report Profile
Requires: IPS or DC/MDC
Access: Any Analyst/Admin
You can use report profiles to generate reports that contain the information that is important to you and your evaluation of the events generated for your network.

To generate a report using a report profile:
1. Select Analysis & Reporting > Report Profiles. The Report Profiles page appears.
2. Click the name of the report profile you want to use. The Report Designer page loads the parameters defined for that selected report profile.
3. If necessary, click the time range to change it to include the events you want in your report. For more information, see Setting Event Time Constraints in the Analyst Guide.
4. Click Generate Report. The system generates the report.
5. Click Reports in the toolbar to display the Reporting page. The Reporting page appears, listing the report that you generated as well as any other previously generated reports. For information on managing generated reports, see Managing Generated Reports on page 237.


Editing Report Profiles
Requires: IPS or DC/MDC
You can create a new report profile by using a predefined or existing report profile as a template for a new report profile, modifying the field settings as appropriate, and saving the report with the new values. You can also edit a report profile to make changes to the resulting report. Use the following procedure to edit a report profile.

Access: Any Analyst/Admin
To edit a report profile:
1. Select Analysis & Reporting > Report Profiles. The Report Profiles page appears.
2. Click Edit next to the profile that you want to edit. The Report Designer page appears and contains the current settings for the report profile.
3. Make changes to the report areas as needed. See the following sections for information:
• Working with Report Information on page 248
• Working with Report Sections on page 255
• Working with Report Options on page 258

IMPORTANT! If you are creating a new report profile from a predefined or existing report profile, remember to change the name of the report profile in the Report Name field.

4. Click Save Report Profile. When prompted, follow the instructions for your browser to save the report profile. The report profile is saved with the name you specified in the Report Name field.

Deleting Report Profiles
Requires: IPS or DC/MDC
Access: Any Analyst/Admin
Use the following procedure to delete a report profile.

To delete a report profile:
1. Select Analysis & Reporting > Report Profiles. The Report Profiles page appears.
2. Click Delete next to the profile that you want to delete. The report profile is deleted.

Chapter 8
Managing Users

If your user account has Administrator access, you can manage the user accounts that can access the web interface on your Defense Center or 3D Sensor. On the Defense Center, you can also set up user authentication via an external authentication server, such as a Lightweight Directory Access Protocol (LDAP) directory server or a Remote Authentication Dial In User Service (RADIUS) authentication server, rather than through the internal database.

For more information, see the following sections:
• Understanding Sourcefire User Authentication on page 264
• Managing Authentication Objects on page 269
• Managing User Accounts on page 299

Understanding Sourcefire User Authentication
Requires: DC/MDC or 3D Sensor
When a user logs into the web interface, the appliance looks for a match for the user name and password in the local list of users. This process is called authentication. There are two kinds of authentication: internal and external. If the user's account uses internal authentication, the authentication process checks the local database for a list of users. If the account uses external authentication, the process checks the local database to see if the user exists there and, if the user is not found locally, it queries an external server.

For users with either internal or external authentication, you can control user permissions. Users with external authentication receive the permissions either for the group or access list they belong to, or based on the default user access role you set in the server authentication object or in a system policy on the managing Defense Center, unless you change the user permissions manually.

For more information, see the following sections:
• Understanding Internal Authentication on page 266
• Understanding External Authentication on page 266
• Understanding User Privileges on page 267

Understanding Internal Authentication
Requires: DC/MDC or 3D Sensor
By default, the Sourcefire 3D System uses internal authentication to check user credentials when a user logs in. Internal authentication occurs when the username and password are verified against records in the internal Sourcefire 3D System database. If you do not enable external authentication when you create a user, the user credentials are managed in the internal database. Because you manually create each internally authenticated user, you set the access settings when you create the user and you do not need to set default settings.

IMPORTANT! Note that an internally authenticated user is converted to external authentication if you enable external authentication, the same username exists for the user on the external server, and the user logs in using the password stored for that user on the external server. Once an internally authenticated user converts to an externally authenticated user, you cannot revert to internal authentication for that user.

Understanding External Authentication
Requires: DC
External authentication occurs when the Defense Center or managed sensor retrieves user credentials from an external repository, such as an LDAP directory server or RADIUS authentication server. LDAP authentication and RADIUS authentication are types of external authentication.

If you want to use external authentication, you must configure an authentication object for each external authentication server where you want to request user information. The authentication object contains your settings for connecting to and retrieving user data from that server. You can then enable that object in a system policy on the managing Defense Center and apply the policy to an appliance to enable authentication. Note that you can only use one form of external authentication for an appliance. When any externally authenticated user logs in, the web interface checks each authentication server to see if that user is listed, in the order the servers are listed in the system policy.

When you create a user, you can specify whether that user is internally or externally authenticated. You can push a system policy to a managed 3D Sensor to enable external authentication on that sensor. If you want to disable external authentication on a managed 3D Sensor, disable it in the system policy on the managing Defense Center and re-apply the policy to the sensor. If you apply a local system policy (created on the sensor) to the sensor itself, external authentication is also disabled. The only configuration of external authentication on the sensor occurs when you select the type of authentication for a new user, but you cannot control the authentication object from the sensor's web interface.

TIP! You can use the Import/Export feature to export system policies. When you export a policy with external authentication enabled, the authentication objects are exported with the policy. You can then import the policy and object on another Defense Center. Do not import policies with authentication objects onto 3D Sensors.

IMPORTANT! Sourcefire does not support external authentication for RNA Software for Red Hat Linux, Intrusion Agents, 3Dx800 sensors, or Crossbeam-based software sensors.

For more information on specific types of external authentication, see the following sections:
• Understanding LDAP Authentication on page 269
• Understanding RADIUS Authentication on page 287

Understanding User Privileges
The Sourcefire 3D System lets you allocate user privileges based on the user's role. For example, an analyst typically needs access to event data to analyze the security of monitored networks, but might never require access to administrative functions for the Sourcefire 3D System itself. You can grant Intrusion Event Analyst and RNA Event Analyst access privileges for analysts and reserve the Administrator role for the network administrator managing the Sourcefire 3D System.

Because you create internally authenticated users manually, you set the access rights when you create them. In the system policy on the Defense Center, you set a default access role for all users who are externally authenticated. After an externally authenticated user logs in for the first time, you can add or remove access rights for that user on the User Management page. If you do not modify the user's rights, the user has only the rights granted by default.

If you configured management of access rights through LDAP groups, the access rights for users are based on their membership in LDAP groups. They receive the default access rights for the group that they belong to that has the highest level of access. If they do not belong to any groups and you have configured group access, they receive the default user access rights configured in the authentication object for the LDAP server. If you configure group access, those settings override the default access setting in the system policy.

Similarly, if you assign a user to specific user role lists in a RADIUS authentication object, the user receives all assigned roles, unless one or more of those roles are mutually incompatible. If a user is on the lists for two mutually incompatible roles, the user receives the role that has the highest level of access. If the user does not belong to any lists and you have configured a default access role in the authentication object, the user receives that role. If you configure default access in the authentication object, those settings override the default access setting in the system policy.

The Sourcefire 3D System supports the following user roles, listed in order of precedence, depending on the features you have licensed:
• Administrators can set up the appliance's network configuration, manage user accounts, configure system policies and system settings, and view (but not delete or modify) health events. Users with the Administrator role also have Intrusion Event Analyst, RNA Event Analyst, Policy & Response (P&R) Administrator, and Maintenance access rights.
• Intrusion Event Analysts can view, analyze, review, and delete intrusion events and compliance and RUA events. They can also create incidents, generate reports, and view (but not delete or modify) health events.
• Intrusion Event Analysts (Read Only) have all the same rights as Intrusion Event Analysts, except that they cannot delete events.
• RNA Event Analysts can view, analyze, and delete network change events, hosts, host attributes, services, client applications, vulnerabilities, compliance events, and RUA events. RNA analysts can also generate reports and view (but not delete or modify) health events.
• RNA Event Analysts (Read Only) have all the same rights as RNA Event Analysts, except that they cannot delete events.
• Restricted Event Analysts have the combined privileges of Intrusion Event Analysts and RNA Event Analysts, but users are limited to subsets of that data. Restricted analysts can also be assigned the Policy & Response Administrator or Maintenance User roles, but cannot be assigned the Intrusion Event Analyst or RNA Event Analyst roles. Note that on the Defense Center you cannot select Restricted Event Analyst as the default user role in the system policy, but you can modify a user's settings via the User Management page to grant this level of access.

• Policy & Response Administrators can manage intrusion rules, policies, and responses, as well as compliance rules, policies, and responses.
• Maintenance Administrators can access monitoring functions (including health monitoring, host statistics, performance data, and system logs) and maintenance functions (including task scheduling and backing up the system). Note that maintenance administrators do not have access to the functions in the Policy & Response menu and can only access the dashboard from the Analysis & Reporting menu.

Managing Authentication Objects
Requires: DC
Authentication objects are server profiles for external authentication servers, containing connection settings and authentication filter settings for those servers. You can create, manage, and delete authentication objects on the Defense Center.

See the following sections for details on these tasks:
• Understanding LDAP Authentication on page 269
• Creating LDAP Authentication Objects on page 269
• LDAP Authentication Object Examples on page 281
• Editing LDAP Authentication Objects on page 286
• Creating RADIUS Authentication Objects on page 287
• RADIUS Authentication Object Examples on page 295
• Editing RADIUS Authentication Objects on page 298
• Deleting Authentication Objects on page 298

Understanding LDAP Authentication
LDAP, or the Lightweight Directory Access Protocol, allows you to set up a directory on your network that organizes objects, such as user credentials, in a centralized location. Multiple applications can then access those credentials and the information used to describe them. If you ever need to change a user's credentials, you can change them in one place, rather than having to change them on the local appliances as well as on any other application that uses them.

Creating LDAP Authentication Objects
Requires: DC
You can create LDAP authentication objects to provide user authentication services for an appliance. When you create an authentication object, you define settings that let you connect to an authentication server. You also select the directory context and search criteria you want to use to retrieve user data from the server. Optionally, you can configure shell access authentication.

Note that to create an authentication object, you need TCP/IP access from your local appliance to the authentication server where you want to connect.

To create an authentication object:
Access: Admin

1. Select Operations > Configuration > Login Authentication. The Login Authentication page appears.
2. Click Create Authentication Object. The Create Authentication Object page appears.
3. Identify the authentication server where you want to retrieve user data for external authentication. For more information, see Identifying the LDAP Authentication Server on page 270.
4. Configure authentication settings to build a search request that retrieves the users you want to authenticate, and specify a user name template to format the usernames that users enter on login. For more information, see Configuring LDAP Authentication Settings on page 271.
5. If you are using a Microsoft Active Directory server, or if your LDAP server uses a UI access attribute or a shell access attribute other than uid, specify the appropriate attributes for your server. For more information, see Configuring Attribute Mapping on page 274.
6. Optionally, configure LDAP groups to use as the basis for default access role assignments. For more information, see Configuring Access Settings by Group on page 275.
7. Optionally, configure authentication settings for shell access. For more information, see Configuring Administrative Shell Access on page 278.
8. Test your configuration by entering the name and password for a user who can successfully authenticate. For more information, see Testing User Authentication on page 280. Your changes are saved.

Remember that you have to apply a system policy with the object enabled to an appliance before the authentication changes take place on that appliance. For more information, see Configuring Authentication Profiles on page 329 and Applying a System Policy on page 324.

Identifying the LDAP Authentication Server
Requires: DC

When you create an authentication object, you first specify the primary and backup server and server port where you want the local appliance (3D Sensor or Defense Center) to connect for authentication. If you select SSL encryption, the port uses the default of 636. For none or TLS, the port uses the default value of 389. Note that if you change the encryption method after specifying the port, the port resets to the default value.

To identify an LDAP authentication server:
Access: Admin

1. Type a name and description for the authentication server in the Name and Description fields.
2. Select LDAP from the Authentication Method drop-down list.
3. Type the IP address or host name for the primary server where you want to obtain authentication data in the Primary Server Host Name/IP Address field. IPv6 addresses are not supported.
IMPORTANT! If you are using a certificate to connect via TLS or SSL, the host name in the certificate must match the host name used in this field.
4. Optionally, modify the port used by the primary authentication server in the Primary Server Port field.
5. Optionally, type the IP address or host name for the backup server where you want to obtain authentication data in the Backup Server Host Name/IP Address field.
6. Optionally, modify the port used by the backup authentication server in the Backup Server Port field.
7. Continue with Configuring LDAP Authentication Settings.

Configuring LDAP Authentication Settings
Requires: DC

If you specify a backup authentication server, you can set a timeout for the connection attempt to the primary server. If the number of seconds indicated in the Timeout field (or the timeout on the directory server) elapses without a response from the primary authentication server, the appliance then queries the backup server. If, for example, the primary server has LDAP disabled, the appliance would query the backup server. If LDAP is running on the port of the primary LDAP server and for some reason refuses to service the request (due to misconfiguration or other issues), however, the failover to the backup server does not occur.

In addition, to allow an appliance to connect to the LDAP server, you need to select the encryption method for the connection. You can choose no encryption, Transport Layer Security (TLS), or Secure Sockets Layer (SSL) encryption. Note that if you are using a certificate to authenticate when connecting via TLS or SSL, the name of the LDAP server in the certificate must match the name that you use to connect. For example, if you enter 10.10.10.250 as the server and computer1.example.com is the name in the certificate, the connection fails. Changing the name of the server in the authentication profile to computer1.example.com causes the connection to succeed.

When the local appliance searches the LDAP directory server to retrieve user information on the authentication server, it needs a starting point for that search. You can specify the namespace, or directory tree, that the local appliance should search by providing a base distinguished name, or base DN. Typically, the base DN will have a basic structure indicating the company domain and operational unit. For example, the Security organization of the Example company might have a base DN of ou=security,dc=example,dc=com.

You can also add a base filter that sets a specific value for a specific attribute. The base filter focuses your search by only retrieving objects in the base DN that have the attribute value set in the filter. Enclose the base filter in parentheses. For example, to filter for only users with a common name starting with F, use the filter (cn=F*). When you save the authentication object, the local appliance queries using the base filter to test it and indicates whether or not the filter appears to be correct. To test your base filter more specifically by entering a test username and password, see Testing User Authentication on page 280.

To allow the local appliance to access the user objects, you must supply user credentials for a user with appropriate rights to the authentication objects you want to retrieve. Remember that the distinguished name for the user you specify must be unique to the directory information tree for the directory server.

For the authentication method-specific parameters, you can use the LDAP naming standards and filter and attribute syntax defined in the RFCs listed in RFC 3377, Lightweight Directory Access Protocol (v3): Technical Specification. Examples of syntax are provided throughout this procedure. Note that when you set up an authentication object to connect to a Microsoft Active Directory Server, you can use the address specification syntax documented in the Internet RFC 822 (Standard for the Format of ARPA Internet Text Messages) specification when referencing a user name that contains a domain. For example, to refer to a user object when using Microsoft Active Directory Server, you might type JoeSmith@security.example.com rather than the equivalent user distinguished name of cn=JoeSmith,ou=security,dc=example,dc=com.

If your LDAP Server uses a Pluggable Authentication Module (PAM) login attribute of uid, the local appliance checks the uid attribute value for each object in the directory tree indicated by the base DN you set. If one of the objects has a matching username and password, the user login request is authenticated. LDAP usernames can include underscores (_), periods (.), and hyphens (-), but otherwise only alphanumeric characters are supported.

Selecting a user name template lets you indicate how user names entered on login should be formatted, by mapping the string conversion character (%s) to the value of the shell access attribute for the user. The user name template is the format for the distinguished name used for authentication. When a user enters a user name into the login page, the name is substituted for the string conversion character and the resulting distinguished name is used to search for the user credentials. For example, to set a user name template for the Security organization of the Example company, you would enter %s@security.example.com.

To configure the authentication method for a server:
Access: Admin

1. Select one of the following encryption modes:
• To connect using Secure Sockets Layer (SSL), select SSL.
• To connect using Transport Layer Security (TLS), select TLS.
• To connect without encryption, select None.
IMPORTANT! Note that if you change the encryption method after specifying a port, you reset the port to the default value for that method. For none or TLS, the port uses the default value of 389. If you select SSL encryption, the port uses the default of 636.
2. Optionally, if you selected TLS or SSL encryption and you want to use a certificate to authenticate, click Browse to browse to the location of a valid TLS or SSL certificate, or type the path to the certificate in the SSL Certificate Upload Path field. A message appears, indicating a successful certificate upload.
3. Type the number of seconds that should elapse before rolling over to the backup connection in the Timeout field.
4. Type the base distinguished name for the LDAP directory you want to access in the Base DN field. For example, to authenticate names in the Security organization at the Example company, type ou=security,dc=example,dc=com.

5. To set a filter that retrieves only specific objects within the namespace you specified as the Base DN, type the attribute type, a comparison operator, and the attribute value you want to use as a filter, enclosed in parentheses, in the Base Filter field. For example, if the user objects in a directory tree have a physicalDeliveryOfficeName attribute and users in the New York office have an attribute value of NewYork for that attribute, to retrieve only users in the New York office, type (physicalDeliveryOfficeName=NewYork).
6. Type the distinguished name and password for the user whose credentials should be used to validate access to the LDAP directory in the User Name and Password fields. For example, if you want to filter on uid and you are connecting to an OpenLDAP Server where user objects have a uid attribute and the object for the administrator in the Security division at our example company has a uid value of NetworkAdmin, you would type uid=NetworkAdmin,ou=security,dc=example,dc=com.
7. Re-type the password in the Confirm Password field.
8. Type the user distinguished name, with the string conversion character (%s) in place of the shell access attribute value, into the User Name Template field. For example, to authenticate all users who work in the Security organization of our example company by connecting to an OpenLDAP server where the shell access attribute is uid, you would type uid=%s,ou=security,dc=example,dc=com in the User Name Template field. For a Microsoft Active Directory server, you could type %s@security.example.com.
9. Continue with Configuring Attribute Mapping.

Configuring Attribute Mapping
Requires: DC

If your LDAP Server uses a default UI access attribute of uid, you do not need to specify a UI access attribute. If your LDAP server uses uid, when a user logs in, the local appliance (3D Sensor or Defense Center) checks the value of the uid attribute for each user record on the LDAP Server to see if it matches the user name. However, you can map a different attribute for the local appliance to search. Setting a UI access attribute tells the local appliance to match the value of that attribute rather than the value of the uid attribute. You can use any attribute, if the value of the attribute is a valid user name for either the Sourcefire 3D System web interface or for shell access. Valid user names are unique, have no spaces and no periods in them, and do not begin with a numeral.

The Pluggable Authentication Module (PAM) login attribute of your LDAP Server acts as a shell access attribute. If your LDAP server uses uid, when a user logs in, the local appliance checks the user name entered on login against the attribute value of uid. If the shell access attribute for a server is something other than uid, you must explicitly set the Shell Access Attribute to match the attribute value.

To configure attribute mapping for a server:
Access: Admin

1. To retrieve users based on an attribute instead of the Base DN and Base Filter, type the attribute type in the UI Access Attribute field. For example, on a Microsoft Active Directory Server, you may want to use the UI Access Attribute to retrieve users, because there may not be a uid attribute on Active Directory Server user objects. Instead, you can search the userPrincipalName attribute by typing userPrincipalName in the UI Access Attribute field.
2. To retrieve users for shell access, type the attribute type you want to filter on in the Shell Access Attribute field. For example, on a Microsoft Active Directory Server, use the sAMAccountName shell access attribute to retrieve shell access users by typing sAMAccountName in the Shell Access Attribute field.
3. For the next step, you have two choices:
• If you want to configure user default roles based on LDAP group membership, continue with Configuring Access Settings by Group.
• If you are not using LDAP groups for authentication, continue with Configuring Administrative Shell Access on page 278.

Configuring Access Settings by Group
Requires: DC

If you prefer to base default access settings on a user's membership in an LDAP group, you can specify distinguished names for existing groups on your LDAP server for each of the access roles used by your Sourcefire 3D System. When you do so, you can configure a default access setting for those users detected by LDAP that do not belong to any specified groups. When a user logs in, the Sourcefire 3D System dynamically checks the LDAP directory and assigns default access rights according to the user's current group membership.

You can reference static LDAP groups or dynamic LDAP groups. Static LDAP groups are groups where membership is determined by group object attributes that point to specific users, and dynamic LDAP groups are groups where membership is determined by creating an LDAP search that retrieves group users based on user object attributes. Group access settings for a role only affect users who are members of the group. Any group you reference must exist on the LDAP server.

The access rights granted when a user logs into the Sourcefire 3D System depend on the LDAP configuration:
• If no group access settings are configured for your LDAP server, when a new user logs in, the Sourcefire 3D System authenticates the user against the LDAP server and then grants user rights based on the default minimum access role set in the system policy.
• If you configure any group settings, however, new users belonging to specified groups inherit the minimum access setting for the groups where they are members.
• If a new user does not belong to any specified groups, the default access role defined in the Group Controlled Access Roles section is granted to the user.
• If a user belongs to more than one configured group, the user receives the access role for the group with the highest access as a minimum access role.

You cannot remove the minimum access rights for users assigned an access role because of LDAP group membership through the Sourcefire 3D System user management page. You can, however, assign additional rights. When you modify the access rights for an externally authenticated user, the Authentication Method column on the User Management page provides a status of External - Locally Modified.

IMPORTANT! If you use a dynamic group, the LDAP query is used exactly as it is configured on the LDAP server. For this reason, the Sourcefire 3D System limits the number of recursions of a search to four to prevent search syntax errors from causing infinite loops. If a user's group membership is not established in those recursions, the user is assigned the default minimum access role specified in the Group Controlled Access Roles section of the authentication object.

To base access defaults on LDAP group membership:
Access: Admin

1. Type the distinguished name for the LDAP group containing users who should at minimum have access to analysis and reporting features, rule and policy configuration, system management, and all maintenance features in the Administrator Group DN field. For example, to authenticate names in the information technology organization at the Example company, type cn=itgroup,ou=groups,dc=example,dc=com.
2. Type the distinguished name for the LDAP group containing users who should at minimum have access to monitoring and maintenance features in the Maintenance Group DN field. For example, to authenticate names in the information technology organization at the Example company, type cn=itgroup,ou=groups,dc=example,dc=com.
3. Type the distinguished name for the LDAP group containing users who should at minimum have access to rules and policy configuration in the Policy & Response Administrator Group DN field. For example, to authenticate names in the Security organization at the Example company, type cn=securitygroup,ou=groups,dc=example,dc=com.
4. Type the distinguished name for the LDAP group containing users who should at minimum have access to IPS analysis features in the Intrusion Event Analyst Group DN field. For example, to authenticate names in the Intrusion Event Analyst group at the Example company, type cn=ipsanalystgroup,ou=groups,dc=example,dc=com.

5. Type the distinguished name for the LDAP group containing users who should at minimum have access to RNA analysis features in the RNA Event Analyst Group DN field.
6. Type the distinguished name for the LDAP group containing users who should at minimum have access to IPS analysis features in the Intrusion Event Analyst Group DN (Read Only) field.
7. Type the distinguished name for the LDAP group containing users who should at minimum have access to RNA analysis features in the RNA Event Analyst Group DN (Read Only) field.
8. Type the LDAP attribute that designates membership in a static group in the Group Member Attribute field. For example, if the member attribute is used to indicate membership in the static group you reference for default Policy & Response Administrator access, type member.
9. Optionally, type the LDAP attribute that contains the LDAP search string used to determine membership in a dynamic group in the Group Member URL Attribute field. For example, if the memberURL attribute contains the LDAP search that retrieves members for the dynamic group you specified for default Admin access, type memberURL.
10. Select the default minimum access role for users that do not belong to any of the specified groups from the Default User Role list. For more information on user access roles, see Adding New User Accounts on page 300.
TIP! Press the Ctrl key while clicking role names to select multiple roles in the list.
11. Continue with Configuring Administrative Shell Access on page 278.

Configuring Administrative Shell Access
Requires: DC

You can also use the LDAP directory server to authenticate accounts for shell access on your local appliance (3D Sensor or Defense Center). Specify a search filter that will retrieve entries for users you want to grant shell access. Note that you can only configure shell access for the first authentication object in your system policy. For more information on managing authentication object order, see Configuring Authentication Profiles on page 329.

IMPORTANT! Sourcefire does not support external authentication for RNA Software for Red Hat Linux, Intrusion Agents, 3Dx800 sensors, or Crossbeam-based software sensors.

With the exception of the root account, shell access is controlled entirely through the shell access attribute you set, and the filter you set here determines which set of users on the LDAP server can log into the shell. Shell users are not configured as local users on the appliance, even after they log in. Note that a home directory for each shell user is created on login, and when an LDAP shell access user account is disabled (by disabling the LDAP connection), the directory remains, but the user shell is set to /bin/false in /etc/passwd to disable the shell. If the user is then re-enabled, the shell is reset, using the same home directory. Addition and deletion of shell access users occurs only on the LDAP server. Shell users should log in using usernames with all lowercase letters.

WARNING! All shell users have sudoers privileges. Make sure that you restrict the list of users with shell access appropriately.

The Same as Base Filter check box allows you to search more efficiently if all users qualified in the base DN are also qualified for shell access privileges. Normally, the LDAP query to retrieve users combines the base filter with the shell access filter. If the shell access filter were the same as the base filter, the same query would be run twice, which is unnecessarily time-consuming. You can use the Same as Base Filter option to run the query only once for both purposes.

IMPORTANT! If you choose not to specify a shell access filter, a warning displays when you save the authentication object to confirm that you meant to leave the filter blank.

To configure shell account authentication:
Access: Admin

1. To set a filter to retrieve administrative user entries based on attribute value, type the attribute type, a comparison operator, and the attribute value you want to use as a filter, enclosed in parentheses, in the Shell Access Filter field, or select Same as Base Filter to use the same filter you specified when configuring authentication settings. For example, if all network administrators have a manager attribute which has an attribute value of shell, you can set a base filter of (manager=shell).
2. Continue with Testing User Authentication.

Testing User Authentication
Requires: DC

After you configure LDAP server and authentication settings, you can specify user credentials for a user who should be able to authenticate to test those settings. For the user name, you can enter the value for the uid attribute for the user you want to test with. If you are connecting to a Microsoft Active Directory Server and supplied a shell access attribute in place of uid in Configuring Attribute Mapping on page 274, use the value for that attribute as the user name. You can also specify a fully-qualified distinguished name for the user. Note that testing the connection to servers with more than 1000 users only returns 1000 users because of UI page size limitations.

TIP! If you mistype the name or password of the test user, the test fails even if the server configuration is correct. Test the server configuration without the additional test parameters first. If that succeeds, supply a user name and password to test with the specific user.

To test user authentication:
Access: Admin

1. In the User Name and Password fields, type the uid value or shell access attribute value and password for the user whose credentials should be used to validate access to the LDAP directory. For example, to test whether you can retrieve the JSmith user credentials at our example company, type JSmith.
2. Click Test. A message appears, either indicating success of the test or detailing what settings are missing or need to be corrected. To view details of test output, select Show Details.
3. If the test succeeds, click Save. The Login Authentication page appears, with the new object listed.
4. To enable LDAP authentication using the object on an appliance, you must apply a system policy with that object enabled to the appliance. For more information, see Configuring Authentication Profiles on page 329 and Applying a System Policy on page 324.

LDAP Authentication Object Examples
Requires: DC

For sample configurations showing how different configuration options might be used for connections to specific directory server types, see the following sections:
• OpenLDAP Example on page 281
• Microsoft Active Directory Server Example on page 282
• Sun Directory Server Example on page 284

OpenLDAP Example
Requires: DC

The following figures illustrate parts of a sample LDAP login authentication object for an OpenLDAP directory server with an IP address of 10.10.3.4, with a backup server that has an IP address of 10.10.3.5. This example illustrates important aspects of LDAP configuration.
• This example shows a connection using a base distinguished name of OU=security,DC=it,DC=example,DC=com for the security organization in the information technology domain of the Example company. Note that the connection uses port 389 for access and that connections to the server time out after 30 seconds of disuse.

• Because this is an OpenLDAP server that uses CN as a part of each user's name, the user name template for the connection uses CN=%s, followed by the base distinguished name for the server directory, to indicate the template used to format user names retrieved from the server.
• Because the user names to be retrieved are contained in the default uid attribute, no UI access attribute is specified. The Sourcefire 3D System checks the uid attribute of each object in the directory indicated by the distinguished name against the username for each user who logs into the system. Note that all objects in the directory are checked because no base filter is set.
• To support shell access, the CN attribute is set as the shell access attribute.
• A shell access filter has been applied to this configuration, allowing only those users who have a common name attribute value of jsmith to log into the appliance using a shell account.

Microsoft Active Directory Server Example
Requires: DC

The following figure illustrates a sample LDAP login authentication object for a Microsoft Active Directory Server with an IP address of 10.11.3.4, with a backup server that has an IP address of 10.11.3.5. Aspects of this example illustrate important differences in this LDAP configuration from the configuration discussed in the OpenLDAP Example on page 281.
• Like the OpenLDAP server, the connection uses port 389 for access and connections to the server time out after 30 seconds of disuse (or the timeout period set on the LDAP server).

• Like the OpenLDAP server, this example shows a connection using a base distinguished name of OU=security,DC=it,DC=example,DC=com for the security organization in the information technology domain of the Example company.
• Because this is a Microsoft Active Directory Server, it uses the userPrincipalName attribute to store user names rather than the uid attribute. Note that the configuration includes a UI Access Attribute of userPrincipalName. As a result, the Sourcefire 3D System checks the userPrincipalName attribute for each object for matching user names when a user attempts to log into the Sourcefire 3D System. Again, because no base filter is applied to this server, the Sourcefire 3D System checks attributes for all objects in the directory indicated by the base distinguished name.
• In addition, because this server is a Microsoft Active Directory server, the user name template for the connection uses the address specification syntax documented in RFC 822 rather than the typical LDAP naming syntax.
• However, a Shell Access Attribute of sAMAccountName causes each sAMAccountName attribute to be checked for all objects in the directory for matches when a user logs into a shell account on the appliance.

• This example also has group settings in place. The maintenance role is automatically assigned to all members of the group with a member group attribute and the base domain name of CN=maintenance,DC=it,DC=example,DC=com.
• As in the OpenLDAP server, a shell access filter has been specified for this server, allowing only those users who have a common name attribute value of jsmith to log into the appliance using a shell account. However, as noted above, a shell access attribute value of sAMAccountName must be set for shell access to work on a Microsoft Active Directory server.

Sun Directory Server Example
Requires: DC

The following figure illustrates a sample LDAP login authentication object for a Sun Directory Server with an IP address of 10.12.3.4, with a backup server that has an IP address of 10.12.3.5.

Settings in the example illustrate important differences in this LDAP configuration from the configuration discussed in Microsoft Active Directory Server Example on page 282:
• Because the Encryption for the connection is set to SSL, the Server Port is set to 636. A certificate has been uploaded to allow the SSL connection.
• This example shows a connection using a base distinguished name of OU=security,DC=it,DC=example,DC=com for the security organization in the information technology domain of the Example company. However, note that this server does have a base filter of (cn=*smith). The filter restricts the users retrieved from the server to those with a common name ending in smith.
• The user name template shown uses the uid attribute value as the user name.
• Because user names can be retrieved from the uid attribute on this server, no UI access attribute is specified. The Sourcefire 3D System checks the uid attribute of each object in the directory indicated by the distinguished name against the user name for each user who logs into the system. Note that all objects in the directory are checked because no base filter is set.
• To allow shell access on the server, the uid attribute is named as the Shell Access Attribute and the Same as Base Filter option for the shell access filter is set, allowing all users with a common name ending in smith to log in using a shell account as well. Using Same as Base Filter allows a more efficient search query if and only if all users qualified in the base DN are also qualified for shell access privileges.
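An added worked model of how the settings in the three examples above combine at login (illustrative Python written for this guide, not Sourcefire code): it substitutes the user name template, builds the shell-access query from the base and shell access filters, evaluates simple filters against a constructed directory, and resolves a default role from static (member) and dynamic (memberURL) group membership. The directory entries, group DNs and the privilege ordering of the roles are assumptions.

```python
# Added illustrative model of how an LDAP authentication object's settings
# combine at login.  Not Sourcefire code: the entries, group DNs and role
# ordering below are constructed assumptions mirroring the guide's examples.
import fnmatch

# Assumed privilege order; the guide only says that a member of several
# groups receives the role of the group with the highest access.
ROLE_ORDER = ["Administrator", "Policy & Response Administrator", "Maintenance",
              "Intrusion Event Analyst", "RNA Event Analyst",
              "Intrusion Event Analyst (Read Only)", "RNA Event Analyst (Read Only)"]

# Constructed sample directory: attribute names lower-cased, values as lists.
DIRECTORY = [
    {"dn": "uid=jsmith,ou=security,dc=example,dc=com", "uid": ["jsmith"],
     "cn": ["John Smith"], "manager": ["shell"]},
    {"dn": "uid=mjones,ou=security,dc=example,dc=com", "uid": ["mjones"],
     "cn": ["Mary Jones"], "physicaldeliveryofficename": ["NewYork"]},
    {"dn": "uid=plee,ou=security,dc=example,dc=com", "uid": ["plee"],
     "cn": ["Pat Lee"]},
    # static group: members listed in the member attribute
    {"dn": "cn=itgroup,ou=groups,dc=example,dc=com",
     "member": ["uid=mjones,ou=security,dc=example,dc=com"]},
    # dynamic group: members defined by the LDAP URL held in memberURL
    {"dn": "cn=securitygroup,ou=groups,dc=example,dc=com",
     "memberurl": ["ldap:///ou=security,dc=example,dc=com??sub?(manager=shell)"]},
]
# Group DNs as typed into the Group Controlled Access Roles fields.
GROUP_DNS = {"Administrator": "cn=itgroup,ou=groups,dc=example,dc=com",
             "Policy & Response Administrator":
                 "cn=securitygroup,ou=groups,dc=example,dc=com"}

def bind_dn(template, login_name):
    """Substitute the login name for the string conversion character (%s)."""
    return template.replace("%s", login_name)

def shell_filter(base_filter, shell_access_filter, same_as_base=False):
    """Query used to find shell users: the base filter ANDed with the shell
    access filter, or the base filter alone when Same as Base Filter is set.
    Assumption of this model: a blank shell access filter admits nobody."""
    if same_as_base:
        return base_filter
    if not shell_access_filter:
        return None
    if not base_filter:
        return shell_access_filter
    return "(&%s%s)" % (base_filter, shell_access_filter)

def _parse(filt, i=0):
    """Parse one parenthesised RFC 4515 filter (=, *, &, |) starting at filt[i]."""
    i += 1                                    # skip "("
    if filt[i] in "&|":
        op, subs, i = filt[i], [], i + 1
        while filt[i] == "(":
            node, i = _parse(filt, i)
            subs.append(node)
        return (op, subs), i + 1              # skip ")"
    j = filt.index(")", i)
    attr, value = filt[i:j].split("=", 1)
    return ("=", attr.strip().lower(), value.strip().lower()), j + 1

def _eval(entry, node):
    op, arg = node[0], node[1]
    if op == "=":                             # equality; "*" wildcards allowed
        return any(fnmatch.fnmatchcase(v.lower(), node[2])
                   for v in entry.get(arg, []))
    if op == "&":
        return all(_eval(entry, s) for s in arg)
    return any(_eval(entry, s) for s in arg)  # "|"

def matches(entry, filt):
    """True if the entry satisfies the filter; matching is case-insensitive."""
    return _eval(entry, _parse(filt)[0])

def find_user(directory, base_dn, base_filter, attr, login_name):
    """Entries under base_dn passing base_filter whose attr (uid, or the UI or
    shell access attribute you mapped) equals the name typed at login."""
    name = login_name.lower()
    return [e for e in directory
            if e["dn"].lower().endswith(base_dn.lower())
            and (not base_filter or matches(e, base_filter))
            and name in (v.lower() for v in e.get(attr.lower(), []))]

def default_role(directory, user_dn, group_dns, member_attr, url_attr, default):
    """Highest-privilege role whose group holds the user, else the Default User Role."""
    by_dn = {e["dn"].lower(): e for e in directory}
    udn = user_dn.lower()
    for role in ROLE_ORDER:
        group = by_dn.get(group_dns.get(role, "").lower())
        if group is None:
            continue
        if udn in (m.lower() for m in group.get(member_attr.lower(), [])):
            return role
        for url in group.get(url_attr.lower(), []):   # ldap:///base?attrs?scope?filter
            if url.startswith("ldap:///"):
                base, _attrs, _scope, filt = url[8:].split("?", 3)
                if udn.endswith(base.lower()) and matches(by_dn[udn], filt):
                    return role
    return default
```

With the sample data, jsmith is picked up by the dynamic securitygroup and gets Policy & Response Administrator, mjones is a static member of itgroup and gets Administrator, and plee falls through to whatever Default User Role is passed in.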

Editing LDAP Authentication Objects
Requires: DC
You can edit an existing authentication object. If the object is in use in a system policy, the settings in place at the time the policy was applied stay in effect until you re-apply the policy.

IMPORTANT! If you previously uploaded a certificate and want to replace it, upload the new certificate and re-apply the system policy to your appliances to copy over the new certificate.

To edit an authentication object:
Access: Admin
1. Select Operations > Configuration > Login Authentication. The Login Authentication page appears.
2. Click Edit next to the object you want to edit. The Create Authentication Object page appears.
3. Modify the object settings as needed. For more information, see the following topics:
• Creating LDAP Authentication Objects on page 269
• Configuring LDAP Authentication Settings on page 271
• Configuring Attribute Mapping on page 274
• Configuring Administrative Shell Access on page 278
• Testing User Authentication on page 280

4. Click Save. Your changes are saved and the Login Authentication page re-appears. Remember that you have to apply a system policy with the object enabled to an appliance before the authentication changes take place on that appliance. For more information, see Configuring Authentication Profiles on page 329 and Applying a System Policy on page 324.

Understanding RADIUS Authentication
Requires: DC
The Remote Authentication Dial In User Service (RADIUS) is an authentication protocol used to authenticate, authorize, and account for user access to network resources. You can create an authentication object for any RADIUS server that conforms to RFC 2865.

The Sourcefire 3D System implementation of RADIUS supports the use of SecurID® tokens. When you configure authentication by a server using SecurID, users authenticated against that server append the SecurID token to the end of their SecurID PIN and use that as their password when they log into a Sourcefire appliance. As long as SecurID is configured correctly to authenticate users outside the Sourcefire 3D System, those users can log into a Sourcefire 3D System appliance using their PIN plus the SecurID token without any additional configuration on the appliance.

Creating RADIUS Authentication Objects
Requires: DC
When you create a RADIUS authentication object, you define settings that let you connect to an authentication server. You also grant user roles to specific and default users. If your RADIUS server returns custom attributes for any users you plan to authenticate, you need to define those custom attributes. Optionally, you can also configure shell access authentication.

When a user authenticated on a RADIUS server logs in for the first time, the user receives the roles specified for that user in the authentication object or, if the user is not listed for any of the user roles, the default access role you selected in the authentication object or, failing that, the default role set in the system policy. You can modify a user's roles, if needed, unless the settings are granted through the user lists in the authentication object.

Note that to create an authentication object, you need TCP/IP access from your local appliance to the authentication server where you want to connect.

To create an authentication object:
Access: Admin
1. Select Operations > Configuration > Login Authentication. The Login Authentication page appears.
2. Click Create Authentication Object. The Create Authentication Object page appears.

3. Identify the primary and backup authentication servers where you want to retrieve user data for external authentication and set timeout and retry values. For more information, see Configuring RADIUS Connection Settings on page 288.
IMPORTANT! For FreeRADIUS to function correctly, you need to open both ports 1812 and 1813 on your firewall and on the FreeRADIUS server.
4. Set the default user role. Optionally, specify the users or user attribute values for users that you want to receive specific Sourcefire 3D System access roles. For more information, see Configuring RADIUS User Roles on page 290.
5. Optionally, configure administrative shell access. For more information, see Configuring Administrative Shell Access on page 292.
6. If the profiles for any of the users to authenticate return custom RADIUS attributes, define those attributes. For more information, see Defining Custom RADIUS Attributes on page 293.
7. Test your configuration by entering the name and password for a user who should successfully authenticate. For more information, see Testing User Authentication on page 294. Your changes are saved. Remember that you have to apply a system policy with the object enabled to an appliance before the authentication changes take place on that appliance. For more information, see Configuring Authentication Profiles on page 329 and Applying a System Policy on page 324.

Configuring RADIUS Connection Settings
Requires: DC
When you create a RADIUS authentication object, you first specify the primary and backup server and server port where you want the local appliance (3D Sensor or Defense Center) to connect for authentication.

Optionally, you can set a timeout for the connection attempt to the primary server. If you specify a backup authentication server and the number of seconds indicated in the Timeout field (or the timeout on the directory server) elapses without a response from the primary authentication server, the appliance re-queries the primary server. After the appliance has re-queried the primary authentication server the number of times indicated by the Retries field and the number of seconds indicated in the Timeout field again elapses without a response, the appliance rolls over to the backup server. If, for example, the primary server has RADIUS disabled, the appliance would query the backup server. If RADIUS is running on the port of the primary RADIUS server and for some reason refuses to service the request (due to misconfiguration or other issues), however, the failover to the backup server does not occur.

To identify a RADIUS authentication server:
Access: Admin
1. Type a name and description for the authentication server in the Name and Description fields.
2. Select RADIUS from the Authentication Method drop-down list.
3. Type the IP address or host name for the primary RADIUS server where you want to obtain authentication data in the Primary Server Host Name/IP Address field.
IMPORTANT! IPv6 addresses are not supported.
4. Optionally, modify the port used by the primary RADIUS authentication server in the Primary Server Port field.
5. Type the secret key for the primary RADIUS authentication server in the RADIUS Secret Key field.
6. Type the IP address or host name for the backup RADIUS authentication server where you want to obtain authentication data in the Backup Server Host Name/IP Address field.
7. Optionally, modify the port used by the backup RADIUS authentication server in the Backup Server Port field.
8. Type the secret key for the backup RADIUS authentication server in the RADIUS Secret Key field.
9. Type the number of seconds that should elapse before retrying the connection in the Timeout field.

10. Type the number of times the primary server connection should be tried before rolling over to the backup connection in the Retries field.
11. Continue with Configuring RADIUS User Roles.

Configuring RADIUS User Roles
Requires: DC
You can specify the access roles for existing users on your RADIUS server by listing the user names for each of the access roles used by your Sourcefire 3D System. You can also use attribute-value pairs, rather than usernames, to identify users who should receive a particular user role. For example, if you know all users who should be RNA Analysts have the value Analyst for their User-Category attribute, you can type User-Category=Analyst in the RNA Analyst List field to grant that role to those users. Note that you need to define any custom attributes before you use them to set user role membership. For more information, see Defining Custom RADIUS Attributes on page 293.

You can also assign a default user role (or roles) to any users that are authenticated externally but not listed for a specific role. You can select multiple roles on the Default User Role list.

When a user logs in, the Sourcefire 3D System checks the RADIUS server and grants access rights depending on the RADIUS configuration:
• If specific access settings are not configured for a user and a default access role is not selected, when a new user logs in, the Sourcefire 3D System authenticates the user against the RADIUS server and then grants user rights based on the default access role (or roles) set in the system policy.
• If a new user is not specified on any lists and default access roles are selected in the Default User Role list of the authentication object, the user is assigned those access roles.
• If you add a user to the list for one or more specific roles, that user receives all assigned access roles.

You cannot remove the minimum access rights for users assigned an access role because of RADIUS user list membership through the Sourcefire 3D System user management page. You can, however, assign additional rights.

WARNING! If you want to change the minimum access setting for a user, you must not only move the user from one list to another in the RADIUS Specific Parameters section or change the user's attribute on the RADIUS server and reapply the system policy, but you must also remove the assigned user right on the user management page.

For more information on the user roles supported by the Sourcefire 3D System, see Configuring User Roles on page 304.
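The RADIUS exchange behind Understanding RADIUS Authentication and the retry and failover rule in Configuring RADIUS Connection Settings are easier to reason about in code. The following added example (not Sourcefire code) builds an RFC 2865 Access-Request, hides the User-Password the way the RFC specifies (for SecurID the password is PIN followed by tokencode), verifies a reply's Response Authenticator, and drives the primary/backup sequence. The shared secret, host labels and the send_fn callback standing in for the UDP exchange on port 1812 are constructed for illustration.

```python
"""RFC 2865 Access-Request, User-Password hiding, reply verification and the
primary/backup retry rule described above.

Added example, not Sourcefire code. Secret, host labels and send_fn are
constructed; the packet layout and MD5 hiding scheme are RFC 2865's.
"""
import hashlib
import hmac
import os
import struct
from typing import Callable, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block).

    For SecurID the password is the PIN followed by the current tokencode.
    """
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))  # ciphertext block
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(1) Value, Length covering the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, user: str, password: str, secret: bytes,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Code(1) Identifier(1) Length(2) Request-Authenticator(16) Attributes."""
    authenticator = authenticator or os.urandom(16)  # must be unpredictable per request
    attrs = attribute(USER_NAME, user.encode()) + attribute(
        USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def make_reply(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """What a server sends back; the Response Authenticator binds the reply to the request."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Accept only replies whose identifier and Response Authenticator match our request."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected)


def authenticate_with_failover(send_fn: Callable[[str, bytes], Optional[bytes]],
                               servers: List[str], request: bytes, secret: bytes,
                               retries: int) -> Tuple[Optional[str], str]:
    """Query the primary 1 + retries times, rolling to the backup only on silence.

    send_fn returns the reply bytes, or None when the Timeout elapses. Any
    authentic reply, Access-Reject included, ends the attempt without failover,
    which is the behaviour described for a server that answers but refuses.
    Unverifiable replies are silently discarded, as RFC 2865 requires.
    """
    for host in servers:
        for _ in range(retries + 1):
            reply = send_fn(host, request)
            if reply is None or not verify_response(reply, request, secret):
                continue
            return host, "accept" if reply[0] == ACCESS_ACCEPT else "reject"
    return None, "unreachable"
```

Two points a practitioner should take from this: the password hiding is keyed only by the shared secret and a per-request authenticator, so a weak or reused secret exposes every PIN and tokencode on the wire; and a reply that fails Response Authenticator verification must be dropped rather than trusted, otherwise an on-path attacker can forge an Access-Accept.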

To base access on user lists:
Access: Admin
1. Type the name of each user or each identifying attribute-value pair, separated by commas, who should at minimum receive access to analysis and reporting features, rule and policy configuration, system management, and all maintenance features in the Administrator List field. For example, to grant the Administrator role to the users jsmith and jdoe, type jsmith, jdoe in the Administrator List field.
2. Type the name of each user or each identifying attribute-value pair, separated by commas, who should at minimum receive access to monitoring and maintenance features in the Maintenance List field. For example, to grant the Maintenance role to all users with a User-Category value of Maintenance, type User-Category=Maintenance in the Maintenance List field.
3. Type the name of each user or each identifying attribute-value pair, separated by commas, who should at minimum receive access to rules and policy configuration in the Policy & Response Administrator List field.
4. Type the name of each user or each identifying attribute-value pair, separated by commas, who should at minimum receive access to IPS analysis features in the Intrusion Event Analyst List field.
5. Type the name of each user or each identifying attribute-value pair, separated by commas, who should at minimum receive access to IPS analysis features in the Intrusion Event Analyst (Read Only) List field.

6. Type the name of each user or each identifying attribute-value pair, separated by commas, who should at minimum receive access to RNA analysis features in the RNA Event Analyst List field.
7. Type the name of each user or each identifying attribute-value pair, separated by commas, who should at minimum receive access to RNA analysis features in the RNA Event Analyst (Read Only) List field.
8. Select the default minimum access role for users that do not belong to any of the specified groups from the Default User Role list. For more information on user access roles, see Configuring User Roles on page 304.
TIP! Press the Ctrl key while clicking role names to select multiple roles in the list.
9. Continue with Configuring Administrative Shell Access.

Configuring Administrative Shell Access
Requires: DC
You can also use the RADIUS server to authenticate accounts for shell access on your local appliance (3D Sensor or Defense Center). Specify user names for users you want to grant shell access. With the exception of the root account, the shell access list you set on the RADIUS authentication object entirely controls shell access on the appliance. Shell users are configured as local users on the appliance when the system policy is applied.

Note that a home directory for each shell user is created on login, and when a RADIUS shell access user account is disabled (by disabling the RADIUS connection), the directory remains, but the user's shell is set to /bin/false in /etc/passwd to disable the shell. If the user is then re-enabled, the shell is reset, using the same home directory. Shell users should log in using usernames with all lowercase letters.

Note that you can only configure shell access for the first authentication object in your system policy. For more information on managing authentication object order, see Configuring Authentication Profiles on page 329.

WARNING! All shell users have sudoers privileges. Make sure that you restrict the list of users with shell access appropriately.

To configure shell account authentication:
Access: Admin
1. Type the usernames, separated by commas, in the Administrator Shell Access User List field.
IMPORTANT! If you choose not to specify any shell access users, a warning displays when you save the authentication object to confirm that you meant to leave the list blank.
2. Continue with Defining Custom RADIUS Attributes on page 293.

Defining Custom RADIUS Attributes
Requires: DC
If your RADIUS server returns values for attributes not included in the dictionary file in /etc/radiusclient/ and you plan to use those attributes to set user roles for users with those attributes, you need to define those attributes in the login authentication object. You can locate the attributes returned for a user by looking at the user's profile on your RADIUS server.

When you define an attribute, you provide the name of the attribute, which consists of alphanumeric characters. Note that words in an attribute name should be separated by dashes rather than spaces. You also provide the attribute ID, which should be an integer and should not conflict with any existing attribute IDs in the /etc/radiusclient/dictionary file. You also specify the type of attribute: string, IP address, integer, or date.

As an example, if a RADIUS server is used on a network with a Cisco router, you might want to use the Ascend-Assign-IP-Pool attribute to grant a specific role to all users logging in from a specific IP address pool. Ascend-Assign-IP-Pool is an integer attribute that defines the address pool where the user is allowed to log in, with the integer indicating the number of the assigned IP address pool. To declare that custom attribute, you create a custom attribute with an attribute name of Ascend-Assign-IP-Pool, an attribute ID of 218, and an attribute type of integer. You could then type Ascend-Assign-IP-Pool=2 in the Intrusion Event Analyst (Read Only) field to grant read-only intrusion event analyst rights to all users with an Ascend-Assign-IP-Pool attribute value of 2.

When you create a RADIUS authentication object, a new dictionary file for that object is created on the Sourcefire 3D System appliance in the /var/sf/userauth directory. Any custom attributes you add to the authentication object are added to the dictionary file.
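The rules in Defining Custom RADIUS Attributes and the list matching in Configuring RADIUS User Roles fit together: an Attribute=Value entry in a role list can only be evaluated once the attribute exists in the dictionary. The following added example (not Sourcefire code) serves both sections. It parses a constructed excerpt in radiusclient dictionary syntax, validates a custom attribute definition against the stated rules (dashed alphanumeric name, integer ID not already in use, one of four types), and resolves a user's roles from user-name and attribute-value entries, falling back to the object's default roles and then the system policy default. The dictionary excerpt, role lists and reply attributes are constructed for illustration.

```python
"""Custom RADIUS attribute definitions and role assignment from the object's lists.

Added example for 'Configuring RADIUS User Roles' and 'Defining Custom RADIUS
Attributes'; not Sourcefire code. Dictionary excerpt, lists and reply
attributes are constructed.
"""
import re
from typing import Dict, List, Optional, Set

# Constructed excerpt in radiusclient dictionary syntax: ATTRIBUTE <name> <id> <type>
BASE_DICTIONARY = """\
# comment and blank lines are ignored
ATTRIBUTE   User-Name        1   string
ATTRIBUTE   User-Password    2   string
ATTRIBUTE   NAS-IP-Address   4   ipaddr
ATTRIBUTE   Class           25   string
"""

ALLOWED_TYPES = {"string", "ipaddr", "integer", "date"}
NAME_RE = re.compile(r"^[A-Za-z0-9]+(?:-[A-Za-z0-9]+)*$")  # words joined by dashes, no spaces


def parse_dictionary(text: str) -> Dict[str, int]:
    """Attribute name -> ID for every ATTRIBUTE line."""
    names: Dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "ATTRIBUTE":
            names[parts[1]] = int(parts[2])
    return names


def custom_attribute_error(dictionary: Dict[str, int], name: str,
                           attr_id: object, attr_type: str) -> Optional[str]:
    """None if the definition is acceptable, otherwise the rule it breaks."""
    if not NAME_RE.match(name):
        return "name must be alphanumeric words separated by dashes, no spaces"
    if not isinstance(attr_id, int) or not 1 <= attr_id <= 255:
        return "ID must be an integer in 1..255 (a standard attribute type is one octet)"
    if attr_id in dictionary.values():
        return f"ID {attr_id} is already defined in the dictionary"
    if attr_type not in ALLOWED_TYPES:
        return f"type must be one of {sorted(ALLOWED_TYPES)}"
    return None


def define_custom_attribute(dictionary: Dict[str, int], name: str,
                            attr_id: int, attr_type: str) -> str:
    """Add the attribute and return the line appended to the object's dictionary file."""
    error = custom_attribute_error(dictionary, name, attr_id, attr_type)
    if error:
        raise ValueError(f"{name}: {error}")
    dictionary[name] = attr_id
    return f"ATTRIBUTE\t{name}\t{attr_id}\t{attr_type}"


def entry_matches(entry: str, user: str, reply: Dict[str, str],
                  dictionary: Dict[str, int]) -> bool:
    """A list entry is a user name or an Attribute=Value pair; values compare as typed."""
    if "=" not in entry:
        return entry == user
    name, value = entry.split("=", 1)
    if name not in dictionary:
        raise KeyError(f"{name} must be defined as a custom attribute before use")
    return reply.get(name) == value


def resolve_roles(user: str, reply: Dict[str, str], role_lists: Dict[str, str],
                  object_default: List[str], policy_default: List[str],
                  dictionary: Dict[str, int]) -> Set[str]:
    """Roles on first login: every list the user matches, else the object's
    Default User Role selection, else the system policy default."""
    matched = {role for role, field in role_lists.items()
               if any(entry_matches(e.strip(), user, reply, dictionary)
                      for e in field.split(",") if e.strip())}
    return matched or set(object_default) or set(policy_default)
```

Note that a user matching several lists receives every matching role, which is why the text says list membership sets a minimum that the user management page cannot remove.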


To define a custom attribute:
Access: Admin
1. Click the arrow to expand the Define Custom RADIUS Attributes section. The attribute fields appear.
2. Type an attribute name consisting of alphanumeric characters and dashes, with no spaces, in the Attribute Name field.
3. Type the attribute ID, in integer form, in the Attribute ID field.
4. Select the type of attribute from the Attribute Type drop-down list.
5. Click Add to add the custom attribute to the authentication object.
TIP! You can remove a custom attribute from an authentication object by clicking Delete next to the attribute.
6. Continue with Testing User Authentication on page 294.

Testing User Authentication
Requires: DC
After you configure the RADIUS connection, user role, and custom attribute settings, you can specify credentials for a user who should be able to authenticate and test those settings. For the user name, enter the name of the user you want to test with. Note that testing the connection to servers with more than 1000 users only returns 1000 users because of UI page size limitations.

TIP! If you mistype the name or password of the test user, the test fails even if the server configuration is correct. To verify that the server configuration is correct, click Test without entering user information in the Additional Test Parameters first. If that succeeds, supply a user name and password to test with the specific user.


To test user authentication:
Access: Admin
1. In the User Name and Password fields, type the user name and password for the user whose credentials should be used to validate access to the RADIUS server. For example, to test whether you can retrieve the jsmith user credentials at our example company, type jsmith.
2. Select Show Details and click Test. A message appears, either indicating success of the test or detailing what settings are missing or need to be corrected.
3. If the test succeeds, click Save. The Login Authentication page appears, with the new object listed. To enable RADIUS authentication using the object on an appliance, you must apply a system policy with that object enabled to the appliance. For more information, see Configuring Authentication Profiles on page 329 and Applying a System Policy on page 324.

RADIUS Authentication Object Examples
Requires: DC
This section provides examples of RADIUS server authentication objects to show how Sourcefire 3D System RADIUS authentication features can be used. See the following sections for more information:
• Authenticating a User using RADIUS on page 295
• Authenticating a User with Custom Attributes on page 296

Authenticating a User using RADIUS
Requires: DC
The following figure illustrates a sample RADIUS login authentication object for a server running FreeRADIUS with an IP address of 10.10.10.98. Note that the connection uses port 1812 for access and that requests to the server time out after 30 seconds without a response and are retried three times before the appliance attempts to connect to a backup authentication server.


This example illustrates important aspects of RADIUS user role configuration:
• Users ewharton and gsands are granted administrative access to Sourcefire 3D System appliances where this authentication object is enabled.
• The user jaustin is granted Intrusion Event Analyst access to Sourcefire 3D System appliances where this authentication object is enabled.
• The user cbronte is granted RNA Event Analyst access to Sourcefire 3D System appliances where this authentication object is enabled.
• The user ewharton can log into the appliance using a shell account.

The following graphic depicts the role configuration for the example:

Authenticating a User with Custom Attributes
Requires: DC You can use an attribute-value pair to identify users who should receive a particular user role. If the attribute you use is a custom attribute, you must define the custom attribute.


The following figure illustrates the role configuration and custom attribute definition in a sample RADIUS login authentication object for the same FreeRADIUS server as in the previous example. In this example, however, the MS-RAS-Version custom attribute is returned for one or more of the users because a Microsoft remote access server is in use. Note that the MS-RAS-Version custom attribute is a string. In this example, all users logging in to RADIUS through a Microsoft version 5.00 remote access server should receive the Intrusion Event Analyst (Read Only) role, so you type the attribute-value pair MS-RAS-Version=MSRASV5.00 in the Intrusion Event Analyst (Read Only) field.


Editing RADIUS Authentication Objects
Requires: DC
You can edit an existing authentication object. If the object is in use in a system policy, the settings in place at the time the policy was applied stay in effect until you re-apply the policy.

To edit an authentication object:
Access: Admin
1. Select Operations > Configuration > Login Authentication. The Login Authentication page appears.
2. Click Edit next to the object you want to edit. The Create Authentication Object page appears.
3. Modify the object settings as needed. For more information, see the following topics:
• Creating RADIUS Authentication Objects on page 287
• Configuring RADIUS Connection Settings on page 288
• Configuring RADIUS User Roles on page 290
• Configuring Administrative Shell Access on page 292
• Testing User Authentication on page 294
4. Click Save. Your changes are saved and the Login Authentication page re-appears. Remember that you have to apply a system policy with the object enabled to an appliance before the authentication changes take place on that appliance. For more information, see Configuring Authentication Profiles on page 329 and Applying a System Policy on page 324.

Deleting Authentication Objects
Requires: DC
You can delete an authentication object if it is not currently enabled in a system policy.

To delete an authentication object:
Access: Admin
1. Select Operations > Configuration > Login Authentication. The Login Authentication page appears.
2. Click Delete next to the object you want to delete. The object is deleted and the Login Authentication page appears.


Managing User Accounts
If you have Admin access, you can use the web interface to view and manage user accounts on a Defense Center or a 3D Sensor, including adding, modifying, and deleting accounts. User accounts without Admin access are restricted from accessing management features. The navigation menu differs in appearance for each type of user.

See the following sections for more information about managing user accounts:
• Viewing User Accounts on page 299 explains how to access the User Management page, where you can add, activate, deactivate, edit, and delete user accounts.
• Adding New User Accounts on page 300 describes the different options you can use when you add a new user account.
• Managing Externally Authenticated User Accounts on page 302 explains how externally authenticated users are added and what aspects of the user configuration you can manage within the Sourcefire 3D System.
• Modifying User Privileges and Options on page 306 explains how to access and modify an existing user account.
• Modifying Restricted Event Analyst Access Properties on page 307 explains how to restrict the data available to a user account with restricted data access.
• Deleting User Accounts on page 312 explains how to delete user accounts.
• User Account Privileges on page 312 contains tables that list the menus and options each type of user account can access.

Viewing User Accounts
Requires: DC/MDC or 3D Sensor From the User Management page, you can view, edit, and delete existing accounts. You can determine the type of authentication for a user from the Authentication Method column. The Password Lifetime column indicates the days remaining on each user’s password. The Action column allows you to set users active or inactive. Note that for externally authenticated users, if the authentication object for the server is disabled, the Authentication Method column displays External (Disabled). To access the User Management page: Access: Admin Select Operations > User Management. The User Management page appears, showing each user, with options to activate, deactivate, edit, or delete the user account.


See the following sections for information about the actions you can perform on the User Management page:
• Adding New User Accounts on page 300
• Modifying User Privileges and Options on page 306
• Modifying Restricted Event Analyst Access Properties on page 307
• Modifying User Passwords on page 311
• Deleting User Accounts on page 312

Adding New User Accounts
Requires: DC/MDC or 3D Sensor When you set up a new user account, you can control which parts of the system the account can access. To add a new user: Access: Admin 1. Select Operations > User Management. The User Management page appears.


2. Click Create User. The Create User page appears.

3. In the User Name field, type a name for the new user. New user names must contain alphanumeric or hyphen characters with no spaces, and must be no more than 32 characters.
4. Requires: DC/MDC If you want this user to authenticate to an external directory server on login, select Use External Authentication Method.
IMPORTANT! If you select this option, the password management options below disappear. Configure access settings and click Add User to complete configuration of the externally authenticated user. You must also create an authentication object for the external authentication server you want to use for authentication on your Defense Center, and apply a system policy with authentication enabled to your appliance before users can log in using credentials from an external server. For more information, see Managing Authentication Objects on page 269 and Configuring Authentication Profiles on page 329.


5. In the Password field, type a password (up to 32 alphanumeric characters). If you enable password strength checking, the password must be at least eight alphanumeric characters of mixed case and must include at least one numeric character. It cannot be a word that appears in a dictionary or include consecutive repeating characters.
6. In the Confirm Password field, type the password again.
7. Configure the remaining password user account options. For more information, see the User Account Password Options table on page 304.
8. Select user roles to grant to the user. For more information, see the User Roles table on page 305.
9. Optionally, for users with event analyst roles, click Restrict Deletion Rights - User Cannot Delete Bookmarks, Searches, Reports, Report Profiles, Custom Workflows or Custom Tables Created by Other Users to restrict the user to deletion of reports, report profiles, searches, bookmarks, custom tables, and custom workflows created by the user.
10. Click Add User. A message appears, indicating that the user was added. The username appears on the User Management page.
IMPORTANT! Click Deactivate next to the name of an internally authenticated user on the User Management page to disable that user login without deleting it. To reactivate a user, click Activate next to the username.

Managing Externally Authenticated User Accounts
Requires: DC/MDC or 3D Sensor
When an externally authenticated user logs into an appliance that has external authentication enabled, the appliance grants the user the default access role you set by specifying group membership in the authentication object. If you did not configure access group settings, the appliance grants the default user role you set in the system policy. However, if you add users locally before they log into the appliance, the user privileges you configure on the User Management page override the default settings.

An internally authenticated user is converted to external authentication when all of the following conditions exist:
• You enable LDAP or RADIUS authentication.
• The same username exists for the user on the LDAP or RADIUS server.
• The user logs in using the password stored for that user on the LDAP or RADIUS server.


Once an internally authenticated user converts to an externally authenticated user, you cannot revert to internal authentication for that user. For more information on selecting a default user role, see Configuring Authentication Profiles on page 329 and Understanding User Privileges on page 267.

Note that you can only enable external authentication in a system policy on a Defense Center. You must use the Defense Center to apply the policy to managed sensors if you want to use external authentication on them. For more information on associating an external user with a set of permissions on your appliance, see Logging into the Appliance to Set Up an Account on page 23. For more information on modifying user access, see Modifying User Privileges and Options on page 306.

Note that you cannot manage passwords for externally authenticated users or deactivate externally authenticated users through the Sourcefire 3D System interface. For externally authenticated users, you cannot remove the minimum access rights through the Sourcefire 3D System user management page for users assigned an access role because of LDAP group or RADIUS list membership or attribute values. On the Edit User page for an externally authenticated user, rights granted because of settings on an external authentication server are marked with a status of Externally Modified. You can, however, assign additional rights. When you modify the access rights for an externally authenticated user, the Authentication Method column on the User Management page provides a status of External - Locally Modified.

Managing User Password Settings
You can also control how and when the password for each user account is changed, as well as when user accounts are disabled. The User Account Password Options table describes some of the options you can use to regulate passwords and account access.

IMPORTANT! After you enable Use External Authentication Method, password options no longer appear. Use the external authentication server to manage password settings.

User Account Password Options

Use External Authentication Method: Select this option if you want this user's credentials to be externally authenticated. IMPORTANT! If you select this option for the user and the external authentication server is unavailable, that user can log into the web interface but cannot access any functionality.

Maximum Number of Failed Logins: Enter an integer, without spaces, that determines the maximum number of times each user can try to log in after a failed login attempt before the account is locked. The default setting is five tries; use 0 to allow an unlimited number of failed logins.

Days Until Password Expiration: Enter the number of days after which the user's password will expire. The default setting is 0, which indicates that the password never expires.

Days Until Expiration Warning: Enter the number of warning days users have to change their password before their password actually expires. The default setting is 0 days. WARNING! The number of warning days must be less than the number of days before the password expires.

Force Password Reset on Login: Select this option to force the user to change his password the first time the user logs in.

Check Password Strength: Select this option to require strong passwords. A strong password must be at least eight alphanumeric characters of mixed case and must include at least one numeric character. It cannot be a word that appears in a dictionary or include consecutive repeating characters.
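As an added illustration (not part of the Sourcefire guide), the following Python function applies the Check Password Strength rules listed above, together with the 32-character maximum stated later under Modifying User Passwords. The word list is a constructed stand-in, since the guide does not publish the appliance's dictionary, and the digit-stripping lookup is a stricter interpretation than the literal rule.

```python
import re

# Rules as the guide states them for Check Password Strength and for the
# Modifying User Passwords note: 8 to 32 alphanumeric characters, mixed case,
# at least one digit, no dictionary word, no consecutive repeating characters.
MIN_LEN = 8
MAX_LEN = 32

# Constructed stand-in for a dictionary; the appliance's own word list is not published.
SAMPLE_DICTIONARY = frozenset({"password", "sourcefire", "welcome", "summer", "admin"})


def password_violations(candidate, dictionary=SAMPLE_DICTIONARY):
    """Return a list of rule violations for candidate; an empty list means it passes."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not (candidate.isascii() and candidate.isalnum()):
        problems.append("only ASCII letters and digits are allowed")
    if not (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)):
        problems.append("must contain both upper- and lower-case letters")
    if not any(c.isdigit() for c in candidate):
        problems.append("must contain at least one digit")
    if re.search(r"(.)\1", candidate):
        problems.append("must not contain consecutive repeating characters")
    # Dictionary rule. Stripping the digits before the lookup is stricter than the
    # literal rule: it also rejects a dictionary word with digits appended or mixed in.
    stripped = re.sub(r"\d", "", candidate).casefold()
    if candidate.casefold() in dictionary or stripped in dictionary:
        problems.append("must not be a dictionary word")
    return problems


def is_strong(candidate, dictionary=SAMPLE_DICTIONARY):
    """Convenience wrapper: True only when no rule is violated."""
    return not password_violations(candidate, dictionary)


if __name__ == "__main__":
    for pw in ("Tr0ubador", "Welcome12", "Sourcefire99", "abc"):
        print(f"{pw!r}: {password_violations(pw) or 'OK'}")
```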

Configuring User Roles
The User Roles table contains a synopsis of each access type. For a full list of the menus available to each access type, see User Account Privileges on page 312.

User Roles

Administrator Access: Provides access to analysis and reporting features, rule and policy configuration, system management, and all maintenance features. Administrator users see the main toolbar as well as all the menu options. Note that you should limit use of the Administrator role for security reasons.

Maintenance User Access: Provides access to monitoring and maintenance features. Maintenance users see the main toolbar and maintenance-related options on the Operations top-level menu.

RNA Event Analyst Access: Provides access to RNA analysis features, including event views, host profiles, vulnerabilities, services, client applications, network maps, custom tables, searches, bookmarks, incidents, and reports. RNA Event Analysts see the main toolbar and RNA analysis-related options on the Analysis & Reporting and Operations menus.

RNA Event Analyst (Read Only) Access: Provides read-only access to analysis features, including event views, host profiles, vulnerabilities, services, client applications, network maps, incidents, and reports. RNA Event Analysts see the main toolbar and analysis-related options on the Analysis & Reporting and Operations menus.

Intrusion Event Analyst Access: Provides access to IPS analysis features, including intrusion event views, incidents, and reports. Intrusion Event Analysts see the main toolbar and IPS analysis-related options on the Analysis & Reporting and Operations menus.

Intrusion Event Analyst (Read Only) Access: Provides read-only access to IPS analysis features, including intrusion event views, incidents, and reports. Intrusion Event Analysts see the main toolbar and IPS analysis-related options on the Analysis & Reporting and Operations menus.

Restricted Event Analyst Access: Provides access to the same features as Intrusion Event Analyst or RNA Event Analyst access. However, you can restrict access by allowing access only for those events that match specified search criteria, or you can turn off access for an entire category of events. Restricted event analyst users see only the main toolbar and analysis-related options on the Analysis & Reporting and Operations menus. Note that you can restrict an event analyst user's deletion rights to only allow deletion of report profiles, searches, bookmarks, and custom workflows created by that user. Select Restrict Deletion Rights - User Cannot Delete Items Created by Other Users to restrict the user's deletion rights. See Modifying Restricted Event Analyst Access Properties on page 307 for more information.

Policy & Response Administrator Access: Provides access to rules and policy configuration. Policy & Response Administrators have access to the main toolbar and rule and policy-related options on the Policy & Response and Operations menus.

Note that you cannot change the authentication type for a user after you create the user account. In addition, externally authenticated users cannot authenticate unless the external authentication server is available. You cannot remove minimum access rights through the Sourcefire 3D System user management page for users assigned an access role because of LDAP group or RADIUS list membership or attribute values. You can, however, assign additional rights.

WARNING! If you want to change the minimum access setting for a user, you must not only move the user from one list to another in the authentication object or change the user's attribute value or group membership on the external authentication server, you must reapply the system policy, and you must remove the assigned user right on the user management page.

Modifying User Privileges and Options
Requires: DC/MDC or 3D Sensor
After adding user accounts to the system, you can modify access privileges, account options, or passwords at any time. Note that password management options do not apply to users who authenticate to an external directory server. You manage those settings on the external server. However, you must configure access rights for all accounts, including those that are externally authenticated. For externally authenticated users, you cannot remove the minimum access rights through the Sourcefire 3D System user management page for users assigned an access role because of LDAP group or RADIUS list membership or attribute values. You can, however, assign additional rights. When you modify the access rights for an externally authenticated user, the Authentication Method column on the User Management page provides a status of External - Locally Modified. Note that if you change the authentication for a user from externally authenticated to internally authenticated, you must supply a new password for the user.

To modify user account privileges:
Access: Admin
1. Select Operations > User Management. The User Management page appears.
2. Click Edit next to the user you want to modify. The Edit User page appears.
3. Modify the account or accounts as needed:
• See Managing Externally Authenticated User Accounts on page 302 for a description of how users can be authenticated through external servers.
• See Configuring User Roles on page 304 for more information on configuring roles to grant access for Sourcefire 3D System functions.
• See Managing User Password Settings on page 303 for information on changing password settings for internally authenticated users.
• See Adding New User Accounts on page 300 for information about adding new user accounts.
Optionally, for users with event analyst roles, select or clear the Only delete items created by user option to manage the user's ability to delete items not created by that user.

Modifying Restricted Event Analyst Access Properties
Requires: DC/MDC or 3D Sensor
User accounts with Restricted Event Analyst access use saved searches to specify which events a user can view. You can specify this information only after the user is added.

Restricted event analyst users have access to only a few sections of the web interface. The Restricted Event Analyst Settings table shows the correlation between platform and access requirements for the restricted event analyst.

Restricted Event Analyst Settings
To allow the restricted event analyst to... | When these platforms are present... | Set this data set or data sets to Show All or to a specific search
view the network map | DC + RNA | One or more of the following: Host Attributes Data, RNA Client Applications Data, RNA Hosts Data, RNA Services Data, Vulnerabilities Data
view network discovery events | DC + RNA | RNA Events Data
view hosts | DC + RNA | RNA Hosts Data
view host attributes | DC + RNA | Host Attributes Data
view services | DC + RNA | RNA Services Data
view vulnerabilities | DC + RNA | Vulnerabilities Data
view client applications | DC + RNA | RNA Client Applications Data
view flow data | DC + RNA | Flow Data
view compliance events | DC + RNA | Compliance Events Data
view white list events | DC + RNA | White List Events Data
view white list violations | DC + RNA | White List Violations Data
view users or user events | DC + RUA | Users Data
view intrusion events | IPS | Intrusion Events Data
use the clipboard | IPS | N/A (included in the base set of rights for the restricted analyst role)
generate (but not view) reports | IPS | All data sets for which the user will generate reports
create (but not modify) incident reports | IPS | All data sets for which the user will create incident reports
change user-specific preferences such as the account password, time zone, and event view settings | DC/MDC or 3D Sensor | N/A (included in the base set of rights for the restricted analyst role)
create custom workflows and, on the Defense Center, custom tables | DC/MDC or 3D Sensor | All data sets for which the user will create custom workflows
create and manage bookmarks | DC/MDC or 3D Sensor | All data sets for which the user will need to create or access bookmarks
view events from a custom table | Platforms required to view custom table | All data sets for the applicable custom tables

If you want to ensure that a user only sees data for a specific subnet, create multiple private saved searches, one for each of the event types, and then apply each saved search to the account as described in the following procedure. See Searching for Events in the Analyst Guide for more information.

IMPORTANT! You must have saved private searches available before you can add restricted event analyst values to a user account. Searches must be private. If they are saved as public, restricted event analyst users could delete the searches and enhance their access privileges.

To restrict event analyst access to events:
Access: Admin
1. Select Operations > User Management. The User Management page appears.
2. Click Edit next to the user to whom you want to grant restricted event analyst rights.
3. If the user you want to modify does not already have the Restricted Event Analyst option enabled, select Restricted Event Analyst. The Restrictions section of the page appears. The Defense Center version of the page is shown below.
IMPORTANT! You cannot select Restricted Event Analyst if Administrator, Intrusion Event Analyst, Intrusion Event Analyst (Read Only), RNA Event Analyst, or RNA Event Analyst (Read Only) access is enabled.
IMPORTANT! If you created any custom tables on the Defense Center, they appear on this page.
4. For each row, you have three choices:
• To grant access to all events for a category, select Show All Data.
• To grant access to events that match a specific saved search, select the search that you want to use to restrict the user account.
• To deny access to all events in a category, select Hide Data.
5. Click Save to save your changes and return to the User Management page.

Modifying User Passwords
Requires: DC/MDC or 3D Sensor
You can modify user passwords from the User Management page for internally authenticated users. Note that you must manage externally authenticated user passwords on the LDAP or RADIUS server.

TIP! If you want to force a user to change the password on the next log-in, click Reset Password next to the user account on the User Management page.

To change a user's password:
Access: Admin
1. Select Operations > User Management. The User Management page appears.
2. Next to the user name, click Edit. The Edit User page appears.
3. In the Password field, type the new password (up to 32 alphanumeric characters).
IMPORTANT! If password strength checking is enabled for the user account, the password must have at least eight alphanumeric characters of mixed case, with at least one number. It cannot be a word that appears in a dictionary or contain consecutive repeating characters.
4. In the Confirm Password field, re-type the new password.
5. Make any other changes you want to make to the user configuration:
• For more information on password options, see Managing User Password Settings on page 303.
• For more information on user roles, see Configuring User Roles on page 304.
6. Click Save. The password is changed and any other changes saved.

Deleting User Accounts
Requires: DC/MDC or 3D Sensor
You can delete user accounts from the system at any time, with the exception of the admin account, which cannot be deleted.

To delete a user account:
Access: Admin
1. Select Operations > User Management. The User Management page appears.
2. Next to the user whose account you want to delete, click Delete. The account is deleted.

User Account Privileges
Requires: DC/MDC or 3D Sensor
The following sections provide a list of the menus and toolbar options in Sourcefire 3D System and the user account privileges required to access them. For more information on the access notations used in the tables that follow and throughout this documentation, see Access Requirements Conventions on page 39.
• Analysis & Reporting Menu on page 313
• Policy & Response Menu on page 316
• Operations Menu on page 317
• Toolbar Options on page 319

Analysis & Reporting Menu
Requires: IPS or DC/MDC
The Analysis & Reporting Menu table lists the user account privileges required to access each option on the Analysis & Reporting menu. Users with only Rules or Maintenance access cannot see the Analysis & Reporting menu at all. An X indicates that the user can access the option.

[Table: Analysis & Reporting Menu. Columns: Menu, Admin, Maint, RNA/RNA-RO Event Analyst, IPS/IPS-RO Event Analyst, Restricted Event Analyst, P&R Admin. Rows, in order: Event Summary; Intrusion Event Statistics; Event Graphs; Dashboards; RNA Statistics; Flow Summary; IPS Events; Reviewed Events; Clipboard; Incidents; RNA Network Map | Hosts; Network Map | Network Devices; Network Map | Services; Network Map | Vulnerabilities; Network Map | Host Attributes; RNA Events; Hosts; Host Attributes; Services; Client Applications; Flow Data; Vulnerabilities; RUA Users; RUA Events; Compliance; Compliance Events; White List Events; White List Violations; Custom Tables; Searches; Audit Log; Client Applications; Compliance Events; Flow Data; Health Events; Host Attributes; Hosts; Intrusion Events; Remediation Status; RNA Events; RUA Events; Scan Results; Services; SEU Import Log; Users; Vulnerabilities; White List Events; White List Violations; Custom Workflows; Bookmarks; Report Profiles. The per-column X marks are not recoverable from this extraction.]

Policy & Response Menu
Requires: IPS or DC/MDC
The Policy & Response Menu table lists the user account privileges required to access each option on the Policy & Response menu. Users with Intrusion Event Analyst, RNA Event Analyst, or Maintenance access cannot see the Policy & Response menu at all. An X indicates that the user can access the option.

[Table: Policy & Response Menu. Columns: Menu, Admin, Maint, RNA/RNA-RO Event Analyst, IPS/IPS-RO Event Analyst, Res. Event Analyst, P&R Admin. Rows, in order: IPS; Intrusion Policy; SEU; Rule Editor; Email; OPSEC; RNA; Detection Policy; Host Attributes; RNA Detectors; Custom Fingerprinting; Custom Product Mappings; User 3rd Party Mappings; Network Map | Custom Topology; Compliance; Policy Management; Rule Management; White List; Traffic Profiles; Responses; Alerts; Impact Flag Alerts; RNA Event Alerts; Remediations; Groups. The per-column X marks are not recoverable from this extraction.]

Operations Menu
Requires: DC/MDC or 3D Sensor
The Operations Menu table lists the user account privileges required to access each option on the Operations menu. All users can access at least some options on the Operations menu. An X indicates that the user can access the option.

[Table: Operations Menu. Columns: Menu, Admin, Maint, RNA/RNA-RO Event Analyst, IPS/IPS-RO Event Analyst, Res. Event Analyst, P&R Admin. Rows, in order: Configuration; RNA/RUA Event Purge; Detection Engines; High Availability; eStreamer; Login Authentication; RUA; Sensors; User Management; System Settings; System Policy; Update; Monitoring; Statistics; Performance | IPS; Performance | RNA; Audit; Task Status; Syslog; Health; Tools; Scheduling; Backup/Restore; Import/Export; Whois; Scan Results; Scanners; Help; About; Online; Email Support; Support Site. The per-column X marks are not recoverable from this extraction.]

Toolbar Options
Requires: DC/MDC or 3D Sensor
The Toolbar Options table lists the user account privileges required to access each option on the toolbar and its sub-menus. All users can access at least some of the options on the toolbar. An X indicates that the user can access the option.

[Table: Toolbar Options. Columns: Menu, Admin, Maint, RNA/RNA-RO Event Analyst, IPS/IPS-RO Event Analyst, Res. Event Analyst, P&R Admin. Rows, in order: Health; Preferences; Preferences | Home Page; Preferences | Event View Settings; Preferences | Change Password; Preferences | Time Zone Settings; Help; Logout. The per-column X marks are not recoverable from this extraction.]

Chapter 9: Managing System Policies
A system policy allows you to manage the following on your Defense Center or 3D Sensor:
• access control lists
• audit log settings
• authentication profiles
• dashboard settings
• database event limits
• detection policy preferences
• DNS cache properties
• the mail relay host and notification address
• tracking intrusion policy changes
• specifying a different language
• custom login banners
• RNA settings, including multiple fingerprint and subnet detection settings
• RUA settings
• synchronizing time
• serving time from the Defense Center
• mapping vulnerabilities for services

You can use a system policy to control the aspects of your Defense Center that are likely to be similar for other Sourcefire 3D System appliances in your deployment. For example, your organization's security policies may require that your appliances have a "No Unauthorized Use" message when a user logs in. With system policies, you can set the login banner once in a system policy on a Defense Center and then apply the policy to all the sensors that it manages.

You can also benefit from having multiple policies on a 3D Sensor. For example, if you have different mail relay hosts that you use under different circumstances, or if you want to test different database limits, you can create several system policies and switch between them rather than editing a single policy.

Contrast a system policy, which controls aspects of an appliance that are likely to be similar across a deployment, with system settings, which are likely to be specific to a single appliance. See Configuring System Settings on page 360 for more information.

IMPORTANT! You cannot apply system policies to Crossbeam-based software sensors or Intrusion Agents.

See the following sections for more information:
• Creating a System Policy on page 321
• Editing a System Policy on page 323
• Applying a System Policy on page 324
• Deleting System Policies on page 325

Creating a System Policy
Requires: Any
When you create a system policy, you assign it a name and a description. Next, you configure the various aspects of the policy, each of which is described in its own section. Instead of creating a new policy, you can export a system policy from another appliance and then import it onto your appliance. You can then edit the imported policy to suit your needs before you apply it. For more information, see Importing and Exporting Objects on page 583.

To create a system policy:
Access: Admin
1. Select Operations > System Policy. The System Policy page appears. The Policy Name column includes its description. The Applied To column indicates the number of appliances where the policy is applied and a count of out-of-date appliances where the previously applied policy has changed and should be reapplied.
2. Click Create Policy. The Create page appears.
3. From the drop-down list, select an existing policy to use as a template for your new system policy.
4. Type a name and description (up to 40 alphanumeric characters and spaces each) for your new policy.
5. Click Save. Your system policy is saved and the Access List page appears.
For information about configuring each aspect of the system policy, see one of the following sections:
• Configuring the Access List for Your Appliance on page 325
• Configuring Audit Log Settings on page 327
• Configuring Authentication Profiles on page 329
• Configuring Dashboard Settings on page 331
• Configuring Database Event Limits on page 332
• Configuring Detection Policy Preferences on page 336
• Configuring DNS Cache Properties on page 337
• Configuring a Mail Relay Host and Notification Address on page 338
• Configuring Intrusion Policy Preferences on page 339
• Specifying a Different Language on page 340
• Adding a Custom Login Banner on page 341
• Configuring RNA Settings on page 342
• Configuring RNA Subnet Detection Settings on page 349
• Configuring RUA Settings on page 352
• Synchronizing Time on page 354
• Serving Time from the Defense Center on page 357
• Mapping Vulnerabilities for Services on page 358

Editing a System Policy
Requires: Any
You can edit a system policy that is currently in use, but remember to re-apply the policy as explained in Applying a System Policy on page 324.

To edit an existing system policy:
Access: Admin
1. Select Operations > System Policy. The System Policy page appears, including a list of the existing system policies.
2. Click Edit next to the system policy that you want to edit. Access List, the first section of the system policy, appears, with the Policy Name and Policy Description fields at the top. You can change the policy name and description.
For information about configuring each aspect of the system policy, see one of the following sections:
• Configuring the Access List for Your Appliance on page 325
• Configuring Audit Log Settings on page 327
• Configuring Authentication Profiles on page 329
• Configuring Dashboard Settings on page 331
• Configuring Database Event Limits on page 332
• Configuring Detection Policy Preferences on page 336
• Configuring DNS Cache Properties on page 337
• Configuring a Mail Relay Host and Notification Address on page 338
• Configuring Intrusion Policy Preferences on page 339
• Specifying a Different Language on page 340
• Adding a Custom Login Banner on page 341
• Configuring RNA Settings on page 342
• Configuring RNA Subnet Detection Settings on page 349
• Configuring RUA Settings on page 352
• Synchronizing Time on page 354
• Serving Time from the Defense Center on page 357
• Mapping Vulnerabilities for Services on page 358

IMPORTANT! If you are editing the current system policy, or a previously applied policy, make sure you apply the updated policy when you are finished. See Applying a System Policy on page 324.

Applying a System Policy
Requires: Any
After you create or edit a system policy, your settings do not take effect until you apply it. If a policy has been updated since it was applied, the name of the policy appears in italics.

IMPORTANT! You cannot apply system policies to Crossbeam-based software sensors or Intrusion Agents.

To apply a system policy:
Access: Admin
1. Select Operations > System Policy. The System Policy page appears, including a list of the existing system policies.
2. Click Apply next to the system policy that you want to apply. On the 3D Sensor, the system policy is applied. On the Defense Center, the Apply page appears.
3. On the Defense Center, select the sensors, and, if required, the Defense Center itself, where you want to apply the system policy.
TIP! You can sort the sensors by sensor group, model, or type of sensor. You can also select an entire group.
4. Click Apply. A message appears indicating that the task is added to the task queue.

9. 2. Select Operations > System Policy. The policy is deleted. port 443 (Hypertext Transfer Protocol Version 4. To delete a system policy: Access: Admin 1. see one of the following sections: • • • • • • • • • • • • • • • • • Configuring the Access List for Your Appliance on page 325 Configuring Audit Log Settings on page 327 Configuring Authentication Profiles on page 329 Configuring Dashboard Settings on page 331 Configuring Database Event Limits on page 332 Configuring Detection Policy Preferences on page 336 Configuring DNS Cache Properties on page 337 Configuring a Mail Relay Host and Notification Address on page 338 Configuring Intrusion Policy Preferences on page 339 Specifying a Different Language on page 340 Adding a Custom Login Banner on page 341 Configuring RNA Settings on page 342 Configuring RNA Subnet Detection Settings on page 349 Configuring RUA Settings on page 352 Synchronizing Time on page 354 Serving Time from the Defense Center on page 357 Mapping Vulnerabilities for Services on page 358 Configuring the Access List for Your Appliance Requires: Any The Access List page allows you to control which computers can access your appliance on specific ports. By default. If the policy is still in use.Managing System Policies Deleting System Policies Chapter 9 Deleting System Policies Requires: Any You can delete a system policy even if it is in use. Click Delete next to the system policy that you want to delete. Configuring the Parts of Your System Policy Requires: Any You can change various parts of your system policy. including a list of the existing system policies. Default system policies cannot be deleted. The System Policy page appears. it is used until a new policy is applied.1 Sourcefire 3D System Administrator Guide 325 . For information about configuring each aspect of the system policy.

Select Operations > System Policy. To operate the appliance in a more secure environment. click Delete.1 Sourcefire 3D System Administrator Guide 326 . To delete one of the current settings. The access list is part of the system policy. You have two options: • • To modify the access list in an existing system policy. or HTTPS). WARNING! If you delete access for the IP address that you are currently using to connect to the appliance interface (and if there is no entry for “IP=any port=443”). or SSH). WARNING! By default. In either case.9. 3. consider adding access to the appliance for specific IP addresses and then deleting the default any option. To configure the access list: Access: Admin 1. click Edit next to the system policy. 2. You can specify the access list either by creating a new system policy or by editing an existing policy. To configure the access list as part of a new system policy. access to the appliance is not restricted.Managing System Policies Configuring the Parts of Your System Policy Chapter 9 Secure. which is used to access the web interface and port 22 (Secure Shell. which is used to access the command line. Version 4. Provide a name and description for the system policy as described in Creating a System Policy on page 321. The setting is removed. you will lose access to the system when you apply the policy. and click Save. In either case. click Create Policy. the access list does not take effect until you apply the system policy. are enabled for any IP address. the Access List page appears. The System Policy page appears.

7. then click Add. Click Save Policy and Exit. Version 4. see IP Address Conventions on page 41.1.Managing System Policies Configuring the Parts of Your System Policy Chapter 9 4.1 Sourcefire 3D System Administrator Guide 327 . reflecting the changes you made. 5. Your changes do not take effect until you apply the system policy.9. HTTPS. to designate any IP address 6. See Applying a System Policy on page 324 for more information.1/24) For information on using CIDR in the Sourcefire 3D System.101) an IP address range using CIDR notation (for example.1. click Add. Select SSH. or both to specify which ports you want to enable for these IP addresses. The Access List page appears again. 192. • any. The system policy is updated.168. The Add IP Address page appears. Configuring Audit Log Settings Requires: Any You can configure the system policy so that the appliance streams an audit log to an external host. In the IP Address field. and an optional tag. The appliance does not send the audit log until you apply the system policy. 192. The name of the sending host is part of the sent information and you can further identify the audit log stream with a facility. a severity. TIP! You can click Add to add access for additional IP addresses or click Delete to remove access from other IP addresses. use the following syntax depending on the IP addresses you want to add: • • an exact IP address (for example.168. IMPORTANT! You must ensure that the external host is functional and accessible from the appliance sending the audit log. To add access for one or more IP addresses.

After you apply a policy with this feature enabled and your destination host is configured to accept the audit log, the syslog messages are sent.

The following is an example of the output structure:

Date Time Host [Tag] Sender: [User_Name]@[User_IP], [Subsystem], [Action]

where the local date, time, and hostname precede the bracketed optional tag, and the sending device name precedes the audit log message. For example:

Mar 01 14:45:24 localhost [TAG] Dev-DC3000: admin@10.1.1.2, Operations > Monitoring, Page View

To configure the audit log settings:
Access: Admin

1. Select Operations > System Policy.
   The System Policy page appears.

2. You have two options:
   • To modify the audit log settings in an existing system policy, click Edit next to the system policy.
   • To configure the audit log settings as part of a new system policy, click Create Policy. Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.
   In either case, the Access List page appears.

3. Click Audit Log Settings.

4. Select Enabled next to Send Audit Log to Syslog.
   The default setting is Disabled.

5. Designate the destination host for the audit information by using the IP address or the fully qualified name of the host in the Host field.
   The default port (514) is used.

   WARNING! The computer you configure to receive an audit log must be set up to accept remote messages. Otherwise, the appliance may send the audit log to the host, but it will not be accepted.

6. Label the audit data that you are sending with a facility and severity.
   The default for Facility is USER. The default for Severity is INFO. However, you can select any of the standard syslog facility and severity settings.

7. Optionally, insert a reference tag in the TAG field.

8. Click Save Policy and Exit.
   The system policy is updated. Your changes do not take effect until you apply the system policy to the Defense Center and its managed sensors. See Applying a System Policy on page 324 for more information.
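As an added example (not part of the guide and not Sourcefire code), the following Python parses audit records in the syslog format shown above, including records sent without the optional tag, and flags any whose User_IP is not covered by an allow list written in the Access List page's syntax (an exact IP, a CIDR block, or any). The sample records are constructed; the first is the guide's own example line.

```python
"""Parse Sourcefire audit-log syslog records and compare the user IP with an
Access List style allow list.

Added example, not code from the Sourcefire 3D System. It assumes the record
layout documented in this section:
    Date Time Host [Tag] Sender: [User_Name]@[User_IP], [Subsystem], [Action]
The allow-list syntax mirrors the Access List page: an exact IP address, a
CIDR block, or the keyword "any". All sample lines are constructed; the first
one is the guide's own example record.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_LINES = [
    "Mar 01 14:45:24 localhost [TAG] Dev-DC3000: admin@10.1.1.2, Operations > Monitoring, Page View",
    # the tag is optional, so a receiver must also accept records without it
    "Mar 01 14:46:02 localhost Dev-DC3000: analyst@192.168.1.77, Analysis & Reporting > IPS, Page View",
    "Mar 01 14:47:15 localhost [TAG] Dev-DC3000: admin@203.0.113.9, Operations > System Policy, Apply",
]

# One regex for the whole record; the bracketed tag group is optional.
AUDIT_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} \d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?:\[(?P<tag>[^\]]*)\] )?"
    r"(?P<sender>[^:]+): (?P<user>[^@]+)@(?P<user_ip>[^,]+), "
    r"(?P<subsystem>[^,]+), (?P<action>.+)$"
)


@dataclass
class AuditRecord:
    date: str
    time: str
    host: str
    tag: Optional[str]
    sender: str
    user: str
    user_ip: str
    subsystem: str
    action: str


def parse_audit_line(line: str) -> Optional[AuditRecord]:
    """Return an AuditRecord, or None if the line does not follow the format."""
    m = AUDIT_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: (v.strip() if v is not None else None) for k, v in m.groupdict().items()}
    return AuditRecord(**fields)


def parse_access_entry(entry: str) -> list:
    """Accept the Access List syntax: 'any', an exact IP, or a CIDR block.
    strict=False lets a host address with a prefix, like the guide's
    192.168.1.1/24 example, stand for its /24 network."""
    entry = entry.strip()
    if entry.lower() == "any":
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    return [ipaddress.ip_network(entry, strict=False)]


def records_outside_access_list(lines, allowed_entries) -> List[AuditRecord]:
    """Flag parsed records whose User_IP is not covered by the allow list.
    Addresses that do not parse are flagged too, so nothing is silently dropped."""
    nets = [n for e in allowed_entries for n in parse_access_entry(e)]
    flagged = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None:
            continue
        try:
            addr = ipaddress.ip_address(rec.user_ip)
        except ValueError:
            flagged.append(rec)
            continue
        if not any(addr in net for net in nets):
            flagged.append(rec)
    return flagged


if __name__ == "__main__":
    for rec in records_outside_access_list(SAMPLE_LINES, ["10.1.1.2", "192.168.1.1/24"]):
        print(f"{rec.date} {rec.time} {rec.user}@{rec.user_ip} outside access list: "
              f"{rec.subsystem}, {rec.action}")
```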

Configuring Authentication Profiles
Requires: DC/MDC

Normally, when a user logs into a Sourcefire 3D System Defense Center or managed sensor, the appliance verifies the user credentials by comparing them to a user account stored in the Defense Center or managed sensor's local database. However, if you create an authentication object referencing an external authentication server, you can apply the system policy to let users logging into the Defense Center or managed sensor authenticate to that server rather than using the local database. When you enable authentication, the appliance verifies the user credentials against users on an LDAP or RADIUS server.

In addition, you can set the default user role for any user whose account is externally authenticated. You can select multiple roles, as long as those roles can be combined. For example, if you set up an authentication profile that retrieves only users in the Network Security group in your company, you may set the default user role to include both the Intrusion Event Analyst role and the RNA Event Analyst so users can access collected event data without any additional user configuration on your part. However, if your authentication profile retrieves records for other personnel in addition to the security group, you would probably want to leave the default role unselected. If no access role is selected, users can log in but cannot access any functionality. After a user attempts to log in, their account is listed on the User Management page, where you can edit the account settings to grant additional permissions. For more information on modifying a user account, see Modifying User Privileges and Options on page 306. For more information on available user roles, see Understanding User Privileges on page 267. For a complete procedure for logging in initially as an externally authenticated user, see Logging into the Appliance to Set Up an Account on page 23.

If you configure the system policy to use one user role and apply the policy, then later modify the policy to use different default user roles and re-apply, any user accounts created before the modification retain the first user role until you modify or delete and recreate them.

Note that when you create an LDAP authentication object on your Defense Center, you can set a filter search attribute to specify the set of users who can successfully authenticate against the LDAP server. See Configuring Attribute Mapping on page 274 for more information.

Note that if a user has internal authentication enabled and the user credentials are not found in the internal database, the appliance then checks the external server for a set of matching credentials. If a user has the same username on multiple systems, all passwords across all servers work. Note, however, that if authentication fails on the available external authentication servers, the appliance does not revert to checking the local database.

The Authentication Profiles page only displays in the system policy on a Defense Center. You can enable authentication in a system policy on your Defense Center and then push that policy to managed sensors. Once you apply the policy to a

sensor, eligible externally authenticated users can log into the sensor. However, the system policy on the sensor does not display authentication profile settings, so you cannot manage them on the sensor itself. To make changes to the authentication profile settings, you have to modify the policy on the Defense Center and then push it to the sensor again. To disable authentication on a managed sensor, you can either disable it in a system policy on the Defense Center and push that to the sensor, or apply a local system policy (which cannot contain authentication profile settings) on the sensor.

Note that you can only enable external authentication on Defense Centers and 3D Sensors. Enabling external authentication by applying a system policy is not supported on the following sensor types:
• 3Dx800 sensors
• Crossbeam-based software sensors
• Intrusion Agents
• RNA Software for Red Hat Linux

When you apply a policy with authentication enabled to an appliance, the appliance checks the user against each external authentication server in the authentication order shown in the system policy.

If a user with internal authentication attempts to log in, the appliance first checks if that user is in the local user database. If the user exists, the appliance then checks the username and password against the local database. If a match is found, the user logs in successfully. If the login fails, and external authentication is enabled, the appliance checks the username and password against the external database. If the username and password match results from an external server, the appliance changes the user to an external user with the default privileges for that authentication object.

If an external user attempts to log in, the appliance checks the username and password against the external database. If a match is found, the user logs in successfully. If the login fails, the user login attempt is rejected. External users cannot authenticate against the user list in the local database. If the user is a new external user, an external user account is created in the local database with the default privileges for the external authentication object.

To enable authentication of users on external servers:
Access: Admin

1. On the Defense Center, select Operations > System Policy.
   The System Policy page appears.

2. You have two options:
   • To modify the authentication profile settings in an existing system policy, click Edit next to the system policy.
   • To configure the authentication profile settings as part of a new system policy, click Create Policy. Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.
   In either case, the Access List page appears.

3. Click Authentication Profiles.
   The Authentication Profiles page appears.

4. From the Status drop-down list, select Enabled.

5. From the Default User Role drop-down list, select a user role to define the default permissions you want to grant to users authenticated externally.

   TIP! Press Ctrl before selecting roles to select multiple default user roles. Note that although you can select both an event analyst role and the corresponding read-only event analyst role, only the analyst role is applied.

6. If you want to use the external server to authenticate shell access accounts as well, select Enabled from the Shell Authentication drop-down list.
   Remember that shell access users can only authenticate against the server whose authentication object is highest in the profile order.

7. To enable use of an authentication object, click Enable next to the object.

   IMPORTANT! You must enable at least one authentication object to enable external authentication.

8. Optionally, use the up and down arrows to change the order in which authentication servers are accessed when an authentication request occurs.

9. Click Save Policy and Exit.
   The system policy is updated. Your changes do not take effect until you apply the system policy to the Defense Center and its managed sensors. See Applying a System Policy on page 324 for more information.

Configuring Dashboard Settings
Requires: Any

You can configure the system policy so that Custom Analysis widgets are enabled on the dashboard. Dashboards provide you with at-a-glance views of current

system status through the use of widgets: small, self-contained components that provide insight into different aspects of the Sourcefire 3D System. The Custom Analysis widget allows you to create a visual representation of events based on a flexible, user-configurable query of the events in your appliance's database. See Understanding the Custom Analysis Widget on page 69 for more information on how to use custom widgets. By default, Custom Analysis widget use is enabled.

To enable Custom Analysis widgets:
Access: Admin

1. Select Operations > System Policy.
   The System Policy page appears.

2. You have two options:
   • To modify the dashboard settings in an existing system policy, click Edit next to the system policy.
   • To configure the dashboard settings as part of a new system policy, click Create Policy. Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.
   In either case, the Access List page appears.

3. Click Dashboard.
   The Dashboard Settings page appears.

4. Select the Enable Custom Analysis Widgets check box to allow users to add Custom Analysis widgets to dashboards, or clear the check box to prohibit users from using those widgets.

5. Click Save Policy and Exit.
   The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy on page 324 for more information.

Configuring Database Event Limits
Requires: Any

You can use the Database page to specify the maximum number of events you want to store on an appliance. To improve performance, you should try to tailor the database event limit to the number of events you regularly work with. In most cases, the minimum number of records you can store in any database is one record (or, in the case of the compliance violation history database, one day's history). However, for some databases, you can choose not to store any events. See Deleting System Policies on page 325 for more information.

These databases include those that store RNA and RUA events, as well as flow events, flow summaries, and health events. The Database Event Limits table on page 333 describes the maximum number of records you can store in the databases on your appliance.

Note that if you apply a system policy to an appliance that does not support the maximum limit you specify (for example, if you specify 100 million intrusion events and apply that policy to a 3D Sensor), the maximum limit for the appliance is silently enforced. In addition, database limits that do not apply to a particular appliance are silently ignored. For example, if you use the Defense Center to apply the same system policy to itself and the 3D Sensors it manages, any health alert limits you set in the policy have no effect on the sensors.

IMPORTANT! You cannot apply system policies to Crossbeam-based software sensors or Intrusion Agents.

Database Event Limits

Intrusion Event Database (Defense Center or Master Defense Center)
   Stores: intrusion events on a Defense Center or on a Master Defense Center (which is always a DC3000)
   Can store up to: 2.5 million events on the DC500; 10 million events on the Virtual Defense Center or the DC1000; 100 million events on the DC3000

Intrusion Event Database (3D Sensor)
   Stores: intrusion events on a 3D Sensor
   Can store up to: 2 million events

RNA Event Database
   Stores: RNA network discovery events on a Defense Center
   Can store up to: 10 million events

RNA Flow Database
   Stores: RNA flows on a Defense Center
   Can store up to: 10 million events on the DC500, Virtual Defense Center, or DC1000; 100 million events on the DC3000

RNA Flow Summary Database
   Stores: RNA flow summaries (aggregated RNA flows) on a Defense Center
   Can store up to: 10 million events on the DC500, Virtual Defense Center, or DC1000; 100 million events on the DC3000

Compliance & White List Event Database
   Stores: compliance events and white list events on a Defense Center or Master Defense Center
   Can store up to: 1 million events

Health Event Database
   Stores: health events on a Defense Center or Master Defense Center
   Can store up to: 1 million events

Database Event Limits (Continued)

Audit Event Database
   Stores: audit records
   Can store up to: 100,000 records

Remediation Status Event Database
   Stores: remediation status events on a Defense Center
   Can store up to: 10 million events

White List Violation History Database
   Stores: the white list violation history of the hosts on your network, on a Defense Center
   Can store up to: a 30-day history of violations

RUA Event Database
   Stores: RUA events on a Defense Center
   Can store up to: 10 million events

RUA History Database
   Stores: RUA storage of user logins on a Defense Center
   Can store up to: 10 million user login records

SEU Import Log Database
   Stores: SEU import log records
   Can store up to: 1 million records

Note that if the number of events in the intrusion event database exceeds the maximum, the oldest events and packet files are pruned until the database is back within limits. In addition, if the /volume disk partition reaches 85% of its capacity, unified files are deleted from the system, beginning with the oldest files. See Configuring a Mail Relay Host and Notification Address on page 338 for information about generating automated email notifications when events are automatically pruned.

For information on manually pruning the RNA and RUA databases, see Purging the RNA and RUA Databases on page 598.

To configure the maximum number of records in the database:
Access: Admin

1. Select Operations > System Policy.
   The System Policy page appears.

2. You have two options:
   • To modify the database settings in an existing system policy, click Edit next to the system policy.
   • To configure the database settings as part of a new system policy, click Create Policy. Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.
   In either case, the Access List page appears.

3. Click Database.
   The Database page appears. The following graphic shows the Database page on a DC1000 Defense Center.

4. For each of the databases, enter the number of records you want to store.
   For information on how many records each database can maintain, see Database Event Limits on page 333.

5. Click Save Policy and Exit.
   The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy on page 324 for more information.

Configuring Detection Policy Preferences
Requires: Any

The Detection Policy Preferences page allows you to configure whether you must confirm your action when you apply RNA detection policies and intrusion policies. If you enable this setting, whenever you apply an RNA detection policy or an intrusion policy to one or more detection engines, the appliance prompts you to confirm that you want to apply the policy. The appliance also warns you if the detection engine has a different policy applied to it than the one you are attempting to apply.

To configure detection policy preferences:
Access: Admin

1. Select Operations > System Policy.
   The System Policy page appears.

2. You have two options:
   • To modify the detection policy preferences in an existing system policy, click Edit next to the system policy.
   • To configure the detection policy preferences as part of a new system policy, click Create Policy. Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.
   In either case, the Access List page appears.

3. Click Detection Policy Preferences.
   The Detection Policy Preferences page appears.

4. Do you want to confirm your action when you apply RNA detection policies and intrusion policies?
   • If yes, select Yes from the drop-down list.
   • If no, select No from the drop-down list.

5. Click Save Policy and Exit.
   The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy on page 324 for more information.

Configuring DNS Cache Properties
Requires: Any

If you have a DNS server configured on the Network page, you can configure the appliance to resolve IP addresses automatically on the event view pages. As an administrator, you can also configure basic properties for DNS caching performed by the appliance. Configuring DNS caching allows you to identify IP addresses you previously resolved without performing additional lookups. This can reduce the amount of traffic on your network and speed the display of event pages when IP address resolution is enabled.

IMPORTANT! DNS resolution caching is a system-wide setting that allows the caching of previously resolved DNS lookups. To configure IP address resolution on a per-user-account basis, users must also select Event View Settings from the User Preferences menu, enable Resolve IP Addresses, and then click Save.

For information about configuring DNS servers, see Configuring Network Settings on page 377. For information about configuring event preferences, see Configuring Event View Settings on page 27.

To configure the DNS cache properties:
Access: Admin

1. Select Operations > System Policy.
   The System Policy page appears.

2. You have two options:
   • To modify the DNS cache settings in an existing system policy, click Edit next to the system policy.
   • To configure the DNS cache settings as part of a new system policy, click Create Policy. Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.
   In either case, the Access List page appears.

3. Click DNS Cache.
   The DNS Cache page appears.

4. Next to DNS Resolution Caching, select Enabled to enable caching or Disabled to disable it.

5. In the DNS Cache Timeout field, enter the number of minutes a DNS entry remains cached in memory before it is removed for inactivity.
   The default setting is 300 minutes (five hours).

6. Click Save Policy and Exit.
   The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy on page 324 for more information.

   WARNING! Although DNS caching is enabled for the appliance, IP address resolution is not enabled on a per-user basis unless it is configured on the Events page accessed from the User Preferences menu.

Configuring a Mail Relay Host and Notification Address
Requires: Any

If you plan to:
• email event-based reports
• email status reports for scheduled tasks
• use email for RNA event, impact flag, and compliance event alerting (Defense Center only; requires RNA)
• use email for intrusion event alerting (Defense Center only; requires IPS)
• use email for health event alerting (Defense Center only)
you must configure a mail host. In addition, you can configure an email address that will receive notifications when intrusion events and audit logs are pruned from the database.

To configure a mail relay host:
Access: Admin

1. Select Operations > System Policy.
   The System Policy page appears.

2. You have two options:
   • To modify the email settings in an existing system policy, click Edit next to the system policy.
   • To configure the email settings as part of a new system policy, click Create Policy. Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.
   In either case, the Access List page appears.

3. Click Email Notification.
   The Configure Email Notification page appears.

4. In the Mail Relay Host field, type the hostname or IP address of the mail server you want to use.

   IMPORTANT! The mail host you enter must allow access from the appliance.

5. Optionally, in the Data Pruning Notification Address field, enter the email address you want to receive notifications when intrusion events and audit logs are pruned from the appliance's database.

6. Click Save Policy and Exit.
   The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy on page 324 for more information.

Configuring Intrusion Policy Preferences
Requires: Any

You can allow or require comments to be added to the audit log when an intrusion policy changes. You can also track all changes to intrusion policies in the audit log.

To configure intrusion policy change tracking:
Access: Admin

1. Select Operations > System Policy.
   The System Policy page appears.

2. You have two options:
   • To modify the intrusion policy preferences in an existing system policy, click Edit next to the system policy.
   • To configure the intrusion policy preferences as part of a new system policy, click Create Policy. Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.
   In either case, the Access List page appears.

3. Click Intrusion Policy Preferences.
   The Intrusion Policy Preferences page appears.

4. Select Disabled, Optional, or Required from the Comments on policy change drop-down list.
   If you select Optional or Required, a Description of Changes text box appears when you commit your intrusion policy changes.

5. Optionally, if you want to track changes to intrusion policies, select Write changes in Intrusion Policy to audit log.

6. Click Save Policy and Exit.
   The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy on page 324 for more information.

Specifying a Different Language
Requires: Any

You can use the Language page to specify a different language for the web interface.

WARNING! The language you select here is used for the web interface for every user who logs into the appliance.

To select a different language for the user interface:
Access: Admin

1. Select Operations > System Policy.
   The System Policy page appears.

2. You have two options:
   • To modify the language settings in an existing system policy, click Edit next to the system policy.
   • To configure the language settings as part of a new system policy, click Create Policy. Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.
   In either case, the Access List page appears.

3. Click Language.
   The Language page appears.

4. Select the language you want to use.

5. Click Save Policy and Exit.
   The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy on page 324 for more information.

Adding a Custom Login Banner
Requires: Any

You can create a custom login banner that appears when users log into the appliance using SSH and on the login page of the web interface. Banners can contain any printable characters except the less-than symbol (<) and the greater-than symbol (>).

Custom login banners are part of the system policy. You can specify the login banner either by creating a new system policy or by editing an existing policy. In either case, the login banner is not used until you apply the system policy.

To add a custom banner:
Access: Admin

1. Select Operations > System Policy.
   The System Policy page appears.

2. You have two options:
   • To modify the login banner in an existing system policy, click Edit next to the system policy.
   • To configure the login banner as part of a new system policy, click Create Policy. Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.
   In either case, the Access List page appears.

3. Click Login Banner.
   The Login Banner page appears.

4. In the Custom Login Banner field, enter the login banner that you want to use with this system policy.

5. Click Save Policy and Exit.
   The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy on page 324 for more information.

Configuring RNA Settings
Requires: DC/MDC + RNA

You can configure several aspects of RNA behavior through the system policy, including how RNA stores data, which vulnerability types to use for impact assessment, whether operating system and service identity conflicts are automatically resolved, whether identity conflict events are logged, and the priority of active sources of identity data. For more information, see the following sections:
• Understanding RNA Data Storage Settings on page 342
• Understanding Vulnerability Impact Assessment Settings on page 345
• Understanding Multiple Fingerprint Settings on page 345
• Configuring Settings for RNA on page 347

Understanding RNA Data Storage Settings
Requires: DC/MDC + RNA

RNA data storage settings, as described in the following table, control the kinds of RNA data stored in the database and what RNA and host input events are logged, and therefore determine the data that other parts of the Sourcefire 3D System can use. These settings also control how long data is retained in the network map.

RNA Data Storage Settings

Host Timeout
   The amount of time that passes, in minutes, before RNA drops a host from the network map due to inactivity. The default setting is 10080 minutes (7 days).
   IMPORTANT! To avoid premature timeout of hosts, make sure that the host timeout value is longer than the update interval in the RNA detection policy. For more information, see Creating RNA Detection Policies in the Analyst Guide.

Service Timeout
   The amount of time that passes, in minutes, before RNA drops a service from the network map due to inactivity. The default setting is 10080 minutes (7 days).
   IMPORTANT! To avoid premature timeout of services, make sure that the service timeout value is longer than the update interval in the RNA detection policy. For more information, see Creating RNA Detection Policies in the Analyst Guide.

RNA Data Storage Settings (Continued)

Client Application Timeout
   The amount of time that passes, in minutes, before RNA drops a client application from the network map due to inactivity. The default setting is 10080 minutes (7 days).
   IMPORTANT! Make sure that the client application timeout value is longer than the update interval in the RNA detection policy. For more information, see Creating RNA Detection Policies in the Analyst Guide.

Drop New Hosts When Host Limit Reached
   Select this check box if you want new hosts rather than old hosts dropped when the Defense Center reaches its host limit and the network map is full. This option is especially valuable if you want to prevent spoofed hosts from taking the place of valid hosts in the network map.

Combine Flows for Out-Of-Network Responders
   Select this check box if you want to combine flow summaries involving external hosts. Enabling this option treats flow summary data from IP addresses that are not in your list of monitored networks (as defined by your RNA detection policy) as coming from a single host, instead of an individual IP address. The Defense Center will combine flow summaries involving a host on your monitored network and one or more external hosts if the flows use the same port, protocol, and service, and if they were detected by the same detection engine (for flows detected by a 3D Sensor) or were exported by the same NetFlow-enabled device and were processed by the same detection engine. This can reduce the space required to store flow data and can also speed up the rendering of flow data graphs. Event views, graphs, and reports use external to indicate the hosts outside your monitored network. However, if you enable this option and you attempt to drill down to the table view of flow data (that is, access data on individual flows) for a flow summary that involves an external responder, the table view contains no information.
   Note that you can also use the RNA detection policy to force your 3D Sensors to combine flow summaries involving external hosts before they transmit the data to the Defense Center, which can reduce the number of events sent to the Defense Center. However, keep in mind that setting this option in the RNA detection policy requires that you set your flow data mode to Summary, which prevents your 3D Sensors from transmitting individual flows to the Defense Center and therefore prevents you from taking advantage of any feature that requires data from individual flows. For more information, see Combining Flow Summaries from External Responders in the Analyst Guide as well as Configuring RNA Detection Policy Settings in the Analyst Guide.
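To make the combining rule concrete, here is an added Python model of it (not Sourcefire code, and not how the Defense Center is implemented): summaries from a monitored initiator to an out-of-network responder are merged into one external responder when port, protocol, service, detection engine and, for NetFlow data, exporting device all match, while summaries with an internal responder or an external initiator are left alone. The summary records, engine names and monitored network range are constructed.

```python
"""Combine flow summaries for out-of-network responders.

Added example, not Sourcefire code. It models the combining rule described
above: with the option enabled, summaries whose initiator is on a monitored
network and whose responder is not are merged into one "external" responder
when they share port, protocol, service and detection engine (and, for
NetFlow data, the same exporting device). Every summary record, engine name
and network range below is constructed.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class FlowSummary:
    initiator: str
    responder: str                 # an IP address, or "external" after combining
    port: int
    protocol: str
    service: str
    detection_engine: str
    netflow_device: Optional[str]  # None for flows detected by a 3D Sensor
    flows: int
    byte_count: int


SAMPLE_SUMMARIES = [
    FlowSummary("10.1.1.5", "203.0.113.10", 443, "tcp", "https", "de1", None, 3, 3000),
    FlowSummary("10.1.1.5", "198.51.100.7", 443, "tcp", "https", "de1", None, 2, 1500),
    FlowSummary("10.1.1.5", "203.0.113.10", 443, "tcp", "https", "de2", None, 1, 100),  # other engine
    FlowSummary("10.1.1.5", "10.1.2.9", 22, "tcp", "ssh", "de1", None, 4, 800),         # internal responder
    FlowSummary("203.0.113.10", "10.1.1.5", 80, "tcp", "http", "de1", None, 1, 50),    # external initiator
    FlowSummary("10.1.1.5", "203.0.113.10", 443, "tcp", "https", "de1", "nf-exporter-1", 7, 9000),
]
MONITORED_NETWORKS = ["10.1.0.0/16"]  # stands in for the RNA detection policy's monitored networks


def is_monitored(ip: str, monitored: Sequence) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in monitored)


def combine_external_responders(summaries, monitored_cidrs, enabled=True) -> List[FlowSummary]:
    """Return the summaries as they would be stored with the option on or off."""
    if not enabled:
        return list(summaries)
    monitored = [ipaddress.ip_network(c, strict=False) for c in monitored_cidrs]
    kept: List[FlowSummary] = []                # summaries the rule does not touch
    combined: Dict[Tuple, FlowSummary] = {}     # combining key -> merged summary
    for s in summaries:
        # Only a monitored initiator talking to an external responder is combined.
        if not is_monitored(s.initiator, monitored) or is_monitored(s.responder, monitored):
            kept.append(s)
            continue
        key = (s.initiator, s.port, s.protocol, s.service, s.detection_engine, s.netflow_device)
        if key in combined:
            cur = combined[key]
            combined[key] = replace(cur, flows=cur.flows + s.flows,
                                    byte_count=cur.byte_count + s.byte_count)
        else:
            # The individual responder address is dropped here, which is why drilling
            # down to individual flows for such a summary shows no information.
            combined[key] = replace(s, responder="external")
    return kept + list(combined.values())


if __name__ == "__main__":
    for s in combine_external_responders(SAMPLE_SUMMARIES, MONITORED_NETWORKS):
        print(f"{s.initiator} -> {s.responder} {s.protocol}/{s.port} {s.service} "
              f"engine={s.detection_engine} netflow={s.netflow_device} flows={s.flows}")
```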

RNA Data Storage Settings (Continued)

Drop Duplicate RNA Flow Events
   Select this check box if you want the Defense Center to drop duplicate flow events generated by 3D Sensors with RNA. Duplicate flow events can be created if you use two RNA detection policies, each of which is monitoring a separate network segment using separate detection engines. In that scenario, each detection engine generates a flow event when RNA detects that a connection is terminated between a monitored host on one of the networks and a monitored host on the other network. On the other hand, if you use one policy to monitor both networks, only the reporting detection engine for the flow initiator generates a flow event. Duplicate flow events can also be created if you overlap network segment coverage with your RNA detection engines in your RNA detection policy.
   Note that best practices are to use only one detection policy and to not overlap network segment coverage; not following best practices can degrade performance as the Defense Center attempts to resolve the conflicts, and can also use excessive bandwidth.

Drop Duplicate NetFlow Events
   Select this check box if you want the Defense Center to drop duplicate flow events that are based on NetFlow data. Duplicate NetFlow events can be created, for example, if two NetFlow-enabled devices export information about the same session. Just as with RNA flow events, best practices are to avoid creating duplicate NetFlow events. For more information, see Drop Duplicate RNA Flow Events.

Understanding Vulnerability Impact Assessment Settings
Requires: DC/MDC + RNA

The RNA vulnerability impact assessment settings, as described in the following table, control which vulnerability types to use for impact assessment. For more information, see Using Impact Flags to Evaluate Events in the Analyst Guide.

Vulnerability Impact Assessment Settings

Vulnerabilities to use for Impact Assessment (Requires: IPS)
   Select the check boxes in this section to configure how the Sourcefire 3D System performs impact flag correlation with intrusion events. For example, if IPS generates an intrusion event and the Sourcefire 3D System is able to use any of the methods you specified to determine that the host involved in the event is vulnerable to the attack or exploit, the intrusion event will be marked with the red (Vulnerable) impact flag. You can select any or all of the check boxes in this section. Note that if you clear all the check boxes, intrusion events will never be marked with the red impact flag.
   • Select the Use RNA Vulnerability Mappings check box if you want to use RNA vulnerability information to perform impact flag correlation.
   • Select the Use Third Party Scanner Vulnerability Mappings check box if you are using an integrated scan capability or the AddScanResult host input API function and you want to use vulnerability lookups from the scanner to perform impact flag correlation. For example, if you scan using Nessus, select this option to use the Nessus vulnerability mappings. For more information, see Understanding Nessus Scans in the Analyst Guide or the Sourcefire 3D System Host Input API Guide.
   • Select the Third Party Vulnerability Mappings check box if you want to use third-party vulnerability references to perform impact flag correlation. For more information, see Mapping Third-Party Vulnerabilities in the Analyst Guide.

RNA Event Logging
   Expand this section and use the check boxes to specify the types of RNA network discovery events that you want to log in the database. See Understanding RNA Network Discovery Event Types in the Analyst Guide for information about each event type.

Host Input Event Logging
   Expand this section and use the check boxes to specify the types of RNA host input events that you want to log in the database. See Understanding RNA Host Input Event Types in the Analyst Guide for information about each event type.

Understanding Multiple Fingerprint Settings
Requires: DC + RNA

RNA matches fingerprints for operating systems and services against patterns in traffic to determine what operating system and which services are running on a particular host. To provide the most reliable operating system and service identity information, RNA collates fingerprint information from several sources.

RNA uses all passive data to derive operating system identities and assign a confidence value. If you import data from a third-party application or scanner, by default, identity data added by a scanner or application overrides identity data detected by RNA, unless there is an identity conflict. You can use the Multiple Fingerprinting page to rank scanner and application fingerprint sources by priority. RNA retains one identity for each source, but only data from the highest priority application or scanner source is used as the current identity. Note, however, that user input data overrides scanner and application data regardless of priority. For more information on current identities and how RNA selects the current identity, see Enhancing Your Network Map in the Analyst Guide.

An identity conflict occurs when RNA detects an identity that conflicts with an existing identity that came from the active scanner or application sources listed on the Multiple Fingerprinting page or from a user. By default, identity conflicts are not automatically resolved and you must resolve them through the host profile or by rescanning the host or re-adding new identity data to override the RNA identity. However, you can set your system to always automatically resolve the conflict by keeping the passive identity or to always resolve it by keeping the active identity, as indicated in the Multiple Fingerprint Settings table.

You can add new active sources through this page, or change the priority or timeout settings for existing sources. Note that adding a scanner to this page does not add the full integration capabilities that exist for the Nmap and Nessus scanners, but does allow integration of imported application or scan results. However, remember to make sure that you map vulnerabilities from the source to the RNA vulnerabilities in the network map.
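The selection rules above (user input first, then the highest-priority scanner or application source, then the passive RNA fingerprint, with the Automatically Resolve Conflicts setting deciding what happens when RNA disagrees with an existing active identity, and a per-source timeout after which an identity is deleted) can be traced through the following Python model. It is an added example, not Sourcefire code: the class names, the priority and timeout fields, the sample sources nessus and asset-db, and all sample identities are constructed, and the behaviour modelled for Disabled (the existing active identity stays current and the conflict is left for manual resolution) is a reading of "not automatically resolved".

```python
"""Model of how RNA selects a host's current operating system identity when
several fingerprint sources disagree, following the rules described above.

Added example, not Sourcefire code. Class names, the "priority" and
"timeout_s" fields, the sample sources (nessus, asset-db) and the sample
identities are constructed assumptions; only the rules come from the text:
user input overrides scanner and application data regardless of priority,
only the highest-priority active source supplies the current identity,
expired sources drop out, and the Automatically Resolve Conflicts setting
(Disabled, Passive, Active) decides what happens when the passive RNA
fingerprint conflicts with an existing active identity.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ActiveSource:
    name: str
    kind: str                  # "scanner" or "application"
    priority: int              # 1 = top of the Scanner/Application list
    timeout_s: Optional[int]   # Timeout setting in seconds; None = keep forever


@dataclass(frozen=True)
class Identity:
    source: str    # "rna" (passive), "user", or an ActiveSource.name
    os: str
    added_at: int  # epoch seconds when the identity entered the network map


def live_identities(ids: List[Identity], sources: List[ActiveSource],
                    now: int) -> List[Identity]:
    """Drop identities from active sources whose Timeout has elapsed."""
    timeout = {s.name: s.timeout_s for s in sources}
    return [i for i in ids
            if i.source not in timeout
            or timeout[i.source] is None
            or now - i.added_at <= timeout[i.source]]


def current_identity(ids: List[Identity], sources: List[ActiveSource], now: int,
                     resolve: str = "Disabled") -> Tuple[Optional[Identity], str]:
    """Return (current identity, status).

    status is "ok", "user-override", "conflict-unresolved" (Disabled: left
    for manual resolution in the host profile) or "conflict-resolved".
    """
    ids = live_identities(ids, sources, now)
    user = [i for i in ids if i.source == "user"]
    passive = [i for i in ids if i.source == "rna"]
    priority = {s.name: s.priority for s in sources}
    active = sorted((i for i in ids if i.source in priority),
                    key=lambda i: priority[i.source])   # one identity per source

    if user:                        # user input wins regardless of priority
        return user[0], "user-override"
    if not active:
        return (passive[0], "ok") if passive else (None, "ok")
    best = active[0]                # highest-priority scanner/application
    if not passive or passive[0].os == best.os:
        return best, "ok"           # active data overrides RNA, no conflict

    # The passive RNA fingerprint disagrees with the existing active identity.
    if resolve == "Passive":
        return passive[0], "conflict-resolved"
    if resolve == "Active":
        return best, "conflict-resolved"
    # Disabled (default): no automatic override; the existing identity stays
    # current and the conflict waits for manual resolution (an identity
    # conflict event is generated if that option is enabled).
    return best, "conflict-unresolved"


# --- constructed sample (not from the page) -------------------------------
SOURCES = [
    ActiveSource("nessus", "scanner", priority=1, timeout_s=7 * 86400),   # 1 week
    ActiveSource("asset-db", "application", priority=2, timeout_s=None),
]
NOW = 1_000_000

AGREEING = [
    Identity("rna", "Linux 2.6", NOW - 10),
    Identity("nessus", "Linux 2.6", NOW - 3600),
    Identity("asset-db", "Windows Server 2003", NOW - 30 * 86400),
]
CONFLICTING = [
    Identity("rna", "Linux 2.6", NOW - 10),
    Identity("nessus", "Windows Server 2008", NOW - 3600),
    Identity("asset-db", "Windows Server 2003", NOW - 30 * 86400),
]
# Same as CONFLICTING, but the Nessus result is 8 days old and has timed out.
EXPIRED_SCAN = [Identity(i.source, i.os, NOW - 8 * 86400) if i.source == "nessus" else i
                for i in CONFLICTING]
WITH_USER = CONFLICTING + [Identity("user", "Ubuntu 10.04", NOW - 5)]

if __name__ == "__main__":
    for label, ids in [("agreeing", AGREEING), ("conflicting", CONFLICTING),
                       ("expired scan", EXPIRED_SCAN), ("with user", WITH_USER)]:
        for mode in ("Disabled", "Passive", "Active"):
            ident, status = current_identity(ids, SOURCES, NOW, mode)
            print(f"{label:13s} {mode:8s} -> {ident.source}: {ident.os} ({status})")
```

The expired-scan case is the one worth noticing: once the top-ranked scanner result times out, the lower-ranked application source silently becomes the current identity, which is why the Timeout setting deserves as much thought as the priority order.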

For more information on mapping vulnerabilities from a source to the RNA vulnerabilities in the network map, see Mapping Third-Party Vulnerabilities in the Analyst Guide.

Multiple Fingerprint Settings

Generate Identity Conflict Event
Enable this option to generate an event when an identity conflict occurs on a host in the network map.

Automatically Resolve Conflicts
You have the following options:
• To force manual conflict resolution of identity conflicts, select Disabled from the Automatically Resolve Conflicts drop-down list.
• To use the RNA fingerprint when an identity conflict occurs, select Passive from the Automatically Resolve Conflicts drop-down list.
• To use the current identity from the highest priority active source when an identity conflict occurs, select Active from the Automatically Resolve Conflicts drop-down list.

Scanner/Application List
You have several options:
• To add a new source, click Add in the Multiple Fingerprints page of the system policy. Type a name for the source.
• To change the type of source, select Scanner or Application from the Type drop-down list.
• To promote a source and cause the operating system and service identities to be used in favor of sources below it in the list, click the up arrow next to the source name.
• To demote a source and cause the operating system and service identities to be used only if there are no identities provided by sources above it in the list, click the down arrow next to the source name.
• To indicate the duration of time that should elapse between the addition of an identity to the network map by this source and the deletion of that identity, select Hours, Days, or Weeks from the Timeout drop-down list and type the appropriate duration.

Configuring Settings for RNA
Requires: DC + RNA

Use the following procedure to configure RNA settings in the system policy.

To specify RNA settings:
Access: Admin
1. Select Operations > System Policy. The System Policy page appears.

2. You have two options:
• To modify the RNA settings in an existing system policy, click Edit next to the system policy.
• To configure the RNA settings as part of a new system policy, click Create Policy. Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.
In either case, the Access List page appears.
3. Click RNA Settings. The RNA Settings page appears.
4. Specify the RNA data storage settings that you want for your Defense Center. See the RNA Data Storage Settings table on page 342 for more information.

5. Optionally, configure multiple fingerprint settings to manage operating system and service source priorities and identity conflict resolution settings. See the Multiple Fingerprint Settings table on page 347 for more information.
6. Optionally, specify the RNA network discovery events that you want to log by clicking the arrow next to RNA Event Logging. All the event types are enabled by default. See the RNA Network Discovery Event Types table in the Analyst Guide for more information.
7. Optionally, specify the RNA host input events that you want to log by clicking the arrow next to Host Input Event Logging. All the event types are enabled by default. See the RNA Host Input Event Types table in the Analyst Guide for more information.
8. Click Save Policy and Exit. The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy on page 324 for more information.

Configuring RNA Subnet Detection Settings
Requires: DC + RNA

Optimally, your RNA detection policy specifies that each RNA detection engine is configured as the reporting detection engine for the hosts that are closest to it from a network hop standpoint. Choosing which subnets to monitor with which detection engines is an iterative process that you should revisit from time to time, especially if your network configuration has been altered through routing or host changes. Unfortunately, you may not always be kept abreast of network configuration changes. A network administrator may modify a network configuration through routing or host changes without informing you, which can make it challenging to stay on top of proper RNA policy configurations.

Subnet detection allows RNA to make recommendations about which are the best detection engines to analyze the traffic on the various network segments in your organization. As RNA continuously monitors your network traffic, it may be able to refine any subnet recommendations it has made for your RNA detection policies. Optionally, as a time-saving and performance-maximizing measure, you can use the system policy to configure RNA to automatically generate subnet recommendations for your currently applied RNA detection policies on a daily basis. Alternately, you can configure the Defense Center to automatically update those policies and apply the updated policies to your RNA detection engines.

If you do not configure the Defense Center to automatically apply subnet recommendations, you must revisit the detection policy after you apply it for the first time so that you can manually evaluate and apply any subnet recommendations. This is because RNA only gathers secondary information

(hops and MAC address data) about hosts in subnets that are set to autodetect. To get detailed information about the hosts in a subnet, including operating system and service identity data, flow data, and so on, you must explicitly assign an RNA detection engine to monitor that subnet.

Note that you can configure the Defense Center to notify you of subnet recommendations via email so that you can make the changes manually, or, if you configured the Defense Center to automatically apply recommendations, to notify you of any changes made.

The following diagram illustrates the automated subnet detection process.

For more information on subnet detection, see Introduction to Sourcefire RNA in the Analyst Guide.

IMPORTANT! For performance reasons, RNA only automatically generates recommendations for RNA deployments running on Version 4.9 and later 3D Sensors. If your RNA deployment includes even one legacy (pre-Version 4.9) 3D Sensor, you must manually generate and apply recommendations for your RNA detection policies. For more information, see Manually Generating Subnet Recommendations in the Analyst Guide.

To configure RNA subnet detection settings:
Access: Admin
1. Select Operations > System Policy. The System Policy page appears.
2. You have two options:
• To modify the RNA subnet detection settings in an existing system policy, click Edit next to the system policy.
• To configure the RNA subnet detection settings as part of a new system policy, click Create Policy. Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.
In either case, the Access List page appears.
3. Click RNA Subnet Detection Settings. The RNA Subnet Detection Settings page appears.
4. From the Generate Recommendations Daily At drop-down list, select the time when you want RNA to automatically generate daily subnet recommendations for all applied RNA detection policies. To disable daily generation of subnet recommendations, select Disabled.
5. Optionally, in the Mail Notifications To field, enter the email address where you want to receive notifications of new subnet recommendations.
TIP! To receive email notifications, you must configure a valid mail relay host. For more information, see Configuring a Mail Relay Host and Notification Address on page 338.

6. Enable the Automatically Apply Daily Recommendations check box to automatically update and apply your RNA detection policies after RNA generates subnet recommendations. Note that this option has no effect unless you enable daily recomm­endations.
7. Click Save Policy and Exit. The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy on page 324 for more information.

Configuring RUA Settings
Requires: DC + RUA

Sourcefire RUA (see Using Sourcefire RUA in the Analyst Guide) is an optional component of the Sourcefire 3D System that allows you to correlate network activity with user identity information. When RUA detects a user login for a user who is not already in the database, an RUA user is added to the Defense Center user database. RUA can add users to the database using the following types of detected protocols:
• LDAP
• AIM
• POP3
• IMAP
• Oracle
• SIP (VoIP)

Note that although RUA detects SMTP logins, the Defense Center does not record them unless there is already a user with a matching email address in the database; RUA users are not added to the database based on SMTP logins.

The RUA feature license on the Defense Center (see Licensing RUA in the Analyst Guide) specifies the number of users you can monitor with RUA. After you reach your licensed limit, RUA stops adding new users to the Defense Center database.

You can use the RUA settings in the system policy to filter which types of network activity cause RUA to add users to the database. Restricting RUA helps minimize username clutter and preserve RUA licenses. For example, obtaining usernames through protocols such as AIM, POP3, and IMAP can introduce usernames not relevant to your organization due to network access from contractors, visitors, and other guests. In addition, AIM, Oracle, and SIP logins always create duplicate user records. This is because these logins are not associated with any of the user metadata that RUA obtains from an LDAP server,

nor are they associated with any of the information contained in the other types of login that your 3D Sensors detect.

IMPORTANT! Sourcefire RUA Agents installed on Microsoft Active Directory LDAP servers collect only LDAP user login information. Therefore, unless your RUA implementation includes 3D Sensors with RUA, filtering non-LDAP logins has no effect. For more information on RUA Agents and 3D Sensors with RUA, see How Do I Choose an RUA Implementation? in the Analyst Guide.

To filter RUA users based on network activity type:
Access: Admin
1. Select Operations > System Policy. The System Policy page appears.
2. You have two options:
• To modify the RUA settings in an existing system policy, click Edit next to the system policy.
• To configure the RUA settings as part of a new system policy, click Create Policy. Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.
In either case, the Access List page appears.
3. Click RUA Settings. The RUA Detection Settings page appears.
4. Select the check boxes that correspond to the types of logins that will create RUA users. By default, all login types cause RUA to add users to the database.
5. Click Save Policy and Exit. The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy on page 324 for more information.

Synchronizing Time
Requires: Any

You can manage time synchronization on the appliance using the Time Synchronization page. You can choose to synchronize the time:
• manually
• using one or more NTP servers (one of which can be a Defense Center)

Time settings are part of the system policy. You can specify the time settings either by creating a new system policy or by editing an existing policy. In either case, the time setting is not used until you apply the system policy.

Note that time settings are displayed on most pages on the appliance in local time using the time zone you set on the Time Zone page (America/New York by default), but are stored on the appliance itself using UTC time. In addition, the current time appears in UTC at the top of the Time Synchronization page (local time is displayed in the Manual clock setting option, if enabled).

You can synchronize the appliance's time with an external time server. If you specify a remote NTP server, your appliance must have network access to it. Connections to NTP servers do not use configured proxy settings. Do not synchronize your 3D Sensors (virtual or physical) to a Virtual Defense Center. Sourcefire recommends that you synchronize your virtual appliances to a physical NTP server. To use the Defense Center as an NTP server, see Serving Time from the Defense Center on page 357.

You must use native applications, such as command line interfaces or the operating system interface, to manage time settings for software sensors:
• For more information on configuring settings for Crossbeam Systems Switches, see the Sourcefire 3D Sensor Software for X-Series Installation Guide.
• For more information on configuring settings for RNA Software for Red Hat Linux, see the Sourcefire RNA Software for Red Hat Linux Configuration Guide.
• You manage time settings on an Intrusion Agent through the operating system.

The procedure for synchronizing time differs slightly depending on whether you are using the web interface on a Defense Center or a 3D Sensor. Each procedure is explained separately below.

To synchronize time on the Defense Center:
Access: Admin
1. Select Operations > System Policy. The System Policy page appears.

2. You have two options:
• To modify the time settings in an existing system policy, click Edit next to the system policy.
• To configure the time settings as part of a new system policy, click Create Policy. Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.
In either case, the Access List page appears.
3. Click Time Synchronization. The Time Synchronization page appears.
4. You have two options for specifying how the time is synchronized on the appliance:
• To set the time manually, select Manually in the System Settings. See Setting the Time Manually on page 389 for information about setting the time after you apply the system policy.
• To receive time through NTP from a different server, select Via NTP Server from and, in the text box, type a comma-separated list of IP addresses for the NTP servers you want to use or, if DNS is enabled, type the fully qualified host and domain names.
WARNING! If the appliance is rebooted and your DHCP server sets an NTP server record different from the one you specify here, the DHCP-provided NTP server will be used instead. To avoid this situation, you should configure your DHCP server to set the same NTP server.
5. If you want to serve time from the Defense Center to your managed sensors, in the Serve time via NTP drop-down list, select Enabled. Only Defense Centers can act as NTP servers. Note that if you set this option to Enabled and then apply the system policy to a sensor rather than a Defense Center, this value is ignored.

6. Click Save Policy and Exit. The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy on page 324 for more information.

IMPORTANT! It may take a few minutes for the appliance to synchronize with the configured NTP servers.

To synchronize time on a 3D Sensor:
Access: Admin
1. Select Operations > System Policy. The System Policy page appears.
2. You have two options:
• To modify the time settings in an existing system policy, click Edit next to the system policy.
• To configure the time settings as part of a new system policy, click Create Policy. Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.
In either case, the Access List page appears.
3. Click Time Synchronization. The Time Synchronization page appears.
4. You have two options for specifying how time is synchronized on the 3D Sensor:

• To set the time manually, select Manually in the System Settings. See Setting the Time Manually on page 389 for information about setting the time after you apply the system policy.
• To receive time through NTP from different servers, select Via NTP Server from and, in the text box, type a comma-separated list of IP addresses of the NTP servers or, if DNS is enabled, type the fully qualified host and domain names.
5. Click Save Policy and Exit. The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy on page 324 for more information.

IMPORTANT! It may take a few minutes for the 3D Sensor to synchronize with the configured NTP servers. In addition, if you are synchronizing the 3D Sensor to a Defense Center that is configured as an NTP server, and the Defense Center itself is configured to use an NTP server, it may take some time for the time to synchronize. This is because the Defense Center must first synchronize with its configured NTP server before it can serve time to the 3D Sensor.

Serving Time from the Defense Center
Requires: DC/MDC

You can configure the Defense Center as a time server using NTP and then use it to synchronize time between the Defense Center and managed 3D Sensors.

TIP! You cannot set the time manually after configuring the Defense Center to serve time using NTP. If you need to manually change the time, you should do so before configuring the Defense Center to serve time using NTP. If you need to change the time manually after configuring the Defense Center as an NTP server, disable the Via NTP option and click Save, change the time manually and click Save, and then enable Via NTP and click Save.

IMPORTANT! If you configure the Defense Center to serve time using NTP and then later disable it, the NTP service on managed sensors will still attempt to synchronize time with the Defense Center. You must disable NTP from the managed sensors' web interfaces to stop the synchronization attempts.

To configure the Defense Center as an NTP server:
Access: Admin
1. On the Defense Center, select Operations > System Policy. The System Policy page appears.

2. You have two options:
• To modify the NTP server settings in an existing system policy, click Edit next to the system policy.
• To configure the NTP server settings as part of a new system policy, click Create Policy. Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.
In either case, the Access List page appears.
3. Click Time Synchronization. The Time Synchronization page appears.
4. From the Serve Time via NTP drop-down list, select Enabled.
5. In the Set My Clock option for the sensors, select Via NTP from Defense Center.
6. Click Save Policy and Exit. The system policy is updated. Your changes do not take effect until you apply the system policy to the Defense Center and its managed sensors. See Applying a System Policy on page 324 for more information.

IMPORTANT! It may take a few minutes for the Defense Center to synchronize with its managed sensors.

Mapping Vulnerabilities for Services
Requires: DC/MDC

RNA automatically maps vulnerabilities to a host for any service traffic received or sent by the host, when the service has a service ID in the RNA database and the packet header for the traffic includes a vendor and version. However, many services do not include vendor and version information. For the services listed in the system policy, you can configure whether RNA associates vulnerabilities with service traffic for vendor and versionless services.

For example, a host receives SMTP traffic that does not have a vendor or version in the header. If you enable the SMTP service on the Vulnerability Mapping page of a system policy, then apply that policy to the Defense Center managing the sensor that detects the traffic, all vulnerabilities associated with SMTP applications are added to the host profile for the host.

Note that although RNA detectors collect service information and add it to host profiles, the service information will not be used for vulnerability mapping because you cannot specify a vendor or version for a custom service and cannot select the service for vulnerability mapping in the system policy.
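The three outcomes described above (versioned traffic maps only the matching vulnerabilities, versionless traffic maps every vulnerability for the service when that service is enabled on the Vulnerability Mapping page, and a custom service maps nothing) are worth tracing when you are working out why a host profile carries a vulnerability or why an intrusion event was flagged Vulnerable. The Python model below is an added example, not Sourcefire code: the vulnerability records and their IDs, the service and vendor names, the KNOWN_SERVICES set and the policy dictionaries are all constructed.

```python
"""Model of the service vulnerability mapping rules described above.

Added example, not Sourcefire code. The vulnerability records, the service
and vendor names, the KNOWN_SERVICES set and the policy dictionaries are
constructed assumptions. The rules follow the text: traffic whose header
carries a vendor and version maps the matching vulnerabilities for a service
that has a service ID in the RNA database; traffic without vendor or version
maps every vulnerability for that service only if the service is enabled on
the Vulnerability Mapping page; a custom service has no vendor or version and
cannot be selected there, so nothing is mapped for it.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Vuln:
    vid: str        # constructed identifier, not a real vulnerability ID
    service: str    # service as named in the RNA database
    vendor: str
    version: str


@dataclass(frozen=True)
class ServiceTraffic:
    host: str
    service: str
    vendor: Optional[str] = None   # None: header carried no vendor
    version: Optional[str] = None  # None: header carried no version


# Constructed vulnerability database.
VULN_DB = [
    Vuln("V-1001", "smtp", "Sendmail", "8.12"),
    Vuln("V-1002", "smtp", "Sendmail", "8.13"),
    Vuln("V-1003", "smtp", "Exim", "4.6"),
    Vuln("V-2001", "http", "Apache", "2.0"),
    Vuln("V-2002", "http", "Apache", "2.2"),
]

# Services with a service ID in the RNA database (constructed). A service
# added by a custom detector, such as "acme-ctl" below, is not among them.
KNOWN_SERVICES = {"smtp", "http", "ftp"}


def map_vulnerabilities(traffic: ServiceTraffic, policy: Dict[str, bool],
                        db: List[Vuln] = VULN_DB) -> Set[str]:
    """Return the vulnerability IDs RNA would add to the host profile.

    policy maps a service name to its Vulnerability Mapping check box
    (True = map vulnerabilities for traffic without vendor or version).
    Services absent from the policy are treated as unchecked (assumption).
    """
    if traffic.service not in KNOWN_SERVICES:
        return set()                                   # custom service
    if traffic.vendor and traffic.version:             # exact match only
        return {v.vid for v in db
                if v.service == traffic.service
                and v.vendor == traffic.vendor and v.version == traffic.version}
    if policy.get(traffic.service, False):             # versionless, enabled
        return {v.vid for v in db if v.service == traffic.service}
    return set()                                       # versionless, disabled


def build_host_profiles(flows: List[ServiceTraffic],
                        policy: Dict[str, bool]) -> Dict[str, Set[str]]:
    """Accumulate mapped vulnerabilities per host over a batch of traffic."""
    profiles: Dict[str, Set[str]] = {}
    for t in flows:
        profiles.setdefault(t.host, set()).update(map_vulnerabilities(t, policy))
    return profiles


# Constructed sample traffic: the page's SMTP-without-version case plus a
# versioned SMTP banner, a versioned HTTP banner and a custom-detector service.
SAMPLE_FLOWS = [
    ServiceTraffic("10.0.0.5", "smtp"),                         # no vendor/version
    ServiceTraffic("10.0.0.6", "smtp", "Sendmail", "8.13"),     # versioned
    ServiceTraffic("10.0.0.6", "http", "Apache", "2.2"),
    ServiceTraffic("10.0.0.7", "acme-ctl"),                     # custom service
]
POLICY_SMTP_ON = {"smtp": True, "http": False}
POLICY_SMTP_OFF = {"smtp": False, "http": False}

if __name__ == "__main__":
    for name, pol in (("SMTP enabled", POLICY_SMTP_ON), ("SMTP disabled", POLICY_SMTP_OFF)):
        print(name, build_host_profiles(SAMPLE_FLOWS, pol))
```

Enabling a service on the Vulnerability Mapping page is a coverage-versus-noise trade: the versionless SMTP host in the sample acquires every SMTP vulnerability in the database, so an intrusion event against it will correlate as Vulnerable whether or not that particular mail server is affected, while leaving the service disabled means the host carries no SMTP vulnerabilities at all until a banner with a vendor and version is seen.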

To configure vulnerability mapping for services:
Access: Admin
1. Select Operations > System Policy. The System Policy page appears.
2. You have two options:
• To modify active fingerprint source settings in an existing system policy, click Edit next to the system policy.
• To configure active fingerprint source settings as part of a new system policy, click Create Policy. Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.
In either case, the Access List page appears.
3. Click Vulnerability Mapping. The Vulnerability Mapping page appears.
4. You have two options:
• To prevent vulnerabilities for a service from being mapped to hosts that receive service traffic without vendor or version information, clear the check box for that service.
• To cause vulnerabilities for a service to be mapped to hosts that receive service traffic without vendor or version information, select the check box for that service.
TIP! You can select or clear all check boxes at once using the check box next to Enable.
5. Click Save Policy and Exit. The system policy is updated. Your changes do not take effect until you apply the system policy to the Defense Center and its managed sensors. See Applying a System Policy on page 324 for more information.

Chapter 10
Configuring System Settings

The system settings include a series of linked pages that you can use to view and modify settings on your appliance. Contrast the system settings, which are likely to be specific to a single appliance, with a system policy, which controls aspects of an appliance that are likely to be similar across a deployment. See Managing System Policies on page 320 for more information.

The System Settings Options table describes the options you can configure in the system settings.

System Settings Options

Information
Allows you to view current information about the appliance. You can also change the appliance name. See Viewing and Modifying the Appliance Information on page 362 for more information.

License
Provides you with options for managing your current licenses and for adding additional feature licenses on the platforms that support them. See Understanding Licenses on page 364 for more information.

Network
Enables you to change options such as the IP address, hostname, and proxy settings of the appliance that were initially set up as part of the installation. See Configuring Network Settings on page 377 for more information.

Network Interface
Allows you to view and modify the settings for the network interfaces on your appliance. See Editing Network Interface Configurations on page 380 for more information.

Process
Provides options that you can use to:
• shut down the appliance
• reboot the appliance
• restart the Sourcefire 3D System-related processes
See Shutting Down and Restarting the System on page 382 for more information.

Remote Management
On the Defense Center, enables you to specify values for the internal network and management port that the Defense Center uses to communicate with its managed sensors and high availability peer. See Configuring the Communication Channel on page 383 for more information.
On the 3D Sensor, enables you to establish communications with a Defense Center from the sensor. See Configuring Remote Access to the Defense Center on page 386 for more information.

Time
Displays the current time. If the time synchronization setting in the current system policy for the appliance is set to Manual, you can use this page to change the time. See Setting the Time Manually on page 389 for more information.

System Settings Options (Continued)

Health Blacklist
On the Defense Center, allows you to temporarily disable health monitoring for a 3D Sensor to prevent the Defense Center from generating unnecessary health events. See Blacklisting Health Modules on page 391 for more information.

NetFlow Devices
On the Defense Center, allows you to specify the NetFlow-enabled devices you want to use to collect flow data. See Specifying NetFlow-Enabled Devices on page 392 for more information.

Remote Storage
On Series 2 DC1000 and DC3000 Defense Centers, allows you to configure remote storage for backups and reports. See Managing Remote Storage on page 393 for more information.

To configure the system settings:
Access: Admin
Select Operations > System Settings. The Information page appears, with a list on the left side of the page that you can use to access other system settings.

Viewing and Modifying the Appliance Information
Requires: Any

The Information page provides you with information about the Defense Center or 3D Sensor. The information includes view-only information such as the product name and model number, the operating system and version, and the current appliance-level policies. The page also provides you with an option to change the name of the appliance. The Series 2 DC1000 or DC3000 Defense Center version of the page is shown below.

IMPORTANT! You cannot view sensor information for Intrusion Agents.

The Appliance Information table describes each field.

Appliance Information

Name
A name you assign to the appliance. Note that this name is only used within the context of the Sourcefire 3D System. Although you can use the hostname as the name of the appliance, entering a different name in this field does not change the hostname.

Product Model
The model name for the appliance.

Software Version
The version of the software currently installed.

Store Events Only on Defense Center
Enable this check box to store event data on the Defense Center, but not the managed sensor. Clear this check box to store event data on both appliances.

Prohibit Packet Transfer to the Defense Center
Enable this check box to prevent the managed sensor from sending packet data with the events. Clear this check box to allow packet data to be stored on the DC with events.

Operating System
The operating system currently running on the appliance.

Operating System Version
The version of the operating system currently running on the appliance.

IP Address
The IP address of the appliance.

Current Policies
The appliance-level policies currently applied to the appliance. If a policy has been updated since it was last applied, the name of the policy appears in italics.

Model Number
The model number for the appliance. This number can be important for troubleshooting.

The Defense Center version of the page is shown below. For comparison, the 3D Sensor version of the page is shown below.

To modify the appliance information:
Access: Admin
1. Select Operations > System Settings. The Information page appears.
2. To change the appliance name, type a new name in the Name field.
WARNING! The name must consist of alphanumeric characters and should not be composed of numeric characters only.
3. To save your changes, click Save. The page refreshes and your changes are saved.

Understanding Licenses
Requires: Any

You can license a variety of products and features to create your optimal deployment. The Sourcefire 3D System requires that you enable IPS by applying a product license file to each appliance as part of the installation process. For Defense Centers, you can also add feature licenses such as RNA host licenses and Intrusion Agent licenses.

See the following for more information:
  • Understanding Feature Licenses on page 366
  • Verifying Your Product License on page 368
  • Managing Your Feature Licenses on page 370

You can use a variety of appliances and optional features in your deployment. To understand why and when to use these licenses, see the Sourcefire Licenses table on page 365.

Sourcefire Licenses (You apply a... / to... / so that you can... / For more information)
  Product License: apply to a 3D Sensor or a Defense Center during installation, so that you can use IPS on that appliance. For information on adding a product license, see Sourcefire 3D Sensor Installation Guide and Sourcefire Defense Center Installation Guide. For information on IPS, see Introduction to Sourcefire IPS in Sourcefire 3D System Analyst Guide.
  Feature License: apply to a Defense Center at any time, so that you can use additional features such as RNA, RUA, and so on. For information on how to add a feature license, see Adding Feature Licenses on page 370. For information on how the various features function, see Understanding Feature Licenses on page 366.
  Virtual License: apply to a Defense Center at any time, so that you can use virtual machines. For information on how to use virtual appliances, see Sourcefire Virtual Defense Center and 3D Sensor Installation Guide.

TIP! You can view your licenses by using the Product Licensing widget in the dashboard. See Understanding the Product Licensing Widget on page 84 for more information.

Understanding Feature Licenses
The Feature Licenses table describes how to determine which features to license for your deployment.

Feature Licenses (If you want to... / you need a license for...)
  capture and export data about the traffic that passes through NetFlow-enabled devices: NetFlow
  monitor hosts on your network (including hosts discovered by NetFlow-enabled devices) to observe your network traffic to analyze a complete, up-to-the-minute profile of your network: RNA Hosts
  correlate threat, endpoint, and network intelligence with user identity information to identify the source of policy breaches, attacks, or network vulnerabilities: RUA Users and either RNA Hosts or the product license (or both)
  transmit events generated by open source Snort installations to the Defense Center: Intrusion Agents
  use IPS with Crossbeam Systems X-Series: IPS Software Sensors

NetFlow
NetFlow is an embedded instrumentation within Cisco IOS Software that characterizes network operation. Standardized through the RFC process, NetFlow is available not only on Cisco networking devices, but can also be embedded in Juniper, FreeBSD, and OpenBSD devices. NetFlow-enabled devices are widely used to capture and export data about the traffic that passes through those devices. The NetFlow cache stores a record of every flow (a sequence of packets that represents a connection between a source and destination host) that passes through the devices.

The Sourcefire 3D System uses RNA detection engines on 3D Sensors to analyze NetFlow data. You can deploy NetFlow-enabled devices on networks that your sensors cannot monitor, and use NetFlow data to monitor those networks. Although you can use NetFlow-enabled devices exclusively to monitor your network, your deployment must include at least one 3D Sensor with RNA that can communicate with your NetFlow-enabled devices. You must use a Defense Center to configure NetFlow data collection and to view the collected data. For more information, see Introduction to NetFlow in the Sourcefire 3D System Analyst Guide.

RNA Host
Sourcefire RNA allows your organization to confidently monitor and protect your network using a combination of forensic analysis, behavioral profiling, and built-in alerting and remediation. 3D Sensors with RNA passively observe your organization’s network traffic and analyze it to provide you with a complete, up-to-the-minute profile of your network. By default, RNA is installed on most 3D Sensors. (The 3D9800 does not support RNA.) Sourcefire also makes key components of RNA available in installation packages for Red Hat Linux servers and Crossbeam Systems security switches.

However, you must manage 3D Sensors with RNA with a Defense Center, to control how network intelligence is gathered and to view the resulting information. In addition, to enable RNA functionality, that Defense Center must have an RNA host license installed and the 3D Sensor must have a product license installed. For more information, see Introduction to Sourcefire RNA in the Sourcefire 3D System Analyst Guide.

RUA Host
Sourcefire Real-time User Awareness, also called RUA, allows your organization to correlate threat, endpoint, and network intelligence with user identity information. By linking network behavior, traffic, and events directly to individual users, RUA can help you to identify the source of policy breaches, attacks, or network vulnerabilities, block users or user activity, and take action to protect others from disruption. These capabilities also significantly improve audit controls and enhance regulatory compliance, as well as mitigate risk. If your organization uses LDAP, you can use the user information on your LDAP server to augment the Defense Center’s database of user identity information with available metadata. All RUA deployments require a Defense Center that has an RUA feature license installed. For more information, see Using Sourcefire RUA in the Sourcefire 3D System Analyst Guide.

Intrusion Agent
If you have an existing installation of Snort®, you can install an Intrusion Agent to forward intrusion events to a Defense Center. You can then analyze the events detected by Snort alongside your other data. If the network map on the Defense Center has entries for the target host in a given event, the Defense Center assigns impact flags to the events. Although you cannot manage policies or rules for an Intrusion Agent from the Defense Center, you can do analysis and reporting on those events. You can continue to manually tune Snort rules and preprocessors with the Intrusion Agent in place. For more information, see Sourcefire 3D System Intrusion Agent Configuration Guide.

IPS Software Sensor
An IPS Software Sensor allows you to use 3D Sensor Software for X-Series on a Crossbeam® Next Generation Security Platform to gather network intelligence and intrusion information. For more information, see Sourcefire Crossbeam Installation Guide XOS.

Verifying Your Product License
Requires: Any
During installation, the user who sets up the appliance adds the software license as part of the process. In most cases, you do not need to re-install the license. For information on adding, viewing, and deleting feature licenses, see Managing Your Feature Licenses on page 370.

To verify the product license file:
Access: Admin
1. Select Operations > System Settings. The Information page appears.
2. Click License. The License page appears.

3. Under Product Licenses, click Edit. The Manage License page appears.
4. Click Verify License.
   • If the license file is valid, a message appears under the License field. Do not proceed to step 5.
   • If the license file is invalid, you will receive an error message. Continue with step 5 to obtain a license and install it.
5. Copy the license key at the bottom of the page and browse to https://keyserver.sourcefire.com/. The Licensing Center web site appears.
   IMPORTANT! If your web browser cannot access the Internet, you must switch to a host that can access it.
6. Follow the on-screen instructions for an appliance license to obtain your license file, which will be sent to you in an email.
7. Copy the license file from the email, paste it into the License field (as shown in Step 3), and click Submit License. If the license file is correct, the license is added to the appliance, and the features for the appliance are available in the web interface.
   IMPORTANT! If you purchased a feature license, click Add New License and add it using the Add Feature License page. For more information about feature licenses, see Managing Your Feature Licenses on page 370.

Before beginning. you can request it from the web interface.Configuring System Settings Understanding Licenses Chapter 10 Managing Your Feature Licenses Requires: DC The Defense Center uses feature licenses to allow for additional features. See the following sections for more information: • • • Adding Feature Licenses on page 370 Viewing Feature Licenses on page 372 Configuring Network Settings on page 377 Adding Feature Licenses Requires: DC If you need to obtain a feature license for a feature you purchased. you should have the 12-digit feature license serial number provided by Sourcefire when you purchased the licensable feature. you can find it by logging into the Sourcefire Support Site (https://support. it will not receive data from your NetFlow-enabled devices.9.1 Sourcefire 3D System Administrator Guide 370 . which allow you to use 3D Sensor Software with IPS on Crossbeam Systems security switches When you purchase license packs for any licensable feature. If you do not have the serial number. which specify the number of NetFlow-enabled devices you can use to gather flow data RNA host licenses.sourcefire. IMPORTANT! Both Defense Centers in a high-availability pair must have NetFlow licenses for at least the number of NetFlow-enabled devices you are using.com/). If one Defense Center does not have a NetFlow license. which specify the number of hosts that you can monitor with RNA RUA licenses. The serial number appears in the Sourcefire Software & Licenses section. clicking Account. which allow you to use intrusion agents 3D Virtual Sensors. you must add them to the Defense Center from the web interface. Version 4. Feature licenses include: • • • • • • NetFlow licenses. which allow you to use the RUA feature Intrusion Agent licenses. then clicking Products & Contracts. which allow you use virtual sensors in your deployment IPS licenses for Crossbeam.

To add a license:
Access: Admin
1. Select Operations > System Settings. The Information page appears.
2. Click License. The License page appears.
3. Click Add New License. The Add Feature License page appears.

4. Copy the license key at the bottom of the page and browse to https://keyserver.sourcefire.com/. The Licensing Center web site appears.
   IMPORTANT! If your web browser cannot access the Internet, you must switch to a host that can access it.
5. Follow the on-screen instructions for a feature license to obtain your license file, which will be sent to you in an email.
6. After you receive an email with the feature license file, copy the license file from the email, paste it into the License field, and click Submit License. If the license file is correct, the license is added to the appliance, and the licensed feature is available. You can repeat this process for each feature license you need to add.

TIP! Your Defense Center can have multiple feature licenses (for example, one or more licenses for RNA Hosts in addition to one or more licenses for Intrusion Agents, and so on). Note that there is only one product license.

Viewing Feature Licenses
Requires: DC
The licenses page displays the product and feature licenses that you have added to the Defense Center. The first license that appears shows the Defense Center’s product license, which shows the license status, model code, node (MAC address), and expiration date, and provides a link that allows you to view or edit the license. For more information about viewing and modifying product licenses, see Verifying Your Product License on page 368.

If you have feature or host licenses installed, they appear itemized below the product license. A summary of your licenses appears below the itemized list, and shows the total number of hosts, connections, exporters, virtual appliances, RUA, or users allowed by the sum of your feature or host licenses.

TIP! You can also view licenses by using the Product Licensing widget on the dashboard. See Understanding the Product Licensing Widget on page 84 for more information.

The NetFlow License Columns table describes each column that appears in a NetFlow license.

NetFlow License Columns
  Feature ID: Displays the ID number that corresponds with the feature being licensed.
  Serial Number: Displays the feature serial number.
  Status: Indicates if the license is valid, invalid, or if a temporary license has expired.
  Model: Displays the appliance model number.
  Allowed NetFlow Exporters: Lists the number of NetFlow-enabled devices that the license allows you to use.
  Node: Displays the appliance’s MAC address.
  Expires: Displays the date and time that the feature license expires.
  Action: Allows you to delete the feature license by clicking Delete.

The RNA Host License Columns table describes each column that appears in an RNA host license.

RNA Host License Columns
  Feature ID: Displays the ID number that corresponds with the feature being licensed.
  Serial Number: Displays the feature serial number.
  Status: Indicates if the license is valid, invalid, or if a temporary license has expired.
  Number of Hosts: Lists the number of monitored hosts added by the license.
  Model: Displays the appliance model number.
  Node: Displays the appliance’s MAC address.

RNA Host License Columns (Continued)
  Expires: Displays the date and time that the feature license expires.
  Action: Allows you to delete the host license by clicking Delete.

The RUA License Columns table describes each column that appears in an RUA host license.

RUA License Columns
  Feature ID: Displays the ID number that corresponds with the feature being licensed.
  Serial Number: Displays the feature serial number.
  Status: Indicates if the license is valid, invalid, or if a temporary license has expired.
  Model: Displays the appliance model number.
  Number of Users: Lists the number of monitored users added by the license.
  Node: Displays the appliance’s MAC address.
  Expires: Displays the date and time that the feature license expires.
  Action: Allows you to delete the feature license by clicking Delete.

The Intrusion Agent License Columns table describes each column that appears in an intrusion agent license.

Intrusion Agent License Columns
  Feature ID: Displays the ID number that corresponds with the feature being licensed.
  Serial Number: Displays the feature serial number.

Intrusion Agent License Columns (Continued)
  Status: Indicates if the license is valid, invalid, or if a temporary license has expired.
  Model: Displays the appliance model number.
  Swagent Max Connections: Lists the maximum number of software agent connections allowed by the license.
  Node: Displays the appliance’s MAC address.
  Expires: Displays the date and time that the feature license expires.
  Action: Allows you to delete the feature license by clicking Delete.

The Virtual 3D Sensor License Columns table describes each column that appears in a Virtual 3D Sensor license.

Virtual 3D Sensor License Columns
  Feature ID: Displays the ID number that corresponds with the feature being licensed.
  Serial Number: Displays the feature serial number.
  Status: Indicates if the license is valid, invalid, or if a temporary license has expired.
  Model: Displays the appliance model number.
  Allowed Virtual Sensors: Lists the maximum number of Virtual 3D Sensors allowed by the license.
  Node: Displays the appliance’s MAC address.
  Throughput Limit: Displays the maximum capacity licensed for processing by the Virtual 3D Sensor (20, 45, 100, or 250MB).
    IMPORTANT! These speeds are not a guaranteed throughput for the Virtual 3D Sensor you license. Maximum throughput is limited by other factors such as number of Virtual Machines on your VMware server, its connections, and other physical hardware constraints.

Virtual 3D Sensor License Columns (Continued)
  Expires: Displays the date and time that the feature license expires.
  Action: Allows you to delete the feature license by clicking Delete.

The IPS Software License Columns table describes each column that appears in an IPS Software license.

IPS Software License Columns
  Feature ID: Displays the ID number that corresponds with the feature being licensed.
  Serial Number: Displays the feature serial number.
  Status: Indicates if the license is valid, invalid, or if a temporary license has expired.
  Model: Displays the appliance model number.
  Node: Displays the appliance’s MAC address.
  Expires: Displays the date and time that the feature license expires.
  Action: Allows you to delete the feature license by clicking Delete.

To view or delete your feature licenses:
Access: Admin
1. Select Operations > System Settings. The Information page appears.

2. Click License. The License page appears, showing the product license and any feature licenses you have added.
3. For the feature that you want to delete, click Delete in the Action column.

Configuring Network Settings
Requires: Any
With some exceptions, your Sourcefire 3D System provides a dual stack implementation so that you can choose IPv4, IPv6, or both IPv4 and IPv6 network settings in System Settings. The exceptions include software sensors or 3Dx800 sensors. You must use native applications, such as command line interfaces, third-party user interfaces, or the operating system interface, to manage network settings for software sensors or 3Dx800 sensors:
  • For more information on configuring settings for Crossbeam-based software sensors, see the Sourcefire 3D Sensor Software for X-Series Installation Guide.
  • For more information on configuring settings for RNA Software for Red Hat Linux, see the Sourcefire RNA Software for Red Hat Linux Configuration Guide.
  • For more information on configuring settings for Intrusion Agents, see the Intrusion Agent Configuration Guide.
  • For more information on configuring settings for 3Dx800 appliances, see the 3D Sensor Installation Guide.
  • For more information on configuring settings for Virtual 3D Sensors, see the Virtual Defense Center and 3D Sensor Installation Guide.

You have the following configuration options:
  • Disabled (IPv4 or IPv6)
  • Manual (IPv4 and IPv6)
  • DHCP (IPv4 and IPv6)
  • Router assigned (IPv6 only)

If you specify Manual, you must manually configure all network properties. If you specify DHCP, the appliance automatically retrieves its network settings from a local DHCP server. If, in the case of IPv6, you specify Router assigned, the appliance retrieves its network settings from a local router.

Manual Network Configuration Settings
  Management Interface Address and either IPv4 Netmask or IPv6 Prefix Length: The IP address for the management interface. This is the network through which Defense Centers and sensors communicate. In most installations, the management interface is connected to an internal, protected network.
    • For IPv4, you must set the address and netmask in dotted decimal form (for example: a netmask of 255.255.0.0).
    • For IPv6, you must set the address in colon-separated hexadecimal form and the number of bits in the prefix (for example: a prefix length of 112).
  Default Network Gateway: The IP address of the gateway device for your network
  Hostname: The DNS-resolvable name for the appliance
    IMPORTANT! If you change the hostname, the new name is not reflected in the syslog until after you reboot the appliance.
  Domain: The fully-qualified domain name where the appliance resides
  Primary DNS Server: The IP address of the DNS server for the network where the appliance resides
  Secondary DNS Server: A secondary DNS server’s IP address
  Tertiary DNS Server: A tertiary DNS server’s IP address

If the appliance is not directly connected to the Internet, you can configure a proxy server to be used when downloading updates and SEUs. By default, the appliance is configured to directly connect to the Internet.

To configure network settings:
Access: Admin
1. Select Operations > System Settings. The Information page appears.

2. Click Network. The Network page appears.
3. Specify which IP version (v4, v6, or both) you want to use by selecting the Configuration from the IPv4 and IPv6 settings:
   • Select Disabled to use only the alternative IP version (for example, if your network uses only IPv6, in the IPv4 section select Disabled).
   • Select Manual to manually specify network settings.
   • Select DHCP to allow DHCP server network setting resolution.
   • Select Router assigned (an IPv6-only configuration) to allow router assigned network setting resolution.
4. If you selected Manual, specify the network settings. See the Manual Network Configuration Settings table on page 378 for a full description of each field you can configure. You can change the Shared Settings (hostname, domain, and domain servers) if you use manual or router assigned configurations.

5. To configure a proxy server, you have two options:
   • If you have a direct connection from the appliance to the Internet, select Direct connection.
   • If your appliance is not directly connected to the Internet, select Manual proxy configuration and enter the IP address or fully qualified domain name of your proxy server in the HTTP Proxy field and the port in the Port field.
   By default, appliances are configured to connect directly to the Internet. If your network uses a proxy, you can identify a proxy server to be used when downloading updates and rules.
6. Click Save. The network settings are changed.

Editing Network Interface Configurations
Requires: DC or 3D Sensor
You can use the Network Interface page to modify the default settings for each network interface on your appliance. You must configure 3Dx800 interfaces on the 3Dx800 CLI.

WARNING! Do not modify the settings for the management interface unless you have physical access to the appliance. It is possible to select a setting that makes it difficult to access the web interface.

If you change the link mode for a sensing interface, the sensor drops traffic while the network interface card renegotiates its network connection. Any changes you make to the Auto Negotiate value are ignored for Gigabit interfaces.

To edit a network interface:
Access: Admin
1. You have two choices:
   • To configure network interfaces from a 3D Sensor, select Operations > System Settings.
   • To configure network interfaces from a Defense Center, select Operations > Sensor, then click Edit next to the 3D Sensor.
   The System Settings page appears.

2. Click Network Interface. The Network Interface page appears, listing the current settings for each interface on your appliance.
3. Click Edit next to the interface that you want to modify. The current settings for the interface appear. These settings include:
   • interface name
   • sensor name
   • interface type, either Sensing or Management
   • interface description
   • whether the interface is configured to auto-negotiate speed and duplex settings

   • whether the interface is configured for MDI (medium dependent interface), MDIX (medium dependent interface crossover), or Auto mode (Series 2 3D Sensors only). N/A in this column indicates that the interface does not support MDI/MDIX
   • the current link mode, including the bandwidth and duplex setting (Full or Half). N/A indicates that there is no link for the interface
   You can modify the interface name and description, MDI/MDIX settings, and the link mode as needed. If you need to specify a link mode, keep the following in mind:
   • In the Auto Negotiate field, select Off only if you require a specific link mode setting. Any changes you make to the Auto Negotiate value are ignored for Gigabit interfaces. You cannot change the Auto Negotiate setting for 10Gb interfaces. If you need to specify a link mode, select it in the Link Mode field.
   • Series 2 3D Sensors only: If you disable auto negotiation and specify a link mode, you must also set the MDI/MDIX field to the required MDI or MDIX mode. Normally, MDI/MDIX is set to Auto, which automatically handles switching between MDI and MDIX to attain link. However, when you set a specific link mode, automatic MDI/MDIX handling is disabled, making it impossible for the endpoints to attain link unless you manually set the required MDI/MDIX mode.
   You must configure 3Dx800 interfaces on the 3Dx800 CLI.
4. Click Save. The Network Interface page appears again.

Shutting Down and Restarting the System
Requires: Any
You have several options for controlling the processes on your appliance. You can:
  • shut down the appliance
  • reboot the appliance
  • restart communications, database, and http server processes on the appliance (this is typically used during troubleshooting)
  • restart the RNA and Snort processes (Snort runs on the 3D Sensor only if you are licensed to use IPS)

IMPORTANT! If you shut down the appliance, the process shuts down the operating system on the appliance, but does not physically shut off power. To shut off power to the appliance, you must press the power button on the appliance, or, for an appliance without a power button, unplug it.

To shut down or restart your appliance:
Access: Admin
1. Select Operations > System Settings. The Information page appears.
2. Click Process. The Appliance Process page appears. The Defense Center version of the page is shown below.
3. Specify the command you want to perform:
   For DC/MDC
   • To shut down the Defense Center, click Run Command next to Shutdown Defense Center.
   • To reboot the system, click Run Command next to Reboot Defense Center. Note that this logs you out of the Defense Center.
   • To restart the Defense Center, click Run Command next to Restart Defense Center Console. Note that restarting the Defense Center may cause deleted hosts to reappear in the network map.
   For 3D Sensor
   • To shut down the 3D Sensor, click Run Command next to Shutdown Appliance.
   • To reboot the system, click Run Command next to Reboot Appliance. Note that this logs you out of the 3D Sensor.
   • To restart the 3D Sensor, click Run Command next to Restart Appliance Console.
   • To restart the Snort and RNA processes, click Run Command next to Restart Detection Engines.

Configuring the Communication Channel
Requires: DC + 3D Sensor
The default port for communications between the Defense Center, its managed sensors, and, if high availability is enabled, its high availability peer is 8305/tcp. The communication on port 8305 is bi-directional.

Version 4.8 and earlier Defense Centers and sensors use a range of internal network IP addresses called the management virtual network to transmit third-party communications such as NTP to managed sensors and, in high availability deployments, to its Defense Center peer. The default address range is 172.16.0.0/16. Enhancements in the current software eliminate the need for the management virtual network provided both the Defense Center and the sensors it manages are both using the current software. If both the Defense Center and all sensors have been upgraded to the current version, the management virtual network is unnecessary. However, if your Defense Center is running the current version of the software and the sensors it manages are running an older version of the software, you will need to use a management virtual network and ensure that it does not conflict with other communications on your network.

IMPORTANT! The management virtual network is required only when the Defense Center must communicate with sensors running an older version.

You must use native applications, such as command line interfaces, third-party user interfaces, or the operating system interface, to manage the communication channel sensor settings for Crossbeam-based software sensors, 3Dx800 sensors, and Intrusion Agents.
  • For more information on configuring settings for Crossbeam-based software sensors, see the Sourcefire 3D Sensor Software for X-Series Installation Guide.
  • For more information on configuring settings for RNA Software for Red Hat Linux, see the Sourcefire RNA Software for Red Hat Linux Configuration Guide.
  • For more information on configuring settings for Intrusion Agents, see the Intrusion Agent Configuration Guide.
  • For more information on configuring settings for 3Dx800 sensors, see the Sourcefire 3D Sensor Installation Guide.

For more information, refer to:
  • Setting Up the Management Virtual Network on page 384
  • Editing the Management Virtual Network on page 385

Setting Up the Management Virtual Network
Requires: DC + 3D Sensor
If the IP address range or the port conflicts with other communications on your network, you can specify different values, but make sure you do not enter a range that overlaps other local networks, including your management network. This is usually configured as part of the installation process, but you can change it later.

WARNING! The IP address range you specify for the Management Virtual Network must not conflict with any other local network. Doing so may break communications between hosts on the local network.

IMPORTANT! Master Defense Centers do not currently use a Management Virtual Network. You can not edit the Management Virtual Network field of a Master Defense Center. The field is filled with 0.0.0.0/24 to indicate that the Management Virtual Network is disabled on a Master Defense Center. The user interface prevents you from entering the address range for the management network.
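A mistake in the manual network settings on the management interface (see the Manual Network Configuration Settings table on page 378) can cut off web access to the appliance, and a management virtual network that overlaps a local network can break communications between hosts, so both are worth checking before they are entered in the web interface. The script below is an added example and is not part of the Sourcefire 3D System or this guide; it uses only the Python standard library `ipaddress` module. The /16 mask and the 172.16.0.0/16 default come from the guide; the sample addresses (documentation ranges 192.0.2.0/24 and 2001:db8::/32, the local network list, and the hostname) are constructed for the example.

```python
"""Pre-checks for manual network settings and the management virtual network.
Added example, not part of the Sourcefire 3D System; it only validates values
before you type them into the Network and Remote Management pages."""
import ipaddress
import re
from typing import List

# Constructed sample values (documentation address ranges, not from the guide).
SAMPLE_IPV4 = ("192.0.2.10", "255.255.255.0", "192.0.2.1")   # address, netmask, gateway
SAMPLE_IPV6 = ("2001:db8:0:1::10", 112, "2001:db8:0:1::1")    # address, prefix length, gateway
SAMPLE_LOCAL_NETWORKS = ["10.20.0.0/16", "198.51.100.0/24"]   # constructed local networks
DEFAULT_MVN = "172.16.0.0/16"                                 # default range stated in the guide

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_hostname(hostname: str) -> List[str]:
    """Return problems with a DNS-resolvable hostname (empty list if it is fine)."""
    if not hostname or len(hostname) > 253:
        return [f"hostname {hostname!r} is empty or longer than 253 characters"]
    labels = hostname.rstrip(".").split(".")
    return [f"hostname label {lbl!r} is not valid" for lbl in labels if not _LABEL.match(lbl)]


def check_manual_ipv4(address: str, netmask: str, gateway: str) -> List[str]:
    """Validate dotted-decimal address and netmask (for example 255.255.0.0) and
    check that the default gateway is on the management network."""
    try:
        iface = ipaddress.IPv4Interface(f"{address}/{netmask}")  # rejects non-contiguous masks
    except ValueError as exc:
        return [f"IPv4 address/netmask invalid: {exc}"]
    problems: List[str] = []
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        problems.append(f"IPv4 gateway invalid: {exc}")
        return problems
    if gw not in net:
        problems.append(f"gateway {gw} is not inside {net}")
    elif gw == iface.ip:
        problems.append("gateway equals the interface address")
    return problems


def check_manual_ipv6(address: str, prefix_length: int, gateway: str) -> List[str]:
    """Validate a colon-separated hexadecimal address with a prefix length (for
    example 112); the gateway must be on-link or a link-local router address."""
    try:
        iface = ipaddress.IPv6Interface(f"{address}/{prefix_length}")
        gw = ipaddress.IPv6Address(gateway)
    except ValueError as exc:
        return [f"IPv6 settings invalid: {exc}"]
    if gw not in iface.network and not gw.is_link_local:
        return [f"gateway {gw} is not inside {iface.network} and not link-local"]
    return []


def check_management_virtual_network(mvn: str, local_networks: List[str]) -> List[str]:
    """The Management Virtual Network field takes a /16 (the mask is fixed) that
    must not overlap any local network, including the management network."""
    try:
        mvn_net = ipaddress.IPv4Network(mvn, strict=False)
    except ValueError as exc:
        return [f"management virtual network invalid: {exc}"]
    problems: List[str] = []
    if mvn_net.prefixlen != 16:
        problems.append(f"prefix length is /{mvn_net.prefixlen}; the field uses /16")
    for local in local_networks:
        local_net = ipaddress.IPv4Network(local, strict=False)
        if mvn_net.overlaps(local_net):
            problems.append(f"{mvn_net} overlaps local network {local_net}")
    return problems


def management_network_of(address: str, netmask: str) -> str:
    """CIDR of the management interface, to include in the local network list."""
    return str(ipaddress.IPv4Interface(f"{address}/{netmask}").network)


if __name__ == "__main__":
    addr, mask, gw = SAMPLE_IPV4
    local = SAMPLE_LOCAL_NETWORKS + [management_network_of(addr, mask)]
    report = (check_hostname("dc01.example.com")
              + check_manual_ipv4(addr, mask, gw)
              + check_manual_ipv6(*SAMPLE_IPV6)
              + check_management_virtual_network(DEFAULT_MVN, local))
    print("no problems found" if not report else "\n".join(report))
```

Run the checks with the management interface's own network added to the local list, as the `__main__` block does, because the guide says the virtual network must not overlap the management network itself; a link-local IPv6 gateway is accepted on purpose, since routers commonly advertise one.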

To configure the communications channel:
Access: Admin
1. Select Operations > System Settings. The Information page appears.
2. Click Remote Management. The Remote Management page appears.
3. In the Management Virtual Network field, enter the IP address range that you want to use. Master Defense Centers do not currently use a Management Virtual Network. You can not edit the Management Virtual Network field of a Master Defense Center. The field is filled with 0.0.0.0/24 to indicate that the Management Virtual Network is disabled on a Master Defense Center.
   TIP! The subnet mask is fixed at /16 (sixteen bits). Past versions of Sourcefire 3D Systems used a default /24 (twenty-four bit) CIDR address space, which provided enough addresses for 127 appliances. The current version uses a default /16 (sixteen bit) CIDR address space, which provides for a much greater number of appliances.
4. In the Management Port field, enter the port number that you want to use.
   WARNING! Changing the management port on the Defense Center requires that you also manually change the management port on every managed sensor.
5. Click Save to save your changes for both the IP address range and the port number. The new values are saved.

Editing the Management Virtual Network
Requires: DC + 3D Sensor
You can change the host IP or host name of the connected appliance. You can also regenerate the Virtual IP address, a feature that is especially useful after network reconfigurations or appliance updates. Typically, this function is used only under the direction of Sourcefire Support.

WARNING! If the Management Virtual Network is functioning properly, it should not be edited.

To edit the remote management virtual network:

Access: Admin

1. Select Operations > System Settings. The Information page appears.
2. Click Remote Management. The Remote Management page appears.
3. Click Edit next to the host whose Management Virtual Network you want to change. The Edit Remote Management page appears.
4. Edit the name or host ID in the Name or Host fields as required.
5. Optionally, click Regenerate VIP to regenerate the IP address used by the virtual network.

TIP! The Regenerate VIP option is useful after you reconfigure your network or change the Sourcefire 3D System to take advantage of a larger address space.

6. After the appropriate management virtual network edits are made, click Save.

Configuring Remote Access to the Defense Center

Requires: DC + 3D Sensor

You must begin the procedure for setting up the management relationship between a Defense Center and a sensor on the sensor. Three fields are provided for setting up communications between appliances:

• Management Host: the hostname or IP address.
• Registration Key: the one-time use registration key.
• Unique NAT ID: a unique alphanumeric ID for use when registering sensors in NAT environments. See Working in NAT Environments on page 112 for more information.

Valid combinations include:

• Management Host and Registration Key used on both appliances
• Registration Key and Unique NAT ID used on the 3D Sensor, with Host, Registration Key, and Unique NAT ID used on the Defense Center
• Management Host, Registration Key, and Unique NAT ID used on the 3D Sensor, with Registration Key and Unique NAT ID used on the Defense Center

The Management Host or Host field (hostname or IP address) must be used on at least one of the appliances.

TIP! If you register a sensor to a Defense Center using a Registration Key and Unique NAT ID, but without a hostname or IP address, the Remote Management page displays the Unique NAT ID in the Host field.

WARNING! Leave the Management Port field at the top of the Remote Management page in the default setting in nearly all cases. If you must change the Management Port, see Setting Up the Management Virtual Network on page 384.

Sourcefire strongly recommends that you read Using the Defense Center on page 99 before you add sensors to the Defense Center.

To set up sensor management from the sensor:

Access: Admin

1. On the sensor's web interface, select Operations > System Settings. The Information page appears.
2. Click Remote Management. The Remote Management page appears.
3. Click Add Manager. The Add Remote Management page appears.
4. In the Management Host field, type the IP address or the hostname of the Defense Center that you want to use to manage the sensor.

WARNING! Make sure you use hostnames rather than IP addresses if your network uses DHCP to assign IP addresses.

Note that you can leave the Management Host field empty if the management host does not have a routable address. In that case, use both the Registration Key and the Unique NAT ID fields.

5. In the Registration Key field, type the one-time use registration key that you want to use to set up a communications channel between the sensor and the Defense Center.
6. Optionally, in the Unique NAT ID field, type a unique alphanumeric NAT ID that you want to use to identify the sensor.
7. Click Save. After the sensor confirms communication with the Defense Center, the Pending Registration status appears.
8. Access the Defense Center web interface and select Operations > Sensors. The Sensors page appears.
9. Click New Sensor. The Add New Sensor page appears.
10. Type the IP address or the hostname of the sensor you want to add in the Host field.

WARNING! Make sure you use hostnames rather than IP addresses if your network uses DHCP to assign IP addresses.

11. In the Registration Key field, type the same one-time use registration key that you used in step 5.
12. If you used a unique ID in step 6, type the same value in the Unique NAT ID field.
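The field combinations this section permits can be checked before you touch either web interface. The following is an added example, not Sourcefire code: it encodes the rules stated above (a registration key on both appliances that matches; a hostname or IP address on at least one appliance; a Unique NAT ID on both appliances whenever one side has no host), flags IP literals where the DHCP warning applies, and draws a fresh one-time registration key from the operating system's CSPRNG. The hostnames, NAT IDs and the key format below are assumptions.

```python
"""Consistency checks for the Remote Management registration fields.

Added example, not Sourcefire code. Encodes the valid combinations of the
Management Host / Host, Registration Key and Unique NAT ID fields described
in this section. Sample hostnames, IDs and the key format are constructed.
"""
import ipaddress
import secrets
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class RegistrationFields:
    host: Optional[str] = None              # Management Host (sensor) or Host (Defense Center)
    registration_key: Optional[str] = None  # one-time use key; must match on both sides
    unique_nat_id: Optional[str] = None     # needed when one side has no routable address


def new_registration_key(nbytes: int = 16) -> str:
    """Unguessable one-time registration key (URL-safe base64 is an assumed format;
    the guide only requires that the same key be typed on both appliances)."""
    return secrets.token_urlsafe(nbytes)


def is_ip_literal(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_registration(sensor: RegistrationFields, dc: RegistrationFields,
                       dhcp_in_use: bool = False) -> List[str]:
    """Return the list of problems; an empty list means the combination is valid."""
    problems: List[str] = []

    # The registration key is required on both appliances and must match.
    if not (sensor.registration_key and dc.registration_key):
        problems.append("registration key must be set on both appliances")
    elif sensor.registration_key != dc.registration_key:
        problems.append("registration keys differ")

    # A hostname or IP address must be present on at least one appliance.
    if not (sensor.host or dc.host):
        problems.append("Management Host or Host must be set on at least one appliance")

    # When either host field is empty, both appliances must carry the Unique NAT ID.
    if not (sensor.host and dc.host):
        if not (sensor.unique_nat_id and dc.unique_nat_id):
            problems.append("Unique NAT ID is required on both appliances when a host field is empty")
    if (sensor.unique_nat_id or dc.unique_nat_id) and sensor.unique_nat_id != dc.unique_nat_id:
        problems.append("Unique NAT ID must be identical on both appliances")

    # The guide's warning: use hostnames, not IP addresses, where DHCP assigns addresses.
    if dhcp_in_use:
        for side, fields in (("sensor", sensor), ("Defense Center", dc)):
            if fields.host and is_ip_literal(fields.host):
                problems.append(f"{side} uses an IP address but the network uses DHCP; use a hostname")
    return problems


# Constructed sample registrations.
KEY = new_registration_key()
# First valid combination: Management Host and Registration Key on both appliances.
PLAIN_SENSOR = RegistrationFields(host="dc.example.net", registration_key=KEY)
PLAIN_DC = RegistrationFields(host="sensor1.example.net", registration_key=KEY)
# Second valid combination: sensor behind NAT with no routable Management Host.
NAT_SENSOR = RegistrationFields(registration_key=KEY, unique_nat_id="branch7")
NAT_DC = RegistrationFields(host="sensor7.example.net", registration_key=KEY, unique_nat_id="branch7")

if __name__ == "__main__":
    for label, s, d in (("plain", PLAIN_SENSOR, PLAIN_DC), ("nat", NAT_SENSOR, NAT_DC)):
        print(label, check_registration(s, d) or "ok")
```

Run the checks with the values you intend to type on each appliance; a non-empty list means the Defense Center will never see the sensor leave Pending Registration.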

13. To add the sensor to a group, select the group from the Add to Group list. For more information about groups, see Managing Sensor Groups on page 131.
14. By default, IPS data is stored only on the Defense Center and not on the sensor. You can store IPS data on both the Defense Center and the sensor by clearing the Store Events and Packets Only on the Defense Center check box. Note that RNA data is never stored on the sensor.

IMPORTANT! 3Dx800 sensors and Crossbeam-based software sensors cannot store IPS data locally. You must store events on the Defense Center.

15. You can prevent packet data from leaving a sensor by checking the Prohibit Packet Transfer to the Defense Center check box.

IMPORTANT! If you elect to prohibit sending packets and you do not store events on the 3D Sensor, packet data is not retained anywhere. Packet data is often important for forensic analysis, so make sure at least one of the two locations keeps it before you enable this option.

16. Click Add. The sensor is added to the Defense Center. It can take up to two minutes for the Defense Center to verify the sensor's heartbeat and establish communication.

IMPORTANT! In some high availability deployments where network address translation is used, you may need to use the Add Manager feature to add the secondary Defense Center. Contact Sourcefire Support for more information.

Setting the Time Manually

Requires: Any

If the Time Synchronization setting in the currently applied system policy is set to Manual, then you can manually set the time for the appliance using the Time page in the system settings.

If the appliance is synchronizing its time based on NTP, you cannot change the time manually. Instead, the NTP Status section on the Time page provides the following information:

NTP Server: The IP address and name of the configured NTP server.

Status: The status of the NTP server time synchronization. The following states may appear:
• Being Used indicates that the appliance is synchronized with the NTP server.
• Available indicates that the NTP server is available for use but time is not yet synchronized.
• Not Available indicates that the NTP server is in your configuration but the NTP daemon is unable to use it.
• Pending indicates that the NTP server is new or the NTP daemon was recently restarted. Over time, its value should change to Being Used, Available, or Not Available.
• Unknown indicates that the status of the NTP server is unknown.

Offset: The number of milliseconds of difference between the time on the appliance and the configured NTP server. Negative values indicate that the appliance is behind the NTP server, and positive values indicate that it is ahead.

Last Update: The number of seconds that have elapsed since the time was last synchronized with the NTP server. The NTP daemon automatically adjusts the synchronization times based on a number of conditions. For example, if you see larger update times such as 300 seconds, that indicates that the time is relatively stable and the NTP daemon has determined that it does not need to use a lower update increment.

See Synchronizing Time on page 354 for more information about the time settings in the system policy.

To manually configure the time:

Access: Admin

1. Select Operations > System Settings. The Information page appears.

2. Click Time. The Time page appears.
3. From the list boxes that appear, select the following:
• year
• month
• day
• hour
• minute
4. If you want to change the time zone, click the time zone link located next to the date and time. A pop-up window appears.
5. Select your time zone and click Save and, after the time zone setting is saved, click Close to close the pop-up window. For more information about using the time zone page, see Setting Your Default Time Zone on page 34.
6. Click Apply. The time is updated.

Blacklisting Health Modules

Requires: DC/MDC

If you want to disable health events for all appliances with a particular health policy, you can blacklist the policy. If you need to disable the results of a group of appliances' health monitoring, you can blacklist the group of appliances. Once the blacklist settings take effect, the appliances report a disabled status in the Health Monitor Summary. For information on blacklisting individual or groups of appliances, see Blacklisting Health Policies or Appliances on page 535.

You can also blacklist individual health policy modules on appliances. You may want to do this to prevent events from the module from changing the status for the appliance to warning or critical. For example, if an appliance is temporarily disconnected from the management network, you can blacklist the Appliance Heartbeat module during that maintenance window. For information on blacklisting individual policy modules, see Blacklisting a Health Policy Module on page 537.

Specifying NetFlow-Enabled Devices

Requires: DC + RNA

If you have enabled the NetFlow feature on your NetFlow-enabled devices, you can use the flow data that these devices collect to supplement the flow data collected by 3D Sensors with RNA by specifying the devices and the networks they monitor in your RNA detection policy. One of the prerequisites for using NetFlow data is to use the system settings to specify the NetFlow-enabled devices you are going to use to collect the data. You must configure these NetFlow-enabled devices to export NetFlow version 5 data. For more information on using NetFlow data with the Sourcefire 3D System, including information on additional prerequisites, see Introduction to NetFlow in the Analyst Guide.

To add NetFlow-enabled devices for flow data collection:

Access: Admin

1. Select Operations > System Settings. The Information page appears.
2. Click NetFlow Devices. The NetFlow Devices page appears.
3. Click Add Device to add a NetFlow-enabled device.
4. In the IP Address field, enter the IP address of the NetFlow-enabled device you want to use to collect flow data.
5. To add additional NetFlow-enabled devices, repeat steps 3 and 4.
6. Click Save. The list of NetFlow-enabled devices is saved.

TIP! To remove a NetFlow-enabled device, click Delete next to the device you want to remove. Keep in mind that if you remove a NetFlow-enabled device from the system settings, you should also remove it from your RNA detection policy. For more information, see Editing an RNA Detection Policy in the Analyst Guide.

Managing Remote Storage

Requires: Series 2 DC

On Series 2 Defense Centers you can use local or remote storage for backups and reports. You can use Network File System (NFS), Secure Shell (SSH), or Server Message Block (SMB)/Common Internet File System (CIFS) for backup and report remote storage. You cannot send backups to one remote system and reports to another, but you can choose to send either to a remote system and store the other on the local Defense Center. Keep in mind that only Series 2 Defense Centers, and not Master Defense Centers, provide backup and report remote storage. You must ensure that your external remote storage system is functional and accessible from the Defense Center.

IMPORTANT! You cannot use remote backup and restore to manage data on Crossbeam-based software sensors, 3Dx800 sensors, RNA Software for Red Hat Linux, or Intrusion Agents.

TIP! After configuring and selecting remote storage, you can switch back to local storage only if you have not increased the RNA flow database limit.

For information on backup and restore, see Using Backup and Restore on page 413.

Select one of the backup and report storage options:

• To disable external remote storage and use the local Defense Center for backup and report storage, see Using Local Storage on page 393.
• To use NFS for backup and report storage, see Using NFS for Remote Storage on page 394.
• To use SSH for backup and report storage, see Using SSH for Remote Storage on page 395.
• To use SMB for backup and report storage, see Using SMB for Remote Storage on page 396.

Using Local Storage

Requires: Series 2 DC

You can store backups and reports on the local Defense Center.

To store backups and reports locally:

Access: Admin

1. Select Operations > System Settings. The Information page appears.

2. Click Remote Storage Device. The Remote Storage Device page appears.
3. At Storage Type, select Local (No Remote Storage).
4. Click Save. Your storage location choice is saved.

TIP! You do not use the Test button with local storage.

Using NFS for Remote Storage

Requires: Series 2 DC

You can select the Network File System (NFS) protocol to store your reports and backups.

To store backups and reports using NFS:

Access: Admin

1. Select Operations > System Settings. The Information page appears.
2. Click Remote Storage Device. The Remote Storage Device page appears.
3. At Storage Type, select NFS. The page refreshes to display the NFS storage configuration options.
4. Add the connection information:
• Enter the IP or hostname of the storage system in the Host field.
• Enter the path to your storage area in the Directory field.

5. If there are any required command line options, select Use Advanced Options. A Command Line Options field appears where you can enter the commands.
6. Under System Usage, select either or both of the following:
• Select Enable Remote Storage for Backups to store backups on the designated host.
• Select Enable Remote Storage for Reports to store reports on the designated host.
7. Optionally, click Test. The test ensures that the Defense Center can access the designated host and directory.
8. Click Save. Your remote storage configuration is saved.

Using SSH for Remote Storage

Requires: Series 2 DC

You can select the Secure Shell (SSH) protocol to store your reports and backups.

To store backups and reports using SSH:

Access: Admin

1. Select Operations > System Settings. The Information page appears.
2. Click Remote Storage Device. The Remote Storage Device page appears.
3. At Storage Type, select SSH. The page refreshes to display the SSH storage configuration options.
4. Add the connection information:
• Enter the IP or hostname of the storage system in the Host field.
• Enter the path to your storage area in the Directory field.
• Enter the storage system's user name in the Username field and the password for that user in the Password field.
• To use SSH keys, copy the content of the SSH Public Key field and place it in your authorized_keys file.
5. If there are any required command line options, select Use Advanced Options. A Command Line Options field appears where you can enter the commands.
6. Under System Usage, select either or both of the following:
• Select Enable Remote Storage for Backups to store backups on the designated host.
• Select Enable Remote Storage for Reports to store reports on the designated host.
7. Optionally, click Test. The test ensures that the Defense Center can access the designated host and directory.
8. Click Save. Your remote storage configuration is saved.

Using SMB for Remote Storage

Requires: Series 2 DC

You can select the Server Message Block (SMB) protocol to store your reports and backups.

To store backups and reports using SMB:

Access: Admin

1. Select Operations > System Settings. The Information page appears.
2. Click Remote Storage Device. The Remote Storage Device page appears.
3. At Storage Type, select SMB. The page refreshes to display the SMB storage configuration options.
4. Add the connection information:
• Enter the IP or hostname of the storage system in the Host field.
• Enter the share of your storage area in the Share field.
• Optionally, enter the domain name for the remote storage system in the Domain field.
• Enter the user name for the storage system in the Username field and the password for that user in the Password field.
5. If there are any required command line options, select Use Advanced Options. A Command Line Options field appears where you can enter the commands.
6. Under System Usage, select either or both of the following:
• Select Enable Remote Storage for Backups to store backups on the designated host.
• Select Enable Remote Storage for Reports to store reports on the designated host.
7. Optionally, click Test. The test ensures that the Defense Center can access the designated host and directory.
8. Click Save. Your remote storage configuration is saved.
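For the SSH option above, the Defense Center's public key has to be placed in the storage user's authorized_keys file. The following is an added example, not Sourcefire code, of doing that with the least privilege the account needs: the key is pinned to the Defense Center's source address with a from= option, the session features a file transfer does not need are switched off, the directory and file get the permissions sshd insists on, and re-running it does not duplicate the entry. The key line and addresses are constructed; the option names are standard OpenSSH authorized_keys options. No forced command is set, because the guide does not state which transfer mechanism the Defense Center uses, so the Test button on the Remote Storage Device page remains the check that the account still works after the change.

```python
"""Install the Defense Center's SSH public key for remote storage.

Added example, not Sourcefire code. Writes the pasted SSH Public Key into
authorized_keys pinned to the Defense Center's address with no-pty and the
forwarding options disabled. The key line and address are constructed.
"""
import os
import stat
import tempfile

RESTRICTIONS = ("no-pty", "no-agent-forwarding", "no-port-forwarding", "no-X11-forwarding")


def authorized_keys_entry(pubkey_line: str, dc_address: str) -> str:
    """Prefix an OpenSSH public key line with from= pinning and the restrictions."""
    parts = pubkey_line.split()
    if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-")):
        raise ValueError("expected an OpenSSH public key line")
    if any(c in dc_address for c in ' ",'):
        raise ValueError("address pattern must not contain spaces, quotes or commas")
    options = ",".join((f'from="{dc_address}"',) + RESTRICTIONS)
    return options + " " + " ".join(parts)


def install_entry(authorized_keys: str, entry: str) -> int:
    """Write the entry once, replacing any older line carrying the same key
    material, with 0700 on the directory and 0600 on the file. Returns the
    number of lines in the file afterwards."""
    key_material = entry.split()[2]  # options, key type, then the base64 body
    key_dir = os.path.dirname(authorized_keys)
    os.makedirs(key_dir, mode=0o700, exist_ok=True)
    os.chmod(key_dir, 0o700)
    lines = []
    if os.path.exists(authorized_keys):
        with open(authorized_keys) as f:
            lines = [ln.rstrip("\n") for ln in f if ln.strip()]
    kept = [ln for ln in lines if key_material not in ln.split()]
    kept.append(entry)
    with open(authorized_keys, "w") as f:
        f.write("\n".join(kept) + "\n")
    os.chmod(authorized_keys, 0o600)
    return len(kept)


def file_mode(path: str) -> int:
    return stat.S_IMODE(os.stat(path).st_mode)


# Constructed sample values; this is not a real key.
DC_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedExampleKeyMaterial sfdc@defense-center"
DC_ADDRESS = "192.0.2.10"


def demo_install() -> dict:
    """Install the sample key twice into a fresh temporary home directory and
    report what an auditor would check: line count, modes and the entry prefix."""
    home = tempfile.mkdtemp()
    path = os.path.join(home, ".ssh", "authorized_keys")
    entry = authorized_keys_entry(DC_PUBKEY, DC_ADDRESS)
    install_entry(path, entry)
    count = install_entry(path, entry)  # second run must not add a duplicate
    with open(path) as f:
        content = f.read()
    return {"path": path, "lines": count, "mode": file_mode(path),
            "dir_mode": file_mode(os.path.dirname(path)), "content": content}


if __name__ == "__main__":
    result = demo_install()
    print(f"{result['lines']} line(s) in {result['path']} (mode {result['mode']:o})")
    print(result["content"].strip())
```

Point the script at the real storage account's ~/.ssh/authorized_keys and the Defense Center's management address, then click Test on the Remote Storage Device page to confirm the restricted key still lets the Defense Center reach the directory.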

Chapter 11 Updating System Software

Use the Update feature to update the Sourcefire 3D System. Sourcefire electronically distributes several different types of updates:

• Patches include a limited range of fixes (and usually change the fourth digit in the version number, for example, 4.9.0.1).
• Feature updates are more comprehensive than patches and generally include new features (and usually change the third digit in the version number, for example, 4.9.1).
• Major and minor version releases include new features and functionality and may entail large-scale changes to the product (and usually change the first or second digit in the version number, for example, 4.9 or 5.9).
• Vulnerability database (VDB) updates affect the vulnerabilities reported by RNA as well as the operating systems, client applications, and services that RNA detects.

IMPORTANT! You cannot use the Update feature to update the SEU or Intrusion Agents. For information on updating your SEU, see Importing SEUs and Rule Files in the Analyst Guide. For information on Intrusion Agents, see the Intrusion Agent Configuration Guide.

You can obtain updates from the Sourcefire Support Site and then manually install them using the Patch Update Management page. If your deployment includes a Defense Center, you can use it to install updates on its managed 3D Sensors, including software sensors.

TIP! For patches, feature updates, and VDB updates, you can take advantage of the automated update feature; see Scheduling Tasks on page 425. However, for major updates to software sensors, you may need to uninstall the previous version and install the new version.

WARNING! This chapter contains general information on updating the Sourcefire 3D System. Before you update Sourcefire software, you must read the release notes that accompany the update. The release notes describe supported platforms, new features and functionality, known and resolved issues, warnings, and product compatibility. They also contain information on any prerequisites and specific installation and uninstallation instructions.

The following graphic shows the Defense Center version of the page. When you upload updates to your appliance, they appear on the page. The list of updates shows the type of each update, the version number, and the date and time it was generated. It also indicates whether a reboot is required as part of the update. Uploaded VDB updates also appear on the page, as do uninstaller updates, which are created when you install a patch to a Sourcefire appliance.

You can uninstall patches to the Sourcefire software using an appliance's local web interface. Uninstalling from the web interface is not supported for major version upgrades, nor is it supported for appliances that do not have local web interfaces.

See the following sections for more information:

• Installing Software Updates on page 400
• Uninstalling Software Updates on page 409
• Updating the Vulnerability Database on page 410

Installing Software Updates

Requires: Any

Sourcefire periodically issues updates to the Sourcefire 3D System software. Available on the Sourcefire Support Site, the release notes describe supported platforms, new features and functionality, known and resolved issues, warnings, and product compatibility; they also contain information on any prerequisites and specific installation and uninstallation instructions. Updating an appliance does not modify its configuration: the policies and network settings on the appliance remain intact.

TIP! This section explains how to plan for and perform manual software updates on your Sourcefire appliances. For patches and feature updates, you can take advantage of the automated update feature; see Automating Software Updates on page 430.

Note that for major updates to software sensors (Crossbeam-based software sensors and RNA for Red Hat Linux), you may need to uninstall the previous version and install the new version, as described in the release notes.

To update your Sourcefire 3D System appliances:

Access: Admin

1. Read the release notes for the update.
2. Make sure your appliances (including software sensors) are running the correct version of the Sourcefire 3D System. The release notes for the update indicate the required version. If you are running an earlier version, you can obtain updates from the Sourcefire Support Site.
3. Make sure the computers or appliances where you installed software sensors are running the correct versions of their operating systems. In particular, make sure that any Crossbeam Systems or Red Hat Linux platforms you are using to host Sourcefire software sensors are running the correct version of the operating system; see the release notes for more information.
4. Install the latest SEU on your appliances. You must install the latest SEU (see Importing SEUs and Rule Files in the Analyst Guide) on your appliances before you begin the update. You can obtain the SEU from the Sourcefire Support Site.

5. Make sure you have enough free disk space and allow enough time for the update. The release notes for the update indicate space and time requirements. When you update a managed sensor, the update requires additional disk space on the Defense Center.
6. Delete any backups that reside on the appliance, then back up current event and configuration data to an external location. Sourcefire strongly recommends that you delete or move any backup files that reside on your appliance, then back up current event and configuration data to an external location; event data is not backed up as part of the update process. For more information on the backup and restore feature, including the types of backups that are supported for your appliance, see Using Backup and Restore on page 413.
7. Update your Master Defense Centers. Always update Master Defense Centers first; see Updating a Defense Center or Master Defense Center on page 402.
8. Update your Defense Centers. After you update any Master Defense Centers in your deployment, you can update the Defense Centers they manage; see Updating a Defense Center or Master Defense Center on page 402. Note that when you begin to update one Defense Center in a high availability pair, the other Defense Center in the pair becomes the primary, if it is not already, and the paired Defense Centers stop sharing configuration information. In addition, paired Defense Centers do not receive software updates as part of the regular synchronization process. To ensure continuity of operations, do not update paired Defense Centers at the same time. First, complete the update procedure for one of the Defense Centers, then update the second Defense Center.
9. Update your managed 3D Sensors. After you update the Master Defense Centers and Defense Centers in your deployment, you can update your managed sensors (including software sensors). Sourcefire strongly recommends that you use your Defense Centers to update the sensors they manage. Note that you must use the Defense Center to update sensors that do not have a web interface, including Crossbeam-based software sensors, RNA for Red Hat Linux, and 3Dx800 sensors; see Updating Managed Sensors on page 404. However, for major updates to software sensors, you may need to uninstall the previous version and install the new version; see the release notes for more information.
10. Update your unmanaged 3D Sensors. See Updating Unmanaged 3D Sensors on page 406.
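The ordering rules in the procedure above, together with the version-digit convention from the start of this chapter, can be written down as a small planner so that a rollout across many appliances follows them every time. The following is an added example, not Sourcefire code: given an inventory, it names the update type by the first version digit that changes and emits the update phases in the order the guide requires (Master Defense Centers, then Defense Centers with a high availability pair split into consecutive phases, then managed sensors pushed from their Defense Center, grouped so that one push covers sensors that take the same update, then unmanaged sensors). The inventory, appliance names and model strings are constructed, and treating minor releases like major ones for the direct-download decision is an assumption.

```python
"""Update-order planner for a Sourcefire 3D System deployment.

Added example, not Sourcefire code. Applies the ordering rules of this
chapter to a constructed inventory and names the update type by which
version digit changes. Appliance names and model strings are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Appliance:
    name: str
    kind: str                         # "mdc", "dc" or "sensor"
    model: str = ""                   # sensors: different models take different updates
    managed_by: Optional[str] = None  # name of the managing Defense Center
    ha_peer: Optional[str] = None     # name of the HA partner (Defense Centers only)
    has_web_ui: bool = True           # False for sensors that can only be updated from a DC


def classify_update(current: str, target: str) -> str:
    """'major', 'minor', 'feature' or 'patch' by the first differing version digit."""
    cur = [int(p) for p in current.split(".")]
    tgt = [int(p) for p in target.split(".")]
    width = max(len(cur), len(tgt), 4)
    cur += [0] * (width - len(cur))
    tgt += [0] * (width - len(tgt))
    names = ("major", "minor", "feature", "patch")
    for pos, (a, b) in enumerate(zip(cur, tgt)):
        if a != b:
            return names[min(pos, len(names) - 1)]
    return "none"


def requires_manual_download(update_type: str) -> bool:
    """Direct download from the Support Site is not offered for major updates;
    this example treats minor releases the same way (assumption)."""
    return update_type in ("major", "minor")


def plan_update(appliances: List[Appliance]) -> List[Tuple[str, List[str]]]:
    """Ordered phases of (description, appliance names)."""
    by_name = {a.name: a for a in appliances}
    phases: List[Tuple[str, List[str]]] = []

    # 1. Master Defense Centers, one per phase, before anything they manage.
    for a in appliances:
        if a.kind == "mdc":
            phases.append(("update Master Defense Center", [a.name]))

    # 2. Defense Centers; members of an HA pair go in consecutive phases, never together.
    done = set()
    for a in appliances:
        if a.kind != "dc" or a.name in done:
            continue
        done.add(a.name)
        phases.append(("update Defense Center", [a.name]))
        if a.ha_peer and a.ha_peer not in done:
            done.add(a.ha_peer)
            phases.append(("update HA peer once the first member has finished", [a.ha_peer]))

    # 3. Managed sensors, pushed from their Defense Center; one phase per (DC, model).
    groups: Dict[Tuple[str, str], List[str]] = {}
    for a in appliances:
        if a.kind == "sensor" and a.managed_by:
            manager = by_name.get(a.managed_by)
            if manager is None or manager.kind != "dc":
                raise ValueError(f"{a.name}: managing Defense Center {a.managed_by!r} not in inventory")
            groups.setdefault((a.managed_by, a.model), []).append(a.name)
    for (dc, model), names in sorted(groups.items()):
        phases.append((f"push {model} update from {dc}", names))

    # 4. Unmanaged sensors, each from its own web interface (so it must have one).
    for a in appliances:
        if a.kind == "sensor" and not a.managed_by:
            if not a.has_web_ui:
                raise ValueError(f"{a.name}: no web interface and no managing Defense Center")
            phases.append(("update unmanaged sensor from its web interface", [a.name]))
    return phases


# Constructed inventory: one MDC, an HA pair of DCs, three managed sensors
# (two of one model, one 3Dx800 with no web interface) and one unmanaged sensor.
SAMPLE_INVENTORY = [
    Appliance("mdc1", "mdc"),
    Appliance("dc-a", "dc", ha_peer="dc-b"),
    Appliance("dc-b", "dc", ha_peer="dc-a"),
    Appliance("s1", "sensor", model="model-A", managed_by="dc-a"),
    Appliance("s2", "sensor", model="model-A", managed_by="dc-a"),
    Appliance("s3", "sensor", model="3Dx800", managed_by="dc-a", has_web_ui=False),
    Appliance("s4", "sensor", model="model-A"),
]

if __name__ == "__main__":
    kind = classify_update("4.9.0", "4.9.1")
    print(f"update type: {kind}; manual download required: {requires_manual_download(kind)}")
    for step, (what, names) in enumerate(plan_update(SAMPLE_INVENTORY), 1):
        print(f"{step}. {what}: {', '.join(names)}")
```

Feed the planner your own inventory; a ValueError means the inventory itself violates a rule (a sensor with no web interface and no managing Defense Center cannot be updated at all), which is better found before the change window than during it.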

Updating a Defense Center or Master Defense Center

Requires: DC/MDC

Use the procedure in this section to update your Defense Centers and Master Defense Centers. If your deployment includes Master Defense Centers, you must update them before you update the Defense Centers that they manage.

IMPORTANT! For major updates, updating the Defense Center removes any existing updates and patches, as well as their uninstall scripts, from the appliance.

Note that when you begin to update one Defense Center in a high availability pair, the other Defense Center in the pair becomes the primary, if it is not already, and the paired Defense Centers stop sharing configuration information. In addition, paired Defense Centers do not receive software updates as part of the regular synchronization process. To ensure continuity of operations, do not update paired Defense Centers at the same time. First, complete the update procedure for one of the Defense Centers, then update the second Defense Center.

You update the Defense Center in one of two ways, depending on the type of update and whether your Defense Center has access to the internet:

• You can use the Defense Center to obtain the update directly from the Support Site. Choose this option if your Defense Center has access to the internet and you are not performing a major update. This option is not supported for major updates.
• You can manually download the update from the Sourcefire Support Site and then upload it to the Defense Center. Choose this option if your Defense Center does not have access to the internet or if you are performing a major update.

To update the Defense Center or Master Defense Center:

Access: Admin

1. Read the release notes for the update and complete any required pre-update tasks. Pre-update tasks can include making sure that the Defense Center is running the correct version of the Sourcefire software, backing up event and configuration data, making sure you have enough free disk space to perform the update, making sure you have set aside adequate time to perform the update, and so on.

2. Make sure that the appliances in your deployment are successfully communicating and that there are no issues being reported by the health monitor.
3. Select Operations > Monitoring > Task Status to view the task queue and make sure that there are no jobs in process. The task queue automatically refreshes every 10 seconds. You must wait until any long-running tasks are complete before you begin the update. Tasks that are running when the update begins are stopped and cannot be resumed; you must manually delete them from the task queue after the update completes.
4. Upload the update to the Defense Center. You have two options, depending on the type of update and whether your Defense Center has access to the internet:
• For all except major releases, and if your Defense Center has access to the Internet, select Operations > Update to display the Patch Update Management page, then click Download Updates to check for the latest updates on the Support Site.
• For major releases, or if your Defense Center does not have access to the Internet, first manually download the update from the Sourcefire Support Site, then select Operations > Update to display the Patch Update Management page, click Upload Update, browse to the update, and click Upload. The update is uploaded to the Defense Center.

IMPORTANT! Download the update directly from the Support Site, either manually or by clicking Download Updates on the Patch Update Management page. If you transfer an update file by email, it may become corrupted.

5. Select Operations > Update. The Patch Update Management page appears, showing the type of update you just uploaded, its version number, and the date and time it was generated. The page also indicates whether a reboot is required as part of the update.
6. Click Install next to the update you uploaded. The Install Update page appears.

7. Under Selected Update, select the Defense Center and click Install.
8. If prompted, confirm that you want to install the update and reboot the Defense Center. The update process begins. You can monitor the update's progress in the task queue (Operations > Monitoring > Task Status).

WARNING! Do not use the web interface to perform any other tasks until the update has completed and (if necessary) the Defense Center reboots. Before the update completes, the web interface may become unavailable, or the Defense Center may log you out. This is expected behavior. If this occurs, log in again to view the task queue. If the update is still running, continue to refrain from using the web interface until the update has completed. If you encounter issues with the update (for example, if the task queue indicates that the update has failed or if a manual refresh of the task queue shows no progress), do not restart the update. Instead, contact Support.

9. After the update finishes, log into the Defense Center.
10. Clear your browser cache and force a reload of the browser. Otherwise, the user interface may exhibit unexpected behavior.
11. Select Operations > Help > About and confirm that the software version is listed correctly.
12. Verify that all managed sensors are successfully communicating with the Defense Center.
13. Update the VDB on your Defense Centers and the 3D Sensors with RNA that they manage; see Updating the Vulnerability Database on page 410.
14. Re-apply intrusion policies to the IPS detection engines on your managed 3D Sensors. Unless you enabled the Inspect Traffic During Policy Apply option when you created your IPS detection engines (this option is supported on many sensor models; see Creating a Detection Engine on page 193), applying an intrusion policy causes IPS detection engines to restart. This can cause a short pause in processing and, for most detection engines with inline interface sets, may cause a few packets to pass through the sensor uninspected.

Continue with the next section, Updating Managed Sensors, to update the Sourcefire software on the sensors that the Defense Center manages.

Updating Managed Sensors

Requires: DC + 3D Sensor

After you update your Defense Centers, Sourcefire strongly recommends that you use them to update the sensors they manage. Updating managed sensors is a multi-step process. First, download the update from the Support Site and upload it to the managing Defense Center. Next, push the update to the sensors from the Defense Center. Finally, install the software.

making sure you have enough free disk space to perform the update. and 3Dx800 sensors.9. 6. making sure that the 3D Sensors are running the correct version of the Sourcefire software. Pre-update tasks can include updating your managing Defense Center. RNA for Red Hat Linux. IMPORTANT! You must use the Defense Center to update sensors that do not have a web interface. for major updates to software sensors. 4. Make sure that the appliances in your deployment are successfully communicating and that there are no issues being reported by the health monitor. Download the update from the Sourcefire Support Site. The Patch Update Management page appears. select Operations > Update.Updating System Software Installing Software Updates Chapter 11 multiple 3D Sensors at once. To update managed 3D Sensors: Access: Admin 1. However. then click Upload. but only if they use the same update.1 Sourcefire 3D System Administrator Guide 405 . Version 4. Read the release notes for the update and complete any required pre-update tasks. For information on updating the 3D Sensors in your deployment. making sure software sensors are running the correct version of their operating systems. The update is uploaded to the Defense Center. 3. The Push Update page appears. including Crossbeam-based software sensors. 7. Different 3D Sensor models use different updates. see the release notes for more information. see Updating a Defense Center or Master Defense Center on page 402. and so on. its version number. IMPORTANT! Download the update directly from the Support Site. Click Upload Update to browse to the update you downloaded. see the release notes. 5. On the managing Defense Center. The Patch Update Management page shows the type of update you just uploaded. For information on the updates you can download. you have set aside adequate time to perform the update. If you transfer an update file by email. backing up event and configuration data. and date and time it was generated. 
you may need to uninstall the previous version and install the new version. Update the Sourcefire software on the sensors’ managing Defense Center. it may become corrupted. The page also indicates whether a reboot is required as part of the update. Click Push next to the update. 2. see the release notes.

8. Under Selected Update, select the sensors you want to update, then click Push.

Depending on the size of the file, it may take some time to push the update to all sensors. You can monitor the progress of the push in the task queue (Operations > Monitoring > Task Status). When the push is complete, continue with the next step.

9. Click Install next to the update you are installing.

The Install Update page appears.

10. Select the sensors where you pushed the update and click Install.

11. If prompted, confirm that you want to install the update and reboot the 3D Sensors.

The update process begins. You can monitor the update's progress in the Defense Center's task queue (Operations > Monitoring > Task Status).

If the update requires a reboot, your 3D Sensors use IPS detection engines with inline interface sets, and the sensors do not have fail-open network cards, traffic is interrupted while the sensors reboot. If your sensors have fail-open network cards, some traffic may pass through the sensors uninspected while they reboot.

WARNING! If you encounter issues with the update (for example, if the task queue indicates that the update has failed or if a manual refresh of the task queue shows no progress), do not restart the update. Instead, contact Support.

12. Verify that the sensors you updated are successfully communicating with the Defense Center. Select Operations > Sensors and confirm that the sensors you updated have the correct version listed.

13. Re-apply intrusion policies to the IPS detection engines on your managed 3D Sensors.

Unless you enabled the Inspect Traffic During Policy Apply option when you created your IPS detection engines (this option is supported on many sensor models, for most detection engines with inline interface sets; see Creating a Detection Engine on page 193), applying an intrusion policy causes IPS detection engines to restart. This can cause a short pause in processing and may cause a few packets to pass through the sensor uninspected.

Updating Unmanaged 3D Sensors
Requires: 3D Sensor

Use the procedure in this section to update unmanaged 3D Sensors only. Sourcefire strongly recommends that you update managed 3D Sensors using their managing Defense Centers. For more information, see Updating Managed Sensors on page 404.

You update the 3D Sensor in one of two ways, depending on the type of update and whether your 3D Sensor has access to the internet:

• For all except major releases, and if your 3D Sensor has access to the Internet, you can use the 3D Sensor to obtain the update directly from the Support Site.

• For major releases, or if your 3D Sensor does not have access to the Internet, you can manually download the update from the Sourcefire Support Site and then upload it to the 3D Sensor.

IMPORTANT! For major updates, updating the 3D Sensor removes any existing updates and patches, as well as their uninstall scripts, from the sensor.

IMPORTANT! Download the update directly from the Support Site. If you transfer an update file by email, it may become corrupted.

To update an unmanaged 3D Sensor:
Access: Admin

1. Read the release notes for the update and complete any required pre-update tasks.

Pre-update tasks can include making sure that the 3D Sensor is running the correct version of the Sourcefire software, making sure you have enough free disk space to perform the update, making sure you have set aside adequate time to perform the update, backing up event and configuration data, and so on.

2. Upload the update to the 3D Sensor, either manually or by clicking Update on the Patch Update Management page. You have two options, depending on the type of update and whether your 3D Sensor has access to the internet:

• If your 3D Sensor has access to the internet and you are not performing a major update, select Operations > Update to display the Patch Update Management page, then click Download Updates to check for the latest updates on the Support Site. This option is not supported for major updates.

• If your 3D Sensor does not have access to the internet or if you are performing a major update, first manually download the update from the Sourcefire Support Site. Then select Operations > Update to display the Patch Update Management page, click Upload Update, browse to the update, and click Upload.

The update is uploaded to the 3D Sensor. The Patch Update Management page shows the type of update you just uploaded, its version number, and the date and time it was generated. The page also indicates whether a reboot is required as part of the update.

3. Select Operations > Monitoring > Task Status to view the task queue and make sure that there are no jobs in process.

You must wait until any long-running tasks are complete before you begin the update. Tasks that are running when the update begins are stopped and cannot be resumed; you must manually delete them from the task queue after the update completes. The task queue automatically refreshes every 10 seconds.

4. Select Operations > Update.

The Patch Update Management page appears.

5. Click Install next to the update you just uploaded.

6. If prompted, confirm that you want to install the update and reboot the 3D Sensor.

The update process begins. You can monitor the update's progress in the task queue (Operations > Monitoring > Task Status).

If the update requires a reboot, your 3D Sensor uses IPS detection engines with inline interface sets, and the sensor does not have a fail-open network card, traffic is interrupted while the sensor reboots. If the sensor has a fail-open network card, some traffic may pass through the sensor uninspected while it reboots.

WARNING! Do not use the web interface to perform any other tasks until the update has completed and (if necessary) the 3D Sensor reboots. Before the update completes, the web interface may become unavailable, or the 3D Sensor may log you out. This is expected behavior. If this occurs, log in again to view the task queue. If the update is still running, continue to refrain from using the web interface until the update has completed. If you encounter issues with the update (for example, if the task queue indicates that the update has failed or if a manual refresh of the task queue shows no progress), do not restart the update. Instead, contact Support.

7. After the update finishes, clear your browser cache and force a reload of the browser. Otherwise, the user interface may exhibit unexpected behavior.

8. Log into the 3D Sensor, if necessary, and select Operations > Help > About to confirm that the software version is listed correctly.

9. Re-apply intrusion policies to your IPS detection engines.

Unless you enabled the Inspect Traffic During Policy Apply option when you created your IPS detection engines (this option is supported on many sensor models, for most detection engines with inline interface sets; see Creating a Detection Engine on page 193), applying an intrusion policy causes IPS detection engines to restart. This can cause a short pause in processing and may cause a few packets to pass through the sensor uninspected.

Uninstalling Software Updates
Requires: Any

When you install a patch to a Sourcefire appliance, the update process creates an uninstaller update that allows you to uninstall the patch from that appliance's web interface. You must use the local web interface to uninstall patches, as described by the procedure in this section. That is, you cannot use the Defense Center to uninstall patches from managed sensors. For information on uninstalling patches from appliances that do not have local web interfaces (Crossbeam-based software sensors, RNA for Red Hat Linux, and 3Dx800 sensors), see the release notes.

IMPORTANT! Uninstalling from the web interface is not supported for major version upgrades. If you upgraded to a new version of the appliance and need to revert to an older version, contact Support.

When you uninstall a patch, the resulting Sourcefire software version depends on the update path for your appliance. For example, consider a scenario where you updated an appliance directly from Version 4.9.0 to Version 4.9.0.2. Uninstalling the Version 4.9.0.2 patch might result in an appliance running Version 4.9.0.1, even though you never installed the Version 4.9.0.1 update. For information on the resulting Sourcefire software version when you uninstall an update, see the release notes.

In addition, you must uninstall a patch from the appliances in your deployment in the reverse order of how you installed it. That is, first uninstall the patch from your managed 3D Sensors, then your Defense Centers, and finally your Master Defense Centers.

To uninstall a patch using the local web interface:
Access: Admin

1. Select Operations > Update.

The Patch Update Management page appears.

2. Click Install next to the uninstaller for the update you want to remove.

• On the Defense Center, the Install Update page appears. Under Selected Update, select the Defense Center and click Install.

• On the 3D Sensor, there is no intervening page.

In either case, if prompted, confirm that you want to uninstall the update and reboot the appliance. The uninstall process begins. You can monitor its progress in the task queue (Operations > Monitoring > Task Status).

If the uninstall for a 3D Sensor requires a reboot, the sensor uses IPS detection engines with inline interface sets, and the sensor does not have a fail-open network card, traffic is interrupted while the sensor reboots. If the sensor has a fail-open network card, some traffic may pass through the sensor uninspected while it reboots.

WARNING! Do not use the web interface to perform any other tasks until the uninstall has completed and (if necessary) the appliance reboots. Before the uninstall completes, the web interface may become unavailable, or the appliance may log you out. This is expected behavior. If this occurs, log in again and view the task queue. If the uninstall is still running, continue to refrain from using the web interface until the uninstall has completed. If you encounter issues with the uninstall, for example, if the task queue indicates that the uninstall has failed or if a manual refresh of the task queue shows no progress, do not restart the uninstall. Instead, contact Support.

3. After the uninstall finishes, clear your browser cache and force a reload of the browser. Otherwise, the user interface may exhibit unexpected behavior.

4. Log into the appliance, if necessary.

5. Select Operations > Help > About and confirm that the software version is listed correctly.

6. Verify that the appliance where you uninstalled the patch is successfully communicating with its managed sensors (for the Defense Center) or its managing Defense Center (for 3D Sensors).

Updating the Vulnerability Database
Requires: DC + RNA

The Sourcefire Vulnerability Database (VDB) is a database of known vulnerabilities to which hosts may be susceptible, as well as fingerprints for RNA-detected operating systems, client applications, and services. RNA correlates the operating system and services detected on each host with the vulnerability database to help you determine whether a particular host increases your risk of network compromise. The Sourcefire Vulnerability Research Team (VRT) issues periodic updates to the VDB.

You should install the same version of the VDB on all the appliances in your deployment. To ensure you install the same VDB version, use your Defense Centers to push and install the VDB on all managed 3D Sensors with RNA, including software sensors. Because you cannot view RNA data on Master Defense Centers or on unmanaged 3D Sensors, you do not need to update the VDB on these appliances.

The time it takes to update vulnerability mappings depends on the number of hosts in your network map. As a rule of thumb, divide the number of hosts on your network by 1000 to determine the approximate number of minutes to perform the update. You may want to schedule the update during low system usage times to minimize the impact of any system downtime.

TIP! This section explains how to plan for and perform manual VDB updates on your Sourcefire 3D System appliances. You can take advantage of the automated update feature to schedule VDB updates; see Automating Vulnerability Database Updates on page 437.

To update the vulnerability database:
Access: Admin

1. Select Operations > Update.

The Patch Update Management page appears.

2. Upload the update to the Defense Center, either manually or by clicking Update.

• If your Defense Center has access to the Internet, click Download Updates to check for the latest updates on the Support site.

• If your Defense Center does not have access to the Internet, manually download the update from the Sourcefire Support Site, then click Upload Update. Browse to the update and click Upload.

IMPORTANT! Download the update directly from the Support Site. If you transfer an update file by email, it may become corrupted.

The VDB update is saved on the Defense Center and appears in the Updates section.

3. Read the VDB Update Advisory Text for the update.

The VDB Update Advisory Text includes information about the changes to the VDB made in the update, as well as product compatibility information.

4. Click Push next to the VDB update.

The Push Update page appears.

5. Under Selected Update, select the managed 3D Sensors you want to update, then click Push.

Depending on the size of the file, it may take some time to push the VDB update to all sensors. You can monitor the progress of the push in the Defense Center's task queue (Operations > Monitoring > Task Status). When the push is complete, continue with the next step.

6. Click Install next to the VDB update.

The Install Update page appears.

7. Select the Defense Center, as well as the sensors where you pushed the VDB update, then click Install.

The update process begins. You can monitor the update's progress in the task queue (Operations > Monitoring > Task Status). Depending on the number of hosts in your network map, the update may take some time.

WARNING! Do not use the web interface to perform tasks related to mapped vulnerabilities until the update has completed. If you encounter issues with the update, for example, if the task queue indicates that the update has failed or if a manual refresh of the task queue shows no progress, do not restart the update. Instead, contact Support.

8. After the update finishes, confirm that the VDB build number matches the update you installed.

• To check the VDB build number on the Defense Center, select Operations > Help > About.

• To check the VDB build number on your managed sensors, select Operations > Sensors on the Defense Center, then click Edit next to each sensor you updated.

Chapter 12
Using Backup and Restore

Backup and restoration is an essential part of any system maintenance plan. While each organization's backup plan is highly individualized, Sourcefire 3D System provides a mechanism for archiving data so that the Defense Center or 3D Sensor can be restored in case of disaster.

By default, system configuration files are saved in the backup file. You can also choose to back up the following, if applicable for the range of appliances in your deployment:

• the entire intrusion event database
• the entire RNA event database
• additional files that reside on the appliance

WARNING! If you applied any SEU updates, those updates are not backed up. You need to apply the latest SEU update after you restore.

You can restore a backup onto a replacement appliance if the two appliances are the same model and are running the same version of the Sourcefire 3D System software.

WARNING! Do not use the backup and restore process to copy the configuration files between sensors. The configuration files include information that uniquely identifies a sensor and cannot be shared.

You can save backup files to the appliance or to your local computer. Additionally, if you are using a Series 2 Defense Center, the backup file can be saved to a remote location; see Managing Remote Storage on page 393. You should periodically save a backup file that contains all of the configuration files required to restore the appliance, in addition to event and packet data. You may also want to back up the system when testing configuration changes so that you can revert to the saved configuration, if needed. When your backup task is collecting RNA events, data correlation is temporarily suspended.

See the following sections for more information.

• See Creating Backup Files on page 414 for information about backing up files from the appliance.

• See Creating Backup Profiles on page 418 for information about creating backup profiles that you can use later as templates for creating backups.

• See Performing Sensor Backup with the Defense Center on page 419 for information about backing up managed sensors with the Defense Center.

• See Uploading Backups from a Local Host on page 420 for information about uploading backup files from a local host.

• See Restoring the Appliance from a Backup File on page 421 for information about how to restore a backup file to the appliance.

Creating Backup Files
Requires: IPS or DC/MDC

To view and use existing system backups, go to the System Backup Management page. You can choose to save the backup file on the appliance or on your local computer. Uploading a backup from your local computer does not work on backup files larger than 4GB since web browsers do not support uploading files that large. As an alternative, or if your backup file is larger than 4GB, copy it via SCP to a remote host. On Series 2 Defense Centers, you can use remote storage as detailed in Managing Remote Storage on page 393.
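Two integrity concerns run through this chapter and the update chapter before it: an update file that travels by email may arrive corrupted, and a backup larger than 4GB cannot go through the browser and has to be copied with SCP instead. The script below is an added example and is not part of the Sourcefire guide or the appliance software; it runs on an administrator's workstation. It records a SHA-256 digest beside an archive on the host where the file was downloaded or created, picks the transfer path the file size allows, and re-checks the digest on the receiving host before the file is installed or restored. The file names, the sample payload and the `demo` function are constructed for the example; only the 4GB threshold comes from the guide.

```python
"""Integrity check for update and backup archives moved between hosts.

Added example, not part of the Sourcefire 3D System guide. Record a
SHA-256 digest on the trusted side before an archive moves (by SCP,
browser upload or any other path), then verify the received copy
against that digest before installing or restoring it.
"""
import hashlib
import os
import tempfile

# Browser upload limit for backup files quoted by the guide (4GB).
WEB_UPLOAD_LIMIT = 4 * 1024 ** 3


def sha256_of(path, chunk=1 << 20):
    """Digest a file in 1 MB blocks so multi-GB archives never load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def write_digest(path):
    """Record <path>.sha256 on the host that downloaded or created the archive.

    The digest file travels with the archive (or is read out over a
    separate channel) so the receiving side can compare against it.
    """
    digest = sha256_of(path)
    with open(path + ".sha256", "w") as f:
        f.write(f"{digest}  {os.path.basename(path)}\n")
    return digest


def verify(path, expected_digest):
    """True only if the received copy matches the digest recorded at the source."""
    return sha256_of(path) == expected_digest


def transfer_method(size_bytes):
    """'web' when the archive fits the browser upload limit, otherwise 'scp'."""
    return "web" if size_bytes <= WEB_UPLOAD_LIMIT else "scp"


def demo():
    """Constructed sample run (not real appliance data): one copy arrives
    intact, one arrives with a single byte changed in transit, which is the
    kind of damage the guide warns about for emailed update files."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "backup.tar")
    payload = b"constructed sample backup payload\n" * 2000
    with open(src, "wb") as f:
        f.write(payload)
    expected = write_digest(src)

    intact = os.path.join(workdir, "received_intact.tar")
    with open(intact, "wb") as f:
        f.write(payload)
    damaged = os.path.join(workdir, "received_damaged.tar")
    with open(damaged, "wb") as f:
        f.write(payload[:100] + b"?" + payload[101:])

    return {
        "method": transfer_method(os.path.getsize(src)),
        "intact_ok": verify(intact, expected),
        "damaged_ok": verify(damaged, expected),
    }


if __name__ == "__main__":
    print(demo())
```

The digest is computed before the archive leaves the trusted host, which is what makes the later comparison meaningful; computing it on the receiving side alone would only prove the file is self-consistent, not that it matches what was downloaded.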

The Defense Center and Master Defense Center version of the page is shown below.

For comparison, the 3D Sensor version of the page is shown below.

To create a backup file:
Access: Maint/Admin

1. Select Operations > Tools > Backup/Restore.

The System Backup Management page appears.

2. Click Sensor Backup on a 3D Sensor toolbar or Defense Center Backup on a Defense Center toolbar.

The Backup page appears.

3. In the Name field, type a name for the backup file. You can use alphanumeric characters, punctuation, and spaces.

4. Requires: IPS or DC/MDC To archive the configuration, select Backup Configuration.

5. Requires: IPS or DC/MDC To archive the entire event database, select Backup Events.

6. Requires: IPS To archive individual intrusion event data files, select the files that you want to include from the Unified File List.

7. Requires: IPS Ensure that the value of the compressed backup file in the Selected Sum field is less than the value in the Available Space field.

TIP! The compressed value that appears in the Selected Sum field is a conservative estimate of the size of the compressed file. Often, the file will be smaller.

8. If you want to include an additional file in the backup, type the full path and file name in the Additional Files field and click the plus sign (+).

TIP! You can repeat this step to add additional files.

9. Optionally, to be notified when the backup is complete, select the Email when complete check box and type your email address in the accompanying text box.

You must make sure that your mail relay host is configured as described in Configuring a Mail Relay Host and Notification Address on page 338.

10. Optionally, to use secure copy (scp) to copy the backup archive to a different machine, select the Copy when complete check box and then type the following information in the accompanying text boxes:

• the hostname or IP address of the machine where you want to copy the backup
• the path to the directory where you want to copy the backup
• the user name that you want to use to log into the remote machine
• the password for that user name

TIP! Sourcefire recommends that you periodically save backups to a remote location so that the appliance can be restored in case of system failure.

11. You have the following options:

• To save the backup file to the appliance, click Start Backup. When the backup process is complete, you can view the file on the Restoration Database page. The backup file is saved in the /var/sf/backup directory. On Series 2 Defense Centers, you can direct the backup file to a remote location; see Managing Remote Storage on page 393. For information about restoring a backup file, see Restoring the Appliance from a Backup File on page 421.

• To save this configuration as a backup profile that you can use later, click Save As New. See Creating Backup Profiles on page 418 for more information.

Creating Backup Profiles
Requires: IPS or DC/MDC

You can use the Backup Profiles page to create backup profiles that contain the settings that you want to use for different types of backups. You can later select one of these profiles when you are backing up the files on your appliance.

TIP! When you create a backup file as described in Creating Backup Files on page 414, a backup profile is automatically created. You can modify or delete the backup profile by selecting Operations > Tools > Backup & Restore and then clicking Backup Profiles.

To create a backup profile:
Access: Maint/Admin

1. Select Operations > Tools > Backup/Restore.

The System Backup Management page appears.

2. Click Backup Profiles on the toolbar.

The Backup Profiles page appears with a list of existing backup profiles.

TIP! You can click Edit to modify an existing profile or click Delete to delete a profile from the list.

3. Click Create Profile.

The System Backup page appears.

4. Type a name for the backup profile. You can use alphanumeric characters, punctuation, and spaces.

5. Configure the backup profile according to your needs.

See Creating Backup Files on page 414 for more information about the options on this page.

6. Click Save As New to save the backup profile.

The Backup Profiles page appears and includes your new profile in the list.

Performing Sensor Backup with the Defense Center
Requires: DC

You can use the Defense Center to back up data on managed 3D Sensors. You cannot use remote backup and restore to manage data on Crossbeam-based software sensors, 3Dx800 sensors, RNA Software for Red Hat Linux, or Intrusion Agents.

To back up a managed sensor:
Access: Maint/Admin

1. Select Operations > Tools > Backup/Restore.

The System Backup Management page appears.

2. Click Sensor Backup on the toolbar.

The Remote Backup page appears.

3. In the Sensors field, select the managed sensors that you want to back up.

The default name for the backup file uses the name of the managed 3D Sensor.

TIP! If you use a backup file name containing spaces or punctuation characters, they change to underscores.

4. To include event data in addition to configuration data, select the Include All Unified Files check box.

Note that the unified files are binary files that the Sourcefire 3D System uses to log event data.

5. To save the backup file on the Defense Center, select the Retrieve to DC check box.

TIP! To save each sensor's backup file on the sensor itself, leave this check box unselected.

6. Click Start Backup.

A success message appears and the backup task is set up. Check the task status for progress.

TIP! It can take several minutes to complete the backup.

When the backup is complete, you can view the backup file on the Restoration Database page.

Uploading Backups from a Local Host
Requires: DC

If you download a backup file to your local host using the download function described in the Backup Management table on page 421, you can upload it to a Defense Center.

TIP! Uploading a backup larger than 4GB from your local host does not work because web browsers do not support uploading files that large. As an alternative, copy the backup via SCP to a remote host and retrieve it from there. On Series 2 Defense Centers, the backup file can be saved to and retrieved from a remote location; see Managing Remote Storage on page 393.

To upload a backup from your local host:
Access: Maint/Admin

1. Select Operations > Tools > Backup/Restore.

The System Backup Management page appears.

2. Click Upload Backup.

The Upload Backup page appears.

3. Click Browse, and navigate to the backup file. After you select the file to upload, click Upload Backup.

4. Click Backup Management on the toolbar to return to the System Backup Management page.

The backup file is uploaded and appears in the backup list.

TIP! After the Defense Center verifies the file integrity, refresh the System Backup Management page to reveal detailed file system information.

Restoring the Appliance from a Backup File
Requires: IPS or DC/MDC

You can restore the appliance from backup files using the System Backup Management page. Note that you can only restore a backup to an identical appliance type and version. After you complete the restoration process, you must apply the latest SEU.

If you use local storage, backup files are saved to /var/sf/backup, which is listed with the amount of disk space used in the /var partition at the top of the System Backup Management page. If you use remote storage, the protocol, backup system, and backup directory are listed at the top of the page. On Series 2 Defense Centers, select Enable Remote Storage for Backups to enable or disable remote storage at the top of the System Backup Management page.

The Backup Management table describes each column and icon on the System Backup Management page.

Backup Management

System Information: The originating appliance name, type, and version
Date Created: The date and time that the backup file was created
File Name: The full name of the backup file
Location: The location of the backup file
Size (MB): The size of the backup file, in megabytes
Events?: "Yes" indicates the backup includes event data.
View: Click with the backup file selected to view a list of the files included in the compressed backup file.
Restore: Click with the backup file selected to restore it on the appliance.

Backup Management (Continued)

Download: Click with the backup file selected to save it to your local computer.
Delete: Click with the backup file selected to delete it.
Move: On a Series 2 Defense Center, when you have a previously created local backup selected, click to send the backup to the designated remote backup location.

To restore the appliance from a backup file:
Access: Admin

1. Select Operations > Tools > Backup/Restore.

The System Backup Management page appears. A Series 2 Defense Center version of the page is shown.

2. To view the contents of a backup file, select the file and click View.

The manifest appears listing the name of each file, its owner and permissions, and its file size and date. The Defense Center version of the page is truncated to show a sample of the files that are backed up.

3. On the toolbar, click Backup Management to return to the System Backup Management page.

4. Select the backup file that you want to restore and click Restore.

The Restore Screen page appears.

WARNING! This procedure will overwrite all configuration files and, on the 3D Sensor, all event data.

5. Requires: DC/MDC To restore files, select either or both:

• Replace Configuration Data
• Restore Event Data

Then click Restore to begin the restoration.

6. Requires: IPS If you want to restore intrusion event data, select the files that you want to include from the Unified File List box.

7. Click Restore to begin the restoration.

The appliance is restored using the backup file you specified.

TIP! To cancel the restoration, click Cancel.

8. Reboot the appliance.

9. Re-apply any intrusion, health, RNA detection, and system policies to the restored system. Apply the latest SEU to re-apply SEU rule and software updates.

Chapter 13 Scheduling Tasks
Administrator Guide

You can schedule many different types of administrative tasks to run at scheduled times, including:
• running backups
• applying intrusion policies (Requires: IPS)
• generating reports
• running Nessus scans (Requires: DC + RNA)
• synchronizing Nessus plugins (Requires: DC + RNA)
• running Nmap scans (Requires: DC + RNA)
• using RNA rule recommendations (Requires: DC + RNA + IPS)
• importing Security Enhancement Updates (SEUs) (Requires: IPS)
• downloading and installing software updates
• downloading and installing vulnerability database updates (Requires: DC + RNA)
• pushing downloaded updates to managed sensors (Requires: DC)

You can schedule tasks to run once or on a recurring schedule.

IMPORTANT! Some tasks (such as those involving automated software and SEU updates and those that require pushing updates or intrusion policies to managed sensors) can place a significant load on networks with low bandwidths. You should always schedule tasks like these to run during periods of low network use.

See the following sections for more information:
• Configuring a Recurring Task on page 426 explains how to set up a scheduled task so that it runs at regular intervals.
• Automating Backup Jobs on page 428 provides procedures for scheduling backup jobs.
• Automating Software Updates on page 430 provides procedures for scheduling the download, push, and installation of software updates.
• Automating Vulnerability Database Updates on page 437 provides procedures for scheduling the download, push, and installation of vulnerability database updates.
• Automating SEU Imports on page 444 provides procedures for scheduling rule updates.
• Automating Intrusion Policy Applications on page 446 provides procedures for scheduling intrusion policy applications.
• Automating Reports on page 448 provides procedures for scheduling reports.
• Automating Nessus Scans on page 450 provides procedures for scheduling Nessus scans.
• Synchronizing Nessus Plugins on page 452 provides procedures for synchronizing your sensor with the Nessus server.
• Automating Nmap Scans on page 454 provides procedures for scheduling Nmap scans.
• Automating Recommended Rule State Generation on page 456 provides procedures for scheduling automatic update of intrusion rule state recommendations based on RNA data.
• Viewing Tasks on page 458 describes how to view and manage tasks after they are scheduled.
• Editing Scheduled Tasks on page 461 describes how to edit an existing task.
• Deleting Scheduled Tasks on page 461 describes how to delete one-time tasks and all instances of recurring tasks.

Configuring a Recurring Task
Requires: IPS or DC/MDC

You set the frequency for a recurring task using the same process for all types of tasks.

IMPORTANT! You cannot configure a recurring task schedule on the inactive Defense Center in a high availability pair of Defense Centers. You must recreate the recurring task schedule on a newly activated Defense Center when it changes from inactive to active.
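The daylight saving time behaviour noted in this section (a recurring task keeps the instant it was scheduled for, so its local run time moves by an hour when DST starts or ends) can be reproduced with the following added example. It is not part of the guide: the fixed-instant scheduling model, the built-in USEastern zone standing in for the time zone chosen in the system settings, and the 2010 dates are all assumptions made here.

```python
from __future__ import annotations

from datetime import date, datetime, time, timedelta, timezone, tzinfo


def _nth_sunday(year: int, month: int, n: int) -> date:
    """Date of the n-th Sunday of the given month (weekday(): Monday=0 ... Sunday=6)."""
    first = date(year, month, 1)
    first_sunday = first + timedelta(days=(6 - first.weekday()) % 7)
    return first_sunday + timedelta(weeks=n - 1)


class USEastern(tzinfo):
    """Constructed stand-in for the appliance time zone (assumption, not from the guide).

    US Eastern rules in force since 2007: EST is UTC-5, EDT is UTC-4, and DST runs
    from 02:00 local on the second Sunday of March to 02:00 local on the first
    Sunday of November. Built in here so the example runs without system tz data;
    zoneinfo.ZoneInfo("America/New_York") gives the same results for these dates.
    """

    STANDARD = timedelta(hours=-5)

    @staticmethod
    def _in_dst_utc(naive_utc: datetime) -> bool:
        year = naive_utc.year
        start = datetime.combine(_nth_sunday(year, 3, 2), time(7, 0))   # 02:00 EST
        end = datetime.combine(_nth_sunday(year, 11, 1), time(6, 0))    # 02:00 EDT
        return start <= naive_utc < end

    def fromutc(self, dt: datetime) -> datetime:
        # dt carries UTC wall-clock values tagged with this zone; shift it to local time.
        naive_utc = dt.replace(tzinfo=None)
        shift = timedelta(hours=1) if self._in_dst_utc(naive_utc) else timedelta(0)
        return dt + self.STANDARD + shift

    def dst(self, dt: datetime | None) -> timedelta:
        if dt is None:
            return timedelta(0)
        # Read the wall-clock value as standard time to find the instant it names,
        # then ask whether that instant lies inside the DST window.
        naive_utc = dt.replace(tzinfo=None) - self.STANDARD
        return timedelta(hours=1) if self._in_dst_utc(naive_utc) else timedelta(0)

    def utcoffset(self, dt: datetime | None) -> timedelta:
        return self.STANDARD + self.dst(dt)

    def tzname(self, dt: datetime | None) -> str:
        return "EDT" if self.dst(dt) else "EST"


def schedule_runs(first_run_local: datetime, every: timedelta, count: int) -> list[datetime]:
    """Model of a recurring task: the first run is pinned as an absolute instant and
    each later run is that instant plus a whole number of intervals. Nothing
    re-anchors the task to the local wall clock, which is exactly why a 2am task
    created in standard time shows up at 3am once DST is in effect. Results are
    returned in the zone of first_run_local."""
    tz = first_run_local.tzinfo
    first_utc = first_run_local.astimezone(timezone.utc)
    return [(first_utc + every * i).astimezone(tz) for i in range(count)]


def local_run_on(first_local: str, every_hours: int, target_date: str,
                 tz: tzinfo = USEastern()) -> str | None:
    """Local wall-clock time ("HH:MM ZONE") of the run that falls on target_date.

    first_local is the Start On date plus Run At time, "YYYY-MM-DD HH:MM", read in
    the appliance time zone; every_hours is the Repeat Every interval in hours
    (24 for one Day). Returns None if no run lands on target_date within a year.
    """
    first = datetime.strptime(first_local, "%Y-%m-%d %H:%M").replace(tzinfo=tz)
    every = timedelta(hours=every_hours)
    count = int(timedelta(days=366) / every) + 1
    for run in schedule_runs(first, every, count):
        if run.date().isoformat() == target_date:
            return run.strftime("%H:%M %Z")
    return None


if __name__ == "__main__":
    # Constructed sample: daily tasks created for 2am. US DST in 2010 began on
    # 14 March and ended on 7 November.
    print(local_run_on("2010-01-15 02:00", 24, "2010-02-01"))  # 02:00 EST, no transition yet
    print(local_run_on("2010-01-15 02:00", 24, "2010-03-20"))  # 03:00 EDT, created in standard time
    print(local_run_on("2010-07-15 02:00", 24, "2010-11-20"))  # 01:00 EST, created during DST
```

To keep the wall-clock time constant across the transition, recreate the task after the DST change rather than relying on the interval arithmetic.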

Note that the time displayed on most pages on the web interface is the local time, which is determined by using the time zone you specify in your system settings. Further, the Defense Center or 3D Sensor with IPS automatically adjusts its local time display for daylight saving time (DST), where appropriate. However, recurring tasks that span the transition dates from DST to standard time and back do not adjust for the transition. That is, if you create a task scheduled for 2am during standard time, it will run at 3am during DST. Similarly, if you create a task scheduled for 2am during DST, it will run at 1am during standard time.

Each of the types of tasks you can schedule is explained in its own section.

To configure a recurring task:
Access: Maint/Admin
1. Select Operations > Tools > Scheduling.
   The Scheduling page appears.
2. Click Add Task.
   The Add Task page appears.
3. From the Job Type list, select the type of task that you want to schedule.
4. For the Schedule task to run option, select Recurring.
   The page reloads with the recurring task options.
5. In the Start On field, specify the date when you want to start your recurring task. You can use the drop-down list to select the month, day, and year.
6. In the Repeat Every field, specify how often you want the task to recur. You can specify a number of hours, days, weeks, or months. For example, type 2 and select Day(s) to run the task every two days.
   TIP! You can either type a number or use the arrow buttons to specify the interval.
7. In the Run At field, specify the time when you want to start your recurring task.

8. If you selected Week(s) in the Repeat Every field, a Repeat On field appears. Select the check boxes next to the days of the week when you want to run the task.
9. If you selected Month(s) in the Repeat Every field, a Repeat On field appears. Use the drop-down list to select the day of the month when you want to run the task.

The remaining options on the Add Task page are determined by the task you are creating. See the following sections for more information:
• Automating Backup Jobs on page 428
• Automating Software Updates on page 430
• Automating Vulnerability Database Updates on page 437
• Automating SEU Imports on page 444
• Automating Intrusion Policy Applications on page 446
• Automating Reports on page 448
• Automating Nessus Scans on page 450
• Synchronizing Nessus Plugins on page 452
• Automating Nmap Scans on page 454
• Automating Recommended Rule State Generation on page 456

Automating Backup Jobs
Requires: IPS or DC/MDC

You can use the scheduler to automate system backups of a Defense Center or a 3D Sensor with IPS.

TIP! You must design a backup profile before you can configure it as a scheduled task. For information on backup profiles, see Creating Backup Profiles on page 418.

To automate backup tasks:
Access: Maint/Admin
1. Select Operations > Tools > Scheduling.
   The Scheduling page appears.
2. Click Add Task.
   The Add Task page appears.

3. From the Job Type list, select Backup.
   The page reloads to show the backup options.
4. Specify how you want to schedule the backup, Once or Recurring.
   • For one-time tasks, use the drop-down lists to specify the start date and time.
     TIP! The Current Time field indicates the current time on the appliance.
   • For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task on page 426 for details.
5. In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.
6. From the Backup Profile list, select the appropriate backup profile.
   For more information on creating new backup profiles, see Creating Backup Profiles on page 418.
7. Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.
   TIP! The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.

8. Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want status messages sent.
   IMPORTANT! You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address on page 338 for more information about configuring a relay host.
9. Click Save.
   The backup task is created.

Automating Software Updates

The tasks you schedule to automate download, push, and installation of software updates vary depending on whether you are updating an appliance directly or are using a Defense Center to perform the updates.

When automating direct software updates for an appliance, you can just schedule the Install Latest Update task. For example, if you want to update your 3D Sensor directly and it is connected to the internet, you can schedule automatic software installation and, as long as the appliance has access to the Internet, the appliance automatically downloads the latest update when the installation task runs. Similarly, if you want to update the software for your Defense Center, you can schedule Install Latest Update to download and install the latest Defense Center update, as long as it has access to the Internet.

However, if you want to automate software updates on your managed sensors, you must schedule two tasks:
1. Push the update to managed sensors.
2. Install the update on managed sensors.

If you use your Defense Center to automate software updates for managed 3D Sensors, you must always push the update to the sensor first, then install it on the sensor. You should schedule the push and install tasks to happen in succession. Tasks should be scheduled at least 30 minutes apart. Always allow enough time between tasks for the process to complete. For example, if you schedule a task to install an update and the update has not finished copying from the Defense Center to the sensor, the installation task will not succeed. However, if the scheduled installation task repeats daily, it will install the pushed update when it runs the next day.

Note that when the Defense Center runs either the Push Latest Update or the Install Latest Update task, it queries the Sourcefire support site for the latest updates. Note that the tasks for pushing the update to managed sensors (on the Defense Center) and installing the update (on any appliance) automatically check the Support site to ensure that you have the latest version of the update. This behavior also has implications for appliances that cannot access the Support site at all. Specifically, if you manually download an update to an appliance that cannot access the Support site, you cannot schedule either pushes to managed sensors (on the Defense Center) or installs (on any appliance). Instead you must manually push or install the updates as described in Updating System Software on page 398. If your appliance cannot access the Support site, the task does not complete.

TIP! The automated update process allows you to download and install software patches and feature releases (generally when the last two digits in the four-digit version number change, such as 4.8.1 or 4.8.2.1). For larger, more comprehensive updates (such as 4.8 or 4.9), you must manually upload, push, and install the upgrade files.

If you want to have more control over this process, you can use the Once option to download and install updates during off-peak hours after you learn that an update has been released. On the Defense Center, you can also automate vulnerability database (VDB) updates.

See the following sections for more information:
• Automating Software Downloads on page 431
• Automating Software Pushes on page 433
• Automating Software Installs on page 435

Automating Software Downloads
Requires: IPS or DC/MDC

You can create a scheduled task that automatically downloads the latest software updates from Sourcefire. You can use this task to schedule download of updates you plan to push or install manually.

To automate software updates:
Access: Maint/Admin
1. Select Operations > Tools > Scheduling.
   The Scheduling page appears.
2. Click Add Task.
   The Add Task page appears.

3. From the Job Type list, select Download Latest Update.
   The Add Task page reloads to show the update options. The Defense Center version of the page is shown below.
4. Specify how you want to schedule the task, Once or Recurring.
   • For one-time tasks, use the drop-down lists to specify the start date and time.
     TIP! The Current Time field indicates the current time on the appliance.
   • For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task on page 426 for details.
5. In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.
6. In the Update Items section, specify which updates you want to download. Both options are selected by default.
   • Select Software to download the most recent software patch.
   • Requires: DC
     Select Vulnerability Database to download the most recent vulnerability database update.
   IMPORTANT! If your appliance is not directly connected to the Internet, you should set up a proxy as described in Configuring Network Settings on page 377 to allow it to download updates from the Sourcefire Support site (https://support.sourcefire.com/).

7. Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.
   TIP! The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.
8. Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want status messages sent.
   IMPORTANT! You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address on page 338 for more information about configuring a relay host.
9. Click Save.
   The task is created.

Automating Software Pushes
Requires: DC/MDC

If you are installing software or vulnerability database updates on managed 3D Sensors, you must push the software to the managed sensors before installing. When you create the task to push software updates to managed sensors, make sure you allow enough time between the push task and a scheduled install task for the updates to be copied to the sensor.

Note that if you manually download an update to an appliance that cannot access the Support site, you cannot schedule pushes to managed sensors. Instead you must manually push the update as described in Updating System Software on page 398.

When you push software updates to managed sensors, information about the push process status is reported on the Tasks page. See Viewing the Status of Long-Running Tasks on page 600 for more information.

To push software updates to managed sensors:
Access: Maint/Admin
1. Select Operations > Tools > Scheduling.
   The Scheduling page appears.
2. Click Add Task.
   The Add Task page appears.

3. From the Job Type list, select Push Latest Update.
   The page reloads to show the options for pushing updates.
4. Specify how you want to schedule the task, Once or Recurring.
   • For one-time tasks, use the drop-down lists to specify the start date and time.
     TIP! The Current Time field indicates the current time on the appliance.
   • For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task on page 426 for details.
5. In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.
6. In the Update Items section, specify which updates you want to push to your managed sensors. Both options are selected by default.
   • Select Software to push the software update.
   • Requires: DC + RNA
     Select Vulnerability Database to push the VDB update.
7. From the Sensor list, select the sensor that you want to receive updates.
8. Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.
   TIP! The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.

9. Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want status messages sent.
   IMPORTANT! You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address on page 338 for more information about configuring a relay host.
10. Click Save.
   The task is added. You can check the status of a running task on the Task Status page. See Viewing the Status of Long-Running Tasks on page 600 for more information.

Automating Software Installs
Requires: IPS or DC/MDC

If you are using a Defense Center to create a task to install a software update on a managed sensor, make sure you allow enough time between the task that pushes the update to the sensor and the task that installs the update. See Automating Software Pushes on page 433 for information about pushing updates to managed sensors.

Note that if you manually download an update to an appliance that cannot access the Support site, you cannot schedule installation of that update. Instead you must manually install the update as described in Updating System Software on page 398.

WARNING! Depending on the update being installed, the appliance may reboot after the software is installed.

To schedule a software installation task:
Access: Maint/Admin
1. Select Operations > Tools > Scheduling.
   The Scheduling page appears.
2. Click Add Task.
   The Add Task page appears.

3. From the Job Type list, select Install Latest Update.
   The page reloads to show the options for installing updates. The Defense Center version of the page is shown below.
4. Specify how you want to schedule the task, Once or Recurring.
   • For one-time tasks, use the drop-down lists to specify the start date and time.
     TIP! The Current Time field indicates the current time on the appliance.
   • For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task on page 426 for details.
5. In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.
6. In the Update Items section, select Software to install the software update.
7. If you are using a Defense Center, you have the following options:
   • Select the name of the Defense Center to install the update there.
   • Select the sensor where you want to install the update from the Sensor list.
8. Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.
   TIP! The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.

9. Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want status messages sent.
   IMPORTANT! You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address on page 338 for more information about configuring a relay host.
10. Click Save.
   The scheduled software installation task is added. You can check the status of a running task on the Task Status page. See Viewing the Status of Long-Running Tasks on page 600 for more information.

Automating Vulnerability Database Updates

Sourcefire uses vulnerability database (VDB) updates to distribute new operating system fingerprints as we expand the list of operating systems that RNA recognizes, thereby ensuring that RNA is using the most up-to-date information to evaluate the hosts on your network. VDB updates also include new vulnerabilities discovered by the Sourcefire Vulnerability Research Team (VRT).

TIP! If your Sourcefire 3D System deployment includes IPS and RNA monitoring the same network segments, make sure that you download and install VDB updates and SEUs on a regular basis. This ensures that your Defense Center is correctly setting the impact flag on the intrusion events generated by the traffic on your network.

You can use the scheduling feature to download and install the latest VDB updates. When automating VDB updates for your Defense Center, you must automate two separate steps:
1. Downloading the VDB update.
2. Installing the VDB update.

When automating VDB updates for managed sensors with RNA, you must schedule three tasks in this order:
1. Download the VDB update on your Defense Center.
2. Push the VDB update to your managed 3D Sensors that are using the RNA component.
3. Install the VDB update on the Defense Center and on those managed sensors.

Always allow enough time between tasks for the process to complete. For example, if you schedule a task to install an update and the update has not fully downloaded, the installation task will not succeed. However, if the scheduled installation task repeats daily, it will install the downloaded VDB update when it runs the next day.

Note that if you manually download an update to an appliance that cannot access the Support site, you cannot schedule either pushes to managed sensors (on the Defense Center) or installs (on any appliance). Instead you must manually push or install the updates as described in Updating System Software on page 398.

If you want to have more control over this process, you can use the Once option to download and install VDB updates during off-peak hours after you learn that an update has been released.

See the following sections for more information:
• Automating VDB Update Downloads on page 438
• Automating VDB Update Pushes on page 440
• Automating VDB Update Installs on page 442

Automating VDB Update Downloads
Requires: DC/MDC + RNA

You can create a scheduled task that automatically downloads the latest vulnerability database updates from Sourcefire.

IMPORTANT! You cannot download the VDB using a scheduled task on a sensor. You must download the VDB on the Defense Center and push it to the sensor.

To automate VDB updates:
Access: Maint/Admin
1. Select Operations > Tools > Scheduling.
   The Scheduling page appears.
2. Click Add Task.
   The Add Task page appears.

3. From the Job Type list, select Download Latest Update.
   The Add Task page reloads to show the update options.
4. Specify how you want to schedule the task, Once or Recurring.
   • For one-time tasks, use the drop-down lists to specify the start date and time.
     TIP! The Current Time field indicates the current time on the appliance.
   • For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task on page 426 for details.
5. In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.
6. In the Update Items section, make sure Vulnerability Database is selected. Both the Software and Vulnerability Database options are selected by default.
   IMPORTANT! If your appliance is not directly connected to the Internet, you should set up a proxy as described in Configuring Network Settings on page 377 to allow it to download updates from the Sourcefire Support site (https://support.sourcefire.com/).
7. Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.
   TIP! The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.

8. Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want status messages sent.
   IMPORTANT! You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address on page 338 for more information about configuring a relay host.
9. Click Save.
   The task is created.

Automating VDB Update Pushes
Requires: DC/MDC + 3D Sensor + RNA

If you are installing vulnerability database updates on managed 3D Sensors with RNA, you must push the update to the managed sensors before installing.

WARNING! You must download vulnerability database updates before you can push them to managed sensors.

Note that if you manually download an update to an appliance that cannot access the Support site, you cannot schedule pushes to managed sensors. Instead you must manually push the update as described in Updating System Software on page 398.

When you push VDB updates to managed sensors, information about the process status is reported on the Tasks page. See Viewing the Status of Long-Running Tasks on page 600 for more information.

To push VDB updates to managed 3D Sensors with RNA:
Access: Maint/Admin
1. Select Operations > Tools > Scheduling.
   The Scheduling page appears.
2. Click Add Task.
   The Add Task page appears.

3. From the Job Type list, select Push Latest Update.
   The page reloads to show the options for pushing updates.
4. Specify how you want to schedule the task, Once or Recurring.
   • For one-time tasks, use the drop-down lists to specify the start date and time.
     TIP! The Current Time field indicates the current time on the appliance.
   • For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task on page 426 for details.
5. In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.
6. In the Update Items section, make sure Vulnerability Database is selected. Both the Software and Vulnerability Database options are selected by default.
7. From the Sensor list, select the sensor that you want to receive updates.
8. Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.
   TIP! The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.

9. Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want status messages sent.
   IMPORTANT! You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address on page 338 for more information about configuring a relay host.
10. Click Save.
   The task is added. You can check the status of a running task on the Task Status page. See Viewing the Status of Long-Running Tasks on page 600 for more information.

Automating VDB Update Installs
Requires: DC/MDC + RNA

After you have downloaded a VDB update, you can schedule the installation process. You should allow enough time for a scheduled VDB update to download when you set up a scheduled task to install it. If you are creating a task to install a VDB update on a managed sensor, you must allow enough time between the task that pushes the update to the sensor and the task that installs the update. See Automating VDB Update Pushes on page 440 for information about pushing updates to managed sensors.

Note that if you manually download an update to an appliance that cannot access the Support site, you cannot schedule installation of that update. Instead you must manually install the updates as described in Updating System Software on page 398.

To schedule a software installation task:
Access: Maint/Admin
1. Select Operations > Tools > Scheduling.
   The Scheduling page appears.
2. Click Add Task.
   The Add Task page appears.

3. From the Job Type list, select Install Latest Update.
   The page reloads to show the options for installing updates.
4. Specify how you want to schedule the task, Once or Recurring.
   • For one-time tasks, use the drop-down lists to specify the start date and time.
     TIP! The Current Time field indicates the current time on the appliance.
   • For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task on page 426 for details.
5. In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.
6. In the Update Items section, select Vulnerability Database to install the VDB update.
7. From the Sensor list, you have the following options:
   • If you want to install the update on the Defense Center, select the name of the Defense Center from the drop-down list.
   • If you want to install the update on a managed sensor, select the name of the sensor from the drop-down list.
8. Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.
   TIP! The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.

9. Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want status messages sent.
   IMPORTANT! You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address on page 338 for more information about configuring a relay host.
10. Click Save.
   The scheduled VDB installation task is added. You can check the status of a running task on the Task Status page. See Viewing the Status of Long-Running Tasks on page 600 for more information.

Automating SEU Imports
Requires: IPS or DC/MDC + IPS

As new vulnerabilities are identified, the Sourcefire Vulnerability Research Team (VRT) releases Security Enhancement Updates (SEUs). An SEU contains new and updated standard text rules and shared object rules and may contain updated versions of Snort® and features such as preprocessors and decoders. You can automatically download and install SEUs.

Note that on the Defense Center, you also must re-apply your intrusion policies on your managed 3D Sensors with IPS. Applying an intrusion policy from a Defense Center to a managed sensor after you import an SEU does not apply the SEU to the sensor. However, any new rules or features provided by the SEU that are enabled in the policy you apply to the sensor are also enabled on the sensor by that policy.

The Import SEU task allows you to schedule the following subtasks separately or to combine them into one scheduled task:
1. Download the latest SEU.
2. Import the SEU.
3. Re-apply your intrusion policy so that the new SEU takes effect.

The selected subtasks present in the Import SEU task occur in the following order: download, install, rule state update, and policy re-apply. Once one subtask completes, the next configured subtask begins. Note that you can only re-apply policies applied from the appliance where the scheduled task is configured.

VRT sometimes uses an SEU to change the default state of one or more rules in a default policy. If you enable Update when a new SEU is installed for the base policy of an existing policy and the SEU contains changes to the default rule states for existing rules in that base policy, those changes are also imported. Note, however, that if you changed a rule state, the SEU does not override your change. If you allow SEUs to update your base policy, you also allow the SEU to change the default state of a rule in your policy when the default state changes in the default policy you used to create your policy (or in the default policy it is based on). Note, however, that if you have changed the rule state, the SEU will not override your change.

In addition to configuring SEU imports on the Scheduling page, you can also use the recurring SEU import feature on the Import SEU page. Note that you must be using Snort 2.8.2 or higher to import recurring SEUs on the Import SEU page. For more information on the recurring SEU import feature and a comparison of the two methods of setting up recurring imports, see Importing SEUs and Rule Files in the Analyst Guide.

IMPORTANT! SEUs may contain new binaries. Make sure your process for downloading and importing SEUs complies with your security policies. In addition, SEUs can be quite large, so make sure you schedule downloads during periods of low network use.

To schedule an Import SEU task:
Access: Maint/Admin
1. Select Operations > Tools > Scheduling.
   The Scheduling page appears.
2. Click Add Task.
   The Add Task page appears.
3. From the Job Type list, select Import SEU.
   The page reloads to show the options for importing SEUs.

4. To use this task to download the latest SEU, select Download the latest SEU from the support site.
5. To use this task to install the latest downloaded SEU, select Install the latest downloaded SEU.
6. To re-apply intrusion policies after installing an SEU, select Reapply intrusion policies after the SEU import completes.
7. Specify how you want to schedule the task, Once or Recurring.
• For one-time tasks, use the drop-down lists to specify the start date and time.
• For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task on page 426 for details.

TIP! The Current Time field indicates the current time on the appliance.

8. In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.
9. Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.

TIP! The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.

10. Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want status messages sent.

IMPORTANT! You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address on page 338 for more information about configuring a relay host.

11. Click Save. The task is created.

Automating Intrusion Policy Applications

Requires: IPS or DC/MDC + IPS

You can automatically apply intrusion policies at scheduled intervals. This feature is useful if you need to use different policies during different times of the day.

To automate intrusion policy application:

Access: Maint/Admin

1. Select Operations > Tools > Scheduling. The Scheduling page appears.
2. Click Add Task. The Add Task page appears.
3. From the Job Type list, select Apply Policy. The page reloads to show the options for applying an intrusion policy.
4. In the Policy Name field, select the intrusion policy you want to apply from the drop-down list.
5. In the Detection Engine field, select the detection engine where you want to apply the policy, or select Policy Default to apply the policy to each detection engine targeted in the policy.
6. Specify how you want to schedule the task, Once or Recurring.
• For one-time tasks, use the drop-down lists to specify the start date and time.
• For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task on page 426 for details.

TIP! The Current Time field indicates the current time on the appliance.

7. In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.

8. Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.

TIP! The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.

9. Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want status messages sent.

IMPORTANT! You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address on page 338 for more information about configuring a relay host.

10. Click Save. The task is created. You can check the status of a running task on the Task Status page. See Viewing the Status of Long-Running Tasks on page 600 for more information.

Automating Reports

Requires: IPS or DC/MDC

You can automate reports so that they run at regular intervals. However, you must design a profile for your report before you can configure it as a scheduled task. See Creating a Report Profile on page 246 for more information about using the report designer to create a report profile.

To automate a report:

Access: Maint/Admin

1. Select Operations > Tools > Scheduling. The Scheduling page appears.
2. Click Add Task. The Add Task page appears.

3. From the Job Type list, select Reports. The page reloads to show the options for setting up a report to run automatically. The Defense Center version of the page is displayed below.
4. In the Report Profile field, select the report profile that you want to use from the drop-down list.

Requires: DC

5. If you want to run the report on a managed sensor, in the Remote Run field, select the name of the sensor from the drop-down list.

IMPORTANT! You cannot run remote reports on Crossbeam-based software sensors.

6. Specify how you want to schedule the task, Once or Recurring.
• For one-time tasks, use the drop-down lists to specify the start date and time.
• For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task on page 426 for details.

TIP! The Current Time field indicates the current time on the appliance.

7. In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.
8. Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.

TIP! The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.

9. Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want status messages sent.

IMPORTANT! You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address on page 338 for more information about configuring a relay host.

10. Click Save. The task is created.

Automating Nessus Scans

You can schedule regular Nessus scans of targets on your network. Automated scans allow you to test periodically to make sure that operating system updates or other changes do not introduce vulnerabilities on your enterprise-critical systems. You can also schedule scans to test for recurrent vulnerabilities to attacks that have happened in the past.

See the following sections for more information:
• Preparing Your System to Run a Nessus Scan on page 450
• Scheduling a Nessus Scan on page 451

Note that a Policy & Response Administrator can also use a Nessus scan as a remediation. For more information, see Nessus Scan Remediations in the Analyst Guide.

Preparing Your System to Run a Nessus Scan

If you have not used the Nessus scanning capability before, you need to complete several Nessus configuration steps prior to defining a scheduled scan.

1. If you do not have an existing external Nessus server, set up the Nessus server on your Defense Center. For more information on starting the server and configuring and activating a Nessus user, see Configuring a Local Nessus Server on page 641.
2. Create a scan instance to define the Nessus server to be used by your scan. For more information on setting up a Nessus server connection profile, see Creating a Nessus Scan Instance on page 643.

IMPORTANT! Make note of the name of the scan instance you create. You need to select this name when prompted for the Nessus Remediation name when setting up the scheduled scan.

3. Create a scan target to define the target hosts and host ports to scan. For more information on setting up a scan target, see Creating a Nessus Scan Target on page 645.
4. Create a remediation definition to define what plugins and Nessus scan settings should be used when the scheduled scan runs. For more information on setting up a remediation definition, see Creating a Nessus Remediation on page 646.
5. Continue with Scheduling a Nessus Scan.

Scheduling a Nessus Scan

Requires: DC + RNA

You can automate Nessus scanning using a specific scan remediation by scheduling the scan.

To schedule Nessus scanning:

Access: Maint/Admin

1. Select Operations > Tools > Scheduling. The Scheduling page appears.
2. Click Add Task. The Add Task page appears.
3. From the Job Type list, select Nessus Scan. The page reloads to show the options for automating Nessus scans.

4. In the Nessus Remediation field, select the Nessus remediation for the Nessus server where you want to run the scan.
5. In the Nessus Target field, select the scan target that defines the target hosts you want to scan.
6. Specify how you want to schedule the task, Once or Recurring.
• For one-time tasks, use the drop-down lists to specify the start date and time.
• For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task on page 426 for details.

TIP! The Current Time field indicates the current time on the appliance.

7. In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.
8. Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.

TIP! The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.

9. Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want status messages sent.

IMPORTANT! You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address on page 338 for more information about configuring a relay host.

10. Click Save. The task is created.

Synchronizing Nessus Plugins

Requires: DC + RNA

You can automate synchronization with the Nessus server to obtain an up-to-date list of plugins before you scan. You may want to schedule your plugin synchronization to occur shortly before your scheduled Nessus scans to make sure that you scan with the latest list of plugins.

To schedule Nessus plugin synchronization:

Access: Maint/Admin

1. Select Operations > Tools > Scheduling. The Scheduling page appears.
2. Click Add Task. The Add Task page appears.
3. From the Job Type list, select Synchronize Nessus Plugins. The page reloads to show the Nessus plugin synchronization options.
4. In the Nessus Instance field, select the instances with the Nessus plugins that you want to synchronize.
5. Specify how you want to schedule the task, Once or Recurring.
• For one-time tasks, use the drop-down lists to specify the start date and time.
• For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task on page 426 for details.

TIP! The Current Time field indicates the current time on the appliance.

6. In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.
7. Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.

TIP! The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.

8. Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want status messages sent.

IMPORTANT! You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address on page 338 for more information about configuring a relay host.

9. Click Save. The task is created.

Automating Nmap Scans

You can schedule regular Nmap scans of targets on your network. Automated scans allow you to refresh operating system and service information previously supplied by an Nmap scan. Because RNA cannot update Nmap-supplied data, you need to rescan periodically to keep that data up to date. You can also schedule scans to automatically test for unidentified services on hosts in your network.

See the following sections for more information:
• Preparing Your System for an Nmap Scan
• Scheduling an Nmap Scan

Note that a Policy & Response Administrator can also use an Nmap scan as a remediation. For example, when an operating system conflict occurs on a host, that conflict can trigger an Nmap scan. Running the scan obtains updated operating system information for the host, which resolves the conflict. For more information, see Nmap Scan Remediations in the Analyst Guide.

Preparing Your System for an Nmap Scan

If you have not used the Nmap scanning capability before, you must complete several Nmap configuration steps prior to defining a scheduled scan.

1. Create a scan instance to define the Nmap server to be used by your scan. For more information on setting up an Nmap server connection profile, see Creating an Nmap Scan Instance in the Analyst Guide.

IMPORTANT! Make note of the name of the scan instance you create. You need to select this name when prompted for the Nmap Configuration name when setting up the scheduled scan.

2. Create a scan target to define the target hosts and host ports to scan. For more information on setting up a scan target, see Creating an Nmap Scan Target in the Analyst Guide.

3. Create a remediation definition to define what plugins and Nmap scan settings should be used when the scheduled scan runs. For more information on setting up a remediation definition, see Creating an Nmap Remediation in the Analyst Guide.
4. Continue with Scheduling an Nmap Scan.

Scheduling an Nmap Scan

Requires: DC + RNA

You can schedule a scan of a host or hosts on your network using the Nmap utility. Once Nmap replaces a host's operating system or services detected by RNA with the results from an Nmap scan, RNA no longer updates the information replaced by Nmap for the host. Nmap-supplied service and operating system data remains static until you run another Nmap scan. If you plan to scan a host using Nmap, you may want to set up regularly scheduled scans to keep Nmap-supplied operating system and services up to date. If the host is deleted from the network map and re-added, any Nmap scan results are discarded and RNA resumes monitoring of all operating system and service data for the host.

To schedule Nmap scanning:

Access: Maint/Admin

1. Select Operations > Tools > Scheduling. The Scheduling page appears.
2. Click Add Task. The Add Task page appears.
3. From the Job Type list, select Nmap Scan. The page reloads to show the options for automating Nmap scans.

4. In the Nmap Remediation field, select the Nmap remediation to use when running the scan.
5. In the Nmap Target field, select the scan target that defines the target hosts you want to scan.
6. Specify how you want to schedule the task, Once or Recurring.
• For one-time tasks, use the drop-down lists to specify the start date and time.
• For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task on page 426 for details.

TIP! The Current Time field indicates the current time on the appliance.

7. In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.
8. Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.

TIP! The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.

9. Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want status messages sent.

IMPORTANT! You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address on page 338 for more information about configuring a relay host.

10. Click Save. The task is created.

Automating Recommended Rule State Generation

Requires: DC + RNA + IPS

IMPORTANT! If the system automatically generates scheduled recommendations for an intrusion policy with unsaved changes, you must discard your changes in that policy and commit the policy if you want the policy to reflect the automatically generated recommendations. See Committing Intrusion Policy Changes in the Analyst Guide for more information.

You can automatically generate rule state recommendations based on RNA data for your network using the most recently saved configuration settings in your custom intrusion policy. When the task runs, the system automatically generates recommended rule states and, depending on the configuration of your policy, it also modifies the states of intrusion rules based on the criteria described in Managing RNA Rule State Recommendations in the Analyst Guide. Modified rule states take effect the next time you apply your intrusion policy. See Using RNA Recommendations in the Analyst Guide for more information.

To generate recommendations:

Access: Maint/Admin

1. Select Operations > Tools > Scheduling. The Scheduling page appears.
2. Click Add Task. The Add Task page appears.
3. From the Job Type list, select RNA Recommended Rules. The page reloads to show the options for generating RNA-recommended rule states.
4. Optionally, click the policies link in the Job Type field to display the Detection & Prevention page, where you can configure RNA Recommended Rules in a policy. See Managing RNA Rule State Recommendations in the Analyst Guide for more information.

5. Next to Policies, select one or more policies where you want to generate recommendations. You have the following options:
• In the Policies field, select one or more policies. Use the Shift and Ctrl keys to select multiple policies.
• Click the All Policies check box to select all policies.
6. Specify how you want to schedule the task, Once or Recurring.
• For one-time tasks, use the drop-down lists to specify the start date and time.
• For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task on page 426 for details.

TIP! The Current Time field indicates the current time on the appliance.

7. In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.
8. Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.

TIP! The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.

9. Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want status messages sent.

IMPORTANT! You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address on page 338 for more information about configuring a relay host.

10. Click Save. The task is created.

Viewing Tasks

After adding scheduled tasks, you can view them and evaluate their status. The View Options section of the page allows you to view scheduled tasks using a calendar and a list of scheduled tasks.

See the following sections for more information:
• Using the Calendar on page 459
• Using the Task List on page 460

Using the Calendar

Requires: DC/MDC or 3D Sensor

The Calendar view option allows you to view which scheduled tasks occur on which day.

To view scheduled tasks using the calendar:

Access: Maint/Admin

1. Select Operations > Tools > Scheduling. The Scheduling page appears.
2. You can perform the following tasks using the calendar view:
• Click << to move back one year.
• Click < to move back one month.

• Click > to move forward one month.
• Click >> to move forward one year.
• Click Today to return to the current month and year.
• Click Add Task to schedule a new task.
• Click a date to view all scheduled tasks for the specific date in a task list table below the calendar.
• Click a specific task on a date to view the task in a task list table below the calendar.

IMPORTANT! For more information about using the task list, see Using the Task List on page 460.

Using the Task List

Requires: DC/MDC or 3D Sensor

The Task List shows a list of tasks along with their status. The task list appears below the calendar when you open the calendar. In addition, you can access it by selecting a date or task from the calendar. (See Using the Calendar on page 459 for more information.)

Task List Columns

Column        Description
Name          Displays the name of the scheduled task.
Type          Displays the type of scheduled task.
Start Time    Displays the scheduled start date and time.
Frequency     Displays how often the task is run.
Comment       Displays the comment that accompanies the scheduled task.
Status        Describes the current status for a scheduled task.
              • A check mark icon indicates that the task ran successfully.
              • A question mark icon indicates that the task is in an unknown state.
              • A red ! indicates that the task failed.
Creator       Displays the name of the user that created the scheduled task.
Delete        Deletes the scheduled task.

Editing Scheduled Tasks

Requires: DC/MDC or 3D Sensor

You can edit a scheduled task that you previously created. This feature is especially useful if you want to test a scheduled task once to make sure that the parameters are correct. Later, after the task completes successfully, you can change it to a recurring task.

To edit an existing scheduled task:

Access: Maint/Admin

1. Select Operations > Tools > Scheduling. The Scheduling page appears.
2. Click either the task that you want to edit or the day on which the task appears. The Task Details table containing the selected task or tasks appears.
3. Locate the task you want to edit in the table and click Edit. The Edit Task page appears showing the details of the task you selected.
4. Edit the task to meet your needs, including the start time, the job name, and how often the task runs, once or recurring. You cannot change the type of job. The remaining options are determined by the task you are editing. See the following sections for more information:
• Automating Backup Jobs on page 428
• Automating Software Updates on page 430
• Automating Vulnerability Database Updates on page 437
• Automating SEU Imports on page 444
• Automating Intrusion Policy Applications on page 446
• Automating Reports on page 448
• Automating Nessus Scans on page 450
• Synchronizing Nessus Plugins on page 452
• Automating Nmap Scans on page 454
• Automating Recommended Rule State Generation on page 456
5. Click Save to save your edits. Your changes are saved and the Scheduling page appears again.

Deleting Scheduled Tasks

There are two types of deletions you can perform from the Schedule View page. You can delete a specific one-time task that has not yet run or you can delete every instance of a recurring task. If you delete an instance of a recurring task, all instances of the task are deleted. If you delete a task that is scheduled to run once, only that task is deleted.

The following sections describe how to delete tasks:
• To delete all instances of a task, see Deleting a Recurring Task on page 462.
• To delete a single instance of a task, see Deleting a One-Time Task on page 462.

Deleting a Recurring Task

Requires: DC/MDC or 3D Sensor

When you delete one instance of a recurring task, you automatically delete all instances of that task.

To delete a recurring task:

Access: Maint/Admin

1. Select Operations > Tools > Scheduling. The Scheduling page appears.
2. On the calendar, select an instance of the recurring task you want to delete. The page reloads to display a table of tasks below the calendar.
3. Locate an instance of the recurring task you want to delete in the table and click Delete. All instances of the recurring task are deleted.

Deleting a One-Time Task

Requires: DC/MDC or 3D Sensor

You can delete a one-time scheduled task or delete the record of a previously-run scheduled task using the task list.

To delete a single task or, if it has already run, delete a task record:

Access: Maint/Admin

1. Select Operations > Tools > Scheduling. The Scheduling page appears.
2. Click the task that you want to delete or the day on which the task appears. A table containing the selected task or tasks appears.
3. Locate the task you want to delete in the table and click Delete. The instance of the task you selected is deleted.

Monitoring the System Chapter 14

The Sourcefire 3D System provides many useful monitoring features to assist you in the daily administration of your system. For example, on the Host Statistics page you can monitor basic host statistics, intrusion event information, and statistics for the Data Correlator and RNA processes for the current day, all on a single page. You can also monitor both summary and detailed information on all processes that are currently running on the Defense Center or 3D Sensor.

The following sections provide more information about the monitoring features that the system provides:
• Viewing Host Statistics on page 464 describes how to view host information such as:
  • system uptime
  • disk and memory usage
  • RNA process statistics
  • Data Correlator statistics
  • system processes
  • intrusion event information

On the Defense Center, you can also use the health monitor to monitor disk usage and alert on low disk space conditions. For more information, see Understanding Health Monitoring on page 483.

• Monitoring System Status and Disk Space Usage on page 468 describes how to view basic event and disk partition information.
• Viewing System Process Status on page 468 describes how to view basic process status.
• Understanding Running Processes on page 471 describes the basic system processes that run on the appliance.
• Viewing IPS Performance Statistics on page 476 describes how to view IPS performance statistics and how to generate graphs based on these statistics.
• Viewing RNA Performance Statistics on page 478 describes how to view RNA performance statistics and how to generate graphs based on these statistics.

Viewing Host Statistics

Requires: Any

The Statistics page lists the current status of the following:
• general host statistics; see the Host Statistics table on page 464 for details
• Data Correlator statistics (Defense Center only; requires RNA); see the Data Correlator Process Statistics table on page 465 for details
• RNA process statistics (Defense Center only; requires RNA); see the RNA Process Statistics table on page 466 for details
• intrusion event information (requires IPS); see the Intrusion Event Information table on page 467 for details

The Host Statistics table describes the host statistics listed on the Statistics page.

Host Statistics

Category        Description
Time            The current time on the system.
Uptime          The number of days (if applicable), hours, and minutes since the system was last started.
Memory Usage    The percentage of system memory that is being used.
Load Average    The average number of processes in the CPU queue for the past 1 minute, 5 minutes, and 15 minutes.

Host Statistics (Continued)

Category        Description
Disk Usage      The percentage of the disk that is being used. Click the arrow to view more detailed host statistics. See Monitoring System Status and Disk Space Usage on page 468 for more information.
Processes       A summary of the processes running on the system. See Viewing System Process Status on page 468 for more information.

If your Sourcefire 3D System deployment includes a Defense Center managing 3D Sensors with RNA, you can also view statistics about the Data Correlator and RNA processes for the current day. As the 3D Sensors perform data acquisition, decoding, and analysis, the RNA process correlates the data with the fingerprint and vulnerability databases, and then produces binary files that are processed by the Data Correlator running on the Defense Center. The Data Correlator analyzes the information from the binary files, generates events, and creates the RNA network map.

The statistics that appear for RNA and the Data Correlator are averages for the current day, using statistics gathered between 12:00AM and 11:59PM for each detection engine.

The Data Correlator Process Statistics table describes the statistics displayed for the Data Correlator process.

Data Correlator Process Statistics

Category                Description
Events/Sec              Number of RNA events that the Data Correlator receives and processes per second
Flows/Sec               Number of flows that the Data Correlator receives and processes per second
CPU Usage - User (%)    Average percentage of CPU time spent on user processes for the current day
CPU Usage - System (%)  Average percentage of CPU time spent on system processes for the current day
VmSize (KB)             Average size of memory allocated to the Data Correlator for the current day, in kilobytes
VmRSS (KB)              Average amount of memory used by the Data Correlator for the current day, in kilobytes

The RNA Process Statistics table describes the statistics displayed for the RNA process.

RNA Process Statistics
Packets Dropped (%): Average percentage of packets dropped by the RNA process for the current day
Mbits/Second: Average number of megabits per second processed by the RNA process for the current day
Packets/Second: Average number of packets per second processed by the RNA process for the current day
CPU Usage - User (%): Average percentage of CPU time spent by user processes for the current day
CPU Usage - System (%): Average percentage of CPU time spent by system processes for the current day
VmSize (KB): Average size of memory allocated to the RNA process for the current day, in kilobytes
VmRSS (KB): Average amount of memory used by the RNA process for the current day, in kilobytes

On 3D Sensors with IPS and on Defense Centers that manage sensors with IPS, you can also view the time and date of the last intrusion event, the total number of events that have occurred in the past hour and the past day, and the total number in the database.

The information in the Intrusion Event Information section of the Statistics page is based on intrusion events stored on the sensor rather than those sent to the Defense Center. If you manage your sensor so that intrusion events are not stored locally, no intrusion event information is listed on this page. This is also the case for 3D Sensors that cannot store events locally.

The Intrusion Event Information table describes the statistics displayed in the Intrusion Event Information section of the Statistics page.

Intrusion Event Information
Last Alert Was: The date and time that the last event occurred
Total Events Last Hour: The total number of events that occurred in the past hour
Total Events Last Day: The total number of events that occurred in the past twenty-four hours
Total Events in Database: The total number of events in the events database

To view the Statistics page:
Access: Maint/Admin
1. Select Operations > Monitoring > Statistics. The Statistics page appears. The Defense Center version of the page is shown below. [Screenshot not reproduced.]

2. On the Defense Center, you can also list statistics for managed sensors. Select the sensor name from the Select Device(s) box and click Select Devices. You can use the Shift and Ctrl keys to select multiple devices at once. The Statistics page is updated with statistics for the devices that you selected.

Monitoring System Status and Disk Space Usage
Requires: Any

The Disk Usage section of the Statistics page provides a quick synopsis of partition status. You can monitor this page from time to time to ensure that enough disk space is available for system processes and the database.

TIP! On the Defense Center you can also use the health monitor to monitor disk usage and alert on low disk space conditions. For more information, see Understanding Health Monitoring on page 483.

To access disk usage information:
Access: Maint/Admin
1. Select Operations > Monitoring > Statistics. The Statistics page appears.
2. Click the down arrow next to Disk Usage to expand it. The Disk Usage section expands.

On the Defense Center, to view disk usage information for a specific sensor:
Access: Maint/Admin
1. Select the sensor name from the Select Device(s) box and click Select Devices. The page reloads, listing host statistics for each sensor you selected.
2. Click the down arrow next to Disk Usage to expand it. The Disk Usage section expands.

Viewing System Process Status
Requires: Any

The Processes section of the Statistics page allows you to see the processes that are currently running on an appliance. It provides general process information and specific information for each running process. If you are managing sensors with a Defense Center, you can use the Defense Center's web interface to view the process status for any managed sensor.

The Process Status table describes each column that appears in the process list.

Process Status
Pid: The process ID number
Username: The name of the user or group running the process
Pri: The process priority
Nice: The nice value, which indicates the scheduling priority of a process. Values range between -20 (highest priority) and 19 (lowest priority)
Size: The memory size used by the process (in kilobytes, unless the value is followed by m, which indicates megabytes)
Res: The amount of resident memory used by the process (in kilobytes, unless the value is followed by m, which indicates megabytes)
State: The process state:
  • D - process is in uninterruptible sleep (usually Input/Output)
  • N - process has a positive nice value
  • R - process is runnable (on queue to run)
  • S - process is in sleep mode
  • T - process is being traced or stopped
  • W - process is paging
  • X - process is dead
  • Z - process is defunct
  • < - process has a negative nice value
Time: The amount of time (in hours:minutes:seconds) that the process has been running
Cpu: The percentage of CPU that the process is using
Command: The executable name of the process

To expand the process list:
Access: Maint/Admin
1. Select Operations > Monitoring > Statistics. The Statistics page appears.

2. On the Defense Center, select the device or devices you want to view process statistics for and click Select Devices.
3. Click the down arrow next to Processes. The process list expands, listing general process status that includes the number and types of running tasks, the current time, the current system uptime, the system load average, CPU, memory, and swap information, and specific information about each running process.

Cpu(s) lists the following CPU usage information:
• user process usage percentage
• system process usage percentage
• nice usage percentage (CPU usage of processes that have a positive nice value, that is, processes running at lowered priority)
• idle usage percentage

Mem lists the following memory usage information:
• total number of kilobytes in memory
• total number of used kilobytes in memory
• total number of free kilobytes in memory
• total number of buffered kilobytes in memory

Swap lists the following swap usage information:
• total number of kilobytes in swap
• total number of used kilobytes in swap
• total number of free kilobytes in swap
• total number of cached kilobytes (the page cache, which is reported on the Swap line)

Nice values indicate the scheduling priority for system processes and can range between -20 (highest priority) and 19 (lowest priority).

IMPORTANT! For more information about the types of processes that run on the appliance, see Understanding Running Processes on page 471.
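The following Python script is an added example, not part of the Sourcefire guide or the appliance software. It parses rows laid out in the Process Status columns described above (Pid, Username, Pri, Nice, Size, Res, State, Time, Cpu, Command), normalizes Size and Res to kilobytes (honoring the m suffix for megabytes), decodes the State flags, and lists the processes an operator would look at first: defunct or dead processes, processes stuck in uninterruptible sleep, and processes above a CPU threshold. The sample rows, the command arguments and the CPU threshold are constructed for illustration.

```python
"""Parse a Process Status list (Pid, Username, Pri, Nice, Size, Res, State,
Time, Cpu, Command) and flag rows worth a second look.

Added example; not code from the Sourcefire 3D System. SAMPLE_PROCESS_LIST is
constructed to match the documented column layout, not captured from an appliance.
"""
from __future__ import annotations

from dataclasses import dataclass

# State flags exactly as documented for the State column.
STATE_FLAGS = {
    "D": "uninterruptible sleep (usually I/O)",
    "N": "positive nice value",
    "R": "runnable (on queue to run)",
    "S": "sleeping",
    "T": "traced or stopped",
    "W": "paging",
    "X": "dead",
    "Z": "defunct (zombie)",
    "<": "negative nice value",
}

# Constructed sample: header line followed by one row per process.
SAMPLE_PROCESS_LIST = """\
Pid   Username  Pri  Nice  Size   Res    State  Time       Cpu   Command
1234  root      15   0     5120   2048   S      0:00:12    0.0   crond
2345  mysql     15   0     412m   118m   S      1:12:04    0.7   mysqld
3456  root      24   -5    210m   96m    R<     12:33:01   45.3  sfsnort -c snort.conf
4567  www       15   0     0      0      Z      0:00:00    0.0   perl
"""


def parse_size_kb(field: str) -> int:
    """Size and Res are kilobytes unless suffixed with 'm' (megabytes)."""
    if field.endswith("m"):
        return int(field[:-1]) * 1024
    return int(field)


def parse_time_seconds(field: str) -> int:
    """Time is hours:minutes:seconds; return the total in seconds."""
    hours, minutes, seconds = (int(part) for part in field.split(":"))
    return hours * 3600 + minutes * 60 + seconds


@dataclass
class Process:
    pid: int
    username: str
    pri: int
    nice: int
    size_kb: int
    res_kb: int
    state: set[str]
    time_s: int
    cpu_pct: float
    command: str


def parse_process_list(text: str) -> list[Process]:
    """Parse every row after the header; reject rows with unknown state flags."""
    procs = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        # Command may contain spaces, so split into at most 10 fields.
        fields = line.split(None, 9)
        if len(fields) != 10:
            raise ValueError(f"unexpected column count in row: {line!r}")
        pid, user, pri, nice, size, res, state, time, cpu, command = fields
        unknown = set(state) - set(STATE_FLAGS)
        if unknown:
            raise ValueError(f"unknown state flag(s) {sorted(unknown)} in row: {line!r}")
        procs.append(Process(int(pid), user, int(pri), int(nice), parse_size_kb(size),
                             parse_size_kb(res), set(state), parse_time_seconds(time),
                             float(cpu), command))
    return procs


def flag_processes(procs: list[Process], cpu_threshold: float = 40.0) -> dict[int, list[str]]:
    """Return pid -> reasons for rows an operator should look at."""
    flagged: dict[int, list[str]] = {}
    for p in procs:
        reasons = []
        if "Z" in p.state or "X" in p.state:
            reasons.append("defunct or dead process")
        if "D" in p.state:
            reasons.append("stuck in uninterruptible sleep")
        if p.cpu_pct >= cpu_threshold:
            reasons.append(f"CPU {p.cpu_pct}% >= {cpu_threshold}%")
        if reasons:
            flagged[p.pid] = reasons
    return flagged


if __name__ == "__main__":
    for pid, reasons in flag_processes(parse_process_list(SAMPLE_PROCESS_LIST)).items():
        print(pid, "; ".join(reasons))
```

A row that shows a defunct process on every refresh, or a detection process such as sfsnort holding high CPU for a long Time value, is what to carry into the health monitor or a support case; the threshold used here is a placeholder and should be set from the appliance's normal load.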

To collapse the process list:
Access: Maint/Admin
Click the up arrow next to Processes. The process list collapses.

Understanding Running Processes

There are two different types of processes that run on an appliance: daemons and executable files. Daemons always run, and executable files are run when required. See the following sections for more information:
• Understanding System Daemons on page 471
• Understanding Executables and System Utilities on page 473

Understanding System Daemons

Daemons continually run on an appliance. They ensure that services are available and spawn processes when required. The System Daemons table lists daemons that you may see on the Process Status page and provides a brief description of their functionality. This table is not an exhaustive list of all processes that may run on an appliance.

System Daemons
crond: Manages the execution of scheduled commands (cron jobs)
dhclient: Manages dynamic host IP addressing
fpcollect: Manages the collection of client and server fingerprints
httpd: Manages the HTTP (Apache web server) process
httpsd: Manages the HTTPS (Apache web server with SSL) service; runs in the background to provide secure web access to the appliance, and checks for working SSL and valid certificate authentication
keventd: Manages Linux kernel event notification messages
klogd: Manages the interception and logging of Linux kernel messages
kswapd: Manages Linux kernel swap memory

System Daemons (Continued)
kupdated: Manages the Linux kernel update process, which performs disk synchronization
mysqld: Manages Sourcefire 3D System database processes
ntpd: Manages the Network Time Protocol (NTP) process
pm: Manages all Sourcefire processes; starts required processes and restarts any process that fails unexpectedly
reportd: Manages reports
rnareportd: Manages RNA reports
safe_mysqld: Manages safe mode operation of the database; restarts the database daemon if an error occurs and logs runtime information to a file
SFDataCorrelator: Manages data transmission
sfestreamer (Defense Center only): Manages connections to third-party client applications that use the Event Streamer
sfmgr: Provides the RPC service for remotely managing and configuring an appliance using an sftunnel connection to the appliance
sfreactd: Manages Check Point OPSEC integration; only seen if Check Point SAM support is enabled
SFRemediateD (Defense Center only, requires RNA): Manages remediation responses
sftimeserviced (Defense Center only): Forwards time synchronization messages to managed sensors
sfmbservice (requires IPS): Provides access to the sfmb message broker process running on a remote appliance, using an sftunnel connection to the appliance. Currently used only by health monitoring to send health events and alerts from a 3D Sensor to a Defense Center or, in a high availability environment, between Defense Centers
sftroughd: Listens for connections on incoming sockets and then invokes the correct executable (typically the Sourcefire message broker, sfmb) to handle the request

System Daemons (Continued)
sftunnel: Provides the secure communication channel for all processes requiring communication with a remote appliance
sshd: Manages the Secure Shell (SSH) process; runs in the background to provide SSH access to the appliance
syslogd: Manages the system logging (syslog) process

Understanding Executables and System Utilities

There are a number of executables on the system that run when executed by other processes or through user action. The System Executables and Utilities table describes the executables that you may see on the Process Status page.

System Executables and Utilities
awk: Utility that executes programs written in the awk programming language
bash: GNU Bourne-Again SHell
cat: Utility that reads files and writes content to standard output
chown: Utility that changes the user and group ownership of files
chsh: Utility that changes the default login shell
correlator (Defense Center only, requires RNA): Analyzes binary files created by RNA to generate events, flow data, and the network map
cp: Utility that copies files
df: Utility that lists the amount of free space on the appliance
echo: Utility that writes content to standard output
egrep: Utility that searches files and folders for specified input; supports an extended set of regular expressions not supported in standard grep

System Executables and Utilities (Continued)
find: Utility that recursively searches directories for specified input
grep: Utility that searches files and directories for specified input
halt: Utility that stops the appliance
httpsdctl: Handles secure Apache Web processes
hwclock: Utility that allows access to the hardware clock
ifconfig: Indicates the network configuration executable; ensures that the MAC address stays constant
iptables: Handles access restriction based on changes made to the Access Configuration page. See Configuring the Access List for Your Appliance on page 325 for more information about access configuration.
iptables-restore: Handles iptables file restoration
iptables-save: Handles saved changes to the iptables
kill: Utility that can be used to end a process
killall: Utility that can be used to end all processes with a given name
ksh: Public domain version of the Korn shell
logger: Utility that provides a way to access the syslog daemon from the command line
md5sum: Utility that prints MD5 checksums for specified files
mv: Utility that moves (renames) files
myisamchk: Indicates database table checking and repairing
mysql: Indicates a database process; multiple instances may appear
openssl: Indicates authentication certificate creation
perl: Indicates a perl process

System Executables and Utilities (Continued)
ps: Utility that writes process information to standard output
RNA (requires RNA): Captures packets, decodes them and performs session reassembly, correlating acquired data with the RNA fingerprint database, then generates binary files that the Data Correlator processes to generate the network map and to populate the database with events and flow data
sed: Utility used to edit one or more text files
sfheartbeat: Identifies a heartbeat broadcast, indicating that the appliance is active; the heartbeat is used to maintain contact between a sensor and Defense Center
sfmb: Indicates a message broker process; handles communication between Defense Centers and sensors
sfsnort (requires IPS): Indicates that Snort is running
sh: The Bourne (POSIX) shell
shutdown: Utility that shuts down the appliance
sleep: Utility that suspends a process for a specified number of seconds
smtpclient: Mail client that handles email transmission when email event notification functionality is enabled
snmptrap: Forwards SNMP trap data to the SNMP trap server specified when SNMP notification functionality is enabled
ssh: Indicates a Secure Shell (SSH) connection to the appliance
sudo: Indicates a sudo process, which allows users other than root to run executables
top: Utility that displays information about the top CPU processes
touch: Utility that can be used to change the access and modification times of specified files

System Executables and Utilities (Continued)
vim: Utility used to edit text files
wc: Utility that performs line, word, and byte counts on specified files

Viewing IPS Performance Statistics
Requires: IPS or DC/MDC + IPS

The IPS performance statistics page allows you to generate graphs that depict performance statistics for IPS over a specific period of time. Graphs can be generated to reflect the number of intrusion events per second, the number of megabits per second, the average number of bytes per packet, and the percent of packets uninspected by Snort. These graphs can show statistics for the last hour, last day, last week, or last month of operation. IPS performance statistics refer only to the data stored locally on the 3D Sensor.

IMPORTANT! Because of the way traffic is processed on 3Dx800 sensors, performance statistics for those sensors are underreported.

See the following sections for more information:
• Generating IPS Performance Statistics Graphs on page 476
• Saving IPS Performance Statistics Graphs on page 478

Generating IPS Performance Statistics Graphs
Requires: IPS or DC/MDC + IPS

You can generate graphs that depict performance statistics for a Defense Center or a 3D Sensor with IPS based on the number of events per second, megabits per second, or average bytes per packet.

To view the IPS performance statistics:
Access: Maint/Admin
Select Operations > Monitoring > Performance > IPS. The IPS page appears. The Defense Center version of the page is shown below. [Screenshot not reproduced.]

2. Therefore. To generate IPS performance statistics graphs: Access: Maint/Admin 1. The graph only represents the total % drop when there is a single detection resource assigned to a selected detection engine.1 Sourcefire 3D System Administrator Guide 477 . The Defense Center version of the page is shown below.9. 3. select the type of graph you want to create. the data may not change until the next five-minute increment occurs. select the detection engines whose data you want to view. then an average of 50% may indicate that one segment has a 90% drop rate and the other has a 10% drop rate. Version 4. The IPS page appears. Select Operations > Monitoring > Performance > IPS. From the Select Device list. From the Select Graph(s) list.Monitoring the System Viewing IPS Performance Statistics Chapter 14 New data is accumulated for statistics graphs every five minutes. The IPS Performance Statistics Graph Types table lists the available graph types. if you reload a graph quickly. It may also indicate that both segments have a drop rate of 50%. If you assign two detection resources to a detection engine that has two interface sets and each interface set is connected to a different network segment. IPS Performance Statistics Graph Types Graph Type Events/Sec Mbits/Sec Avg Bytes/Packet Percent Packets Dropped Output Displays a graph that represents the number of events that are generated on the sensor per second Displays a graph that represents the number of megabits of traffic that pass through the sensor per second Displays a graph that represents the average number of bytes included in each packet This graph depicts the average percentage of uninspected packets across all detection resources (instances of Snort) assigned to the selected detection engine.

4. From the Select Time Range list, select the time range you would like to use for the graph. You can choose from last hour, last day, last week, or last month.
5. Click Graph. The graph appears, displaying the information you specified.

Saving IPS Performance Statistics Graphs
Requires: IPS or DC/MDC + IPS

After you have generated an IPS performance statistics graph, you can save the graph as a graphic file for later use.

To save the graph:
Access: Maint/Admin
Right-click on the graph and follow the instructions for your browser to save the image.

Viewing RNA Performance Statistics
Requires: DC + RNA

The RNA Performance page allows you to generate graphs that display RNA-related performance statistics over a specific period of time. Graphs can be generated to display:
• the number of events generated by the Data Correlator per second
• the number of megabits analyzed by the RNA process per second
• the average number of bytes included in each packet analyzed by the RNA process
• the percentage of packets dropped by RNA

• the number of packets, in thousands, analyzed by the RNA process per second
• the number of established connections analyzed by the RNA process per second

These graphs can show statistics for the last hour, last day, last week, or last month of operation.

See the following sections for more information:
• Generating RNA Performance Statistics Graphs on page 479
• Saving RNA Performance Statistics Graphs on page 481

Generating RNA Performance Statistics Graphs
Requires: DC + RNA

You can generate graphs that display performance statistics for managed 3D Sensors with RNA.

To access the RNA Performance page:
Access: Maint/Admin
Select Operations > Monitoring > Performance > RNA. The RNA page appears.

New data is accumulated for statistics graphs every five minutes. Therefore, if you reload a graph quickly, the data may not change until the next five-minute increment occurs.

The RNA Performance Statistics Graph Types table lists the available graph types.

RNA Performance Statistics Graph Types
Processed Events/Sec: Displays a graph that represents the number of events that the Data Correlator processes per second
Processed Flows/Sec: Displays a graph that represents the number of flows that the Data Correlator processes per second
Generated Events/Sec: Displays a graph that represents the number of events that RNA generates per second

RNA Performance Statistics Graph Types (Continued)
Mbits/Sec: Displays a graph that represents the number of megabits of traffic that are analyzed by the RNA process per second
Avg Bytes/Packet: Displays a graph that represents the average number of bytes included in each packet analyzed by the RNA process
Percent Packets Dropped: Displays a graph that represents the percentage of packets dropped by RNA
K Packets/Sec: Displays a graph that represents the number of packets analyzed by the RNA process per second, in thousands
Syn/Ack/Sec: Displays a graph that represents the number of established connections observed by the RNA process per second

To generate RNA performance statistics graphs:
Access: Maint/Admin
1. Select Operations > Monitoring > Performance > RNA. The RNA page appears.
2. From the Select Target list, select the Defense Center, the managed 3D Sensors, or the detection engines that you want to include. Depending on whether you select a detection engine or a sensor, the Select Graph(s) list adjusts to display the available graphs.
3. From the Select Graph(s) list, select the type of graph you want to create.
   TIP! You can select multiple graphs by holding down the Ctrl or Shift keys while clicking on the graph type.
4. From the Select Time Range list, select the time range you would like to use for the graph. You can choose from last hour, last day, last week, or last month.

5. Click Graph. The graph appears, displaying the information you specified. If you selected multiple graphs, each graph appears on the page.

Saving RNA Performance Statistics Graphs
Requires: DC + RNA

After you have generated an RNA performance statistics graph, you can save the graph as a graphic file for later use.

To save the graph:
Access: Maint/Admin
1. Create an RNA performance statistics graph as described in Generating RNA Performance Statistics Graphs on page 479.
2. Right-click on the graph and follow the instructions for your browser to save the image.

The tests. Optionally.Using Health Monitoring Chapter 15 Administrator Guide The health monitor provides numerous tests for determining the health of an appliance from the Defense Center. See the following sections for more information: • • Understanding Health Monitoring on page 483 Configuring Health Policies on page 489 Version 4. You can create one health policy for every appliance in your system. or use one of the default health policies. are scripts that test for criteria you specify.9. and you can delete health policies that you no longer need. The tests in a health policy run automatically at the interval you configure. You can also suppress messages from selected appliances by blacklisting them. SNMP or syslog alerting in response to health events. .1 Sourcefire 3D System Administrator Guide 482 . You can also generate troubleshooting files for an appliance if you are asked to do so by Support. Fully customizable event views allow you to quickly and easily analyze the health status events gathered by the health monitor. You can also run all tests or a specific test on demand. You can modify a health policy by enabling or disabling tests or by changing test settings. referred to as a health policy. At the Defense Center. These event views allow you to search and view event data and to access other information that may be related to the events you are investigating. The health monitor collects health events based on the test conditions configured. customize a health policy for the specific appliance where you plan to apply it. referred to as health modules. and apply the health policy to one or more appliances. You can use the health monitor to create a collection of tests. you can view health status information for the entire system or for a particular appliance. you can also configure email. You can also import a health policy exported from another Defense Center.

• Using the Health Monitor Blacklist on page 534
• Configuring Health Monitor Alerts on page 539

Understanding Health Monitoring

You can use the health monitor to check the status of critical functionality across your Sourcefire 3D System deployment. Monitor the health of your entire Sourcefire 3D System through the Defense Center by applying health policies to each of the managed appliances and collecting the resulting health data at the Defense Center.

You can use the health monitor to access health status information for the entire system or for a particular appliance. Pie charts and status tables on the Health Monitor page visually represent the health status for monitored appliances, so you can check status at a glance, then drill down into status details if needed. The Health Monitor page provides a visual summary of the status of all appliances on your system. Individual appliance health monitors let you drill down into health details for a specific appliance.

From an individual appliance's health monitor, you can open a table view of occurrences of a specific event, or you can retrieve all the health events for that appliance. You can also view health events in the standard Sourcefire 3D System table view. You can also search for specific health events. For example, if you want to see all the occurrences of CPU usage with a certain percentage, you can search for the CPU usage module and enter the percentage value.

You can also configure email, SNMP or syslog alerting in response to health events. A health alert is an association between a standard alert and a health status level. For example, if you need to make sure an appliance never fails due to hardware overload, you can set up an email alert. You can then create a health alert that triggers that email alert whenever CPU, disk, or memory usage reaches the Warning level you configure in the health policy applied to that appliance. You can set alerting thresholds to minimize the number of repeating alerts you receive.

Because health monitoring is an administrative activity, only users with Admin access privileges can access system health data. For more information on assigning user privileges, see Modifying User Privileges and Options on page 306.

The health monitor tracks a variety of health indicators to ensure that your Sourcefire 3D System hardware and software are working correctly.

IMPORTANT! Except for the Defense Center, Sourcefire 3D System appliances do not have health monitoring policies applied to them by default. If you want to monitor the health of a managed appliance, you have to apply a health policy to that appliance.

When you create health policies, you choose which tests to run to determine appliance health. For example, to monitor the health of a 3D Sensor with IPS, you can create a policy that monitors just the intrusion event rate and the IPS process, or you can apply the default policy, which also monitors CPU, disk, and memory usage. You can also apply one of the five default health policies to each appliance.

For more information on available default health policies you can apply to an appliance, see Predefined Health Policies on page 490. For more information on creating customized health policies, see Creating Health Policies on page 497. For details on applying policies, see Applying Health Policies on page 528.

For more information on health policies and the health modules you can run to test system health, see the following topics:
• Understanding Health Policies on page 484
• Understanding Health Modules on page 485
• Understanding Health Monitoring Configuration on page 489

Understanding Health Policies

A health policy is a collection of health module settings you apply to an appliance to define the criteria that the Defense Center uses when checking the health of the appliance.

Understanding Health Modules

Health modules, also sometimes referred to as health tests, are scripts that test for the criteria you specify in a health policy. The available health modules are described in the Health Modules table.

Health Modules
Appliance Heartbeat: This module determines if an appliance heartbeat is being heard from the sensor and alerts based on the sensor heartbeat status.
Automatic Application Bypass Status: This module determines if a detection engine has been bypassed because it did not respond within the number of seconds set in the bypass threshold, and alerts when a bypass occurs.
CPU Temperature: This module determines if the CPU on the sensor is overheated and alerts when the temperature exceeds the temperatures configured for the module. This module only runs on 3Dx800 sensors.
CPU Usage: This module checks that the CPU on the appliance is not overloaded and alerts when CPU usage exceeds the percentages configured for the module.
Card Reset: This module checks for network cards which have restarted due to hardware failure and alerts when a reset occurs.
Data Correlator Process: This module determines if the Data Correlator process (SFDataCorrelator) is restarting too often, which may indicate a problem with the process, and alerts when the number of restarts exceeds limits configured for the module. The module checks if any restarts occurred during the period between tests. If any restarts occur, it increments the restart counter by one. The restart counter does not count actual restarts. Even if multiple restarts occur between tests, the module only increments the restart counter by one each time it checks. At that point, the module sets status according to the restart counter value and the configured limits for the module. The first time the module checks and no restarts have occurred since the last test, the module adds one to the restart count. The alert level also lowers by one level (for example, Critical is reduced to Warning or Warning is reduced to Normal). The second time the module checks and no restarts have occurred since the last test, the module resets the counter to zero, and the alert level resets to Normal. If the module finds that the process is not running at all, the module sets the module status to Critical for that test, regardless of the limits set for the module. The status remains Critical until the module finds that the process is running. For more information on system daemons such as SFDataCorrelator, see Understanding System Daemons on page 471.

Defense Center Status: This module ensures that there are heartbeats from connected Defense Centers and alerts based on the Defense Center status. This module only runs on Master Defense Centers.

Disk Usage: This module compares disk usage on the appliance to the limits configured for the module and alerts when usage exceeds the percentages configured for the module.

eStreamer Process: This module determines if the eStreamer process is restarting too often, which may indicate a problem with the process, and alerts when the number of restarts exceeds limits configured for the module. This module only runs on Defense Centers. The restart counter does not count actual restarts. The module checks if any restarts occurred during the period between tests. Even if multiple restarts occur between tests, the module only increments the restart counter by one each time it checks. If any restarts occur, the module adds one to the restart count. The first time the module checks and no restarts have occurred since the last test, the module resets the counter to zero. The alert level also lowers by one level (for example, Critical is reduced to Warning or Warning is reduced to Normal). The second time the module checks and no restarts have occurred since the last test, the alert level resets to Normal. If the module finds that the process is not running at all, it increments the restart counter by one, but sets the module status to Critical for that test, regardless of the limits set for the module. The status remains Critical until the module finds that the process is running. At that point, the module sets status according to the restart counter value and the configured limits for the module.

Event Stream Status: This module compares the number of events per second to the limits configured for this module and alerts if the limits are exceeded. If the Event Stream is zero, the eStreamer process may be down or the Defense Center may not be sending events. This module only runs on Master Defense Centers.

Fan Alarm: This module determines if fans need to be replaced on the sensor and alerts based on the fan status. This module only runs on 3Dx800 sensors.

Hardware Alarms: This module determines if hardware needs to be replaced on a 3Dx800 or 3D9900 sensor and alerts based on the hardware status. This module only runs on 3Dx800 sensors and 3D9900 sensors. On the 3D9900, the module also reports on the status of hardware-related daemons. For more information on the details reported for 3D9900 sensors, see Interpreting Hardware Alert Details for 3D9900 Sensors on page 560.


Health Monitor Process: This module monitors the status of the health monitor itself and alerts if the number of minutes since the last health event received by the Defense Center exceeds the Warning or Critical limits. This module only runs on Defense Centers.

IPS Event Rate: This module compares the number of intrusion events per second to the limits configured for this module and alerts if the limits are exceeded. If the IPS Event Rate is zero, the IPS process may be down or the 3D Sensor may not be sending events. Select Analysis & Reporting > Event Summary > Intrusion Event Statistics to check if events are being received from the sensor.

IPS Process: This module determines if the IPS process (snort) has been restarting too often, which may indicate a problem with the process, and alerts when the number of restarts exceeds the limits configured for the module. The IPS process (also known as snort) is the packet decoder on a 3D Sensor that is licensed for the IPS component. If the IPS process is down or has been restarting, the IPS Event Rate results may be inaccurate. The restart counter does not indicate the number of restarts. Instead, the module checks if any restarts occurred during the period between tests. Even if multiple restarts occur between tests, the module only increments the restart counter by one each time it checks. If any restarts occur, the module adds one to the restart count. The first time the module checks and no restarts have occurred since the last test, the module resets the counter to zero. The alert level also lowers by one level (for example, Critical is reduced to Warning or Warning is reduced to Normal). The second time the module checks and no restarts have occurred since the last test, the alert level resets to Normal. If the module finds that the process is not running at all, it increments the restart counter by one, but sets the module status to Critical for that test, regardless of the limits set for the module. The status remains Critical until the module finds that the process is running. At that point, the module sets status according to the restart counter value and the configured limits for the module.

Link State Propagation: This module determines when a link in a paired inline interface set fails and triggers the link state propagation mode.

MDC Event Service: This module monitors the health of the internal eStreamer process used to transmit events to the Master Defense Center from the Defense Center.

Memory Usage: This module compares memory usage on the appliance to the limits configured for the module and alerts when usage exceeds the levels configured for the module.

PEP Status: This module monitors the application of PEP rules to interface sets on a 3D9900. If PEP rules cannot be applied to interfaces in an interface set, the module generates an alert.


Power Supply: This module determines if power supplies on the sensor require replacement and alerts based on the power supply status. This module only runs on the Series 2 DC3000, MDC3000, 3Dx800, 3D9900, 3D3500, 3D4500, and 3D6500 appliances.

RNA Event Status: This module indicates whether a specified period of time has passed since any RNA events have been detected by a sensor.

RNA Host License Limit: This module determines if sufficient RNA host licenses remain and alerts based on the warning level configured for the module.

RNA Process: This module determines if the RNA process (rna) is restarting too often, which may indicate a problem with the process, and alerts based on the number of restarts configured for the module. The restart counter does not count actual restarts. The module checks if any restarts occurred during the period between tests. Even if multiple restarts occur between tests, the module only increments the restart counter by one each time it checks. If any restarts occur, the module adds one to the restart count. The first time the module checks and no restarts have occurred since the last test, the module resets the counter to zero. The alert level also lowers by one level (for example, Critical is reduced to Warning or Warning is reduced to Normal). The second time the module checks and no restarts have occurred since the last test, the alert level resets to Normal. If the module finds that the process is not running at all, it increments the restart counter by one, but sets the module status to Critical for that test, regardless of the limits set for the module. The status remains Critical until the module finds that the process is running. At that point, the module sets status according to the restart counter value and the configured limits for the module.

Time Synchronization Status: This module tracks the synchronization of a sensor clock that obtains time using NTP with the clock on the NTP server and alerts if the difference in the clocks is more than ten seconds.

Traffic Status: This module determines if the sensor currently collects traffic and alerts based on the traffic status.


Understanding Health Monitoring Configuration
There are several steps to setting up health monitoring on your Sourcefire 3D System, as indicated in the following procedure:

1. Create health policies for your appliances. You can set up specific policies for each kind of appliance you have in your Sourcefire 3D System, enabling only the appropriate tests for that appliance.

TIP! If you want to quickly enable health monitoring without customizing the monitoring behavior, you can apply one of the default policies provided for that purpose. For more information on setting up health policies, see Configuring Health Policies on page 489.

2. Apply a health policy to each appliance where you want to track health status. For information on the default health policies available for immediate application, see Predefined Health Policies on page 490.

3. Optionally, configure health monitor alerts. You can set up email, syslog, or SNMP alerts that trigger when the health status level reaches a particular severity level for specific health modules. For more information on setting up health monitor alerts, see Configuring Health Monitor Alerts on page 539.

After you set up health monitoring on your system, you can view the health status at any time on the Health Monitor page or the Health Table Events View. For more information about viewing system health data, see the following topics:
• Using the Health Monitor on page 545
• Using Appliance Health Monitors on page 547
• Working with Health Events on page 555

Configuring Health Policies
A health policy contains configured health test criteria for several modules. You can control which health modules run against each of your appliances and configure the specific limits used in the tests run by each module. For more information on the health modules you can configure in a health policy, see Understanding Health Monitoring on page 483. You can create one health policy that can be applied to every appliance in your system, customize each health policy to the specific appliance where you plan to apply it, or use the default health policies provided for you. You can also import a health policy exported from another Defense Center.


When you configure a health policy, you decide whether to enable each health module for that policy. You also select the criteria that control which health status each enabled module reports each time it assesses the health of a process. For more information on the default health policy, which is applied to the Defense Center and Master Defense Center automatically, see Default Health Policy on page 493.

For more information, see the following topics:
• Predefined Health Policies on page 490
• Creating Health Policies on page 497
• Applying Health Policies on page 528
• Editing Health Policies on page 530
• Deleting Health Policies on page 533

Predefined Health Policies
The Defense Center health monitor includes several default health policies to make it easier for you to quickly implement health monitoring for your appliances. The Default Health Policy is automatically applied to the Defense Center. To also monitor sensor health, you can push health policies to 3D Sensors.

IMPORTANT! You cannot apply a health policy to RNA Software for Red Hat Linux or Crossbeam-based software sensors.

For more information, see the following topics:
• Default 3D Sensor Health Policy on page 491
• Default 3Dx800 Health Policy on page 491
• Suggested 3D9900 Health Policy on page 492
• Default Health Policy on page 493
• Default Intrusion Sensor Health Policy on page 495
• Default IPS (3Dx800 only) Health Policy on page 495
• Default RNA Sensor Health Policy on page 496


Default 3D Sensor Health Policy
Use the Default 3D Sensor Health Policy to monitor health on any 3D Sensor. Enabled health modules for this policy are listed in the Enabled Health Modules: 3D Sensor Health Policy table.

Enabled Health Modules: 3D Sensor Health Policy
Automatic Application Bypass Status: see Configuring Automatic Application Bypass Monitoring on page 502
Data Correlator Process: see Configuring Data Correlator Process Monitoring on page 506
Disk Usage: see Configuring Disk Usage Monitoring on page 508
IPS Event Rate: see Configuring IPS Event Rate Monitoring on page 515
IPS Process: see Configuring IPS Process Monitoring on page 516
Link State Propagation: see Configuring Link State Propagation Monitoring on page 518
Memory Usage: see Configuring Memory Usage Monitoring on page 520
Power Supply: see Configuring Power Supply Monitoring on page 522
RNA Process: see Configuring RNA Process Monitoring on page 525
Traffic Status: see Configuring Traffic Status Monitoring on page 527

Default 3Dx800 Health Policy
Use the Default 3Dx800 Health Policy to monitor health on 3Dx800 sensors. Enabled health modules for this policy are listed in the Enabled Health Modules: Default 3Dx800 Health Policy table. Note that the Hardware Alarm module should be used instead of the Power Supply module to monitor power supply health on the 3Dx800 sensor models.

Enabled Health Modules: Default 3Dx800 Health Policy
Automatic Application Bypass Status: see Configuring Automatic Application Bypass Monitoring on page 502
CPU Temperature: see Configuring CPU Temperature Monitoring on page 503
Disk Usage: see Configuring Disk Usage Monitoring on page 508
Fan Alarm: see Configuring Fan Monitoring on page 512
Hardware Alarms: see Configuring Hardware Monitoring on page 513
IPS Event Rate: see Configuring IPS Event Rate Monitoring on page 515
IPS Process: see Configuring IPS Process Monitoring on page 516
Memory Usage: see Configuring Memory Usage Monitoring on page 520
RNA Process: see Configuring RNA Process Monitoring on page 525
Traffic Status: see Configuring Traffic Status Monitoring on page 527

Suggested 3D9900 Health Policy
The Defense Center interface does not include a default health policy specifically for 3D9900 sensors. Sourcefire recommends that you start with the default 3D Sensor policy and enable the Hardware Alarms module. If the sensor will be running RNA, enable the RNA Process module as well. Health modules that should be enabled when creating a policy for this type of sensor are listed in the Suggested Health Modules: 3D9900 Health Policy table. Note that the CPU Usage module cannot be enabled when monitoring 3D9900 sensor models. CPU usage for a 3D9900 may reach 100% during normal sensor operation, so the data provided by the module would generate misleading events.

Suggested Health Modules: 3D9900 Health Policy
Data Correlator Process: see Configuring Data Correlator Process Monitoring on page 506
Disk Usage: see Configuring Disk Usage Monitoring on page 508
Hardware Alarms: see Configuring Hardware Monitoring on page 513
IPS Event Rate: see Configuring IPS Event Rate Monitoring on page 515
IPS Process: see Configuring IPS Process Monitoring on page 516
Link State Propagation: see Configuring Link State Propagation Monitoring on page 518
Memory Usage: see Configuring Memory Usage Monitoring on page 520
PEP Status: see Configuring PEP Status Monitoring on page 521
Power Supply: see Configuring Power Supply Monitoring on page 522
RNA Process: see Configuring RNA Process Monitoring on page 525
Traffic Status: see Configuring Traffic Status Monitoring on page 527

Default Health Policy
Use the Default Health Policy to monitor health on a Defense Center. Enabled health modules for this policy are listed in the Enabled Defense Center Health Modules - Default Health Policy table.

Enabled Defense Center Health Modules - Default Health Policy
Automatic Application Bypass Status: see Configuring Automatic Application Bypass Monitoring on page 502
Appliance Heartbeat: see Configuring Appliance Heartbeat Monitoring on page 501
Data Correlator Process: see Configuring Data Correlator Process Monitoring on page 506
Disk Usage: see Configuring Disk Usage Monitoring on page 508
Link State Propagation: see Configuring Link State Propagation Monitoring on page 518
Memory Usage: see Configuring Memory Usage Monitoring on page 520
Time Synchronization Status: see Configuring Time Synchronization Monitoring on page 526
Power Supply: see Configuring Power Supply Monitoring on page 522
RNA Host License Limit: see Configuring RNA Host Usage Monitoring on page 524

Use the Default Health Policy to monitor health on a Master Defense Center. Enabled health modules for this policy are listed in the Enabled MDC Health Modules - Default Health Policy table.

Enabled MDC Health Modules - Default Health Policy
Data Correlator Process: see Configuring Data Correlator Process Monitoring on page 506
Defense Center Status: see Configuring Defense Center Status on page 507
Disk Usage: see Configuring Disk Usage Monitoring on page 508
eStreamer Process: see Configuring eStreamer Process Monitoring on page 509
Event Stream: see Configuring Event Stream Monitoring on page 511
Memory Usage: see Configuring Memory Usage Monitoring on page 520
RNA Host License Limit: see Configuring RNA Host Usage Monitoring on page 524


Default Intrusion Sensor Health Policy
Use the Default IPS Health Policy to monitor health on legacy Intrusion Sensors that you have not upgraded to Version 4.9.1. Enabled health modules for this policy are listed in the Enabled Health Modules: Default Intrusion Sensor Health Policy table.

Enabled Health Modules: Default Intrusion Sensor Health Policy
Automatic Application Bypass Status: see Configuring Automatic Application Bypass Monitoring on page 502
Data Correlator Process: see Configuring Data Correlator Process Monitoring on page 506
Disk Usage: see Configuring Disk Usage Monitoring on page 508
Health Monitor Process: see Configuring Health Status Monitoring on page 514
IPS Event Rate: see Configuring IPS Event Rate Monitoring on page 515
IPS Process: see Configuring IPS Process Monitoring on page 516
Link State Propagation: see Configuring Link State Propagation Monitoring on page 518
Memory Usage: see Configuring Memory Usage Monitoring on page 520
Power Supply: see Configuring Power Supply Monitoring on page 522
Traffic Status: see Configuring Traffic Status Monitoring on page 527

Default IPS (3Dx800 only) Health Policy
Use the Default IPS (3Dx800 only) Health Policy to monitor IPS health on 3Dx800 sensors. Enabled health modules for this policy are listed in the Enabled Health Modules: Default IPS (3Dx800 only) Health Policy table. Note that the Hardware Alarm module should be used instead of the Power Supply module to monitor power supply health on the 3Dx800 sensor models.

Enabled Health Modules: Default IPS (3Dx800 only) Health Policy
Automatic Application Bypass Status: see Configuring Automatic Application Bypass Monitoring on page 502
CPU Temperature: see Configuring CPU Temperature Monitoring on page 503
Data Correlator Process: see Configuring Data Correlator Process Monitoring on page 506
Disk Usage: see Configuring Disk Usage Monitoring on page 508
Fan Alarm: see Configuring Fan Monitoring on page 512
Hardware Alarms: see Configuring Hardware Monitoring on page 513
IPS Event Rate: see Configuring IPS Event Rate Monitoring on page 515
IPS Process: see Configuring IPS Process Monitoring on page 516
Memory Usage: see Configuring Memory Usage Monitoring on page 520
Traffic Status: see Configuring Traffic Status Monitoring on page 527

Default RNA Sensor Health Policy
Use the Default RNA Sensor Health Policy to monitor health on legacy RNA Sensors that you have not upgraded to Version 4.9.1. Enabled health modules for this policy are listed in the Enabled Health Modules: Default RNA Sensor Health Policy table.

Enabled Health Modules: Default RNA Sensor Health Policy
Automatic Application Bypass Status: see Configuring Automatic Application Bypass Monitoring on page 502
Data Correlator Process: see Configuring Data Correlator Process Monitoring on page 506
Disk Usage: see Configuring Disk Usage Monitoring on page 508
Link State Propagation: see Configuring Link State Propagation Monitoring on page 518
Memory Usage: see Configuring Memory Usage Monitoring on page 520
Power Supply: see Configuring Power Supply Monitoring on page 522
RNA Host License Limit: see Configuring RNA Host Usage Monitoring on page 524
RNA Process: see Configuring RNA Process Monitoring on page 525
Traffic Status: see Configuring Traffic Status Monitoring on page 527

Creating Health Policies
Requires: DC/MDC
If you want to customize a health policy to use with your appliances, you can create a new policy. The settings in the policy initially populate with the settings from the health policy you select as a basis for the new policy. You can enable or disable modules within the policy and change the alerting criteria for each module as needed.

TIP! Instead of creating a new policy, you can export a health policy from another Defense Center and then import it onto your Defense Center. You can then edit the imported policy to suit your needs before you apply it. For more information, see Importing and Exporting Objects on page 583.

To create a health policy:
Access: Maint/Admin
1. Select Operations > Monitoring > Health. The Health Monitor page appears.


2. On the toolbar, click Health Policy. The Health Policy page appears.

3. Click Create Policy to create a new policy. The Create Health Policy page appears.

4. Select the existing policy that you want to use as the basis for the new policy from the Copy Policy drop-down list.

5. Enter a name for the policy.

6. Enter a description for the policy.


7. Select Save to save the policy information. The Health Policy Configuration page appears, including a list of the modules.

8. Configure settings on each module you want to use to test the health status of your appliances, as described in the following sections:
• Configuring Policy Run Time Intervals on page 500
• Configuring Appliance Heartbeat Monitoring on page 501
• Configuring Automatic Application Bypass Monitoring on page 502
• Configuring CPU Temperature Monitoring on page 503
• Configuring CPU Usage Monitoring on page 504
• Configuring Card Reset Monitoring on page 505
• Configuring Data Correlator Process Monitoring on page 506
• Configuring Defense Center Status on page 507
• Configuring Disk Usage Monitoring on page 508
• Configuring eStreamer Process Monitoring on page 509
• Configuring Event Stream Monitoring on page 511
• Configuring Fan Monitoring on page 512

• Configuring Hardware Monitoring on page 513
• Configuring Health Status Monitoring on page 514
• Configuring IPS Event Rate Monitoring on page 515
• Configuring IPS Process Monitoring on page 516
• Configuring Link State Propagation Monitoring on page 518
• Configuring MDC Event Service Monitoring on page 519
• Configuring Memory Usage Monitoring on page 520
• Configuring PEP Status Monitoring on page 521
• Configuring Power Supply Monitoring on page 522
• Configuring RNA Event Status Monitoring on page 523
• Configuring RNA Host Usage Monitoring on page 524
• Configuring RNA Process Monitoring on page 525
• Configuring Time Synchronization Monitoring on page 526
• Configuring Traffic Status Monitoring on page 527

IMPORTANT! Make sure you enable each module that you want to run to test the health status on each Health Policy Configuration page as you configure the settings. Disabled modules do not produce health status feedback, even if the policy that contains the module has been applied to an appliance.

9. Click Save to save the policy. You must apply the policy to each appliance for it to take effect. For more information on applying health policies, see Applying Health Policies on page 528.

Configuring Policy Run Time Intervals
Requires: DC/MDC
You can control how often health tests run by modifying the Policy Run Time Interval for the health policy. The maximum run time interval you can set is 99999 minutes.

WARNING! Do not set a run interval of less than five minutes.

To configure a policy run time interval:
Access: Maint/Admin
1. On the Health Policy Configuration page, select Policy Run Time Interval. The Health Policy Configuration - Policy Run Time Interval page appears.

2. In the Run Interval (mins) field, enter the time in minutes that you want to elapse between automatic repetitions of the test.

3. You have three options:
• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings for this module, click Cancel.
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate appliances if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring Appliance Heartbeat Monitoring
Requires: DC
Supported Platforms: Defense Center
The Defense Center receives heartbeats from its managed appliances once every two minutes or every 200 events, whichever comes first, as an indicator that the appliance is running and communicating properly with the Defense Center. Use the Appliance Heartbeat health status module to track whether the Defense Center receives heartbeats from managed appliances. If the Defense Center does not detect a heartbeat from an appliance, the status classification for this module changes to Critical. That status data feeds into the health monitor.

To configure Appliance Heartbeat health module settings:
Access: Maint/Admin
1. In the Health Policy Configuration page, select Appliance Heartbeat. The Health Policy Configuration - Appliance Heartbeat page appears.

2. Select On for the Enabled option to enable use of the module for health status testing.

3. You have three options:
• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings for this module, click Cancel.
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate appliances if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring Automatic Application Bypass Monitoring
Requires: DC/MDC
Supported Platforms: 3D Sensors except 3D9900
Use this module to detect when a detection engine is bypassed because it did not respond within the number of seconds configured as the bypass threshold. If a bypass occurs, this module generates an alert. That status data feeds into the health monitor. For more information on automatic application bypass, see Automatic Application Bypass on page 212.

To configure automatic application bypass monitoring status:
Access: Maint/Admin
1. In the Health Policy Configuration page, select Automatic Application Bypass Status. The Automatic Application Bypass Status page appears.

2. Select On for the Enabled option to enable use of the module for health status testing.

3. You have three options:
• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings for this module, click Cancel.
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate 3D Sensor if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring CPU Temperature Monitoring
Requires: DC/MDC
Supported Platforms: 3Dx800
The temperature of the central processing unit (CPU) on your 3Dx800 sensor provides an important barometer for the health of your sensor. Overheating a CPU can damage the processing unit. Use the CPU Temperature health status module to set CPU temperature limits. If the CPU temperature on the monitored sensor exceeds the Warning limit, the status classification for that module changes to Warning. If the CPU temperature on the monitored sensor exceeds the Critical limit, the status classification for that module changes to Critical. That status data feeds into the health monitor.

By default, the Critical limit is set to 52 degrees Celsius and the Warning limit is set to 50 degrees Celsius. The maximum temperature you can set for either limit is 100 degrees Celsius, and the Critical limit must be greater than the Warning limit.

WARNING! Sourcefire recommends that you do not set the Critical limit higher than 65 degrees Celsius and that you do not set the Warning limit higher than 55 degrees Celsius.

To configure CPU temperature health module settings:
Access: Maint/Admin
1. In the Health Policy Configuration page, select CPU Temperature. The Health Policy Configuration - CPU Temperature page appears.

2. Select On for the Enabled option to enable use of the module for health status testing.

3. In the Warning Threshold Celsius field, enter the number of degrees, in Celsius, that should trigger a warning health status.

4. In the Critical Threshold Celsius field, enter the number of degrees, in Celsius, that should trigger a critical health status.

5. You have three options:
• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings for this module, click Cancel.
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate sensors if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring CPU Usage Monitoring
Requires: DC/MDC
Supported Platforms: All except 3D9900
Excessive CPU usage can indicate that you need to upgrade your hardware or that there are processes that are not functioning correctly. Use the CPU Usage health status module to set CPU usage limits. If the CPU usage on the monitored appliance exceeds the Warning limit, the status classification for that module changes to Warning. If the CPU usage on the monitored appliance exceeds the Critical limit, the status classification for that module changes to Critical. That status data feeds into the health monitor. The maximum percentage you can set for either limit is 100 percent, and the Critical limit must be higher than the Warning limit. Note that this module is not available for health policies applied to 3D9900 sensors.

To configure CPU Usage health module settings:
Access: Maint/Admin
1. In the Health Policy Configuration page, select CPU Usage. The Health Policy Configuration - CPU Usage page appears.
2. Select On for the Enabled option to enable use of the module for health status testing.
3. In the Critical Threshold % field, enter the percentage of CPU usage that should trigger a critical health status.
4. In the Warning Threshold % field, enter the percentage of CPU usage that should trigger a warning health status.
5. You have three options:
• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings for this module, click Cancel.
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page.
If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate appliances if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring Card Reset Monitoring
Requires: DC/MDC Supported Platforms: 3D500 - 3D6500 except 3Dx800
Use the card reset monitoring health status module to track when the network card restarts because of hardware failure. If a reset occurs, this module generates an alert. That status data feeds into the health monitor.

To configure card reset monitoring:
Access: Maint/Admin
1. On the Health Policy Configuration page, select Card Reset. The Card Reset Monitoring page appears.

2. Select On for the Enabled option to enable use of the module for health status testing.
3. You have three options:
• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings for this module, click Cancel.
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page.
If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate Defense Center if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring Data Correlator Process Monitoring
Requires: DC/MDC Supported Platforms: All
The Data Correlator, short for the system daemon SFDataCorrelator, manages data transmission. Use the Data Correlator Process health status module to set limits for the number of restarts that trigger a change in the health status. The restart counter does not count actual restarts. The module checks if any restarts occurred during the period between tests. Even if multiple restarts occur between tests, the module only increments the restart counter by one each time it checks. If any restarts occur, the module adds one to the restart count. The first time the module checks and no restarts have occurred since the last test, the module resets the counter to zero. The alert level also lowers by one level (for example, Critical is reduced to Warning or Warning is reduced to Normal). The second time the module checks and no restarts have occurred since the last test, the alert level resets to Normal. If the module finds that the process is not running at all, it increments the restart counter by one, but sets the module status to Critical for that test, regardless of the limits set for the module. The status remains Critical until the module finds that the process is running. At that point, the module sets status according to the restart counter value and the configured limits for the module. If the module checks the Data Correlator process as many times as configured in the Warning Number of restarts limit, and each time one or more restarts have occurred, the status classification for that module changes to Warning. If the module checks the Data Correlator process as many times as configured in the Critical Number of restarts limit, and each time one or more restarts have occurred, the status classification for that module changes to Critical. That status data feeds into the health monitor.

The maximum number of restarts you can set for either limit is 100, and the Critical limit must be higher than the Warning limit.

To configure Data Correlator Process health module settings:
Access: Maint/Admin
1. On the Health Policy Configuration page, select Data Correlator Process. The Health Policy Configuration - Data Correlator Process page appears.
2. Select On for the Enabled option to enable use of the module for health status testing.
3. In the Critical Number of restarts field, enter the number of process restarts that should trigger a critical health status.
4. In the Warning Number of restarts field, enter the number of process restarts that should trigger a warning health status.
5. You have three options:
• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings for this module, click Cancel.
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page.
If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate appliances if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring Defense Center Status
Requires: MDC Supported Platforms: Master Defense Center
Use the Defense Center Status health status module to monitor the status of a Defense Center or Defense Centers managed by the Master Defense Center where the health policy is applied. If a heartbeat is not obtained from the managed Defense Center or Defense Centers, this module generates an alert. That status data feeds into the health monitor.

To configure Defense Center Status:
Access: Maint/Admin
1. In the Health Policy Configuration page, select Defense Center Status. The Defense Center Status page appears.
2. Select On for the Enabled option to enable use of the module for health status testing.
3. You have three options:
• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings for this module, click Cancel.
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page.
If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate Defense Center if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring Disk Usage Monitoring
Requires: DC/MDC Supported Platforms: All
Without sufficient disk space, an appliance cannot run. The health monitor can identify low disk space conditions on your appliances before the space runs out. Use the Disk Usage health status module to set disk usage limits for the / and /volume partitions on the appliance. If the disk usage on the monitored appliance exceeds the Warning limit, the status classification for that module changes to Warning. If the disk usage on the monitored appliance exceeds the Critical limit, the status classification for that module changes to Critical. That status data feeds into the health monitor. The maximum percentage you can set for either limit is 100 percent, and the Critical limit must be higher than the Warning limit.

IMPORTANT! Although the disk usage module lists the /boot partition as a monitored partition, the size of the partition is static so the module does not alert on the boot partition.

To configure Disk Usage health module settings:
Access: Maint/Admin
1. On the Health Policy Configuration page, select Disk Usage. The Health Policy Configuration - Disk Usage page appears.
2. Select On for the Enabled option to enable use of the module for health status testing.
3. In the Critical Threshold % field, enter the percentage of disk usage that should trigger a critical health status.
4. In the Warning Threshold % field, enter the percentage of disk usage that should trigger a warning health status.
5. You have three options:
• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings for this module, click Cancel.
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page.
If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate appliances if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring eStreamer Process Monitoring
Requires: DC/MDC Supported Platforms: Defense Center
eStreamer, short for the Sourcefire Event Streamer, allows you to stream Sourcefire 3D System intrusion and network discovery data from the Sourcefire Defense Center to an eStreamer client. Use the eStreamer Process health status module to monitor the health of the eStreamer process on the Defense Center. You can set limits for the number of restarts that trigger a change in the health status. The restart counter does not count actual restarts. The module checks if any restarts occurred during the period between tests. Even if multiple restarts occur between tests, the module only increments the restart counter by one each time it checks. If any restarts occur, the module adds one to the restart count.

The first time the module checks and no restarts have occurred since the last test, the module resets the counter to zero. The alert level also lowers by one level (for example, Critical is reduced to Warning or Warning is reduced to Normal). The second time the module checks and no restarts have occurred since the last test, the alert level resets to Normal. If the module finds that the process is not running at all, it increments the restart counter by one, but sets the module status to Critical for that test, regardless of the limits set for the module. The status remains Critical until the module finds that the process is running. At that point, the module sets status according to the restart counter value and the configured limits for the module. If the module checks the eStreamer process as many times as configured in the Warning Number of restarts limit, and each time one or more restarts have occurred, the status classification for that module changes to Warning. If the module checks the eStreamer process as many times as configured in the Critical Number of restarts limit, and each time one or more restarts have occurred, the status classification for that module changes to Critical. That status data feeds into the health monitor. The maximum number of restarts you can set for either limit is 100, and the Critical limit must be higher than the Warning limit.

To configure eStreamer Process health module settings:
Access: Maint/Admin
1. On the Health Policy Configuration page, select eStreamer Process. The Health Policy Configuration - eStreamer Process page appears.
2. Select On for the Enabled option to enable use of the module for health status testing.
3. In the Critical Number of restarts field, enter the number of process restarts that should trigger a critical health status.
4. In the Warning Number of restarts field, enter the number of process restarts that should trigger a warning health status.

5. You have three options:
• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings for this module, click Cancel.
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page.
If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate appliances if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring Event Stream Monitoring
Requires: DC/MDC Supported Platforms: Master Defense Center
Use the Event Stream Status module to monitor the health of the event stream process on a Defense Center by generating alerts when too many seconds elapse between events received by the Master Defense Center. You can configure the elapsed duration between events, in seconds, that causes an alert to be generated. If the wait exceeds the number of seconds configured in the Warning Seconds since last event limit, the status classification for that module changes to Warning. If the wait exceeds the Critical Seconds since last event limit, the status classification for that module changes to Critical. That status data feeds into the health monitor. The minimum number of seconds is 300. The maximum number of seconds you can set for either limit is 600, and the Critical limit must be higher than the Warning limit.

To configure Event Stream Status health module settings:
Access: Maint/Admin
1. In the Health Policy Configuration page, select Event Stream Status. The Health Policy Configuration - Event Stream Status page appears.
2. Select On for the Enabled option to enable use of the module for health status testing.
3. In the Critical Seconds since last event field, enter the maximum number of seconds to wait between events, before triggering a critical health status.

4. In the Warning Seconds since last event field, enter the maximum number of seconds to wait between events, before triggering a warning health status.
5. You have three options:
• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings for this module, click Cancel.
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page.
If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the Master Defense Center for your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring Fan Monitoring
Requires: DC/MDC Supported Platforms: 3Dx800
Use the Fan Alarm health status module to warn of fan failure on a 3Dx800 sensor. If the Fan Alarm module finds a fan that has failed, the status classification for that module changes to Critical. That status data feeds into the health monitor.

To configure Fan Alarm health module settings:
Access: Maint/Admin
1. In the Health Policy Configuration page, select Fan Alarm. The Health Policy Configuration - Fan Alarm monitor page appears.
2. Select On for the Enabled option to enable use of the module for health status testing.

3. You have three options:
• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings for this module, click Cancel.
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page.
If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate sensors if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring Hardware Monitoring
Requires: DC/MDC Supported Platforms: 3Dx800, 3D9900
Use the Hardware Alarm health status module to detect hardware failure on a 3Dx800 or 3D9900 sensor. If the Hardware Alarm module finds a hardware component that has failed, the status classification for that module changes to Critical. That status data feeds into the health monitor. Note that the Hardware Alarm module can be used in addition to the Power Supply module to monitor power supply health on the 3Dx800 sensor models. For more information on the hardware status conditions that can cause hardware alerts on 3D9900 sensors, see Interpreting Hardware Alert Details for 3D9900 Sensors on page 560.

To configure Hardware Alarm health module settings:
Access: Maint/Admin
1. In the Health Policy Configuration page, select Hardware Alarms. The Health Policy Configuration - Hardware Alarm monitor page appears.
2. Select On for the Enabled option to enable use of the module for health status testing.

3. You have three options:
• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings for this module, click Cancel.
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page.
If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate sensors if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring Health Status Monitoring
Requires: DC/MDC Supported Platforms: Defense Center
Use the Health Monitor Process module to monitor the health of the health monitor on a Defense Center by generating alerts when too many minutes elapse between health events received from monitored appliances. For example, if a Defense Center (myrtle.example.com) monitors a sensor (dogwood.example.com), you apply a health policy with the Health Monitor Process module enabled to myrtle.example.com. The Health Monitor Process module then reports events that indicate how many minutes have elapsed since the last event was received from dogwood.example.com. You can configure the elapsed duration between events, in minutes, that causes an alert to be generated. If the wait exceeds the number of minutes configured in the Warning Minutes since last event limit, the status classification for that module changes to Warning. If the wait exceeds the Critical Minutes since last event limit, the status classification for that module changes to Critical. That status data feeds into the health monitor. The minimum number of minutes is 5. The maximum number of minutes you can set for either limit is 144, and the Critical limit must be higher than the Warning limit.

To configure Health Monitor Process module settings:
Access: Maint/Admin
1. In the Health Policy Configuration page, select Health Monitor Process. The Health Policy Configuration - Health Monitor Process page appears.
2. Select On for the Enabled option to enable use of the module for health status testing.
3. In the Critical Minutes since last event field, enter the maximum number of minutes to wait between events, before triggering a critical health status.

4. In the Warning Minutes since last event field, enter the maximum number of minutes to wait between events, before triggering a warning health status.
5. You have three options:
• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings for this module, click Cancel.
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page.
If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the Defense Center for your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring IPS Event Rate Monitoring
Requires: DC/MDC Supported Platforms: IPS
Use the IPS Event Rate health status module to set limits for the number of packets per second that trigger a change in the health status. If the event rate for the IPS process on the monitored sensor exceeds the number of events per second configured in the Events per second (Warning) limit, the status classification for that module changes to Warning. If the event rate exceeds the number of events per second configured in the Events per second (Critical) limit, the status classification for that module changes to Critical. That status data feeds into the health monitor.

To determine limits for your system, find the Events/Sec value on the Statistics page for your sensor (Operations > Monitoring > Statistics), then calculate the limits using these formulas:
• Events per second (Critical) = Events/Sec * 2.5
• Events per second (Warning) = Events/Sec * 1.5
Typically, the event rate for a network segment averages 20 events per second. For a network segment with this average rate, Events per second (Critical) should be set to 50 and Events per second (Warning) should be set to 30. The maximum number of events you can set for either limit is 999, and the Critical limit must be higher than the Warning limit.

To configure IPS Event Rate Monitor health module settings:
Access: Maint/Admin
1. In the Health Policy Configuration page, select IPS Event Rate. The Health Policy Configuration - IPS Event Rate page appears.
2. Select On for the Enabled option to enable use of the module for health status testing.
3. In the Events per second (Critical) field, enter the number of events per second that should trigger a critical health status.
4. In the Events per second (Warning) field, enter the number of events per second that should trigger a warning health status.
5. You have three options:
• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings for this module, click Cancel.
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page.
If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate sensors if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring IPS Process Monitoring
Requires: DC/MDC Supported Platforms: IPS
The IPS process (also known as Snort) is the packet decoder on a 3D Sensor with the IPS component. Use the IPS Process health status module to monitor the health of the IPS process on a sensor. You can configure how many restarts trigger a change in the health status for the process. The restart counter does not count actual restarts. The module checks if any restarts occurred during the period between tests. Even if multiple restarts occur between tests, the module only increments the restart counter by one each time it checks. If any restarts occur, the module adds one to the restart count. The first time the module checks and no restarts have occurred since the last test, the module resets the counter to zero. The alert level also lowers by one level (for example, Critical is reduced to Warning or Warning is reduced to Normal). The second time the module checks and no restarts have occurred since the last test, the alert level resets to Normal. If the module finds that the process is not running at all, it increments the restart counter by one, but sets the module status to Critical for that test, regardless of the limits set for the module. The status remains Critical until the module finds that the process is running. At that point, the module sets status according to the restart counter value and the configured limits for the module. If the module checks the IPS process as many times as configured in the Warning Number of restarts limit, and each time one or more restarts have occurred, the status classification for that module changes to Warning. If the module checks the IPS process as many times as configured in the Critical Number of restarts limit, and each time one or more restarts have occurred, the status classification for that module changes to Critical. That status data feeds into the health monitor. The maximum number of restarts you can set for either limit is 100, and the Critical limit must be higher than the Warning limit.

To configure IPS Process Monitor health module settings:
Access: Maint/Admin
1. In the Health Policy Configuration page, select IPS Process. The Health Policy Configuration - IPS Process page appears.
2. Select On for the Enabled option to enable use of the module for health status testing.
3. In the Critical Number of restarts field, enter the number of process restarts that should trigger a critical health status.
4. In the Warning Number of restarts field, enter the number of process restarts that should trigger a warning health status.

5. You have three options:
• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings for this module, click Cancel.
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page.
If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate sensors if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring Link State Propagation Monitoring
Requires: DC/MDC Supported Platforms: IPS
Use the Link State Propagation health status module to detect the interface link state propagation status on an inline interface pair. If a link state propagates to the paired interface, the status classification for that module changes to Critical and the state reads:
Module Link State Propagation: ethx_ethy is Triggered
where x and y are the paired interface numbers.

To configure Link State Propagation health module settings:
Access: Maint/Admin
1. On the Health Policy Configuration page, select Link State Propagation. The Health Policy Configuration - Link State Propagation monitor page appears.
2. Select On for the Enabled option to enable use of the module for health status testing.

Using Health Monitoring Configuring Health Policies

Chapter 15

3. You have three options:
• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.
• To return to the Health Policy page without saving any of your settings for this module, click Cancel.
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page.
If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate sensors if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring MDC Event Service Monitoring
Requires: DC/MDC Supported Platforms: Defense Center
Use the MDC health status module to monitor the health of the internal eStreamer process on the Defense Center that is used to transmit events to the Master Defense Center. You can set limits for the number of restarts that trigger a change in the health status. The restart counter does not count actual restarts. The module checks if any restarts occurred during the period between tests. Even if multiple restarts occur between tests, the module only increments the restart counter by one each time it checks. If any restarts occur, the module adds one to the restart count. The first time the module checks and no restarts have occurred since the last test, the module resets the counter to zero. The alert level also lowers by one level (for example, Critical is reduced to Warning or Warning is reduced to Normal). The second time the module checks and no restarts have occurred since the last test, the alert level resets to Normal. If the module finds that the process is not running at all, it increments the restart counter by one, but sets the module status to Critical for that test, regardless of the limits set for the module. The status remains Critical until the module finds that the process is running. At that point, the module sets status according to the restart counter value and the configured limits for the module. If the module checks the MDC event service as many times as configured in the Warning Number of restarts limit, and each time one or more restarts have occurred, the status classification for that module changes to Warning. If the module checks the MDC event service as many times as configured in the Critical Number of restarts limit, and each time one or more restarts have occurred, the status classification for that module changes to Critical. That status data feeds into the health monitor.
The maximum number of restarts you can set for either limit is 100, and the Critical limit must be higher than the Warning limit.
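The restart-counter rules above are shared by the Data Correlator, eStreamer, IPS Process and MDC Event Service modules. The following Python simulation is an added example, not Sourcefire code, and walks a constructed sequence of health checks through those rules; where the guide is silent, it assumes that a check which finds the process stopped also interrupts the run of "no restart" checks that steps the alert level down.

```python
"""Simulation of the restart-counter logic shared by the process-monitoring
health modules described in this chapter. Added example, not Sourcefire code.
Assumption (the guide does not say): a check that finds the process down also
breaks the run of consecutive clean checks that lowers the alert level."""
from dataclasses import dataclass, field
from typing import List, Tuple

LEVELS = ["Normal", "Warning", "Critical"]


@dataclass
class RestartMonitor:
    warning_limit: int
    critical_limit: int
    counter: int = 0              # restart counter (one per check, not per restart)
    level: str = "Normal"
    clean_checks: int = 0         # consecutive checks with no restart seen
    history: List[Tuple[str, int, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Guide rule: both limits at most 100, Critical strictly above Warning.
        if not (0 < self.warning_limit < self.critical_limit <= 100):
            raise ValueError("need 0 < Warning limit < Critical limit <= 100")

    def _level_from_counter(self) -> str:
        if self.counter >= self.critical_limit:
            return "Critical"
        if self.counter >= self.warning_limit:
            return "Warning"
        return "Normal"

    def check(self, running: bool, restarted: bool) -> str:
        """One health test. `restarted` is True if one or more restarts happened
        since the previous test; how many is irrelevant to the counter."""
        if not running:
            # Counter still goes up by one, but status is forced to Critical
            # regardless of the configured limits while the process is down.
            self.counter += 1
            self.clean_checks = 0
            self.level = "Critical"
            self.history.append(("down", self.counter, self.level))
            return self.level
        if restarted:
            # Any number of restarts between tests adds exactly one; the status
            # is then taken from the counter and the configured limits.
            self.counter += 1
            self.clean_checks = 0
            self.level = self._level_from_counter()
            self.history.append(("restart", self.counter, self.level))
            return self.level
        # No restart since the last test: the first clean check zeroes the
        # counter and drops the alert level one step; the second clean check
        # resets the level to Normal.
        self.clean_checks += 1
        self.counter = 0
        if self.clean_checks == 1:
            self.level = LEVELS[max(0, LEVELS.index(self.level) - 1)]
        else:
            self.level = "Normal"
        self.history.append(("clean", self.counter, self.level))
        return self.level


def run_scenario(warning_limit: int, critical_limit: int,
                 checks: List[Tuple[bool, bool]]) -> List[str]:
    """Feed (running, restarted) observations in order; return the status after each."""
    mon = RestartMonitor(warning_limit, critical_limit)
    return [mon.check(running, restarted) for running, restarted in checks]


if __name__ == "__main__":
    # Constructed scenario: Warning after 2 restart-checks, Critical after 4.
    # The process restarts before four tests in a row, is then found down,
    # and finally recovers; the status decays one level per clean check.
    seq = [(True, True), (True, True), (True, True), (True, True),
           (False, False), (True, False), (True, False)]
    for obs, status in zip(seq, run_scenario(2, 4, seq)):
        print(obs, "->", status)
```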


To configure MDC Event Service health module settings:
Access: Maint/Admin
1. On the Health Policy Configuration page, select MDC Event Service.
   The Health Policy Configuration - MDC Event Service Process page appears.
2. Select On for the Enabled option to enable use of the module for health status testing.
3. In the Critical Number of restarts field, enter the number of process restarts that should trigger a critical health status.
4. In the Warning Number of restarts field, enter the number of process restarts that should trigger a warning health status.
5. You have three options:
   • To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.
   • To return to the Health Policy page without saving any of your settings for this module, click Cancel.
   • To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate appliances if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring Memory Usage Monitoring
Requires: DC/MDC
Supported Platforms: All

Use the Memory Usage health status module to set memory usage limits. The module calculates free memory by adding free memory and cached memory.

If the memory usage on the monitored appliance exceeds the Warning limit, the status classification for that module changes to Warning. If the memory usage on the monitored appliance exceeds the Critical limit, the status classification for that module changes to Critical. That status data feeds into the health monitor.

The maximum percentage you can set for either limit is 100 percent, and the Critical limit must be higher than the Warning limit.
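The free-memory rule above (free = free + cached) matters in practice: an appliance with a large page cache looks nearly full if only MemFree is counted, and would raise false Critical alerts. The following added example, which is not Sourcefire code, shows the module's calculation next to the naive one and applies the Warning/Critical classification with the limit constraints the guide states. Reading the figures from /proc/meminfo-style text is an assumption about the data source; the sample text and the 60/80 percent limits are constructed.

```python
# Added example (not Sourcefire code): the Memory Usage module's free-memory
# rule, free = MemFree + Cached, applied to /proc/meminfo-style input and
# classified against Warning/Critical limits.  Using /proc/meminfo as the
# data source is an assumption; the sample text below is constructed.

MAX_PERCENT = 100

# Constructed sample in /proc/meminfo format (values in kB).
MEMINFO_SAMPLE = """\
MemTotal:        8000000 kB
MemFree:          500000 kB
Buffers:          100000 kB
Cached:          2000000 kB
SwapCached:            0 kB
"""


def parse_meminfo(text):
    """Return {field: kB} for every 'Name: value kB' line."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        parts = rest.split()
        if parts and parts[0].isdigit():
            fields[name.strip()] = int(parts[0])
    return fields


def usage_percent(fields, count_cached_as_free=True):
    """Memory usage as the module computes it: free memory is MemFree plus
    Cached, so page cache is not treated as consumed memory.  Pass
    count_cached_as_free=False to see the naive figure for comparison."""
    total = fields["MemTotal"]
    free = fields["MemFree"]
    if count_cached_as_free:
        free += fields.get("Cached", 0)
    return 100.0 * (total - free) / total


def validate_limits(warning, critical):
    """Enforce the module's constraints: both limits at most 100 percent and
    Critical strictly higher than Warning."""
    if not (0 < warning < critical <= MAX_PERCENT):
        raise ValueError(
            f"Warning ({warning}) must be below Critical ({critical}), "
            f"and both at most {MAX_PERCENT}")


def classify(percent, warning, critical):
    """Exceeding a limit moves the module to that status."""
    validate_limits(warning, critical)
    if percent > critical:
        return "Critical"
    if percent > warning:
        return "Warning"
    return "Normal"


def check_memory(text, warning, critical):
    """Parse meminfo text and return (usage percent, status)."""
    fields = parse_meminfo(text)
    pct = usage_percent(fields)
    return pct, classify(pct, warning, critical)


if __name__ == "__main__":
    fields = parse_meminfo(MEMINFO_SAMPLE)
    for label, cached_free in (("module view ", True), ("MemFree only", False)):
        pct = usage_percent(fields, cached_free)
        print(f"{label}: {pct:.2f}% -> {classify(pct, 60, 80)}")
```

With the constructed sample the module's view is 68.75 percent used (Warning at a 60/80 setting), whereas counting only MemFree gives 93.75 percent (Critical); the difference is entirely page cache that the kernel can reclaim.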

To configure Memory Usage health module settings:
Access: Maint/Admin
1. On the Health Policy Configuration page, select Memory Usage.
   The Health Policy Configuration - Memory Usage page appears.
2. Select On for the Enabled option to enable use of the module for health status testing.
3. In the Critical Threshold % field, enter the percentage of memory usage that should trigger a critical health status.
4. In the Warning Threshold % field, enter the percentage of memory usage that should trigger a warning health status.
5. You have three options:
   • To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.
   • To return to the Health Policy page without saving any of your settings for this module, click Cancel.
   • To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate appliances if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring PEP Status Monitoring
Requires: DC/MDC
Supported Platforms: 3D9900

Use the PEP Status health status module to monitor the application of PEP rules to interface sets on a 3D9900. If PEP rules cannot be applied to interfaces in an interface set, this module generates an alert. That status data feeds into the health monitor.

To configure PEP Status health module settings:
Access: Maint/Admin
1. In the Health Policy Configuration page, select PEP Status.
   The Health Policy Configuration - PEP Status monitor page appears.
2. Select On for the Enabled option to enable use of the module for health status testing.
3. You have three options:
   • To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.
   • To return to the Health Policy page without saving any of your settings for this module, click Cancel.
   • To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate sensors if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring Power Supply Monitoring
Requires: DC/MDC
Supported Platforms: Series 2 DC3000, MDC3000, 3D9900, 3Dx800, 3D3500, 3D4500, 3D6500

Use the Power Supply health status module to detect a power supply failure on a Series 2 DC3000, MDC3000, 3Dx800, 3D9900, 3D3500, 3D4500, or 3D6500 sensor. If the Power Supply module finds a power supply that has no power, the status classification for that module changes to No Power. If the module cannot detect the presence of the power supply, the status changes to Critical Error. That status data feeds into the health monitor.

You can expand the Power Supply item on the Alert Detail list in the health monitor to see specific status items for each power supply. Note that the Hardware Alarm module can be used in addition to the Power Supply module to monitor power supply health on the 3Dx800 sensor models.

To configure Power Supply health module settings:
Access: Maint/Admin
1. In the Health Policy Configuration page, select Power Supply.
   The Health Policy Configuration - Power Supply monitor page appears.
2. Select On for the Enabled option to enable use of the module for health status testing.
3. You have three options:
   • To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.
   • To return to the Health Policy page without saving any of your settings for this module, click Cancel.
   • To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate sensors if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring RNA Event Status Monitoring
Requires: DC/MDC
Supported Platforms: DC

Use the RNA Event Status module to monitor the health of the RNA process on a sensor from the Defense Center by generating alerts when too many seconds elapse between RNA events received by the Defense Center. You can configure the elapsed duration between events, in seconds, that causes an alert to be generated.

If the wait exceeds the number of seconds configured in the Warning Seconds since last event limit, the status classification for that module changes to Warning. If the wait exceeds the Critical Seconds since last event limit, the status classification for that module changes to Critical. That status data feeds into the health monitor.

The maximum number of seconds you can set for either limit is 7200, and the Critical limit must be higher than the Warning limit. The minimum number of seconds is 3600.

Note that the RNA Health module was renamed to the RNA Event Status module in 4.9.1 and that the supported platforms changed from 3D Sensor to Defense Center in 4.9.1.

To configure RNA Event Status module settings:
Access: Maint/Admin
1. In the Health Policy Configuration page, select RNA Event Status.
   The Health Policy Configuration - RNA Event Status page appears.
2. Select On for the Enabled option to enable use of the module for health status testing.
3. In the Critical Seconds since last event field, enter the maximum number of seconds to wait between events before triggering a critical health status.
4. In the Warning Seconds since last event field, enter the maximum number of seconds to wait between events before triggering a warning health status.
5. You have three options:
   • To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.
   • To return to the Health Policy page without saving any of your settings for this module, click Cancel.
   • To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the Defense Center for your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring RNA Host Usage Monitoring
Requires: DC/MDC
Supported Platforms: RNA

Use the RNA Host License Limit health status module to set RNA Host shortage limits. If the number of remaining RNA Hosts on the monitored sensor falls below the Warning Hosts limit, the status classification for that module changes to Warning. If the number of remaining RNA Hosts on the monitored sensor falls below the Critical Hosts limit, the status classification for that module changes to Critical. That status data feeds into the health monitor.

The maximum number of hosts you can set for either limit is 999, and the Critical limit must be higher than the Warning limit.

To configure RNA Host License Limit health module settings:
Access: Maint/Admin
1. In the Health Policy Configuration page, select RNA Host License Limit.
   The Health Policy Configuration - RNA Host License Limit page appears.
2. Select On for the Enabled option to enable use of the module for health status testing.
3. In the Critical number Hosts field, enter the remaining number of available hosts that should trigger a critical health status.
4. In the Warning number Hosts field, enter the remaining number of available hosts that should trigger a warning health status.
5. You have three options:
   • To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.
   • To return to the Health Policy page without saving any of your settings for this module, click Cancel.
   • To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate sensors if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring RNA Process Monitoring
Requires: DC/MDC
Supported Platforms: RNA

Use the RNA Process health status module to set limits for the number of restarts that trigger a change in the health status.

The restart counter does not count actual restarts. The module checks if any restarts occurred during the period between tests. Even if multiple restarts occur between tests, the module only increments the restart counter by one each time it checks. If any restarts occur, the module adds one to the restart count. The first time the module checks and no restarts have occurred since the last test, the module resets the counter to zero. The alert level also lowers by one level (for example, Critical is reduced to Warning or Warning is reduced to Normal). The second time the module checks and no restarts have occurred since the last test, the alert level resets to Normal.

If the module finds that the process is not running at all, it increments the restart counter by one, but sets the module status to Critical for that test, regardless of the limits set for the module. The status remains Critical until the module finds that the process is running. At that point, the module sets status according to the restart counter value and the configured limits for the module.

If the module checks the RNA process as many times as configured in the Warning Number of restarts limit, and each time one or more restarts have occurred, the status classification for that module changes to Warning. If the module checks the RNA process as many times as configured in the Critical Number of restarts limit, and each time one or more restarts have occurred, the status classification for that module changes to Critical. That status data feeds into the health monitor.

The maximum number of restarts you can set for either limit is 100, and the Critical limit must be higher than the Warning limit.

To configure RNA Process health module settings:
Access: Maint/Admin
1. In the Health Policy Configuration page, select RNA Process.
   The Health Policy Configuration - RNA Process page appears.
2. Select On for the Enabled option to enable use of the module for health status testing.
3. In the Critical Number of restarts field, enter the number of process restarts that should trigger a critical health status.
4. In the Warning Number of restarts field, enter the number of process restarts that should trigger a warning health status.
5. You have three options:
   • To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.
   • To return to the Health Policy page without saving any of your settings for this module, click Cancel.
   • To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate sensors if you want your settings to take effect. See Applying Health Policies on page 528 for more information.
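The restart-counter rules given for this module and for the MDC Event Service module are a small state machine, and the non-obvious parts (the counter advances at most once per check, a single quiet check lowers the level by one step rather than clearing it, a missing process forces Critical regardless of the limits) are easiest to see by running a trace. The following is an added example, not Sourcefire code: the observation trace and the Warning=2/Critical=4 limits are constructed, and treating a process that is found running again after being found down as one observed restart is an assumption where the text leaves the detail open.

```python
# Added example (not Sourcefire code): a simulation of the restart-counter
# rules the guide gives for the MDC Event Service and RNA Process modules.
# The observation trace and limits are constructed.  One assumption beyond
# the text: when a process that was found not running is found running
# again, that check counts as one observed restart before the status is
# derived from the counter and the limits.

NORMAL, WARNING, CRITICAL = "Normal", "Warning", "Critical"
ONE_LEVEL_DOWN = {CRITICAL: WARNING, WARNING: NORMAL, NORMAL: NORMAL}
MAX_LIMIT = 100


class RestartMonitor:
    def __init__(self, warning_limit, critical_limit):
        # Limits are at most 100 and Critical must exceed Warning.
        if not (1 <= warning_limit < critical_limit <= MAX_LIMIT):
            raise ValueError("need 1 <= Warning < Critical <= 100")
        self.warning_limit = warning_limit
        self.critical_limit = critical_limit
        self.counter = 0        # consecutive checks that saw a restart
        self.quiet_checks = 0   # consecutive checks that saw none
        self.status = NORMAL
        self.down = False       # process was absent at the previous check

    def _status_from_counter(self):
        if self.counter >= self.critical_limit:
            return CRITICAL
        if self.counter >= self.warning_limit:
            return WARNING
        return NORMAL

    def check(self, running, restarts_since_last_check):
        """One scheduled test.  restarts_since_last_check may be any count;
        the counter moves by at most one per check regardless."""
        if not running:
            # Process absent: counter still advances, status forced Critical.
            self.counter += 1
            self.quiet_checks = 0
            self.down = True
            self.status = CRITICAL
            return self.status
        if restarts_since_last_check > 0 or self.down:
            self.counter += 1
            self.quiet_checks = 0
            self.status = self._status_from_counter()
        else:
            # No restart: counter resets; the first quiet check drops the
            # level by one step, the second returns it to Normal.
            self.counter = 0
            self.quiet_checks += 1
            if self.quiet_checks >= 2:
                self.status = NORMAL
            else:
                self.status = ONE_LEVEL_DOWN[self.status]
        self.down = False
        return self.status


def run_trace(warning_limit, critical_limit, observations):
    """Feed (running, restarts) pairs through one monitor; return the status
    reported after each check."""
    mon = RestartMonitor(warning_limit, critical_limit)
    return [mon.check(running, restarts) for running, restarts in observations]


# Constructed trace for Warning=2, Critical=4.
TRACE = [
    (True, 1), (True, 3), (True, 1), (True, 1),   # counter 1..4: climbs to Critical
    (True, 0), (True, 0),                         # quiet: Warning, then Normal
    (False, 0), (False, 0),                       # process down: Critical
    (True, 1),                                    # back with counter 3: Warning
]

if __name__ == "__main__":
    for obs, status in zip(TRACE, run_trace(2, 4, TRACE)):
        print(obs, "->", status)
```

Note the fifth check in the trace: one check with no restarts after four consecutive restart checks leaves the module at Warning, not Normal, which is why a briefly flapping process still shows up in the health monitor one interval after it settles.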

Configuring Time Synchronization Monitoring
Requires: DC/MDC
Supported Platforms: Defense Center

Use the Time Synchronization Status module to detect when the time on a managed sensor that uses NTP to obtain time from an NTP server differs by 10 seconds or more from the time on the server.

To configure time synchronization monitoring settings:
Access: Maint/Admin
1. In the Health Policy Configuration page, select Time Synchronization Status.
   The Health Policy Configuration - Time Synchronization Status monitor page appears.
2. Select On for the Enabled option to enable use of the module for health status testing.
3. You have three options:
   • To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.
   • To return to the Health Policy page without saving any of your settings for this module, click Cancel.
   • To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate sensors if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring Traffic Status Monitoring
Requires: DC/MDC
Supported Platforms: IPS, RNA

Use the Traffic Status health status module to detect whether a sensor receives traffic. If the Traffic Status module determines that a sensor does not receive traffic, the status classification for that module changes to Critical. That status data feeds into the health monitor.

WARNING! If you enable the Traffic Status module on a sensor where there are unused interfaces that are included in an interface set associated with a detection engine, the module interprets the idleness of the port as a traffic failure and alerts on traffic status. To prevent alerting on idle interfaces, remove those interfaces from all interface sets associated with detection engines. For more information on managing interface sets, see Editing an Interface Set on page 221.

To configure Traffic Status health module settings:
Access: Maint/Admin
1. In the Health Policy Configuration page, select Traffic Status.
   The Health Policy Configuration - Traffic Status monitor page appears.
2. Select On for the Enabled option to enable use of the module for health status testing.
3. You have three options:
   • To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.
   • To return to the Health Policy page without saving any of your settings for this module, click Cancel.
   • To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate sensors if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Applying Health Policies
Requires: DC/MDC

When you apply a health policy to an appliance, the health tests for all the modules you enabled in the policy automatically monitor the health of the processes and hardware on the appliance. Health tests then continue to run at the intervals you configured in the policy, collecting health data for the appliance and forwarding that data to the Defense Center.

If you enable a module in a health policy and then apply the policy to an appliance that does not require that health test, the health monitor reports the status for that health module as disabled. If you apply a policy with all modules disabled to an appliance, it removes all applied health policies from the appliance so no health policy is applied. When you apply a different policy to an appliance that already has a policy applied, expect some latency in the display of new data based on the newly applied tests.

IMPORTANT! Default health policies are not replicated between Defense Centers in a high availability pair. Each appliance uses the local default health policy configured for that appliance.

You cannot apply a health policy to RNA Software for Red Hat Linux.

To apply a health policy:
Access: Maint/Admin
1. Select Operations > Monitoring > Health.
   The Health Monitor page appears.
2. Click Health Policy in the health monitor toolbar.
   The Health Policy page appears.
3. Click Apply next to the policy you want to apply.
   The Health Policy Apply page appears.

TIP! The status icon next to the Health Policy column ( ) indicates the current health status for the appliance. The status icon next to the System Policy column ( ) indicates the communication status between the Defense Center and the sensor. Note that you can remove the currently applied policy by clicking the remove icon ( ).

4. Check the appliances where you want to apply the health policy.
5. Click Apply to apply the policy to the selected appliances.
   The Health Policy page appears, with a message indicating if the application of the policy was successful. Monitoring of the appliance starts as soon as the policy is successfully applied.

To unapply a health policy:
Access: Maint/Admin
1. Select Operations > Monitoring > Health.
   The Health Monitor page appears.
2. Click Health Policy in the health monitor toolbar.
   The Health Policy page appears.
3. Click Apply next to the policy you want to apply.
   The Health Policy Apply page appears.
4. You have two options:
   • Apply a health policy with all modules disabled.
   • Click the x next to the health policy.
   Under Health Policy the status of None appears.

Editing Health Policies
Requires: DC/MDC

You can modify a health policy by enabling or disabling modules or by changing module settings. If you modify a policy that is already applied to an appliance, the changes do not take effect until you reapply the policy.

3D4500. 3D3500. MDC3000. and 3D6500 Version 4. except 3D9900 3Dx800 Only All except 3D9900 All All Master Defense Center All Defense Center Master Defense Center 3Dx800 3Dx800 and 3D9900 Defense Center 3D Sensors with IPS 3D Sensors with IPS 3D Sensors with IPS Master Defense Center All 3D9900 Series 2 DC3000.9.1 Sourcefire 3D System Administrator Guide 531 .Using Health Monitoring Configuring Health Policies Chapter 15 Applicable health modules for various appliances are listed in the Health Modules Applicable to Appliances table. 3Dx800. Health Modules Applicable to Appliances Module Appliance Heartbeat Automatic Application Bypass Status CPU Temperature CPU Usage Card Reset Data Correlator Process Defense Center Status Disk Usage eStreamer Process Event Stream Status Fan Alarm Hardware Alarms Health Monitor Process IPS Event Rate IPS Process Link State Propagation MDC Event Service Memory Usage PEP Status Power Supply Applicable Appliance Defense Center 3D Sensors.

3D Sensors with RNA To edit a health policy: Access: Maint/Admin 1. The Health Monitor page appears. 4. 3. Click Edit next to the policy you want to modify. Click Health Policy in the health monitor toolbar.Using Health Monitoring Configuring Health Policies Chapter 15 Health Modules Applicable to Appliances (Continued) Module RNA Health RNA Host License Limit RNA Process Time Synchronization Status Traffic Status Applicable Appliance Defense Center Defense Center 3D Sensors with RNA Defense Center 3D Sensors with IPS. Modify settings as needed.9. as described in the following sections: • • • • • • • • Configuring Policy Run Time Intervals on page 500 Configuring Appliance Heartbeat Monitoring on page 501 Configuring Automatic Application Bypass Monitoring on page 502 Configuring CPU Temperature Monitoring on page 503 Configuring CPU Usage Monitoring on page 504 Configuring Card Reset Monitoring on page 505 Configuring Data Correlator Process Monitoring on page 506 Configuring Defense Center Status on page 507 Version 4.1 Sourcefire 3D System Administrator Guide 532 . Select Operations > Monitoring > Health. The Health Policy Configuration page appears. with the Policy Run Time Interval settings selected. The Health Policy page appears. 2.

any health monitoring alerts in effect for the sensor remain active until you Version 4. You have three options: • • • 6.9. click Cancel. if you click Cancel. To temporarily save your changes to this module and switch to another module’s settings to modify. click Save Policy and Exit. if you delete a health policy that is applied to a sensor.Using Health Monitoring Configuring Health Policies Chapter 15 • • • • • • • • • • • • • • • • • • Configuring Disk Usage Monitoring on page 508 Configuring eStreamer Process Monitoring on page 509 Configuring Event Stream Monitoring on page 511 Configuring Fan Monitoring on page 512 Configuring Hardware Monitoring on page 513 Configuring Health Status Monitoring Configuring IPS Event Rate Monitoring on page 515 Configuring IPS Process Monitoring on page 516 Configuring Link State Propagation Monitoring on page 518 Configuring MDC Event Service Monitoring on page 519 Configuring Memory Usage Monitoring on page 520 Configuring PEP Status Monitoring on page 521 Configuring Power Supply Monitoring on page 522 Configuring RNA Event Status Monitoring on page 523 Configuring RNA Host Usage Monitoring on page 524 Configuring RNA Process Monitoring on page 525 Configuring Time Synchronization Monitoring on page 526 Configuring Traffic Status Monitoring on page 527 To save your changes to this module and return to the Health Policy page. you discard all changes. If you delete a policy that is still applied to an appliance. all changes you made will be saved. If you click Save Policy and Exit when you are done. To return to the Health Policy page without saving any of your settings for this module. Reapply the policy to the appropriate appliances as described in Applying Health Policies on page 528. In addition. select the other module from the list at the left of the page. the policy settings remain in effect until you apply a different policy. 
Deleting Health Policies Requires: DC/MDC You can delete health policies that you no longer need.1 Sourcefire 3D System Administrator Guide 533 . 5.

or detection engine from the blacklist. the events that were generated during the blacklisting continue to show a status of disabled. The Health Policy page appears. For example. 2.9. and add an appliance to the blacklist. After the setting takes effect the appliance no longer includes the appliance when calculating the overall health status. Click Delete next to the policy you want to delete. module.Using Health Monitoring Using the Health Monitor Blacklist Chapter 15 deactivate the underlying associated alert. if you know that a segment of your network will be unavailable. For more information on applying health policies. When you disable health monitoring status. To temporarily disable health events from an appliance. see Activating and Deactivating Alerts in the Analyst Guide. A message appears. The Health Monitor page appears. You can use the health monitor blacklist feature to disable health monitoring status reporting on an appliance. go to the Blacklist configuration page. The Health Monitor Appliance Status Summary lists the appliance as disabled. you do not want the health status from those appliances to affect the summary health status on your Defense Center or Master Defense Center. At times it may be more practical to just blacklist an individual health monitoring module on an appliance or detection engine. If you remove the appliance. health events are still generated. Select Operations > Monitoring > Health. 3. or detection engine. create a health policy with all modules disabled and apply it to the appliance. you disable appliances or make them temporarily unavailable. TIP! To stop health monitoring for an appliance. To delete a health policy: Access: Maint/Admin 1. module. For example. For more information on deactivating alerts. Click Health Policy in the health monitor toolbar. but they have a disabled status and do not affect the health status for the health monitor. when you run out of Version 4. Because those outages are deliberate. 
indicating if the deletion was successful. Using the Health Monitor Blacklist In the course of normal network maintenance. see Applying Health Policies on page 528. see Creating Health Policies on page 497.1 Sourcefire 3D System Administrator Guide 534 . you can temporarily disable health monitoring for a 3D Sensor on that segment to prevent the health status on the Defense Center from displaying a warning or critical state because of the lapsed connection to the 3D Sensor. For more information on creating health policies.

Select Operations > Monitoring > Health. Once the blacklist settings take effect. not a Master Defense Center. the blacklist settings remain persistent. The Health Monitor page appears. If you need to disable the results of a group of appliances’ health monitoring. Health Monitor blacklist settings are system settings. You cannot blacklist intrusion agents. you can blacklist the policy. A blacklist icon ( ) and a notation are visible once you expand the view for a blacklisted or partially blacklisted appliance. IMPORTANT! On a Defense Center. 2. Therefore if you blacklist a sensor. see Using the Health Monitor on page 545. the appliances report a disabled status in the Appliance Status Summary. Version 4. You can also blacklist the HA peer to cause it to mark events generated by it and the sensors from which it receives health events as disabled. The Blacklist page appears. To blacklist an entire health policy or group of appliances: Access: Maint/Admin 1.9. you can blacklist the RNA Host License Limit status messages until you install a new license with more hosts. On the toolbar. Make sure to remove all unused sensing interfaces from any interface sets in use by a detection engine so health monitoring alerts do not generate for those interfaces. The newly re-registered sensor remains blacklisted.Using Health Monitoring Using the Health Monitor Blacklist Chapter 15 RNA host licenses on an appliance. Blacklisting Health Policies or Appliances Requires: DC/MDC If you want to set health events to disabled for all appliances with a particular health policy. For more information on expanding that view. click Blacklist. Note that on the main Health Monitor page you can distinguish between appliances that are blacklisted if you expand to view the list of appliances with a particular status by clicking the arrow in that status row.1 Sourcefire 3D System Administrator Guide 535 . you can blacklist the group of appliances. TIP! 
You can blacklist 3D Sensors only from a Defense Center. then delete it and later re-register it with the Defense Center. Note that if your Defense Center is in a high availability configuration. you can blacklist a managed sensor on one HA peer and not the other.

model. policy. select the manager then click Apply. To blacklist an individual appliance: Access: Maint/Admin 1. to blacklist all appliances associated with a manager. Once the blacklist settings take effect. 3. Use the drop-down list on the right to sort the list by group.) The page refreshes. policy or model. now indicating the blacklisted state of the appliances. the appliance shows as disabled in the Health Monitor Appliance Module Summary and health events for the appliance have a status of disabled. Select Operations > Monitoring > Health.9. To blacklist all appliances in a group. model. 4. manager. click Blacklist.1 Sourcefire 3D System Administrator Guide 536 . 2. (On a Master Defense Center. (On a Master Defense Center. manager.) TIP! The status icon next to the Health Policy column ( ) indicates the current health status for the appliance. Groups on a Master Defense Center are appliances. policy or model. On the toolbar. select the category then click Apply. or by policy. Groups on a Defense Center are 3D Sensors. sort the list by group. sort the list by group. or policy category. you can blacklist the appliance. The status icon next to the System Policy column ( ) indicates the communication status between the Defense Center and the sensor. Use the drop-down list on the right to sort the list by appliance group. The Health Monitor page appears.Using Health Monitoring Using the Health Monitor Blacklist Chapter 15 3. (On a Master Defense Center. Blacklisting an Appliance If you need to set the events and health status for an individual appliance to disabled. Note that you can remove the currently applied policy by clicking the remove icon ( ).) Version 4. The Blacklist page appears. or model.

Note that modules that allow you to select a specific detection engine have an arrow next to the module. select and expand a category folder. Click Edit and see Blacklisting a Health Policy Module on page 537 to blacklist individual health policy modules. you can blacklist the Traffic Status module for that detection engine. the interface indicates the following information in parentheses after each module with detection engines: number of blacklisted detection engines/maximum number of detection engines. Defense Center Only Specific health policy modules operate for a Defense Center. For some modules. the line for that module appears in boldface type in the Defense Center web interface. When any part of a module is blacklisted. you can blacklist that module for a specific detection engine. select the box next to the appropriate appliance.9. For example.1 Sourcefire 3D System Administrator Guide 537 . The page refreshes then indicates the blacklisted state of the appliances.Using Health Monitoring Using the Health Monitor Blacklist Chapter 15 4. then click Apply. To blacklist an individual appliance. Blacklisting a Health Policy Module Requires: DC/MDC You can blacklist individual health policy modules on appliances. In addition. You may want to do this to prevent events from the module from changing the status for the appliance to warning or critical. When blacklisting modules for Defense Centers. if you know you are going to disable the RNA detection engine on a sensor and do not want traffic status alerts to change the status for the sensor. only include the following modules: • • • • • • • • • Appliance Heartbeat CPU Usage Data Correlator Process Disk Usage eStreamer Process Health Monitor Process MDC Event Service Memory Usage Time Synchronization Status Version 4.

• Power Supply
• RNA Host License Limit

Master Defense Center Only

Specific health policy modules operate for a Master Defense Center. When blacklisting modules for Master Defense Centers, only include the following modules:

• CPU Usage
• Data Correlator Process
• Defense Center Status
• Disk Usage
• Event Stream Status
• Memory Usage
• Power Supply

For details about applicable modules on all appliances, see the Health Modules Applicable to Appliances table on page 531.

TIP! Once the blacklist settings take effect, the appliance shows as Part Blacklisted or All Modules Blacklisted in the Blacklist page and in the Appliance Health Monitor Module Status Summary, but only in expanded views on the main Appliance Status Summary page.

Make sure that you keep track of individually blacklisted modules so you can reactivate them when you need them. You may miss necessary warning or critical messages if you accidentally leave a module disabled.

To blacklist an individual health policy module:

Access: Maint/Admin

1. Select Operations > Monitoring > Health. The Health Monitor page appears.

2. On the toolbar, click Blacklist. The Blacklist page appears.

3. Sort by Group, Policy, or Model, then click Edit to display the list of health policy modules. The health policy modules appear.

4. You have two options:

• Select each module that you want to blacklist.
• Expand the detection engine list by clicking on the arrow next to modules with detection engine lists, then select each detection engine for which you want to blacklist the module.

5. Click Save.

Configuring Health Monitor Alerts

You can set up alerts to notify you through email, through SNMP or through the system log when the status changes for the modules in a health policy. You can associate an existing alert with health event levels to cause that alert to trigger when health events of a particular level occur.

For example, if you are concerned that your appliances may run out of hard disk space, you can automatically send an email to a system administrator when the remaining disk space reaches the warning level. If the hard drive continues to fill, you can send a second email when the hard drive reaches the critical level.

For more information, see the following topics:

• Preparing to Create a Health Alert on page 540
• Creating Health Monitor Alerts on page 540
• Interpreting Health Monitor Alerts on page 542
• Editing Health Monitor Alerts on page 543
• Deleting Health Monitor Alerts on page 544

Preparing to Create a Health Alert

Requires: DC/MDC

If you want to create a health alert, you first need to create the underlying alert that you associate to the health alert. You can use an existing alert or configure a new one specifically to report on system health. If you want to use email alerting, you also need to set up your email relay host in your system policy and re-apply that policy.

To prepare your system for alerting:

Access: Admin

1. Create the email, SNMP or syslog alerts you want to associate with health alerts:

• For more information on creating email alerts, see Creating Email Alerts in the Analyst Guide.
• For more information on creating SNMP alerts, see Creating SNMP Alerts in the Analyst Guide.
• For more information on creating syslog alerts, see Creating Syslog Alerts in the Analyst Guide.

2. If you plan to use email alerting:

• Select Operations > System Policy.
• Create a new policy or click Edit next to an existing one.
• In the policy, click Email Notification.
• Enter the name of the Mail Relay Host.
• Click Save Policy and Exit.
• Click Apply and apply the policy to the Defense Center where you plan to create the health alert.

Continue with Creating Health Monitor Alerts on page 540.

Creating Health Monitor Alerts

Requires: DC/MDC

When you create a health monitor alert, you create an association between a severity level, a health module, and an alert. For more information

on creating the alert, see Preparing to Create a Health Alert on page 540.

Note that if you create or update a threshold in a way that duplicates an existing threshold, you are notified of the conflict. When duplicate thresholds exist, the health monitor uses the threshold that generates the fewest alerts and ignores the others. The timeout value for the threshold must be between 5 and 4,294,967,295 minutes.

To create health monitor alerts:

Access: Admin

1. Select Operations > Monitoring > Health. The Health Monitor page appears.

2. Click Health Monitor Alerts in the health monitor toolbar. The Health Monitor Alerts page appears.

3. Type a name for the health alert in the Health Alert Name field.

4. From the Severity list, select the severity level you want to use to trigger the alert.

5. From the Module list, select the modules for which you want the alert to apply. When the severity level occurs for the selected module, the associated alert triggers.

TIP! To select multiple modules, press Shift + Ctrl and click the module names.

6. From the Alert list, select the alert which you want to trigger when the selected severity level is reached. For more information on creating alerts, see Creating Alerts in the Analyst Guide.

TIP! Click Alerts in the toolbar to open the Alerts page.

7. In the Threshold Timeout field, type the number of minutes that should elapse before each threshold period ends and the threshold count resets.

8. Click Save to save the health alert. A message appears, indicating if the alert configuration was successfully saved. The Active Health Alerts list now includes the alert you created.

Interpreting Health Monitor Alerts

The alerts generated by the health monitor contain the following information:

• Severity, which indicates the severity level of the alert.
• Module, which specifies the health module whose test results triggered the alert.
• Description, which includes the health test results that triggered the alert.

For more information on health alert severity levels, see the Alert Severities table. For more information on health modules, see Understanding Health Modules on page 485.

Alert Severities

Critical: The health test results met the criteria to trigger a Critical alert status.
Warning: The health test results met the criteria to trigger a Warning alert status.
Normal: The health test results met the criteria to trigger a Normal alert status.
Error: The health test did not run.
Recovered: The health test results met the criteria to return to a normal alert status, following a Critical or Warning alert status.

Editing Health Monitor Alerts

Requires: DC/MDC

You can edit existing health monitor alerts to change the severity level, health module, or alert associated with the health monitor alert.

To edit health monitor alerts:

Access: Admin

1. Select Operations > Monitoring > Health. The Health Monitor page appears.

2. Click Health Monitor Alerts in the health monitor toolbar. The Health Monitor Alerts page appears.

3. Select the alert you want to modify in the Active Health Alerts list.

4. Click Load to load the configured settings for the selected alert.

5. Modify settings as needed. For more information, see Creating Health Monitor Alerts on page 540.

6. Click Save to save the modified health alert. A message appears, indicating if the alert configuration was successfully saved.

Deleting Health Monitor Alerts

Requires: DC/MDC

You can delete existing health monitor alerts.

IMPORTANT! Deleting a health monitor alert does not delete the associated alert. You must deactivate or delete the underlying alert to ensure that alerting does not continue. For more information on deactivating alerts, see Activating and Deactivating Alerts in the Analyst Guide. For more information on deleting alerts, see Deleting Alerts in the Analyst Guide.

To delete health monitor alerts:

Access: Admin

1. Select Operations > Monitoring > Health. The Health Monitor page appears.

2. Click Health Monitor Alerts in the health monitor toolbar. The Health Monitor Alerts page appears.

3. Select the alert you want to delete in the Active Health Alerts list.

4. Click Delete. A message appears, indicating if the alert configuration was successfully deleted.

Chapter 16: Reviewing Health Status

You can obtain information about the health of your Sourcefire 3D System through the Health Monitor. Administrators can create and apply a health policy to an appliance. The Health Monitor then generates health events to indicate the current status of any aspects of appliance health that you chose to monitor. For more information on viewing the health status of your appliance, see the following topics:

• Using the Health Monitor on page 545
• Using Appliance Health Monitors on page 547
• Working with Health Events on page 555

Using the Health Monitor

Requires: DC/MDC

The Health Monitor page provides the compiled health status for all sensors managed by the Defense Center, plus the Defense Center. The Status table provides a count of the managed appliances for this Defense Center by overall health status. The pie chart supplies another view of the health status breakdown, indicating the percentage of appliances currently in each health status category.

To use the health monitor:

Access: Maint/Admin/Any Analyst except Restricted

1. Click Health Monitor on the toolbar. The Health Monitor page appears.

2. Select the appropriate status in the Status column of the table or the appropriate portion of the pie chart to list the appliances with that status.

TIP! If the arrow in the row for a status level points down, the appliance list for that status shows in the lower table. If the arrow points right, the appliance list is hidden.

The following topics provide details on the tasks you can perform from the Health Monitor page:

• Interpreting Health Monitor Status on page 547
• Using Appliance Health Monitors on page 547
• Configuring Health Policies on page 489
• Configuring Health Monitor Alerts on page 539

IMPORTANT! Your browser session will not be automatically timed out while you are viewing the Health Monitor page.

Interpreting Health Monitor Status

Available status categories, by severity, include Error, Critical, Warning, Normal, Recovered, and Disabled, as described in the Health Status Indicator table.

Health Status Indicator

Error (status color white): Indicates that at least one health monitoring module has failed on the appliance and has not been successfully re-run since the failure occurred. Contact your technical support representative to obtain an update to the health monitoring module.
Critical (status color red): Indicates that the critical limits have been exceeded for at least one health module on the appliance and the problem has not been corrected.
Warning (status color yellow): Indicates that warning limits have been exceeded for at least one health module on the appliance and the problem has not been corrected.
Normal (status color green): Indicates that all health modules on the appliance are running within the limits configured in the health policy applied to the appliance.
Recovered (status color green): Indicates that all health modules on the appliance are running within the limits configured in the health policy applied to the appliance, including modules that were in a Critical or Warning state.
Disabled (status color blue): Indicates that an appliance is disabled or blacklisted, that the appliance does not have a health policy applied to it, or that the appliance is currently unreachable.

Using Appliance Health Monitors

Requires: DC/MDC

The Appliance health monitor provides a detailed view of the health status of an appliance.

To view the status summary for a specific appliance:

Access: Maint/Admin/Any Analyst except Restricted

1. Select Operations > Monitoring > Health. The Health Monitor page appears.

2. To show the list of appliances with a particular status, click the arrow in that status row.

TIP! If the arrow in the row for a status level points down, the appliance list for that status shows in the lower table. If the arrow points right, the appliance list is hidden.

3. In the Appliance column of the appliance list, click the name of the appliance for which you want to view details in the health monitor toolbar. The Health Monitor Appliance page appears.

4. Optionally, in the Module Status Summary graph, click the color for the event status category you want to view. The Alert Detail list toggles the display to show or hide events.

For more information, see the following sections:

• Interpreting Appliance Health Monitor Status on page 549
• Viewing Alerts by Status on page 549
• Running All Modules for an Appliance on page 550

• Running a Specific Health Module on page 551
• Generating Health Module Alert Graphs on page 553
• Generating Appliance Troubleshooting Files on page 554

Interpreting Appliance Health Monitor Status

Available status categories, by severity, include Error, Critical, Warning, Normal, Recovered, and Disabled, as described in the Appliance Health Status Indicator table that follows.

Appliance Health Status Indicator

Error (status color white): Indicates that the health monitoring module has failed and has not been successfully re-run since the failure occurred. Contact your technical support representative to obtain an update to the health monitoring module.
Critical (status color red): Indicates that the critical limits have been exceeded for the health module on the appliance and the problem has not been corrected.
Warning (status color yellow): Indicates that warning limits have been exceeded for the health module on the appliance and the problem has not been corrected.
Normal (status color green): Indicates that the monitored item is running within the limits configured in the health policy applied to the appliance.
Recovered (status color green): Indicates that the health for the monitored item is back within the limits configured in the health policy applied to the appliance.
Disabled (status color blue): Indicates that a module is disabled or blacklisted, that the appliance does not have a health policy applied to it, or that the appliance is currently unreachable.

Viewing Alerts by Status

Requires: DC/MDC

You can show or hide categories of alerts by status.
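The roll-up that the two status indicator tables describe, the blacklist behaviour from Chapter 15 (blacklisted modules report Disabled and no longer push the appliance to Warning or Critical, the Part Blacklisted / All Modules Blacklisted labels, the blacklisted/maximum detection engine count) and the severity-to-alert association of health monitor alerts, as an added Python model. This is not Sourcefire code; the module names, detection engine names, alert names and test results in it are constructed, and the precedence used when a module is Recovered while others are Normal follows the Recovered row of the table.

```python
"""Added example, not Sourcefire code: how module test results roll up into
the appliance status on the Health Monitor page, how blacklisting changes that
roll-up, and when a health monitor alert fires. All names are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Roll-up precedence from the Health Status Indicator table: any failed module
# makes the appliance Error, else any Critical module makes it Critical, and so
# on. Recovered outranks Normal because an appliance whose modules are all back
# within limits (some having been Critical or Warning) is reported as Recovered.
ROLLUP_ORDER = ["Error", "Critical", "Warning", "Recovered", "Normal"]

# Threshold Timeout bounds (minutes) from the health monitor alert procedure.
THRESHOLD_TIMEOUT_MIN = 5
THRESHOLD_TIMEOUT_MAX = 4_294_967_295


@dataclass
class ModuleResult:
    module: str
    status: str                              # one of ROLLUP_ORDER (or Disabled)
    detection_engine: Optional[str] = None   # set for per-engine modules such as Traffic Status


@dataclass
class HealthMonitorAlert:
    name: str
    severity: str            # Critical, Warning, Normal, Error or Recovered
    modules: Set[str]        # modules the alert applies to
    alert: str               # underlying email/SNMP/syslog alert that is triggered
    threshold_timeout: int   # minutes before the threshold count resets

    def __post_init__(self) -> None:
        if not THRESHOLD_TIMEOUT_MIN <= self.threshold_timeout <= THRESHOLD_TIMEOUT_MAX:
            raise ValueError("Threshold Timeout must be between 5 and 4,294,967,295 minutes")


# (module, detection_engine) pairs; detection_engine None blacklists the whole module.
Blacklist = Set[Tuple[str, Optional[str]]]


def effective_status(result: ModuleResult, blacklist: Blacklist) -> str:
    """A blacklisted module, or a blacklisted engine of a module, reports Disabled."""
    if (result.module, None) in blacklist or (result.module, result.detection_engine) in blacklist:
        return "Disabled"
    return result.status


def appliance_status(results: List[ModuleResult], blacklist: Blacklist,
                     policy_applied: bool = True, reachable: bool = True) -> str:
    """Roll module statuses up into the single appliance status.

    Disabled covers no policy applied, unreachable, or every module blacklisted.
    Disabled modules are excluded from the roll-up, so their events cannot move
    the appliance to Warning or Critical, which is what blacklisting is for.
    """
    if not (policy_applied and reachable):
        return "Disabled"
    active = [s for s in (effective_status(r, blacklist) for r in results) if s != "Disabled"]
    if not active:
        return "Disabled"
    for level in ROLLUP_ORDER:
        if level in active:
            return level
    raise ValueError("unknown module status in %r" % active)


def blacklist_label(results: List[ModuleResult], blacklist: Blacklist) -> Optional[str]:
    """Label the Blacklist page shows for an appliance with blacklisted modules."""
    disabled = sum(1 for r in results if effective_status(r, blacklist) == "Disabled")
    if disabled == 0:
        return None
    return "All Modules Blacklisted" if disabled == len(results) else "Part Blacklisted"


def engine_counts(results: List[ModuleResult], blacklist: Blacklist) -> Dict[str, str]:
    """'blacklisted/maximum' detection engine counts shown after per-engine modules."""
    counts: Dict[str, Tuple[int, int]] = {}
    for r in results:
        if r.detection_engine is None:
            continue
        total, black = counts.get(r.module, (0, 0))
        if effective_status(r, blacklist) == "Disabled":
            black += 1
        counts[r.module] = (total + 1, black)
    return {m: "%d/%d" % (black, total) for m, (total, black) in counts.items()}


def fired_alerts(results: List[ModuleResult], blacklist: Blacklist,
                 alerts: List[HealthMonitorAlert]) -> List[Tuple[str, str, str]]:
    """(health alert name, underlying alert, module) for every severity match.

    A blacklisted module reports Disabled, so it never matches a configured severity.
    """
    fired = []
    for r in results:
        status = effective_status(r, blacklist)
        for a in alerts:
            if r.module in a.modules and a.severity == status:
                fired.append((a.name, a.alert, r.module))
    return fired


# Constructed sample: a sensor whose RNA detection engine is about to be disabled.
SAMPLE_RESULTS = [
    ModuleResult("Disk Usage", "Warning"),
    ModuleResult("CPU Usage", "Normal"),
    ModuleResult("Traffic Status", "Critical", detection_engine="rna-de1"),
    ModuleResult("Traffic Status", "Normal", detection_engine="ips-de1"),
]
SAMPLE_ALERTS = [
    HealthMonitorAlert("disk-warning", "Warning", {"Disk Usage"}, "mail-sysadmin", 60),
    HealthMonitorAlert("traffic-critical", "Critical", {"Traffic Status"}, "snmp-noc", 5),
]
RNA_BLACKLIST: Blacklist = {("Traffic Status", "rna-de1")}

if __name__ == "__main__":
    print("no blacklist:", appliance_status(SAMPLE_RESULTS, set()),
          fired_alerts(SAMPLE_RESULTS, set(), SAMPLE_ALERTS))
    print("RNA engine blacklisted:", appliance_status(SAMPLE_RESULTS, RNA_BLACKLIST),
          blacklist_label(SAMPLE_RESULTS, RNA_BLACKLIST), engine_counts(SAMPLE_RESULTS, RNA_BLACKLIST))
```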

To show alerts by status:

Access: Maint/Admin/Any Analyst except Restricted

Click the status icon or the color segment in the pie chart that corresponds to the health status of the alerts you want to view. The alerts for that category appear in the Alert Detail list.

To hide alerts by status:

Access: Maint/Admin/Any Analyst except Restricted

Click the status icon or the color segment in the pie chart that corresponds to the health status of the alerts you want to view. The alerts in the Alert Detail list for that category disappear.

Running All Modules for an Appliance

Requires: DC/MDC

Health module tests run automatically at the policy run time interval you configure when you create a health policy. However, you can also run all health module tests on demand to collect up-to-date health information for the appliance.

To run all health modules for the appliance:

Access: Maint/Admin/Any Analyst except Restricted

1. Select Operations > Monitoring > Health. The Health Monitor page appears.

2. To expand the appliance list to show appliances with a particular status, click the arrow in that status row.

TIP! If the arrow in the row for a status level points down, the appliance list for that status shows in the lower table. If the arrow points right, the appliance list is hidden.

3. In the Appliance column of the appliance list, click the name of the appliance for which you want to view details in the health monitor toolbar. The Health Monitor Appliance page appears.

4. Click Run All Modules. The status bar indicates the progress of the tests, then the Health Monitor Appliance page refreshes.

IMPORTANT! When you manually run health modules, the first refresh that automatically occurs may not reflect the data from the manually-run tests. If the value has not changed for a module that you just ran manually, wait a few seconds, then refresh the page by clicking the sensor name. You can also wait for the page to refresh again automatically.

Running a Specific Health Module

Requires: DC/MDC

Health module tests run automatically at the policy run time interval you configure when you create a health policy. However, you can also run a health module test on demand to collect up-to-date health information for that module.

To run a specific health module:

Access: Maint/Admin/Any Analyst except Restricted

1. Select Operations > Monitoring > Health. The Health Monitor page appears.

2. To expand the appliance list to show appliances with a particular status, click the arrow in that status row.

TIP! If the arrow in the row for a status level points down, the appliance list for that status shows in the lower table. If the arrow points right, the appliance list is hidden.

3. In the Appliance column of the appliance list, click the name of the appliance for which you want to view details in the health monitor toolbar. The Health Monitor Appliance page appears.

4. In the Module Status Summary graph of the Health Monitor Appliance page, click the color for the health alert status category you want to view. The Alert Detail list expands to list the health alerts for the selected appliance for that status category.

5. In the Alert Detail row for the alert for which you want to view a list of events, click Run. The status bar indicates the progress of the test, then the Health Monitor Appliance page refreshes.

IMPORTANT! When you manually run health modules, the first refresh that automatically occurs may not reflect the data from the manually-run tests. If the value has not changed for a module that you just manually ran, wait a few seconds, then refresh the page by clicking the sensor name. You can also wait for the page to refresh automatically again.

Generating Health Module Alert Graphs

Requires: DC/MDC

You can graph the results over a period of time of a particular health test for a specific appliance.

To generate a health module alert graph:

Access: Maint/Admin/Any Analyst except Restricted

1. Select Operations > Monitoring > Health. The Health Monitor page appears.

2. To expand the appliance list to show appliances with a particular status, click the arrow in that status row.

TIP! If the arrow in the row for a status level points down, the appliance list for that status shows in the lower table. If the arrow points right, the appliance list is hidden.

3. In the Appliance column of the appliance list, click the name of the appliance for which you want to view details in the health monitor toolbar. The Health Monitor Appliance page appears.

4. In the Module Status Summary graph of the Health Monitor Appliance page, click the color for the health alert status category you want to view. The Alert Detail list expands to list the health alerts for the selected appliance for that status category.

5. In the Alert Detail row for the alert for which you want to view a list of events, click Graph. A graph appears, showing the status of the event over time. The Alert Detail section below the graph lists all health alerts for the selected appliance.

TIP! If no events appear, you may need to adjust the time range. See Setting Event Time Constraints in the Analyst Guide for more information.

Generating Appliance Troubleshooting Files

Requires: DC/MDC

In some cases, if you have a problem with your appliance, Sourcefire Support may ask you to generate troubleshooting files to help them diagnose the problem.

To generate appliance troubleshooting files:

Access: Maint/Admin/Any Analyst except Restricted

1. Select Operations > Monitoring > Health. The Health Monitor page appears.

2. To expand the appliance list to show appliances with a particular status, click the arrow in that status row.

TIP! If the arrow in the row for a status level points down, the appliance list for that status shows in the lower table. If the arrow points right, the appliance list is hidden.

3. In the Appliance column of the appliance list, click the name of the appliance for which you want to view details in the health monitor toolbar. The Health Monitor Appliance page appears.

4. Click Generate Troubleshooting Files and confirm that you want to generate the files. The file generation task is added to the task status queue.

5. Select Operations > Monitoring > Task Status. The Task Status page appears.

6. Click the folder for the file generation job entry to expand the entry.

7. Select Click to retrieve generated files. A File Download dialog box appears.

8. Save the files to a location on your computer.

9. Send the generated files to technical support to assist in troubleshooting your system.

Working with Health Events

The Defense Center provides fully customizable event views that allow you to quickly and easily analyze the health status events gathered by the health monitor. These event views allow you to search and view event data and to easily access other information that may be related to the events you are investigating.

From the Operations > Monitoring > Health menu, you can view health events, and can search for specific events. Many functions that you can perform on the health event view pages are constant across all event view pages. See Understanding Health Event Views on page 556 for more information about these common procedures.

See the following sections for more information about viewing events:

• Understanding Health Event Views on page 556 describes the types of events that RNA generates, which you can see on the Health Event View page.
• Viewing Health Events on page 556 describes how to access and use the Event View page.
• Searching for Health Events on page 563 describes how to search for specific events using the Event Search page.

Understanding Health Event Views

The Defense Center health monitor logs health events. If you understand what conditions each health module tests for, you can more effectively configure alerting for health events. For more information on the different types of health modules that generate health events, see Understanding Health Modules on page 485.

For more information about viewing and searching for health events, see the following sections:

• Viewing Health Events on page 556
• Understanding the Health Events Table on page 561
• Searching for Health Events on page 563

Viewing Health Events

You can view the appliance health data collected by your health monitor in several ways. For more information, see the following topics:

• Viewing All Health Events on page 556
• Viewing Health Events by Module and Appliance on page 557
• Working with the Health Events Table View on page 559
• Searching for Health Events on page 563

Viewing All Health Events

Requires: DC/MDC

The Table View of Health Events page provides a list of all health events on the selected appliance. When you access health events from the Health Monitor page on your Defense Center, you retrieve all health events for all managed appliances. For a description of the health modules that generated the events that you may see on this page, see Understanding Health Modules on page 485.

To view all health events on all managed appliances:

Access: Maint/Admin/Any Analyst except Restricted

1. Select Operations > Monitoring > Health. The Health Monitor page appears.

2. In the toolbar, click Health Events. The Events page appears, containing all health events. If no events appear, you may need to adjust the time range. See Setting Event Time Constraints in the Analyst Guide for more information.

TIP! You can bookmark this view to allow you to return to the page in the health events workflow containing the Health Events table of events. The bookmarked view retrieves events within the time range you are currently viewing, but you can then modify the time range to update the table with more recent information if needed. For more information, see Setting Event Time Constraints in the Analyst Guide.

Viewing Health Events by Module and Appliance

Requires: DC/MDC

You can query for events generated by a specific health module on a specific appliance.

To view the health events for a specific module:

Access: Maint/Admin/Any Analyst except Restricted

1. Select Operations > Monitoring > Health. The Health Monitor page appears.

2. To expand the appliance list to show appliances with a particular status, click the arrow in that status row.

TIP! If the arrow in the row for a status level points down, the appliance list for that status shows in the lower table. If the arrow points right, the appliance list is hidden.

3. In the Appliance column of the appliance list, click the name of the appliance for which you want to view details in the health monitor toolbar. The Health Monitor Appliance page appears.

4. In the Module Status Summary graph of the Health Monitor Appliance page, click the color for the health alert status category you want to view. The Alert Detail list expands to list the health alerts for the selected appliance for that status category.

5. In the Alert Detail row for the alert for which you want to view a list of events, click Events. The Health Events page appears, containing query results for a query with the name of the appliance and the name of the selected health alert module as constraints. If no events appear, you may need to adjust the time range. See Setting Event Time Constraints in the Analyst Guide for more information.

6. If you want to view all health events for the selected appliance, expand Search Constraints and click the Module Name constraint to remove it.

Working with the Health Events Table View

Requires: DC/MDC

The Health Event View Functions table describes each action you can perform from the Event View page.

Note that events that were generated outside the appliance's configured time window (whether global or event-specific) may appear in an event view if you constrain the event view by time. This can occur even if you configured a sliding time window for the appliance.

Health Event View Functions

To learn more about the contents of the columns that appear in the Health event view: find more information in Understanding the Health Events Table on page 561.

To modify the time and date range for events listed in the Health table view: find more information in Setting Event Time Constraints in the Analyst Guide.

To sort the events that appear, change what columns display in the table of events, or constrain the events that appear: find more information in Sorting Drill-down Workflow Pages in the Analyst Guide.

To delete health events: select the check box next to the events you want to delete and click Delete. To delete all the events in the current constrained view, click Delete All, then confirm you want to delete all the events.

To navigate through event view pages: find more information in Navigating to Other Pages in the Workflow in the Analyst Guide.

To navigate to other event tables to view associated events: find more information in Navigating between Workflows in the Analyst Guide.

To bookmark the current page so that you can quickly return to it: click Bookmark This Page, provide a name for the bookmark and click Save. See Using Bookmarks in the Analyst Guide for more information.

To navigate to the bookmark management page: select Analysis & Reporting > Bookmarks or, from any event view, click View Bookmarks. See Using Bookmarks in the Analyst Guide for more information.

To generate a report based on data in the table view: click Report Designer. See Generating Reports from Event Views on page 235 for more information.

Health Event View Functions (Continued)

To select another health events workflow: click Workflows or select from the Workflows dropdown list in the toolbar. See Selecting Workflows in the Analyst Guide for more information.

To view the details associated with a single health event: click the down arrow link on the left side of the event.

To view event details for multiple health events: select the check box next to the rows that correspond with the events you want to view details for and then click View.

To view event details for all events in the view: click View All.

To view all events of a particular status: click the status icon in the Status column for an event with that status.

Interpreting Hardware Alert Details for 3D9900 Sensors

For 3D9900 sensor models, hardware alarms generate in response to the events described in the Conditions Monitored for 3D9900 Sensors table. The triggering condition can be found in the message detail for the alert.

Conditions Monitored for 3D9900 Sensors (Condition Monitored: Causes of Yellow or Red Error Conditions)

NFE card presence: If NFE hardware is detected that is not valid for the appliance, health status for the Hardware Alarms module changes to red and the message details include a reference to the NFE card presence.

NFE temperature:
• If NFE temperature exceeds 89 degrees Fahrenheit, health status for the Hardware Alarms module changes to yellow and the message details include a reference to the NFE temperature.
• If NFE temperature exceeds 99 degrees Fahrenheit, health status for the Hardware Alarms module changes to red and the message details include a reference to the NFE temperature.

NFE Platform daemon: If the NFE Platform daemon goes down, health status for the Hardware Alarms module changes to red and the message details include a reference to the daemon.

9. If the NFE TCAM daemon goes down. If the nfm_ipfragd daemon goes down.1 Sourcefire 3D System Administrator Guide 561 . NFE TCAM daemon LBIM presence Scmd daemon Psls daemon Ftwo daemon Rulesd (host rules) daemon nfm_ipfragd (host frag) daemon Understanding the Health Events Table You can use the Defense Center’s health monitor to determine the status of critical functionality within the Sourcefire 3D System. health status for the Hardware Alarms module changes to red and the message details include a reference to the daemon. health status for the Hardware Alarms module changes to red and the message details include a reference to the daemon. You create and apply health policies to your appliances. If the Psls daemon goes down. The Health Monitor modules you choose to enable Version 4. health status for the Hardware Alarms module changes to red and the message details include a reference to the daemon. If the Rulesd daemon goes down. If the Ftwo daemon goes down. health status for the Hardware Alarms module changes to red and the message details include a reference to the daemon. health status for the Hardware Alarms module changes to yellow and the message details include a reference to the daemon.Reviewing Health Status Working with Health Events Chapter 16 Conditions Monitored for 3D9900 Sensors (Continued) Condition Monitored NFE Message daemon Causes of Yellow or Red Error Conditions If the NFE Message daemon goes down. If the Scmd daemon goes down. including hardware and software status. health status for the Hardware Alarms module changes to red and the message details include a reference to the daemon. which monitor a variety of aspects. health status for the Hardware Alarms module changes to red and the message details include a reference to the daemon. If the Load-Balancing Interface Module (LBIM) switch assembly is not present or not communicating. 
health status for the Hardware Alarms module changes to red and the message details include a reference to the LBIM presence.

The Health Monitor page appears. The name of the test. a health event is generated. For example. the value could be a number from 80 to 100. The fields in the health events table are described in the Health Event Fields table. This is typically the same as the module name. The description of the health module that generated the event. For more information on health monitoring. When the health status meets criteria that you specify. The appliance where the health event was reported. or Disabled) reported for the appliance. the units is a percentage sign (%). You can use the asterisk (*) to create wildcard searches. Green. if the Defense Center generates a health event whenever a sensor it is monitoring is using 80 percent or more of its CPU resources.Reviewing Health Status Working with Health Events Chapter 16 in your health policy run various tests to determine appliance health status. Select Operations > Monitoring > Health. health events generated when a process was unable to execute are labeled Unable to Execute.1 Sourcefire 3D System Administrator Guide 562 . Health Event Fields Field Module Name Description The name of the health module that generated the event. For a list of health modules. see Monitoring the System on page 463. Yellow. see the Health Modules table on page 485. Units The units descriptor for the result. if the Defense Center generates a health event when a sensor it is monitoring is using 80 percent or more of its CPU resources. Version 4. The value (number of units) of the result obtained by the health test that generated the event. Status Sensor The status (Critical. For example. The timestamp for the health event.9. For example. Test Name Time Description Value To display the table view of health events: Access: Maint/Admin/ Any Analyst except Restricted 1.

2. On the toolbar, click Health Events.
The table view appears.

TIP! If you are using a custom workflow that does not include the table view of health events, click Workflows. On the Select Workflow page, click Health Events.

Searching for Health Events

Requires: DC/MDC

You can use Event Search to search for specific health events. You can create, save, and re-use event searches. When creating new searches or modifying default searches, there are a number of options you can configure. The Health Event Search Criteria table describes each search criterion you can specify. For information on working with health events, see Working with Health Events on page 555.

Health Event Search Criteria

Search Field / Description
• Module Name: Specify the name of the module which generated the health events you want to view. For example, to view events that measure CPU performance, type CPU. The search should retrieve applicable CPU Usage and CPU temperature events.
• Description: Specify the description of the events you want to view. For example, you could enter Unable to Execute to view any health events where a process was unable to execute. You can use an asterisk (*) in this field to create wildcard searches.
• Value: Specify the value (number of units) of the result obtained by the health test for the events you want to view. For example, if you specify a value of 15 and type CPU in the Units field, you retrieve events where the appliance CPU was running at 15% utilization at the time the test ran.
• Units: Specify the units descriptor for the result obtained by the health test for the events you want to view. You can use an asterisk (*) in this field to create wildcard searches. For example, if you type % in the Units field, you retrieve all events for the Disk Usage modules, because the Disk Usage module has a “%” label in the Units field (and no additional text). However, if you type *% in the Units field, you retrieve all events for any modules that contain text followed by a “%” sign in the Units field.
• Status: Specify the status for the health events that you want to view. Valid status levels are Critical, Warning, Normal, Error, and Disabled. For example, type Critical to retrieve all health events that indicate a critical status.
• Appliance: Specify the name of the appliance.

To run and save health event searches:

Access: Any Analyst except Restricted/Admin

1. Select Analysis & Reporting > Searches > Health Events.
The Search page appears.
2. Enter your search criteria.
See Health Event Search Criteria on page 563 for more information about the values you can enter for search criteria.
3. Optionally, if you want to save the search, enter a name for the search in the Name field.
If you do not enter a name, one is created automatically when you save the search.
4. Optionally, if you want to save the search so that other users can access it, disable the Save As Private check box. Otherwise, leave the check box selected to save the search as private.
TIP! If you want to save a search as a restriction for restricted data users, you must save it as a private search.
5. You have the following options:
• Click Search to execute the search. Your search results appear in the default health events workflow, constrained by the current time range. To use a different workflow, including a custom workflow, use the Workflows menu on the toolbar. For information on specifying a different default workflow, see Configuring Event View Settings on page 27.
• Click Save if you are modifying an existing search and want to save your changes.
• Click Save as New Search to save the search criteria. The search is saved and associated with your user account (if you selected Save As Private), so that you can run it at a later time.

For more information about searching, see the following sections:
• Loading a Saved Search in the Analyst Guide
• Deleting a Saved Search in the Analyst Guide
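As an added illustration of the wildcard rules in the Health Event Search Criteria table above (example code written for this guide, not Sourcefire product code): a small Python search over constructed health event rows that treats the asterisk as the only wildcard, so that a Units criterion of % matches only rows whose Units field is exactly %, while *% matches any Units text ending in %. Case-insensitive whole-field matching, and numeric comparison for Value, are assumptions the page does not state.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class HealthEvent:
    """One row of the health events table (fields as named on this page)."""
    module_name: str
    description: str
    value: float
    units: str
    status: str
    appliance: str


TEXT_FIELDS = ("module_name", "description", "units", "status", "appliance")


def criterion_to_regex(text: str) -> re.Pattern:
    """Compile one search-field string. '*' is the only wildcard; every other
    character is literal, so '%' matches a Units field that is exactly '%' and
    '*%' matches any Units text ending in '%'. Case-insensitive whole-field
    matching is an assumption, not something the page states."""
    literal_parts = (re.escape(p) for p in text.split("*"))
    return re.compile("^" + ".*".join(literal_parts) + "$", re.IGNORECASE)


def search_health_events(events, criteria):
    """Return the events matching every criterion (fields are ANDed).
    Value is compared numerically; text fields go through criterion_to_regex."""
    compiled = {}
    for field, text in criteria.items():
        if field == "value":
            compiled[field] = float(text)
        elif field in TEXT_FIELDS:
            compiled[field] = criterion_to_regex(text)
        else:
            raise ValueError(f"unknown search field: {field}")
    return [ev for ev in events
            if all(getattr(ev, f) == want if f == "value" else want.match(getattr(ev, f))
                   for f, want in compiled.items())]


# Constructed sample rows for the demonstration, not real appliance output.
SAMPLE_EVENTS = [
    HealthEvent("Disk Usage", "Disk usage", 61, "%", "Normal", "sensor-a"),
    HealthEvent("CPU Usage", "CPU usage", 15, "CPU %", "Normal", "sensor-a"),
    HealthEvent("CPU Temperature", "CPU temperature", 42, "degrees", "Normal", "dc-1"),
    HealthEvent("Process Status", "Unable to Execute", 0, "", "Critical", "sensor-b"),
]


def module_names(hits):
    """Module Name column of a result set, in table order."""
    return [ev.module_name for ev in hits]
```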

Chapter 17 Auditing the System

You can audit activity on your system in two ways. The appliances that are a part of the Sourcefire 3D System generate an audit record for each user interaction with the web interface, and also record system status messages in the system log.

The following sections provide more information about the monitoring features that the system provides:
• Managing Audit Records on page 566 describes how to view and manage system audit information.
• Viewing the System Log on page 578 describes how to view the system log, which contains system status messages.

Managing Audit Records

Requires: DC/MDC or 3D Sensor

Defense Centers and 3D Sensors log read-only auditing information for user activity. Audit logs are presented in a standard event view that allows you to view, sort, and filter audit log messages based on any item in the audit view. You can easily delete and report on audit information.

TIP! Defense Centers and 3D Sensors with IPS also provide full-featured reporting features that allow you to generate reports for almost any type of data accessible in an event view, including auditing data. For more information, see Working with Event Reports on page 232.

The audit log stores a maximum of 100,000 entries. When the number of audit log entries exceeds 100,000, the appliance prunes the oldest records from the database to reduce the number to 100,000.

For more information, see the following sections:
• Viewing Audit Records on page 567
• Suppressing Audit Records on page 570
• Understanding the Audit Log Table on page 574
• Searching Audit Records on page 575

Viewing Audit Records

Requires: DC/MDC or 3D Sensor

You can use the appliance to view a table of audit records. Then, you can manipulate the view depending on the information you are looking for. The predefined workflow includes a single table view of events. You can also create a custom workflow that displays only the information that matches your specific needs. For information on creating a custom workflow, see Creating Custom Workflows in the Analyst Guide. The Audit Log Actions table below describes some of the specific actions you can perform on an audit log workflow page.

Note that events that were generated outside the appliance's configured time window (whether global or event-specific) may appear in an event view if you constrain the event view by time. This can occur even if you configured a sliding time window for the appliance.

Audit Log Actions

To... / You can...
• learn more about the contents of the columns in the table: find more information in Understanding the Audit Log Table on page 574.
• modify the time range used when viewing audit records: find more information in Setting Event Time Constraints in the Analyst Guide.
• sort and constrain events on the current workflow page: find more information in Sorting Table View Pages and Changing Their Layout in the Analyst Guide.
• navigate within the current workflow page: find more information in Navigating to Other Pages in the Workflow in the Analyst Guide.
• navigate between pages in the current workflow, keeping the current constraints: click the appropriate page link at the top left of the workflow page. For more information, see Using Workflow Pages in the Analyst Guide.
• drill down to the next page in the workflow, constraining on a specific value: click a value within a row. If you click a value on a drilldown page. Note that clicking a value within a row in a table view constrains the table view and does not drill down to the next page. TIP! Table views always include “Table View” in the page name.
• drill down to the next page in the workflow, constraining on some events: select the checkboxes next to the events you want to view on the next workflow page, then click View. For more information, see Using Workflow Pages in the Analyst Guide. Clicking a value within a row in a table vie