Sourcefire 3D System Administrator Guide Version 4.9.1

DESCRIPTION

Sourcefire document, administration guide, very good book for IPS and IDS deployment; contains Crossbeam configuration, sample IPS configuration and GUI.

Page 1: Sourcefire 3D System Administrator Guide v4.9.1

Sourcefire 3D System Administrator Guide

Version 4.9.1

Page 2: Sourcefire 3D System Administrator Guide v4.9.1

Intellectual Property Notices, Disclaimers, and Terms of Use Applicable to the User Documentation.

The legal notices, disclaimers, terms of use, and other information contained herein (the “terms”) apply only to the Sourcefire, Inc. documentation (the “Documentation”) and your use of it. The terms do not apply to or govern the use of Sourcefire's web site or the Sourcefire appliances discussed in the Documentation. Sourcefire appliances are available for purchase and are subject to a separate license containing very different terms of use.

Terms Of Use and Copyright and Trademark Notices

The copyright in the Documentation is owned by Sourcefire, Inc., and is protected by copyright pursuant to US copyright law, international conventions, and other laws. You may use, print out, save on a retrieval system, and otherwise copy and distribute the documentation solely for non-commercial use, provided that (i) you do not modify the documentation in any way and (ii) you always include Sourcefire's copyright, trademark, and other notices, as well as a link to, or print out of, the full contents of this page and its terms. No part of the documentation may be used in a compilation or otherwise incorporated into another work, or be used to create derivative works, without the express prior written permission of Sourcefire, Inc. Sourcefire, Inc. reserves the right to change the Terms at any time, and your continued use of the Documentation shall be deemed an acceptance of those terms.

Sourcefire, the Sourcefire logo, Snort, the Snort logo, 3D Sensor, Intrusion Sensor, Intrusion Agent, Real-time Network Awareness, RNA Sensor, Defense Center, Master Defense Center, Success Pack, and 3D System, are trademarks or registered trademarks of Sourcefire, Inc. All other trademarks are property of their respective owners.

© 2004 - 2010 Sourcefire, Inc. All rights reserved.

Liability Disclaimers

THE DOCUMENTATION AND ANY INFORMATION AVAILABLE FROM IT MAY INCLUDE INACCURACIES OR TYPOGRAPHICAL ERRORS. SOURCEFIRE, INC. MAY CHANGE THE DOCUMENTATION FROM TIME TO TIME. SOURCEFIRE, INC. MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE ACCURACY OR SUITABILITY OF THE SOURCEFIRE, INC. WEB SITE, THE DOCUMENTATION, AND/OR ANY APPLIANCE OR INFORMATION. SOURCEFIRE, INC. PROVIDES THE SOURCEFIRE, INC. WEB SITE, THE DOCUMENTATION, AND ANY APPLIANCE OR INFORMATION “AS IS” AND SOURCEFIRE, INC. DISCLAIMS ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING BUT NOT LIMITED TO WARRANTIES OF TITLE OR THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL SOURCEFIRE, INC. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, LOSS OF DATA, LOSS OF PROFITS, AND/OR BUSINESS INTERRUPTIONS), ARISING OUT OF OR IN ANY WAY RELATED TO THE SOURCEFIRE, INC. WEB SITE, THE DOCUMENTATION, AND/OR ANY SOFTWARE OR INFORMATION, NO MATTER HOW CAUSED AND/OR WHETHER BASED ON CONTRACT, STRICT LIABILITY, NEGLIGENCE OR OTHER TORTIOUS ACTIVITY, OR ANY OTHER THEORY OF LIABILITY, EVEN IF SOURCEFIRE, INC. IS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. BECAUSE SOME STATES/JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU.

The Documentation may contain “links” to sites on the Internet that are not created by, or under the control of Sourcefire, Inc. Sourcefire, Inc. provides such links solely for your convenience, and assumes no responsibility for the availability or content of such other sites.

2010-Jul-12 13:56

Page 3: Sourcefire 3D System Administrator Guide v4.9.1

Version 4.9.1 Sourcefire 3D System Administrator Guide 3

Table of Contents

Chapter 1: Introduction to the Sourcefire 3D System .......... 14

Components of the Sourcefire 3D System .......... 15
    Real-time Network Awareness (RNA) .......... 15
    Intrusion Prevention System (IPS) .......... 16
    Real-time User Awareness (RUA) .......... 17
    PEP Traffic Management .......... 17
    Defense Centers .......... 17
    Master Defense Centers .......... 19
    Intrusion Agents .......... 19
    RNA for Red Hat Linux .......... 20
    RNA and IPS for Crossbeam Systems .......... 20
    eStreamer .......... 20

Logging into the Appliance ................................................................................. 21

Logging into the Appliance to Set Up an Account .............................................. 23

Logging Out of the Appliance ............................................................................. 24

Last Successful Login......................................................................................... 25

Specifying Your User Preferences .......... 25
    Changing Your Password .......... 25
    Configuring Event View Settings .......... 27
    Setting Your Default Time Zone .......... 34
    Specifying Your Home Page .......... 35
    Specifying Your Default Dashboard .......... 35

Using the Context Menu .................................................................................... 36

Documentation Resources ................................................................................. 37

Documentation Conventions .......... 38
    Platform Requirements Conventions .......... 38
    Access Requirements Conventions .......... 39

IP Address Conventions...................................................................................... 41

Chapter 2: Performing the Initial Setup .......... 43

Setting Up 3D Sensors .......... 44

Setting up Defense Centers ............................................................................... 47

Communication Ports ......................................................................................... 50

What’s Next? .......... 52
    Administrator User Tasks .......... 53
    Maintenance User Tasks .......... 54
    Policy & Response Administrator User Tasks .......... 55
    RNA Event Analyst User Tasks .......... 56
    Intrusion Event Analyst User Tasks .......... 57

Chapter 3: Using Dashboards .......... 59

Understanding Dashboard Widgets .......... 60
    Understanding Widget Availability .......... 61
    Understanding Widget Preferences .......... 64

Understanding the Predefined Widgets .......... 65
    Understanding the Appliance Information Widget .......... 66
    Understanding the Appliance Status Widget .......... 67
    Understanding the Compliance Events Widget .......... 67
    Understanding the Current Interface Status Widget .......... 68
    Understanding the Current Sessions Widget .......... 69
    Understanding the Custom Analysis Widget .......... 69
    Understanding the Disk Usage Widget .......... 80
    Understanding the Interface Traffic Widget .......... 81
    Understanding the Intrusion Events Widget .......... 81
    Understanding the Network Compliance Widget .......... 82
    Understanding the Product Licensing Widget .......... 84
    Understanding the Product Updates Widget .......... 85
    Understanding the RSS Feed Widget .......... 86
    Understanding the System Load Widget .......... 87
    Understanding the System Time Widget .......... 87
    Understanding the White List Events Widget .......... 88

Working with Dashboards .......... 89
    Creating a Custom Dashboard .......... 89
    Viewing Dashboards .......... 91
    Modifying Dashboards .......... 93
    Deleting a Dashboard .......... 97

Chapter 4: Using the Defense Center .......... 99

Management Concepts .......... 100
    The Benefits of Managing Your Sensors .......... 100
    What Can Be Managed by a Defense Center? .......... 101
    Understanding Software Sensors .......... 105
    Beyond Policies and Events .......... 111
    Using Redundant Defense Centers .......... 112

Working in NAT Environments.......................................................................... 112

Working with Sensors .......... 113
    Understanding the Sensors Page .......... 115
    Adding Sensors to the Defense Center .......... 117
    Deleting Sensors .......... 121
    Resetting Management of a Sensor .......... 122
    Managing a 3Dx800 Sensor .......... 125
    Adding Intrusion Agents .......... 130
    Sensor Attributes - Intrusion Agent Page .......... 130

Managing Sensor Groups .......... 131
    Creating Sensor Groups .......... 131
    Editing Sensor Groups .......... 132
    Deleting Sensor Groups .......... 133

Editing a Managed Sensor’s System Settings .......... 133
    Viewing a Sensor’s Information Page .......... 135
    Stopping and Restarting a Managed Sensor .......... 137
    Managing Communication on a Managed Sensor .......... 138
    Setting the Time on a Managed Sensor .......... 139

Managing a Clustered Pair .......... 140
    Establishing a Clustered Pair .......... 142
    Separating a Clustered Pair .......... 144

Configuring High Availability .......... 145
    Using High Availability .......... 145
    Guidelines for Implementing High Availability .......... 149
    Setting Up High Availability .......... 150
    Monitoring the High Availability Status .......... 152
    Disabling High Availability and Unregistering Sensors .......... 153
    Pausing Communication between Paired Defense Centers .......... 154
    Restarting Communication between Paired Defense Centers .......... 154

Chapter 5: Using the Master Defense Center .......... 156

Understanding Event Aggregation .......... 157
    Aggregating Intrusion Events .......... 158
    Aggregating Compliance Events .......... 158
    Limitations on Event Aggregation .......... 159

Understanding Global Policy Management .......... 161
    Managing Global Intrusion Policies .......... 161
    Using RNA Detection Policies on a Master Defense Center .......... 162
    Using Health Policies on a Master Defense Center .......... 162
    Using System Policies on a Master Defense Center .......... 162
    Master Defense Center Policy Management Limitations .......... 163

Adding and Deleting Defense Centers .......... 164
    Adding a Master Defense Center .......... 165
    Adding a Defense Center .......... 168
    Deleting a Defense Center .......... 171
    Resetting Management of a Defense Center .......... 171

Using the Appliances Page ............................................................................... 173

Editing Settings for a Managed Defense Center .......... 175
    Viewing the Defense Center Information Page .......... 175
    Editing the Event Filter Configuration .......... 176
    Editing or Disabling Remote Management Communications .......... 178
    Managing the Health Blacklist .......... 178
    Managing High Availability Defense Centers .......... 178

Managing Appliance Groups .......... 179
    Creating Appliance Groups .......... 180
    Editing Appliance Groups .......... 180
    Deleting Appliance Groups .......... 181

Editing Master Defense Center System Settings .......... 181
    Listing Master Defense Center Information .......... 182
    Viewing a Master Defense Center License .......... 182
    Configuring Network Settings .......... 182
    Shutting Down and Restarting the System .......... 182
    Configuring Remote Management Networking .......... 183
    Setting System Time .......... 183
    Blacklisting Health Policies .......... 184

Chapter 6: Using Detection Engines and Interface Sets .......... 185

Understanding Detection Engines .......... 186
    Understanding Detection Resources and 3D Sensor Models .......... 189
    Understanding Default Detection Engines .......... 191

Managing Detection Engines .......... 193
    Creating a Detection Engine .......... 193
    Editing a Detection Engine .......... 194
    Deleting a Detection Engine .......... 197

Using Detection Engine Groups .......... 197
    Creating Detection Engine Groups .......... 197
    Editing Detection Engine Groups .......... 198
    Deleting Detection Engine Groups .......... 199

Using Variables within Detection Engines .......... 199
    Assigning Values to System Default Variables in Detection Engines .......... 200
    Creating New Variables for Detection Engines .......... 202
    Deleting and Resetting Variables .......... 203
    Configuring Custom Variables in Detection Engines .......... 204
    Using Portscan-Only Detection Engines .......... 205

Using Interface Sets .......... 207
    Understanding Interface Set Configuration Options .......... 207
    Creating an Interface Set .......... 213
    Creating an Inline Interface Set .......... 216
    Editing an Interface Set .......... 221
    Deleting an Interface Set .......... 223

Using Interface Set Groups .......... 223
    Creating Interface Set Groups .......... 224
    Editing Interface Set Groups .......... 224
    Deleting Interface Set Groups .......... 225

Inline Fail Open Interface Set Commands .......... 225
    Removing Bypass Mode on Inline Fail Open Fiber Interfaces .......... 225
    Forcing an Inline Fail Open Interface Set into Bypass Mode .......... 226

Using Clustered 3D Sensors .......... 227
    Using Detection Engines on Clustered 3D Sensors .......... 228
    Understanding Interface Sets on Clustered 3D Sensors .......... 229
    Managing Information from a Clustered 3D Sensor .......... 230

Chapter 7: Working with Event Reports .......... 232

Working with Event Reports .......... 234

Working with Report Profiles............................................................................ 234

Generating Reports from Event Views ............................................................. 235

Managing Generated Reports .......... 237
    Viewing Generated Reports .......... 238
    Downloading Generated Reports .......... 238
    Deleting Generated Reports .......... 239
    Moving Reports to a Remote Storage Location .......... 239
    Running Remote Reports .......... 240

Understanding Report Profiles .......... 241
    Understanding the Predefined Report Profiles .......... 242
    Modifying a Predefined Report Profile .......... 246
    Creating a Report Profile .......... 246

Working with Report Information .......... 248
    Using Report Types .......... 250
    Defining Report Information .......... 254

Working with Report Sections .......... 255
    Using Summary Reports .......... 255
    Including an Image File .......... 257
    Defining the Report Sections .......... 258

Working with Report Options ........................................................................... 258

Using a Report Profile .......... 260
    Generating a Report using a Report Profile .......... 261
    Editing Report Profiles .......... 263
    Deleting Report Profiles .......... 263

Chapter 8: Managing Users .......... 264

Understanding Sourcefire User Authentication .......... 264
    Understanding Internal Authentication .......... 266
    Understanding External Authentication .......... 266
    Understanding User Privileges .......... 267

Managing Authentication Objects .......... 269
    Understanding LDAP Authentication .......... 269
    Creating LDAP Authentication Objects .......... 269
    LDAP Authentication Object Examples .......... 281
    Editing LDAP Authentication Objects .......... 286
    Understanding RADIUS Authentication .......... 287
    Creating RADIUS Authentication Objects .......... 287
    RADIUS Authentication Object Examples .......... 295
    Editing RADIUS Authentication Objects .......... 298
    Deleting Authentication Objects .......... 298

Managing User Accounts .......... 299
    Viewing User Accounts .......... 299
    Adding New User Accounts .......... 300
    Managing Externally Authenticated User Accounts .......... 302
    Managing User Password Settings .......... 303
    Configuring User Roles .......... 304
    Modifying User Privileges and Options .......... 306
    Modifying Restricted Event Analyst Access Properties .......... 307
    Modifying User Passwords .......... 311
    Deleting User Accounts .......... 312
    User Account Privileges .......... 312

Chapter 9: Managing System Policies .......... 320

Creating a System Policy .......... 321

Editing a System Policy..................................................................................... 323

Applying a System Policy .................................................................................. 324

Deleting System Policies .................................................................................. 325

Configuring the Parts of Your System Policy .......... 325
    Configuring the Access List for Your Appliance .......... 325
    Configuring Audit Log Settings .......... 327
    Configuring Authentication Profiles .......... 329
    Configuring Dashboard Settings .......... 331
    Configuring Database Event Limits .......... 332
    Configuring Detection Policy Preferences .......... 336
    Configuring DNS Cache Properties .......... 337
    Configuring a Mail Relay Host and Notification Address .......... 338
    Configuring Intrusion Policy Preferences .......... 339
    Specifying a Different Language .......... 340
    Adding a Custom Login Banner .......... 341
    Configuring RNA Settings .......... 342
    Configuring RNA Subnet Detection Settings .......... 349
    Configuring RUA Settings .......... 352
    Synchronizing Time .......... 354
    Mapping Vulnerabilities for Services .......... 358

Chapter 10: Configuring System Settings .......... 360

Viewing and Modifying the Appliance Information .......... 362

Understanding Licenses .......... 364
    Understanding Feature Licenses .......... 366
    Verifying Your Product License .......... 368
    Managing Your Feature Licenses .......... 370

Configuring Network Settings........................................................................... 377

Editing Network Interface Configurations......................................................... 380

Shutting Down and Restarting the System....................................................... 382

Configuring the Communication Channel .......... 383
    Setting Up the Management Virtual Network .......... 384
    Editing the Management Virtual Network .......... 385

Configuring Remote Access to the Defense Center ........................................ 386

Setting the Time Manually ................................................................................ 389

Blacklisting Health Modules.............................................................................. 391

Specifying NetFlow-Enabled Devices ............................................................... 392

Managing Remote Storage .......... 393
    Using Local Storage .......... 393
    Using NFS for Remote Storage .......... 394
    Using SSH for Remote Storage .......... 395
    Using SMB for Remote Storage .......... 396

Chapter 11: Updating System Software .......... 398

Installing Software Updates .......... 400
    Updating a Defense Center or Master Defense Center .......... 402
    Updating Managed Sensors .......... 404
    Updating Unmanaged 3D Sensors .......... 406

Uninstalling Software Updates ......................................................................... 409

Updating the Vulnerability Database................................................................. 410

Chapter 12: Using Backup and Restore .......... 413

Creating Backup Files .......... 414

Creating Backup Profiles................................................................................... 418

Performing Sensor Backup with the Defense Center ....................................... 419

Uploading Backups from a Local Host .............................................................. 420

Restoring the Appliance from a Backup File ..................................................... 421

Chapter 13: Scheduling Tasks .......... 425

Configuring a Recurring Task .......... 426

Automating Backup Jobs .................................................................................. 428

Automating Software Updates ......................................................................... 430
    Automating Software Downloads ........................................................ 431
    Automating Software Pushes .............................................................. 433
    Automating Software Installs............................................................... 435

Automating Vulnerability Database Updates .................................................... 437
    Automating VDB Update Downloads................................................... 438
    Automating VDB Update Pushes......................................................... 440
    Automating VDB Update Installs ......................................................... 442

Automating SEU Imports.................................................................................. 444

Automating Intrusion Policy Applications.......................................................... 446

Automating Reports.......................................................................................... 448

Automating Nessus Scans................................................................................ 450
    Preparing Your System to Run a Nessus Scan..................................... 450
    Scheduling a Nessus Scan................................................................... 451

Synchronizing Nessus Plugins .......................................................................... 452

Automating Nmap Scans .................................................................................. 454
    Preparing Your System for an Nmap Scan ........................................... 454
    Scheduling an Nmap Scan ................................................................... 455

Automating Recommended Rule State Generation.......................................... 456


Viewing Tasks ................................................................................................... 458
    Using the Calendar .............................................................................. 459
    Using the Task List............................................................................... 460

Editing Scheduled Tasks ................................................................................... 461

Deleting Scheduled Tasks................................................................................. 461
    Deleting a Recurring Task .................................................................... 462
    Deleting a One-Time Task.................................................................... 462

Chapter 14: Monitoring the System........................................................... 463
Viewing Host Statistics..................................................................................... 464

Monitoring System Status and Disk Space Usage ........................................... 468

Viewing System Process Status ....................................................................... 468

Understanding Running Processes................................................................... 471
    Understanding System Daemons........................................................ 471
    Understanding Executables and System Utilities ................................ 473

Viewing IPS Performance Statistics.................................................................. 476
    Generating IPS Performance Statistics Graphs ................................... 476
    Saving IPS Performance Statistics Graphs .......................................... 478

Viewing RNA Performance Statistics................................................................ 478
    Generating RNA Performance Statistics Graphs ................................. 479
    Saving RNA Performance Statistics Graphs ........................................ 481

Chapter 15: Using Health Monitoring ........................................................ 482
Understanding Health Monitoring .................................................................... 483

    Understanding Health Policies ............................................................. 484
    Understanding Health Modules........................................................... 485
    Understanding Health Monitoring Configuration ................................. 489

Configuring Health Policies ............................................................................... 489
    Predefined Health Policies ................................................................... 490
    Creating Health Policies ....................................................................... 497
    Applying Health Policies....................................................................... 528
    Editing Health Policies ......................................................................... 530
    Deleting Health Policies ....................................................................... 533

Using the Health Monitor Blacklist ................................................................... 534
    Blacklisting Health Policies or Appliances ............................................ 535
    Blacklisting a Health Policy Module ..................................................... 537


Configuring Health Monitor Alerts .................................................................... 539
    Preparing to Create a Health Alert ....................................................... 540
    Creating Health Monitor Alerts ............................................................ 540
    Interpreting Health Monitor Alerts....................................................... 542
    Editing Health Monitor Alerts .............................................................. 543
    Deleting Health Monitor Alerts ............................................................ 544

Chapter 16: Reviewing Health Status........................................................ 545
Using the Health Monitor ................................................................................. 545

    Interpreting Health Monitor Status ...................................................... 547

Using Appliance Health Monitors ..................................................................... 547
    Interpreting Appliance Health Monitor Status ..................................... 549
    Viewing Alerts by Status...................................................................... 549
    Running All Modules for an Appliance ................................................. 550
    Running a Specific Health Module....................................................... 551
    Generating Health Module Alert Graphs.............................................. 553
    Generating Appliance Troubleshooting Files........................................ 554

Working with Health Events ............................................................................. 555
    Understanding Health Event Views ..................................................... 556
    Viewing Health Events......................................................................... 556
    Understanding the Health Events Table............................................... 561
    Searching for Health Events................................................................. 563

Chapter 17: Auditing the System................................................................ 566
Managing Audit Records .................................................................................. 566

    Viewing Audit Records......................................................................... 567
    Suppressing Audit Records.................................................................. 570
    Understanding the Audit Log Table...................................................... 574
    Searching Audit Records...................................................................... 575

Viewing the System Log................................................................................... 578
    Filtering System Log Messages .......................................................... 579
    Using Four-Digit Year Formats on the 3D3800..................................... 581


Appendix A: Importing and Exporting Objects .......................................... 583
Exporting Objects ............................................................................................. 584

    Exporting a Custom Table .................................................................... 584
    Exporting a Custom Workflow............................................................. 585
    Exporting a Dashboard......................................................................... 585
    Exporting a Health Policy ..................................................................... 586
    Exporting an Intrusion Policy................................................................ 586
    Exporting a PEP Policy ......................................................................... 588
    Exporting an RNA Detection Policy...................................................... 588
    Exporting a System Policy.................................................................... 588
    Exporting a User-Defined RNA Detector.............................................. 589
    Exporting Multiple Objects .................................................................. 590

Importing Objects ............................................................................................. 593

Appendix B: Purging the RNA and RUA Databases................................. 598

Appendix C: Viewing the Status of Long-Running Tasks ........................ 600
Viewing the Task Queue ................................................................................... 600

Managing the Task Queue................................................................................ 602

Glossary .................................................................................................................... 603

Index .......................................................................................................................... 629


Chapter 1: Introduction to the Sourcefire 3D System

The Sourcefire 3D System™ provides you with real-time network intelligence for real-time network defense. The Sourcefire 3D System has the tools you need to:

• discover the changing assets and vulnerabilities on your network

• determine the types of attacks against your network and the impact they have on your business processes

• defend your network in real time

The topics that follow introduce you to the Sourcefire 3D System and describe some of the key components that contribute to its value as a part of any security strategy for your network.

• Components of the Sourcefire 3D System on page 15 provides descriptions of each of the components that may be in your Sourcefire 3D System.

• Logging into the Appliance on page 21 explains how to access the web interface on your appliance and log in using one of the user accounts.

• Logging into the Appliance to Set Up an Account on page 23 explains how to set up an association between an external user account and a set of credentials on the appliance.

• Logging Out of the Appliance on page 24 explains how to log out of the web interface.

• Specifying Your User Preferences on page 25 explains how to configure the preferences that are tied to a single user account, such as the home page, account password, time zone, dashboard, and event viewing preferences.

• Using the Context Menu on page 36 explains how to display a context-specific menu of shortcuts on certain pages in the web interface.


• Documentation Resources on page 37 explains where to locate specific information about using the Defense Center.

• Documentation Conventions on page 38 explains typeface conventions used throughout the guide to convey specific types of information visually.

• IP Address Conventions on page 41 explains how the Sourcefire 3D System treats IP address ranges specified using Classless Inter-Domain Routing (CIDR) notation.

Components of the Sourcefire 3D System

The topics that follow introduce you to the Sourcefire 3D System and describe some of the key components that contribute to its value as a part of any security strategy for your network.

• Real-time Network Awareness (RNA) on page 15

• Intrusion Prevention System (IPS) on page 16

• Real-time User Awareness (RUA) on page 17

• Defense Centers on page 17

• Master Defense Centers on page 19

• Intrusion Agents on page 19

• RNA for Red Hat Linux on page 20

• RNA and IPS for Crossbeam Systems on page 20

• eStreamer on page 20

Real-time Network Awareness (RNA)

Sourcefire Real-time Network Awareness (also called RNA) is one of the components of the Sourcefire 3D System that you can use on your 3D Sensor. RNA monitors traffic on your network, using information from detected packets to build a comprehensive map of the devices on the network. You can set up compliance policies, compliance white lists, and traffic profiles to protect your company’s infrastructure by monitoring network traffic for unusual patterns or behavior and automatically responding as needed. You must use a Defense Center to manage a 3D Sensor if it is running RNA.

As RNA passively observes traffic, listening to the network segments you specify, it compiles the following information:

• the number and types of network devices running on your network

• the operating systems running on monitored network devices

• the active services and open ports on monitored network devices


• the vulnerabilities and exploits to which monitored network devices may be susceptible

• flow data, which are records of active sessions involving monitored network devices including the frequency and size of the session, as well as the service and protocol used and, if applicable, the client application and URL involved in the session

You can access event views and graphs to analyze this collected data. RNA builds a host profile for each host it detects, containing host details such as detected operating system, services, and protocols, and assigned host attributes. RNA assigns vulnerabilities to the host based on the operating system vendor and version detected for the host. You can access host profiles by browsing the network map or through one of the workflows Sourcefire provides to aid your analysis.

3D Sensors running RNA transmit the network map, event and flow data, and sensor statistics to the Defense Center so you can see a consolidated view of events. The Defense Center can also push health, system, and RNA detection policies to your sensors. You can push vulnerability database (VDB) and software updates from the Defense Center as well. For more information, see What Can Be Managed by a Defense Center? on page 101.

Intrusion Prevention System (IPS)

The Sourcefire Intrusion Prevention System (also called IPS) is one of the components of the Sourcefire 3D System that you can run on the 3D Sensor. IPS allows you to monitor your network for attacks that might affect the availability, integrity, or confidentiality of hosts on the network. By placing 3D Sensors on key network segments, you can examine the packets that traverse your network for malicious activity. Each 3D Sensor uses rules, decoders, and preprocessors to look for the broad range of exploits that attackers have developed.

3D Sensors that are licensed to use IPS include a set of intrusion rules developed by the Sourcefire Vulnerability Research Team (VRT). You can choose to enable rules that would detect the attacks you think most likely to occur on your network. You can also create custom intrusion rules tuned to your environment. In addition, 3D Sensors with IPS run preprocessors against detected network traffic to normalize traffic and detect malicious packets.

When a 3D Sensor identifies a possible intrusion, it generates an intrusion event, which is a record of the date, time, the type of exploit, and contextual information about the source of the attack and its target. For packet-based events, a copy of the packet or packets that triggered the event is also recorded.

In a Sourcefire 3D System deployment that includes 3D Sensors with IPS and a Defense Center, the sensors transmit events and sensor statistics to the Defense Center where you can view the aggregated data and gain a greater understanding of the attacks against your network assets. The Defense Center can also push health, system, and intrusion policies to your sensors. You can push software updates from the Defense Center to sensors as well. For more information, see What Can Be Managed by a Defense Center? on page 101.

If your 3D Sensor is running IPS, you can also use a local web interface to create intrusion policies and review the resulting intrusion events. Note that if you do manage your 3D Sensors with a Defense Center, Sourcefire recommends that you use only the Defense Center’s web interface to interact with the sensor and its data.

IMPORTANT! The Sourcefire 3D Sensor 3800, 3D Sensor 6800, and 3D Sensor 9800 models (usually referred to as the 3Dx800 sensors) do not have a web interface. You must manage these models with a Defense Center.

If you deploy your 3D Sensor inline on your network and create what is called an inline detection engine, you can configure your 3D Sensor to drop or replace packets that you know to be harmful.

Real-time User Awareness (RUA)

The Real-time User-Awareness component (also called RUA) allows you to create policies and response rules that are user-based. You can apply these policies and rules across the Sourcefire 3D System. As a result, RUA enables you to implement and enforce policies specific to individuals, departments, or other user characteristics.

The network protocol used by your organization to provide user authentication largely determines the amount of data and efficiency of RUA. See Using Sourcefire RUA in the Analyst Guide for more information about RUA.

PEP Traffic Management

PEP is a technology based on the hardware capabilities of the 3D9900 Sensors. PEP allows you to create rules to block, analyze, or send traffic directly through the 3D9900 with no further inspection. PEP traffic management enhances the sensor’s efficiency by allowing you to pre-select traffic to cut through or to drop instead of analyzing.

Defense Centers

The Defense Center provides a centralized management interface and database repository for the Sourcefire 3D System. You can analyze and respond to events from all your sensors consistently by doing the analysis through an interface where you can see all the data collected by the managed sensors. You can also push policies created on the Defense Center and software updates to managed sensors. If you have software sensors or Intrusion Agents on your network, you must use the Defense Center to manage them. Note that a 3D Sensor running the IPS component includes its own local web interface, but if you want to use RNA on the sensor, you must manage the sensor with a Defense Center.

If you use your Defense Center to manage 3D Sensors that run RNA and IPS (either on the same sensor or different sensors that monitor the same network segments), the Defense Center correlates intrusion events from IPS with host vulnerabilities from RNA and assigns impact flags to the intrusion events. Impact correlation lets you focus in on attacks most likely to damage high priority hosts.

If you deploy Real-time User-Awareness (RUA), the Defense Center correlates threat, endpoint, and network intelligence with user identity information so that you can identify the source of policy breaches, attacks, or network vulnerabilities.

DC500

You can use the DC500 model of the Defense Center in managed services environments to collect data from up to three 3D Sensors. The DC500 receives data at an aggregate rate of up to 100 intrusion events or 900 flow events per second. DC500s also have an RNA host limit of 1000.

IMPORTANT! You cannot use DC500s in high availability configurations.

Key DC500 database limits are:

• Intrusion Events - 500 thousand default and 2.5 million maximum

• RNA Flows - 1 million default and 10 million maximum

• RNA Flow Summaries - 2 million default and 10 million maximum

DC1000

You can use DC1000 Defense Centers in most environments. You can rack mount a DC1000 and collect data from a large number of 3D Sensors. You can use either DC1000s or DC3000s in high availability configurations.

Key DC1000 database quantities are:

• Intrusion Events - 1 million default and 10 million maximum

• RNA Flows - 1 million default and 10 million maximum

• RNA Flow Summaries - 2 million default and 10 million maximum

DC3000

You can use DC3000 Defense Centers in high-demand environments. A DC3000 allows you to use higher database quantities. You can configure a DC3000 as a Master Defense Center during the initial setup.


Key DC3000 database quantities are:

• Intrusion Events - 1 million default and 100 million maximum

• RNA Flows - 1 million default and 100 million maximum

• RNA Flow Summaries - 2 million default and 100 million maximum

Virtual Defense Center

Virtual Defense Centers are hosted on VMware’s ESX/ESXi or Xen virtual machines. For more information, see the Sourcefire 3D System Virtual Defense Center and 3D Sensor Installation Guide. You can manage up to 25 physical and Virtual 3D Sensors with a Virtual Defense Center. You cannot use a Virtual Defense Center in high availability configurations or as a Master Defense Center.

Key Virtual Defense Center database quantities are:

• Intrusion Events - 1 million default and 10 million maximum

• RNA Flows - 1 million default and 10 million maximum

• RNA Flow Summaries - 2 million default and 10 million maximum

Master Defense Centers

The Sourcefire Master Defense Center is a key component in the Sourcefire 3D System. You can use the Master Defense Center to aggregate and analyze intrusion events, compliance events, and white list events from up to ten Defense Centers within your Sourcefire 3D System deployment. The Master Defense Center can also aggregate events related to the health of the Defense Centers it is managing. In this way, you can view the current status of the Defense Centers across your enterprise from a single web interface.

See Using the Master Defense Center on page 156 for more information about managing your Defense Centers with a Master Defense Center.

Intrusion Agents

If you have an existing installation of Snort®, you can install an Intrusion Agent to forward intrusion events to a Defense Center. You can then analyze the events detected by Snort alongside your other data. Although you cannot manage policies or rules for an Intrusion Agent from the Defense Center, you can do analysis and reporting on those events. If the network map on the Defense Center has entries for the target host in a given event, the Defense Center assigns impact flags to the events. You can continue to manually tune Snort rules and preprocessors with the Intrusion Agent in place.

IMPORTANT! When using Intrusion Agents registered to Defense Centers configured for high availability and managed by a Master Defense Center, register all Intrusion Agents to the primary Defense Center.

RNA for Red Hat Linux

The Sourcefire 3D System currently supports a software-only version of the RNA component on your server hardware running Red Hat Enterprise Linux 5 (RHEL5) or CentOS 5. RNA data received by a Defense Center from the server is treated in a similar way to RNA data received from a 3D Sensor that is running RNA. See the Sourcefire RNA Software on Red Hat Linux Configuration Guide for more information.

IMPORTANT! You must have a Defense Center in your Sourcefire 3D System deployment to use RNA for Red Hat Linux.

RNA and IPS for Crossbeam Systems

The Sourcefire 3D System currently supports software-only versions of RNA and IPS for Crossbeam Systems X-Series security switches. RNA and IPS data received by a Defense Center from Crossbeam-based software sensors is treated in a similar way to data received from a 3D Sensor. Separate installation and configuration guides are available for the 3D Sensor Software for X-Series.

IMPORTANT! Because the 3D Sensor Software for X-Series does not have a web interface, you must use a Defense Center to manage it.

eStreamer

You can access event data within your own applications through the eStreamer Application Programming Interface (API). eStreamer integration requires custom programming, but allows you to request specific data from a Defense Center. If, for example, you display network host data within one of your network management applications, you could write a program to retrieve host criticality or vulnerability data from the Defense Center and add that information to your display. See the eStreamer Integration Guide for more information.


Logging into the Appliance

Requires: Any

The Defense Center and many 3D Sensor models have a web-based interface that you can use to perform administrative, management, and analysis tasks.

If your 3D Sensor is not licensed for IPS, there is a limited web interface that you can use to perform the initial appliance setup and to register the sensor with a Defense Center. If your 3D Sensor is licensed for IPS, you are presented with a more complete web interface that you can use to perform additional configuration and event analysis.

Note that 3Dx800 and software sensors (Crossbeam-based software sensors, RNA for Red Hat Linux, Intrusion Agents, and Virtual 3D Sensors) do not have a web interface. You must use the Defense Center’s web interface to manage these sensors.

You can access the web interface by logging into the appliance using a web browser. The current version of the web interface supports the browsers listed in the following table.

TIP! Some processes that take a significant amount of time may cause your web browser to display a message that a script has become unresponsive. If this occurs, make sure you allow the script to continue until it finishes.

If you are the first user to log into the appliance after it is installed, you must log in using the admin user account. The initial setup process is described in Setting Up 3D Sensors on page 44.

Browser Requirements

Browser                            Required Enabled Options and Settings
Firefox 3.5.x                      JavaScript; cookies; Secure Sockets Layer (SSL) v3
Microsoft Internet Explorer 7.0    JavaScript; cookies; Secure Sockets Layer (SSL) v3; 128-bit encryption; Active scripting security setting
Microsoft Internet Explorer 8.0    JavaScript; cookies; Secure Sockets Layer (SSL) v3; 128-bit encryption; Active scripting security setting; Compatibility View


After you log into the appliance, the features that you can access are controlled by the privileges granted to your user account. However, the procedures for logging into and out of the appliance remain the same.

When the appliance was installed, the user who performed the installation created a single administrative user account and password. The first time you log into the appliance, you should use this account. After you create other user accounts as described in Adding New User Accounts on page 300, you and other users should use those accounts to log into the appliance.

If your organization uses SecurID® tokens when logging in, append the token to your SecurID pin and use that as your password to log in. For example, if your pin is 1111 and the SecurID token is 222222, type 1111222222.

IMPORTANT! Because the Defense Center and the 3D Sensor audit user activity based on user accounts, you should make sure that users log into the system with the correct account.

Your session automatically logs you out after 3.5 hours of inactivity, unless you are viewing a page (such as an unpaused dashboard) that periodically communicates with the web server on the appliance.

To log into the appliance:

Access: Any

1. Direct your browser to https://hostname/, where hostname corresponds to the host name of the appliance.

The Login page appears.

2. In the Username and Password fields, type your user name and password.

IMPORTANT! If your company uses SecurID, append the SecurID token to the end of your SecurID pin and use that as your password when you log in. You must have already generated your SecurID pin before you can log into the Sourcefire 3D System.


3. Click Login.

The default start page appears. If you selected a new home page for your user account, then that page is displayed instead. See Specifying Your Home Page on page 35 for more information.

The menus and menu options that are available to you at the top of the page are based on the privileges for your user account. However, the links on the default home page include options that span the range of user account privileges. If you click a link that requires different privileges from those granted to your account, the following warning message is displayed:

You are attempting to view an unauthorized page. This activity has been logged.

You can either select a different option from the available menus or click Back in your browser window.

Logging into the Appliance to Set Up an Account

Requires: Any

Some user accounts may be authenticated through an external authentication server. If this is the case, the first time you log into the Defense Center or 3D Sensor using your external user credentials, the appliance associates those credentials with a set of permissions by creating a local user record. The permissions for that local user record can then be modified, unless they are granted through group or list membership.

If the default role for external user accounts is set to a specific access role, externally authenticated users can log into the appliance using their external account credentials without any additional configuration by the system administrator. If an account is externally authenticated and by default receives no access privileges, you can log in but cannot access any functionality. You (or your system administrator) can then change the permissions to grant the appropriate access to user functionality.

LDAP usernames can include underscores (_), periods (.), and hyphens (-) but otherwise only alphanumeric characters are supported.

Note that when a shell access user logs into the appliance, it does not create a local user account. Shell access is controlled entirely through the shell access filter or PAM login attribute set for an LDAP server or the shell access list on a RADIUS server. Shell users should log in using usernames with all lowercase letters.

If your organization uses SecurID tokens when logging in, append the token to your SecurID pin and use that as your password to log in. For example, if your pin is 1111 and the SecurID token is 222222, type 1111222222.

IMPORTANT! The 3Dx800 sensor models do not have a web interface. Instead, use the Defense Center’s web interface to manage policies and view events.


To create an externally authenticated account on the appliance:

Access: Any 1. Direct your browser to https://hostname, where hostname corresponds to the host name of the appliance.

The Login page appears.

2. In the Username and Password fields, type your user name and password.

IMPORTANT! If your company uses SecurID, append the SecurID token to your SecurID pin and use that as your password when you log in.

3. Click Login.

The page that appears depends on the default access role for external authentication:

• If a default access role is selected in the authentication object or the system policy, the default start page appears. If you selected a new home page for your user account, then that page is displayed instead. See Specifying Your Home Page on page 35 for more information.

The menus and menu options that are available to you at the top of the page are based on the privileges for your user account. However, the links on the default home page include options that span the range of user account privileges. If you click a link that requires different privileges from those granted to your account, the following warning message is displayed:

You are attempting to view an unauthorized page. This activity has been logged.

You can either select a different option from the available menus or click Back in your browser window.

• If no default access role is selected, the Login page re-appears, with the following error message:

Unable to authorize access. If you continue to have difficulty accessing this device, please contact the system administrator.

4. If you do not have access, contact your system administrator and ask them to modify your account privileges, or log in as a user with Administrator access and modify the privileges for the account. For more information, see Modifying User Privileges and Options on page 306.

Logging Out of the Appliance

Requires: Any

Make sure you log out of the appliance, even if you are only stepping away from your web browser for a short period of time. Logging out ends your web session and ensures that no one can use the appliance with your credentials.


Note that your session automatically logs you out after 3.5 hours of inactivity, unless you are viewing a page (such as an unpaused dashboard) that periodically communicates with the web server on the appliance.

To log out of the appliance:

Access: Any Click Logout on the toolbar.

Last Successful Login

Requires: Any

The first time you visit the appliance home page during a web session, you can view information about the last login session for your user account. You can see the following information about that account's last login:

• day of the week, month, date and year of your last login

• the appliance-local time of your last login in 24-hour notation

• host and domain name last used to access the appliance.

Specifying Your User Preferences

Requires: Any

Users can specify certain preferences for their user account, including passwords, event viewing preferences, time zone settings, and home page preferences. See the following sections for more information:

• Changing Your Password on page 25 explains how to change the password for your user account.

• Configuring Event View Settings on page 27 describes how the event preferences affect what you see as you view events.

• Setting Your Default Time Zone on page 34 explains how to set the time zone for your user account and describes how that affects the time stamp on the events that you view.

• Specifying Your Home Page on page 35 explains how to use one of the existing pages as your default home page. After setting this value, this is the first page you see upon logging into the appliance.

• Specifying Your Default Dashboard on page 35 explains how to choose which of the dashboards you want to use as your default dashboard.

Changing Your Password

Requires: Any

All user accounts are protected with a password. You can change your password at any time, and depending on the settings for your user account, you may have to change your password periodically; see Changing an Expired Password on page 26.


Note that if password strength-checking is enabled, passwords must be at least eight alphanumeric characters of mixed case and must include at least one numeric character. Passwords cannot be a word that appears in a dictionary or include consecutive repeating characters.

IMPORTANT! If you are an LDAP or a RADIUS user, you cannot change your password through the web interface.

To change your password:

Access: Any 1. In the toolbar, click Preferences.

The User Preferences page appears.

2. Click Change Password.

The Change Password page appears.

3. In the Current Password field, type your current password and click Change.

4. In the New Password and Confirm fields, type your new password.

5. Click Change.

A success message appears on the page when your new password is accepted by the system.

Changing an Expired Password

Requires: DC/MDC or 3D Sensor

Depending on the settings for your user account, your password can expire. Note that the password expiration time period is set when your account is created and cannot be changed. If your password has expired, the Password Expiration Warning page appears.

To respond to the password expiration warning:

Access: Any You have two choices:

• Click Change Password to change your password now.

If you have zero warning days left, you must change your password. Also, if password strength-checking is enabled, passwords must be at least eight alphanumeric characters of mixed case and must include at least one numeric character. Passwords cannot be a word that appears in a dictionary or include consecutive repeating characters.

• Click Skip to change your password later.
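The strength-checking rules stated here and in Changing Your Password, written out as a small checker. This is an added example, not the appliance's own implementation. The word list is constructed for illustration, and because the guide does not say whether characters other than letters and digits are permitted, the check counts only alphanumeric characters toward the eight-character minimum (an assumption).

```python
import re
from typing import List

# Constructed stand-in for the system dictionary the guide refers to; the appliance's
# real word list is not given in the guide, so this is an assumption for illustration.
DICTIONARY_WORDS = {"password", "welcome", "sourcefire", "letmein", "dragon", "monkey"}


def password_problems(password: str, dictionary=DICTIONARY_WORDS) -> List[str]:
    """Return the strength-checking rules the password violates (empty list = passes).

    Rules as the guide states them: at least eight alphanumeric characters, mixed case,
    at least one numeric character, not a dictionary word, no consecutive repeating
    characters. Assumption: only letters and digits count toward the length minimum.
    """
    problems = []
    if sum(c.isalnum() for c in password) < 8:
        problems.append("fewer than eight alphanumeric characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("not mixed case")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    if re.search(r"(.)\1", password):  # any character immediately repeated, e.g. "oo"
        problems.append("consecutive repeating characters")
    if password.lower() in dictionary:
        problems.append("dictionary word")
    return problems


def is_strong(password: str) -> bool:
    """True when the password violates none of the rules above."""
    return not password_problems(password)


if __name__ == "__main__":
    for candidate in ("password", "Bookkeeper1", "Ab1", "Tr0ubador"):
        print(f"{candidate!r}: {password_problems(candidate) or 'ok'}")
```

Returning the list of violated rules rather than a bare yes/no is deliberate: when a user's new password is rejected, the message can name the rule that failed instead of restating the whole policy.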


Configuring Event View Settings

Requires: Any

Use the Event View Settings page to configure characteristics of event views in the Sourcefire 3D System.

To configure event preferences:

Access: Any 1. In the toolbar, click Preferences.

The User Preferences page appears.

2. Click Event View Settings.

The Event View Settings page appears.

3. Configure the basic characteristics of event views.

For more information, see Event Preferences on page 27.

4. Configure the default time window or windows.

For more information, see Default Time Windows on page 29.

5. Configure default workflows.

For more information, see Default Workflows on page 32.

6. Click Save.

Your changes are implemented.

Event Preferences

Use the Event Preferences section of the Event View Settings page to configure basic characteristics of event views in the Sourcefire 3D System.


The Event Preferences table describes the settings you can configure.

Event Preferences

Confirm ‘All’ Actions (Requires: Any)

Controls whether the appliance forces you to confirm actions that affect all events in an event view.

For example, if this setting is enabled and you click Delete All on an event view, you must confirm that you want to delete all the events that meet the current constraints (including events not displayed on the current page) before the appliance will delete them from the database.

Resolve IP Addresses (Requires: IPS or DC/MDC)

Whenever possible, allows the appliance to display host names instead of IP addresses in event views.

Note that an event view can be slow to display if it contains a large number of IP addresses and you have enabled this option. Note also that for this setting to take effect, you must have a DNS server configured in the system settings; see Configuring Network Settings on page 377.

Expand Packet View (Requires: IPS or DC/MDC + IPS)

Allows you to configure how the packet view for intrusion events appears. By default, the appliance displays a collapsed version of the packet view.

• None - collapse all subsections of the Packet Information section of the packet view

• Packet Text - expand only the Packet Text subsection

• Packet Bytes - expand only the Packet Bytes subsection

• All - expand all sections

Regardless of the default setting, you can always manually expand the sections in the packet view to view detailed information about a captured packet. For more information on the packet view, see Using the Packet View in the Analyst Guide.

Rows Per Page (Requires: Any)

Controls how many rows of events per page you want to appear in drill-down pages and table views.

Refresh Interval (Requires: Any)

Sets the refresh interval for event views, in minutes. Entering zero disables the refresh option. Note that this interval does not apply to dashboards.

Statistics Refresh Interval (Requires: IPS or DC/MDC)

Sets the refresh interval for event summary pages such as the Intrusion Event Statistics and RNA Statistics pages. Entering zero disables the refresh option. Note that this interval does not apply to dashboards.

Deactivate Rules (Requires: IPS or DC/MDC + IPS)

Controls which links appear on the packet view for intrusion events generated by standard text rules.

• All Policies - a single link that deactivates the standard text rule in all the locally defined custom intrusion policies

• Current Policy - a single link that deactivates the standard text rule in only the currently applied intrusion policy. Note that you cannot deactivate rules in the default policies.

• Ask - links for each of these options

To see these links on the packet view, your user account must have either Administrator access or both Intrusion Event Analyst and Policy & Response Administrator access.

Default Time Windows

Requires: Any

The time window, sometimes called the time range, imposes a time constraint on the events in any event view. Use the Default Time Windows section of the Event View Settings page to control the default behavior of the time window. The following graphic shows the Defense Center version of the page.

Note that regardless of the default time window setting, you can always manually change the time window for individual event views during your event analysis. Also keep in mind that time window settings are valid for only the current session. When you log out and then log back in, time windows are reset to the defaults you configured on this page. For more information, see Setting Event Time Constraints in the Analyst Guide.

There are three types of events for which you can set the default time window.

• Requires: IPS or DC/MDC The Events Time Window sets a single default time window for (depending on the appliance) intrusion events, RNA events, flow data, RUA events, compliance events, remediation status events, white list events, the SEU import log, and event views for custom tables that can be constrained by time.

• Requires: Any The Audit Log Time Window sets the default time window for the audit log.

• Requires: DC/MDC The Health Monitoring Time Window sets the default time window for health events.

You can only set time windows for event types your user account can access. All user types can set event time windows. Administrators, maintenance users, RNA event analysts, and IPS event analysts can set health monitoring time windows. Administrators and maintenance users can set audit log time windows.

Note that because not all event views can be constrained by time, time window settings have no effect on event views that display RNA hosts, host attributes, services, client applications, vulnerabilities, RUA users, or white list violations.

You can either use Multiple time windows, one for each of these types of events, or you can use a Single time window that applies to all events. If you use a single time window, the settings for the three types of time window disappear and a new Global Time Window setting appears.

There are three types of time window:

• static, which displays all the events generated from a specific start time to a specific end time

• expanding, which displays all the events generated from a specific start time to the present; as time moves forward, the time window expands and new events are added to the event view

• sliding, which displays all the events generated from a specific start time (for example, one day ago) to the present; as time moves forward, the time window “slides” so that you see only the events for the range you configured (in this example, for the last day)
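How the static, expanding and sliding windows move between page loads, including the Current Day and Current Week variants described in the Time Window Settings table, as an added Python example (not Sourcefire code). Given the time the event view was first opened in the session and the time of the current page load, it returns the window's start and end in UTC and clips them to the 1970 to 2038 range the guide states as the maximum. It uses a fixed-offset time zone in place of a named zone, and treating a Sunday as the start of its own week is an assumption; the sample session times are constructed.

```python
from datetime import datetime, timedelta, timezone

# Maximum range the guide states for any time window (also the limit of a 32-bit signed time_t).
EPOCH_MIN = datetime(1970, 1, 1, tzinfo=timezone.utc)
EPOCH_MAX = datetime(2038, 1, 19, 3, 14, 7, tzinfo=timezone.utc)


def clamp(t):
    """Clip an aware datetime to the allowed range."""
    return max(EPOCH_MIN, min(EPOCH_MAX, t))


def default_window(kind, first_viewed, now, length=None, use_end_time=False, tz=timezone.utc):
    """Return (start, end) in UTC for one of the default time window kinds.

    kind          "sliding" (Show the Last - Sliding), "last" (Show the Last - Static/Expanding),
                  "day" (Current Day) or "week" (Current Week)
    first_viewed  when the event view was first opened in this session (aware datetime)
    now           the time of the current page load (aware datetime)
    length        timedelta for "sliding" and "last"
    use_end_time  True = static window (end fixed at first_viewed), False = expanding (end = now)
    tz            session time zone; only the midnight / Sunday anchors depend on it
    """
    if kind == "sliding":
        # The whole window moves with the clock: always "the last <length>".
        start, end = now - length, now
    else:
        if kind == "last":
            start = first_viewed - length
        elif kind in ("day", "week"):
            local = first_viewed.astimezone(tz)
            start = local.replace(hour=0, minute=0, second=0, microsecond=0)
            if kind == "week":
                # weekday(): Monday = 0 ... Sunday = 6. Assumption: a Sunday is its own week start.
                start -= timedelta(days=(start.weekday() + 1) % 7)
        else:
            raise ValueError(f"unknown window kind: {kind}")
        # Static windows stop where the analysis began; expanding ones grow to the present.
        end = first_viewed if use_end_time else now
    return clamp(start.astimezone(timezone.utc)), clamp(end.astimezone(timezone.utc))


def demo_windows():
    """Constructed sample session: first view Wednesday 2010-03-10 14:30 UTC, reloaded two hours later."""
    first = datetime(2010, 3, 10, 14, 30, tzinfo=timezone.utc)
    now = first + timedelta(hours=2)
    hour = timedelta(hours=1)
    est = timezone(timedelta(hours=-5))  # fixed-offset stand-in for America/New_York in winter
    cases = {
        "sliding_1h": default_window("sliding", first, now, length=hour),
        "last_1h_expanding": default_window("last", first, now, length=hour),
        "last_1h_static": default_window("last", first, now, length=hour, use_end_time=True),
        "current_day_utc": default_window("day", first, now),
        "current_day_est": default_window("day", first, now, tz=est),
        "current_week_utc": default_window("week", first, now),
        "beyond_2038": default_window("last", first.replace(year=2040), now.replace(year=2040), length=hour),
    }
    return {name: (start.isoformat(), end.isoformat()) for name, (start, end) in cases.items()}


if __name__ == "__main__":
    for name, (start, end) in demo_windows().items():
        print(f"{name:18} {start}  ->  {end}")
```

The clamp matters in practice: an end time past 2038-01-19 03:14:07 UTC is silently pulled back to that instant, so a window that looks open-ended in the interface is still bounded by the 32-bit limit.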


The Time Window Settings table explains the kinds of default time windows you can configure.

IMPORTANT! The maximum time range for all time windows is from midnight on January 1, 1970 (UTC) to 3:14:07 AM on January 19, 2038 (UTC), the limit of a 32-bit signed time value.

Time Window Settings

Show the Last - Sliding

This setting allows you to configure a sliding default time window of the length you specify.

The appliance displays all the events generated from a specific start time (for example, 1 hour ago) to the present. As you change event views, the time window “slides” so that you always see events from the last hour.

Show the Last - Static/Expanding

This setting allows you to configure either a static or expanding default time window of the length you specify.

For static time windows (enable the Use End Time check box), the appliance displays all the events generated from a specific start time (for example, 1 hour ago), to the time when you first viewed the events. As you change event views, the time window stays fixed so that you see only the events that occurred during the static time window.

For expanding time windows (disable the Use End Time check box), the appliance displays all the events generated from a specific start time (for example, 1 hour ago), to the present. As you change event views, the time window expands to the present time.

Current Day - Static/Expanding

This setting allows you to configure either a static or expanding default time window for the current day. The current day begins at midnight, based on the time zone setting for your current session.

For static time windows (enable the Use End Time check box), the appliance displays all the events generated from midnight to the time when you first viewed the events. As you change event views, the time window stays fixed so that you see only the events that occurred during the static time window.

For expanding time windows (disable the Use End Time check box), the appliance displays all the events generated from midnight to the present. As you change event views, the time window expands to the present time. Note that if your analysis continues for over 24 hours before you log out, this time window can be more than 24 hours.

Current Week - Static/Expanding

This setting allows you to configure either a static or expanding default time window for the current week. The current week begins at midnight on the previous Sunday, based on the time zone setting for your current session.

For static time windows (enable the Use End Time check box), the appliance displays all the events generated from midnight Sunday to the time when you first viewed the events. As you change event views, the time window stays fixed so that you see only the events that occurred during the static time window.

For expanding time windows (disable the Use End Time check box), the appliance displays all the events generated from midnight Sunday to the present. As you change event views, the time window expands to the present time. Note that if your analysis continues for over 1 week before you log out, this time window can be more than 1 week.

Default Workflows

Requires: Any

A workflow is a series of pages displaying data that analysts use to evaluate events. For each event type, the appliance ships with at least one predefined workflow. For example, depending on the type of analysis you are performing, you can choose between ten different intrusion event workflows, each of which presents intrusion event data in a different way.

The appliance is configured with a default workflow for each event type. For example, the Events by Priority and Classification workflow is the default for intrusion events. This means whenever you view intrusion events (including reviewed intrusion events), the appliance displays the Events by Priority and Classification workflow.

You can, however, change the default workflow for each event type using the Default Workflows sections of the Event View Settings page. The following graphic shows the Defense Center version of the Default Workflows section.

Keep in mind that the default workflows you are able to configure depend not only on the appliance you are using, but also on your user role. For example, on a 3D Sensor without an IPS license, you can only configure the default workflow for the audit log. As another example, on the Defense Center, intrusion event analysts cannot set default RNA workflows. For general information on workflows, see Understanding and Using Workflows in the Analyst Guide.


Setting Your Default Time Zone

Requires: Any

You can change the time zone used to display events from the standard UTC time that the appliance uses. When you configure a time zone, it applies only to your user account and is in effect until you make further changes to the time zone.

WARNING! The Time Zone function assumes that the default system clock is set to UTC time. If you have changed the system clock on the appliance to use a local time zone, you must change it back to UTC time in order to view accurate local time on the appliance. For more information about time synchronization between the Defense Center and the sensors, see Synchronizing Time on page 354.

To change your time zone:

Access: Any 1. In the toolbar, click Preferences.

The User Preferences page appears.

2. Click Time Zone Settings.

The Time Zone Preference page appears.

3. From the box on the left, select the continent or area that contains the time zone you want to use.

For example, if you want to use a time zone in North America (including Canada) or South America, select America.

4. From the box on the right, select the zone (city name) that corresponds with the time zone you want to use.

For example, if you want to use Eastern Standard Time, you would select New York after selecting America in the first time zone box.

5. Click Save.

The time zone is set.


Specifying Your Home Page

Requires: Any

You can specify a page within the web interface as your home page for the appliance. The default home page is the dashboard (Analysis & Reporting > Event Summary > Dashboards), except for user accounts with Restricted Event Analyst access, who use the Welcome page.

To specify your home page:

Access: Any 1. In the toolbar, click Preferences.

The User Preferences page appears.

2. Click Home Page.

The Home Page page appears.

3. Select the page you want to use as your home page from the Opening Screen drop-down list.

The options in the drop-down list are based on the access privileges for your user account. That is, user accounts with Policy & Response Administrator access have different options from accounts with Intrusion or RNA Event Analyst full or read-only access, Restricted Event Analyst full or read-only access, Maintenance access, or Administrator access.

4. Click Save.

Your home page preference is saved.

Specifying Your Default Dashboard

Requires: Any

You can specify one of the dashboards on the appliance as the default dashboard. The default dashboard appears when you select Analysis & Reporting > Event Summary > Dashboards. If you do not have a default dashboard defined, the Dashboard List page appears. For general information on dashboards, see Using Dashboards on page 59.

IMPORTANT! User accounts with Restricted Event Analyst access cannot use the dashboard and therefore cannot specify a default dashboard.

To specify your default dashboard:

Access: Any 1. In the toolbar, click Preferences.

The User Preferences page appears.


2. Click Dashboard Settings.

The Dashboard Settings page appears.

3. Select the dashboard you want to use as your default from the Default Dashboard drop-down list.

If you select None, when you select Analysis & Reporting > Event Summary > Dashboards, the Dashboard List page appears. You can then select a dashboard to view.

4. Click Save.

Your default dashboard preference is saved.

Using the Context Menu

Requires: Any

For your convenience, certain pages in the web interface support a pop-up context menu that you can use as a shortcut for accessing other features in the Sourcefire 3D System. As the name implies, the contents of the menu depend on the context where you access it. For example, if you access the menu while viewing an RNA event, the context menu provides you with the option to view the event in a separate browser window. However, if you access the context menu while viewing an intrusion event that was triggered by an intrusion rule, you have a range of options that includes enabling, disabling, suppressing, and thresholding the rule. You can also view the rule documentation and edit the rule.

You can access the context menu on the following pages.

• Event pages (drill-down pages and table views) contain hotspots over each event.

• The Rule Editor page for intrusion rules contains a hotspot over each intrusion rule.

Note that if you try to access the context menu for a web page or location that doesn’t support the Sourcefire-specific menu, the normal context menu for your browser appears.

To access the context menu:

Access: Any 1. On one of the hotspot-enabled pages in the web interface, hover your pointer over one of the hotspots.

A “Right-click for menu” message appears.


2. Right-click your pointing device.

A pop-up context menu appears with options that are appropriate for the hotspot. For example, the following menu appears if you right-click over an intrusion event.

3. Select one of the options by left-clicking the name of the option.

A new browser window opens based on the option you selected.

Documentation Resources

The Sourcefire 3D System documentation set includes online help and PDF files.

You can reach the online help in two ways:

• by clicking the context-sensitive help links on each page

• by selecting Operations > Help > Online.

The online help includes information about the tasks you can complete on the web interface, including procedural and conceptual information about user management, system management, and IPS and RNA analysis.

The Documentation CD contains a PDF version of the Sourcefire 3D System Administrator Guide and the Sourcefire 3D System Analyst Guide, which together include the same content as the online help, but in an easy-to-print format.

The Administrator Guide contains information specifically for administrators and maintenance users. In this guide you will find information about managing Master Defense Centers, Defense Centers, and 3D Sensors, configuring system settings and system policies, managing user accounts, scheduling tasks, and monitoring the health of your appliances.

The Analyst Guide contains information for Intrusion Event Analysts, RNA Event Analysts, and Policy & Response Administrators. In this guide you will find information about managing RNA and IPS policies; analyzing RNA, RUA, and intrusion data; and using event reports.

The Documentation CD also contains copies of the Defense Center Installation Guide and the 3D Sensor Installation Guide, which include information about installing the appliance as well as hardware specifications and safety information. The CD also contains copies of various API guides and supplementary material. You can access the most up-to-date versions of the documentation on the Sourcefire Support web site (https://support.sourcefire.com/).


Documentation Conventions

This documentation includes information about which Sourcefire 3D System components are required for each feature and which user roles have permission to complete each procedure.

Refer to Platform Requirements Conventions on page 38 for the meaning of the Requires statement at the beginning of each section.

Refer to Access Requirements Conventions on page 39 for the meaning of the Access statement at the beginning of each procedure.

Platform Requirements Conventions

The Requires statement at the beginning of each section in this documentation indicates the combination of appliance platform and licenses you need to use the feature described in the section. Platform requirement information for specific aspects of a feature is provided where needed.

All platform information is formatted with an orange typeface.

The following table defines the abbreviations used to indicate each different platform requirement:

Platform and Licensing Requirement Abbreviations

3D Sensor: One of the following Series 1 or Series 2 sensors:

• 3D500

• 3D1000

• 3D2000

• 3D2100

• 3D2500

• 3D3500

• 3D4500

• 3D6500

• 3D9900

This acronym on its own indicates that the task in question can be performed on any of these sensors even if an IPS license is not applied on the sensor and the sensor is not managed.

Any: Any appliance with any combination of licenses

DC: A DC500, DC1000, Virtual Defense Center, or DC3000 appliance used as a Defense Center

DC/MDC: A DC3000 appliance used as a Defense Center or a Master Defense Center

IPS: A 3D Sensor licensed with the IPS technology

RNA: An RNA license

RUA: An RUA license

An or conjunction indicates that the task or feature is available on either of the indicated platforms. A “+” conjunction indicates that the platforms are required in combination.

For example, you can change an expired password on a Defense Center or Master Defense Center or on a 3D Sensor, so the Changing an Expired Password topic has a Requires statement of DC/MDC or 3D Sensor.

In contrast, to manage a Defense Center with a Master Defense Center, you need both a Defense Center and a Master Defense Center, so the Adding a Master Defense Center topic has a Requires statement of MDC + DC.

Access Requirements Conventions

The Access statement at the beginning of each procedure in this documentation indicates the access role required to use the feature described in the section.

All access information is formatted with a green typeface.

The following table defines the abbreviations used to indicate each different access requirement:

Access Requirement Abbreviations

Admin: User must have the Administrator role

Any: User can have any role

Any Analyst: User can have any analyst role

Any except Restricted: User can have any role except Restricted Analyst or Restricted Analyst (Read Only)

Any Analyst except Restricted: User can have any analyst role except Restricted Analyst or Restricted Analyst (Read Only)

Any IPS: User must have the Intrusion Event Analyst role or Intrusion Event Analyst (Read Only) role or the Restricted Event Analyst role or Restricted Event Analyst (Read Only) role with rights to that function

IPS: User must have the Intrusion Event Analyst role or Restricted Event Analyst role with rights to that function

IPS-RO: User must have the Intrusion Event Analyst (Read Only) role or Restricted Event Analyst (Read Only) role with rights to that function

Maint: User must have the Maintenance role

P&R Admin: User must have the Policy & Response Administrator role

Any RNA: User must have the RNA Event Analyst or RNA Event Analyst (Read Only) or Restricted Event Analyst or Restricted Event Analyst (Read Only) role with rights to that function

RNA: User must have the RNA Event Analyst role or Restricted Event Analyst role with rights to that function

RNA-RO: User must have the RNA Event Analyst (Read Only) role or Restricted Event Analyst (Read Only) role with rights to that function

A “/” conjunction indicates that the task or feature is available to users with one or more of the indicated roles. A “+” conjunction indicates that the roles are required in combination.

For example, to view the Hosts network map, a user must have the RNA Event Analyst or RNA Event Analyst (Read Only) role or the Restricted Event Analyst or Restricted Event Analyst (Read Only) role with RNA Hosts Data set to Show All Data or to show a specific search. The Access setting for the procedure in the Working with the Hosts Network Map topic is Any RNA/Admin.

Rule thresholding in the packet view provides an example of required combined access roles. You must have the Administrator role, or have the Policy & Response Administrator role in combination with the Intrusion Event Analyst role or the Restricted Event Analyst role with Intrusion Events Data set to Show All Data or to show a specific search, to access the packet view and set thresholding for a rule from the packet view. As a result, the Access setting for the procedure in the Setting Threshold Options within the Packet View topic is IPS + P&R Admin/Admin.

IP Address Conventions

Requires: Any

You can use Classless Inter-Domain Routing (CIDR) notation to define IP address ranges in many places in the Sourcefire 3D System, including but not limited to the following:

• RNA detection policies

• custom topologies

• auto-assigned networks for user-defined host attributes

• traffic profiles

• compliance rules and white lists

• active scan targets

• intrusion policies, variables, and standard text rules

• PEP

CIDR notation uses a network IP address combined with a bit mask to define the IP addresses in the specified range. For example, the following table lists the private IPv4 address spaces in CIDR notation.

CIDR Notation Syntax Examples

CIDR Block       IP Addresses in CIDR Block       Subnet Mask     Number of IP Addresses
10.0.0.0/8       10.0.0.0 - 10.255.255.255        255.0.0.0       16,777,216
172.16.0.0/12    172.16.0.0 - 172.31.255.255      255.240.0.0     1,048,576
192.168.0.0/16   192.168.0.0 - 192.168.255.255    255.255.0.0     65,536

When you use CIDR notation to specify a range of IP addresses, the Sourcefire 3D System uses only the masked portion of the network IP address you specified, without changing your user input. For example, if you type 10.1.2.3/8, the Sourcefire 3D System uses 10.0.0.0/8, but the web interface continues to display 10.1.2.3/8. In other words, although Sourcefire recommends the standard method of using a network IP address on the bit boundary when using CIDR notation, the Sourcefire 3D System does not require it. Be aware that what the web interface displays is therefore not always what is enforced: an entry such as 10.1.2.3/8 in a compliance white list or an intrusion policy variable matches all of 10.0.0.0/8, not the single host 10.1.2.3.
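The masking behaviour described above is easy to check before you commit a policy. The following Python script is an added example, not code from the guide or from Sourcefire. It uses the standard library ipaddress module to compute what a CIDR string matches once the host bits are ignored, reproduces the columns of the CIDR Notation Syntax Examples table, and flags entries whose displayed value differs from what the system enforces. The sample inputs are constructed for the example.

```python
import ipaddress

# Constructed sample inputs for this example. The first carries host bits
# (10.1.2.3/8): the 3D System displays it as typed but enforces 10.0.0.0/8.
SAMPLE_INPUTS = ["10.1.2.3/8", "172.16.0.0/12", "192.168.0.0/16"]


def normalize_cidr(text):
    """Describe what a CIDR string matches once host bits are masked off.

    ip_interface is used instead of ip_network so that inputs with host bits
    (which ip_network rejects in strict mode) are accepted, as the 3D System
    accepts them, and then reduced to their enclosing network.
    """
    iface = ipaddress.ip_interface(text.strip())
    net = iface.network  # 10.1.2.3/8 -> IPv4Network('10.0.0.0/8')
    return {
        "input": text,
        "network": str(net),                   # what is actually enforced
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "mask": str(net.netmask),
        "count": net.num_addresses,
        "host_bits_set": iface.ip != net.network_address,
    }


def find_masked_inputs(cidrs):
    """Return (input, enforced_network) for entries whose displayed value
    differs from what is enforced, i.e. entries with host bits set."""
    masked = []
    for text in cidrs:
        info = normalize_cidr(text)
        if info["host_bits_set"]:
            masked.append((text, info["network"]))
    return masked


def print_table(cidrs):
    """Print the same columns as the guide's CIDR Notation Syntax Examples table."""
    print(f"{'CIDR Block':16} {'IP Addresses in CIDR Block':32} {'Subnet Mask':16} {'Count':>12}")
    for text in cidrs:
        r = normalize_cidr(text)
        flag = ""
        if r["host_bits_set"]:
            flag = "  (host bits ignored; enforced as %s)" % r["network"]
        addresses = r["first"] + " - " + r["last"]
        print(f"{r['input']:16} {addresses:32} {r['mask']:16} {r['count']:>12,}{flag}")


if __name__ == "__main__":
    print_table(SAMPLE_INPUTS)
    for typed, enforced in find_masked_inputs(SAMPLE_INPUTS):
        print(f"warning: {typed} will be enforced as {enforced}")
```

Run find_masked_inputs over the network entries you are about to paste into a white list, variable set or detection policy; anything it returns will display one way in the web interface and match another way on the sensor.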

Chapter 2: Performing the Initial Setup

After installing your Defense Center or 3D Sensor as described in the Installation Guide and logging into the web interface for the first time, you are presented with a series of start-up pages.

Newer models of the 3D Sensor, called Series 2 sensors, provide a rapid set up feature and a status page. Note that if you purchased your sensor prior to 2008, you may have a Series 1 3D Sensor. Consult your original documentation or contact Sourcefire Support for information about performing the initial setup on those sensor models.

To perform the initial setup of a Virtual 3D Sensor, see the Sourcefire 3D System Virtual Defense Center and 3D Sensor Installation Guide.

See the following sections for more information:

• Setting Up 3D Sensors on page 44 explains how to complete the setup process for Series 2 3D Sensors.

• Setting up Defense Centers on page 47 explains how to complete the setup process for Defense Centers.

• What’s Next? on page 52 provides detailed lists of the next tasks to be performed by each type of user.


Setting Up 3D Sensors

Requires: 3D Sensor

Newer models of the 3D Sensor (that is, Series 2 sensors) provide a simple web form to collect information about your network environment and how you intend to deploy the sensor. These sensors include the following models:

• 3D500

• 3D1000

• 3D2000

• 3D2100

• 3D2500

• 3D3500

• 3D4500

• 3D6500

• 3D9900

You can view illustrations of each model in the 3D Sensor Installation Guide to determine your sensor model. Defense Centers use the setup process in Setting up Defense Centers on page 47.

After physically installing the 3D Sensor, setting up the IP address for the management interface, and logging into the 3D Sensor’s web interface (as described in the 3D Sensor Installation Guide), the Install page appears so that you can continue the setup process.

WARNING! Prepare for the initial setup and complete it promptly after you begin. If the initial setup is interrupted or if a second user logs in while it is underway, the results can be unpredictable.

To complete the initial setup:

Access: Admin

1. Under Change Password, in the New Password and Confirm fields, enter a new password for the admin user account. The same password is also set as the root password for the shell account.

TIP! The initial change to the admin user password changes the root password for the shell account. Use the command line interface on the appliance for subsequent changes to the root password.

Sourcefire strongly recommends that your password is at least eight alphanumeric characters of mixed case and includes at least one numeric character. Avoid using words that appear in a dictionary. Because this one password also unlocks the root shell on the appliance, protect it as you would any root password.


2. Under Network Settings, enter the settings that you want to use for the management IP address.

Note that if you used the configure-network script before logging into the web interface, the IP address, netmask, and gateway fields are pre-populated with your settings.

3. Under Remote Management, indicate whether you want to manage the 3D Sensor with a Defense Center.

You can use the IP address of the Defense Center or, if you specify a DNS server, its hostname. The registration key is a single-use, user-created string that you will also use from within the Defense Center’s web interface when you complete the sensor registration process.

If your sensor and Defense Center are separated by a network address translation (NAT) device, defer Defense Center management until after you complete the initial setup. Refer to Working in NAT Environments on page 112 and Adding Sensors to the Defense Center on page 117 for more information.

4. Optionally, under Time Settings, indicate how you want to set the time for the 3D Sensor. This step applies only when your Defense Center is running current software and your sensors are running earlier software. You can set the time manually or via network time protocol (NTP) from an NTP server. Note that if you use an NTP server to set the time, you must also specify the primary and secondary DNS servers.

Note that if you are managing the sensor with a Defense Center and the Defense Center itself is set up as an NTP server, you can specify the Defense Center as the sensor’s NTP server.

IMPORTANT! If both your Defense Center and your sensors are running current software, this step is unnecessary as the current software will synchronize automatically.

5. Under Detection Mode, specify how you want to deploy the 3D Sensor. You have two options:

• If you deployed the sensor as an inline IPS using paired sensing interfaces, select Inline with Failopen Mode.

• If you deployed the sensor as a passive IDS on your network, select Passive Mode.

WARNING! If you select Inline with Failopen Mode when the sensor is deployed passively, you may cause your network to be bridged, resulting in unexpected network behavior.


6. Under Recurring SEU Imports, check the Enable Recurring SEU Imports check box to configure automatic SEU imports and specify the update frequency. To queue an immediate update from the Sourcefire support site, select Update Now.

Select the state for adding new rules to intrusion policies as disabled or in the predefined default state. For detailed information on adding new rules to custom policies in the default state or in the disabled rule state, refer to Using Recurring SEU Imports in the Analyst Guide. You can also instruct the system to reapply intrusion policies after the SEU import completes.

7. Under License Settings, indicate whether you want to add a product license to the 3D Sensor. You have two options:

• To use only the RNA or RUA functionality without IPS, you do not need to add a product license. An RNA detection engine is created automatically, with no policy applied. You control licensing for RNA or RUA through the Defense Center managing the sensor.

Skip to step 8.

• To use IPS functionality (either by itself or with RNA or RUA functionality), you must add a product license to the 3D Sensor.

To add a product license, enter the license key in the license key field, and click Add/Verify.

To obtain a product license, click the link to navigate to https://keyserver.sourcefire.com/. Follow the on-screen instructions to generate an email containing the license file and paste it into the License field. Note that you will be prompted for the license key and an activation key. The activation key was previously emailed to the contact person identified on your support contract.

If your current host cannot access the Internet, switch to a host that can and navigate to the keyserver web page.


8. Under End User License Agreement, read the agreement carefully. If you agree to abide by its provisions, select the check box and click Apply.

The 3D Sensor is configured according to your selections. The appliance logs you out. A dashboard page appears after you log back in, which indicates the appliance is now operational. See Using Dashboards on page 59 for more information. See What’s Next? on page 52 for some suggestions about how to proceed after you complete these initial startup pages.

TIP! If you used the option to connect through the management port to perform the initial setup, remember to connect the cable to the protected management network.

TIP! Applying a default policy to detection engines can take several minutes. You will see no intrusion events until it completes. You can check the task progress at Operations > Monitoring > Task Status.

Setting up Defense Centers

Requires: DC/MDC

The first time you log in to the web interface, Defense Centers and Master Defense Centers provide a simple web form to collect information about your network environment and how you intend to deploy the appliance.

After physically installing the Defense Center, setting up the IP address for the management interface, and logging into the Defense Center’s web interface (as described in the Defense Center Installation Guide), the Install page appears so that you can continue the setup process.

WARNING! Prepare for the initial setup and complete it promptly after you begin. If the initial setup is interrupted or if a second user logs in while it is underway, the results can be unpredictable.


To complete the initial setup:

Access: Admin

1. Under Change Password, in the New Password and Confirm fields, enter a new password for the admin user account. The same password is also set as the root password for the shell account.

TIP! The initial change to the admin user password changes the root password for the shell account. Use the command line interface on the appliance for subsequent changes to the root password.

Sourcefire strongly recommends that your password is at least eight alphanumeric characters of mixed case and includes at least one numeric character. Avoid using words that appear in a dictionary.

2. Under Network Settings, enter the settings that you want to use for the management IP address.

Note that if you used the configure-network script before logging into the web interface, the IP address, netmask, and gateway fields are pre-populated with your settings.

3. If you are installing a DC3000, under Operational Mode, you can set the appliance to operate as a Defense Center or a Master Defense Center.

IMPORTANT! A Master Defense Center can manage only Defense Centers, not 3D Sensors, and it does not provide every capability of a Defense Center. For more information on the differences between the features provided by a Master Defense Center and a Defense Center, see Master Defense Center and Defense Center Functional Comparison on page 159.

If you select the Master Defense Center mode, the Remote Management section becomes unnecessary and is hidden from the form. Skip to step 5.

4. Under Remote Management, indicate whether you want to manage the Defense Center with a Master Defense Center.

You can use the IP address of the Master Defense Center or, if you specify a DNS server, its hostname. The registration key is a single-use, user-created string that you will also need to use when you register the Defense Center through the Master Defense Center’s web interface.

IMPORTANT! If your Defense Center and Master Defense Center are separated by a network address translation (NAT) device, defer remote management until after you complete the initial setup. See Working in NAT Environments on page 112 and Adding a Master Defense Center on page 165 for more information.


5. Under Time Settings, indicate how you want to set the time for the Defense Center. You can set the time manually or via network time protocol (NTP) from an NTP server. Note that if you use an NTP server to set the time, you must also specify the primary and secondary DNS servers.

Note that if you are managing the Defense Center with a Master Defense Center and the Master Defense Center itself is set up as an NTP server, you can specify the Master Defense Center as the Defense Center’s NTP server.

IMPORTANT! If your Defense Center, Master Defense Center and all sensors are running current software, this step is unnecessary as the current software will synchronize automatically.

6. If you are installing a DC3000 and your operational mode is Master Defense Center, the Defense Center Registration portion of the form is visible. Use these fields only to register Defense Centers where you have already configured remote management by this Master Defense Center.

You can use the IP address of the Defense Center or, if you specify a DNS server, its hostname. The registration key is the single-use, user-created string you used in the Defense Center’s web interface when you configured remote management.

IMPORTANT! If your Defense Center and Master Defense Center are separated by a network address translation (NAT) device, defer remote management until after you complete the initial setup. See Working in NAT Environments on page 112 and Adding a Defense Center on page 168 for more information.

7. On Defense Centers, under Sensor Registration, register any 3D Sensors that are already pending registration with this Defense Center and indicate whether you want to apply default policies to them.

You can use the IP address of the 3D Sensor or, if you specify a DNS server, its hostname. The registration key is the single-use, user-created string used in the 3D Sensor’s web interface when you configured remote management for the sensor.

If your 3D Sensor and Defense Center are separated by a network address translation (NAT) device, you should defer remote management until after you complete the initial setup. Refer to Working in NAT Environments on page 112 and Adding Sensors to the Defense Center on page 117 for more information.

IMPORTANT! Use this function only if you have previously installed 3D Sensors that are pending registration with this Defense Center.

Click Add to register each newly listed 3D Sensor with this Defense Center.


8. Under Recurring SEU Imports, check the Enable Recurring SEU Import check box to configure automatic SEU imports and specify the update frequency. To queue an immediate update from the Sourcefire support site, select Update Now.

Select the state for adding new rules to intrusion policies as disabled or in the predefined default state. For detailed information on adding new rules to custom policies in the default state or in the disabled rule state see Using Recurring SEU Imports in the Analyst Guide. You can also instruct the system to reapply intrusion policies after the SEU import completes.

9. Under License Settings, add a product license and any required feature licenses to the Defense Center.

To obtain a product license, click the link to navigate to https://keyserver.sourcefire.com/. Follow the on-screen instructions to generate an email containing the license file and paste it into the License field. Note that you will be prompted for the license key and an activation key. The activation key was previously emailed to the contact person identified on your support contract.

If your current host cannot access the Internet, switch to a host that can and navigate to the keyserver web page.

10. Under End User License Agreement, read the agreement carefully. If you agree to abide by its provisions, select the check box and click Apply.

The Defense Center or Master Defense Center is configured according to your selections. The appliance logs you out. A dashboard page appears after you log back in, which indicates the appliance is operational. See Using Dashboards on page 59 for more information. See What’s Next? on page 52 for some suggestions about how to proceed after you complete these initial startup pages.

TIP! If you used the option to connect through the management port to perform the initial setup, remember to connect the cable to the protected management network.

Communication Ports

The Sourcefire 3D System requires the use of specific ports to communicate internally and externally, between Defense Centers and sensors, and to enable certain functionality within the network deployment. Refer to the Required Open Ports table for more information on functions and their associated ports. Open only the ports for the functions you actually deploy; the Notes column indicates where a port is needed only for an optional feature.

Required Open Ports

Ports          Description                 Notes
20, 21         ftp
22             ssh/ssl
23             telnet
25             smtp
53             dns
67, 68         dhcp
80             http                        Open this port when you connect to a remote web server through the RSS widget.
162            snmp
389, 636       ldap
443            https
514            syslog                      Open this port only if you are using a remote syslog server.
1241           Nessus
1660           Nmap
1812, 1813     FreeRADIUS                  Note that you must open both ports to ensure that FreeRADIUS functions correctly.
3306           RUA Agent                   Open this port for communications between the Defense Center and RUA Agents.
8301           Intrusion Agent             Open this port for communications between the Defense Center and Intrusion Agents.
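Before registering a sensor with a Defense Center, a practitioner usually wants to confirm that the management path is open. The following Python script is an added example, not code from the guide or from Sourcefire. It runs TCP connect tests against a chosen set of ports from the Required Open Ports table. The port selection is an assumption for a sensor managed by a Defense Center that also uses a remote syslog server and LDAP authentication; trim or extend it to match the functions you deploy. Note that the table does not state transport protocols: a TCP connect test says nothing about UDP services (syslog on 514, SNMP traps on 162 and RADIUS on 1812/1813 are UDP by default), and a refused or timed-out connect may mean a host firewall on the target rather than a filter in the network path.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Assumed port selection for this example, taken from the Required Open Ports
# table: a sensor managed by a Defense Center, with remote syslog and LDAP.
MANAGEMENT_PORTS = {
    22: "ssh",
    443: "https",
    8302: "eStreamer",
    8305: "Management Virtual Network (Defense Center to v.4.8.x 3D Sensors)",
    514: "syslog (remote syslog server only)",
    389: "ldap",
    636: "ldap",
}


def tcp_open(host, port, timeout=2.0):
    """True if a TCP connect to host:port completes within timeout;
    False on connection refused, timeout or any other socket error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(host, ports, timeout=2.0):
    """Test the given ports in parallel and return {port: reachable}."""
    ports = list(ports)
    if not ports:
        return {}
    with ThreadPoolExecutor(max_workers=min(8, len(ports))) as pool:
        return dict(pool.map(lambda p: (p, tcp_open(host, p, timeout)), ports))


def unreachable(host, ports, timeout=2.0):
    """Sorted list of the ports that did not accept a TCP connection."""
    return sorted(p for p, ok in check_ports(host, ports, timeout).items() if not ok)


if __name__ == "__main__":
    # Usage: python check_ports.py <defense-center-ip-or-hostname>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = check_ports(target, MANAGEMENT_PORTS)
    for port in sorted(results):
        state = "open" if results[port] else "CLOSED/FILTERED"
        print(f"{target}:{port:<6} {state:16} {MANAGEMENT_PORTS[port]}")
```

Run it from the sensor's management network against the Defense Center (and from the Defense Center against the sensor, since registration traffic flows both ways) before you enter the registration key; a port reported as CLOSED/FILTERED is the first thing to fix when registration hangs.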


Required Open Ports (Continued)

Ports          Description                 Notes
8302           eStreamer
8305           Management Virtual Network  Open this port for communications between the Defense Center and v. 4.8.x 3D Sensors.
18183          OPSEC SAM

What’s Next?

Requires: Any

After you complete the initial setup for the Sourcefire 3D System, your next steps depend on the role assigned to your user account (Administrator user, Maintenance user, Policy & Response Administrator user, Intrusion Event Analyst user, or RNA Event Analyst user) and what appliance you are using. See Managing Users on page 264 for more information about user roles.

For deployments that include a Defense Center, you can perform much of the process on the Defense Center itself.

IMPORTANT! Tasks that must be completed on specific hardware or software platforms are indicated by special text: for example, tasks that require a Defense Center are preceded with Requires: DC. Similarly, if your Defense Center or 3D Sensor must be licensed for IPS, RNA, or RUA, the task is preceded with Requires: IPS, Requires: RNA, or Requires: RUA.

For standalone 3D Sensor deployments (that is, deployments that do not include a Defense Center and do not use RNA), a user with Administrator access must perform the first steps. Review the tasks in the following sections, which are based on the user account privileges required for the task.

• Administrator User Tasks on page 53 describes the steps that you must complete before Policy & Response Administrator users and analyst users can begin their tasks.

• Maintenance User Tasks on page 54 explains some of the steps in the process that Maintenance users can perform after Administrator users finish their required tasks.

• Policy & Response Administrator User Tasks on page 55 describes some of the policies and custom rules that Policy & Response Administrator users can create and apply so that analyst users receive useful data for their analyses.


• RNA Event Analyst User Tasks on page 56 describe the features that RNA Event Analyst users can use to learn about the assets on your network.

• Intrusion Event Analyst User Tasks on page 57 describe the features that Intrusion Event Analyst users can use to learn about the kinds of attacks that are launched against assets on your network.

Administrator User Tasks

Requires: Any

Administrator users have a superset of tasks. Tasks essential to initial setup are listed below.

The first steps for the Administrator user are as follows:

Access: Admin 1. If you want to manage your 3D Sensors with a Defense Center but did not enable remote management as part of the initial setup on the sensor, you should set it up now. See Configuring Remote Access to the Defense Center on page 386 for information about setting up management links between your sensors and the Defense Center.

TIP! After you set up management, Sourcefire recommends that you use the Defense Center’s web interface rather than the sensor’s web interface to manage the sensor and view the events that it generates. You must complete the steps outlined in Working with Sensors on page 113 on the Defense Center and on the sensors to complete the process.

2. Requires: DC If you are deploying two Defense Centers in high availability mode, set up high availability as explained in Configuring High Availability on page 145.

In most network environments, the sensors you add to the primary Defense Center are automatically added to the secondary Defense Center.

TIP! You can use high availability mode on Defense Centers which are managed by a Master Defense Center, but you cannot use high availability mode directly on the Master Defense Center itself.

3. Requires: DC If you want to authenticate users using an external authentication server, you must create an authentication object for that server as described in Creating LDAP Authentication Objects on page 269.


4. If you did not already set up a system policy as part of the initial setup, you should configure one that meets the needs of your network and security environment. Note that, if you want to use external authentication, you need to enable it in a system policy on the Defense Center and apply that policy to any appliances where users will authenticate to the external server. See Managing System Policies on page 320 for more information.

You can also create different policies on your Defense Center and apply them to the managed sensors where it is appropriate.

5. Check for any available software patches, vulnerability database updates, and Security Enhancement Updates (SEUs) and apply them to your Defense Center where required. Apply any available software patches or vulnerability database updates to managed sensors where required.

Patches and updates are available on the Sourcefire Support site. See Importing SEUs and Rule Files in the Analyst Guide and Updating System Software on page 398 for more information.

6. Create new user accounts that match the roles you want to assign to your users.

The auditing feature records events by user account name, so give each user an individual account rather than letting several people share one or two accounts; a shared account makes the audit trail useless for attributing an action to a person. See Managing Users on page 264 for more information.

7. By default, each 3D Sensor has a single detection engine that encompasses all of the available sensing interfaces (or all of the available fast-packet-enabled interfaces) on the sensor. To take advantage of the multiple detection engine feature, you must modify the default detection engine.

See Using Detection Engines and Interface Sets on page 185 for more information about examining traffic on multiple network segments with a single sensor.

8. Requires: DC Set up health monitoring policies and apply them to your managed sensors and to the Defense Center itself.

The health monitoring feature includes a range of modules that you can enable or disable based on the needs of your network environment. See Using Health Monitoring on page 482 for more information. Note that a Maintenance user can also set up health policies.

The next section, Maintenance User Tasks, describes the steps that a user with Maintenance access can perform.

Maintenance User Tasks

Requires: Any

After a user with Administrator privileges performs the initial configuration as described in Setting Up 3D Sensors on page 44, a Maintenance user or an Administrator user can perform the following tasks:


To continue the initial setup, Maintenance users can:

Access: Maint/Admin 1. Requires: DC If a user with Administrator privileges has not configured health monitoring, you can set up and apply health policies on your managed sensors and the Defense Center.

See Using Health Monitoring on page 482 for more information.

2. Set up scheduled tasks for any jobs that you want to perform on a regular basis. See Scheduling Tasks on page 425 for more information.

3. Develop a backup and restore plan. See Using Backup and Restore on page 413 for details about backing up configurations as well as event data. Note that you can also schedule regular backups of your appliance.

The next section, Policy & Response Administrator User Tasks, describes the steps that a user with Policy & Response Administrator access can perform.

Policy & Response Administrator User Tasks

Requires: Any

After a user with Administrator privileges performs the initial configuration as described in Setting Up 3D Sensors on page 44, a Policy & Response Administrator user or an Administrator user can perform the following tasks:

To continue the initial setup, Policy & Response Administrator users can:

Access: P&R Admin/Admin

1. Requires: RNA Set up compliance policies to determine when prohibited activity occurs on your network. Compliance policies can contain rules based on nearly any kind of network activity that your 3D Sensor can detect, including anomalous network traffic patterns. See Configuring Compliance Policies and Rules in the Analyst Guide.

2. Requires: RNA If a compliance policy violation occurs, you can specify that the Defense Center automatically respond to it in one of several ways, including blocking a suspect host at the firewall or router, sending a notification by email or SNMP, or simply generating a syslog alert. For more information on responses, see Configuring Responses for Compliance Policies in the Analyst Guide.

3. Requires: IPS Create and apply intrusion policies to the IPS-related detection engines on your 3D Sensor. See Using Basic Settings in an Intrusion Policy in the Analyst Guide for more information.

4. Requires: IPS Part of the process for creating an intrusion policy includes enabling the appropriate intrusion rules and fine-tuning the preprocessors and packet decoders to match your network traffic. See Managing Intrusion Rules in the Analyst Guide and Using Advanced Settings in an Intrusion Policy in the Analyst Guide for more in-depth information about configuring intrusion policies.


5. Requires: IPS To ensure that your intrusion event analysts are informed as soon as possible regarding attacks against your most valuable network assets, consider setting up automated notifications (that can be sent to the syslog, via email, or via SNMP) if a specific intrusion rule is triggered. If your network environment includes an OPSEC-compliant firewall, you can also send SAM-based responses to the firewall. See Configuring External Responses to Intrusion Events in the Analyst Guide for more information.

6. Requires: IPS As you gain more experience with the intrusion rules provided by Sourcefire, you may want to write your own rules to meet the unique needs of your network. See Understanding and Writing Intrusion Rules in the Analyst Guide and Rule-Writing Examples and Tips in the Analyst Guide to learn more about using the rule editor to write your own intrusion rules.

The policies and rules that you create as a Policy & Response Administrator user determine the kinds of events that are seen by the RNA Event Analyst and Intrusion Event Analyst users on your appliance. The next sections, RNA Event Analyst User Tasks and Intrusion Event Analyst User Tasks, describe the steps that a user with Intrusion Event Analyst, Intrusion Event Analyst (Read Only), RNA Event Analyst, RNA Event Analyst (Read Only), or Restricted Event Analyst access can perform.

RNA Event Analyst User Tasks

Requires: Any

After a user with Administrator privileges performs the initial configuration as described in Setting Up 3D Sensors on page 44, an RNA Event Analyst user or an Administrator user can perform the tasks listed below. RNA Event Analyst (Read Only) users can perform any of these tasks. Similarly, Restricted Event Analyst users can perform most of these tasks, but their event views are limited to specific IP address ranges.

To continue the initial setup, RNA Event Analyst users can:

Access: Any RNA/Admin

1. Begin by reviewing the summary statistics, which can provide you with a high-level view of the activity and events taking place on your network. See Viewing RNA Event Statistics in the Analyst Guide for more information.

2. Requires: RNA Review the information in the network map, which is an expandable tree view of all the hosts and services reported by RNA. The network map provides you with an overview of your network and is a good tool for locating rogue access points, unknown hosts, and services that are prohibited by your security policies. See Using the Network Map in the Analyst Guide for more information.

3. Requires: RNA If you locate unknown hosts on the network map, use the host profile feature to learn more about them. You can also use the host profile to set host criticality and to learn about the vulnerabilities reported for the operating system and services running on each host. See Using Host Profiles in the Analyst Guide for more information.


4. Requires: RNA Use the RNA event workflows to review the activity that has occurred on your network over time. You can review information for network hosts, services, vulnerabilities, client applications, and host attributes. You can also use the extensive search capability to define and save your own search criteria that you can use as part of your regular analysis. Note that the kinds of RNA events that are logged to the database are determined by the system policy on the managing Defense Center. See Working with RNA Events in the Analyst Guide for more information.

5. Requires: RNA Use flow data and traffic profiles to gain a different kind of insight into the activity on your network. For example, you can review the information collected by RNA’s traffic monitoring features and identify high-traffic hosts, then determine which might be behaving abnormally. Note that flow data is collected by your sensors only if the flow data option is enabled in the RNA detection policy. See Working with Flow Data and Traffic Profiles in the Analyst Guide for more information.

6. Use the report designer to create CSV, HTML, or PDF-based event and incident reports. You can automatically email a report when it is complete, and you can create and save report profiles to use later. See Working with Event Reports on page 232 for more information. You can use the scheduler to automate reporting. See Scheduling Tasks on page 425.

7. Use any of the predefined workflows to view, investigate, and act on the events generated by your sensors. As you grow more experienced with the Sourcefire 3D System, you may want to create your own workflows. See Understanding and Using Workflows in the Analyst Guide for more information.

Intrusion Event Analyst User Tasks

Requires: Any After a user with Administrator privileges performs the initial configuration as described in Setting Up 3D Sensors on page 44, an Intrusion Event Analyst user or an Administrator user can perform the tasks listed below. Most of these can be performed by Restricted Event Analyst users also, but their event views are limited to specific IP address ranges.


To continue the initial setup, Intrusion Event Analyst users can:

Access: Any IPS/Admin

1. Begin by reviewing the summary statistics, which can provide you with a high-level view of the activity and events taking place on your network. See Viewing Intrusion Event Statistics in the Analyst Guide for more information.

2. Requires: IPS Use the intrusion event views to determine which hosts on your network are the targets of attacks and the types of attacks that are attempted against them. Note that the events that you see are limited by the options that are enabled in the intrusion policy that is applied to your sensors. See Working with Intrusion Events in the Analyst Guide for more information.

Requires: RNA Note that on the Defense Center, intrusion events are correlated with any available RNA data to generate an impact flag. Events with high impact are more likely to indicate that an attack is targeted against a vulnerable host on your network. See Using Impact Flags to Evaluate Events in the Analyst Guide for more information.

3. Requires: IPS Use the incident handling feature to collect information about your investigation of possible intrusions on your network. You can use an incident to record details about your investigation, and the appliance automatically records the amount of time you have the incident open. You can also add intrusion event data that you believe might be important to your investigation of the incident. See Handling Incidents in the Analyst Guide for more information.

4. Use the report designer to create CSV, HTML, or PDF-based event and incident reports. You can automatically email a report when it is complete, and you can create and save report profiles to use later. See Working with Event Reports on page 232 for more information. You can use the scheduler to automate reporting. See Scheduling Tasks on page 425.

5. Use any of the predefined workflows to view, investigate, and act on the events generated by your sensors. As you grow more experienced with the Sourcefire 3D System, you may want to create your own workflows. See Understanding and Using Workflows in the Analyst Guide for more information.

Chapter 3

Using Dashboards

Sourcefire 3D System dashboards provide you with at-a-glance views of current system status, including data about the events collected and generated by the Sourcefire 3D System, as well as information about the status and overall health of the appliances in your deployment.

Each dashboard has one or more tabs, each of which can display one or more widgets in a three-column layout. Widgets are small, self-contained components that provide insight into different aspects of the Sourcefire 3D System. The Sourcefire 3D System is delivered with several predefined widgets. For example, the Appliance Information widget tells you the appliance name, model, current version of the Sourcefire 3D System software running on the appliance, and its remote manager.

Each dashboard has a time range that constrains its widgets. You can change the time range to reflect a period as short as the last hour or as long as the last year.

Each type of appliance is delivered with a default dashboard, named Default Dashboard. This dashboard provides the casual user with basic event and system status information for your Sourcefire 3D System deployment. Note that because not all widgets are useful for all types of appliances, the default dashboard differs depending on whether you are using a Master Defense Center, Defense Center, or 3D Sensor.


By default, the home page for your appliance displays the default dashboard, although you can configure your appliance to display a different default home page, including pages that are not dashboard pages.

TIP! If you change the home page, you can access dashboards by selecting Analysis & Reporting > Event Summary > Dashboards. For more information, see Viewing Dashboards on page 91.

In addition to the default dashboard, the Defense Center is delivered with two other predefined dashboards:

• The Flow Summary dashboard uses flow data to create tables and charts of the activity on your monitored network; for more information on flow summary data, see Understanding Flow Data in the Analyst Guide.

Note that Restricted Event Analysts use the Flow Summary page instead of the Flow Summary Dashboard; see Viewing the Flow Summary Page in the Analyst Guide for more information.

• The Detailed Dashboard provides advanced users with detailed information about your Sourcefire 3D System deployment, and includes multiple widgets that summarize collected IPS, RNA, compliance, and system status data.

You can use the predefined dashboards, modify the predefined dashboards, or create a custom dashboard to suit your needs. You can share custom dashboards among all users of an appliance, or you can create a custom dashboard solely for your own use. You can also set a custom dashboard as your default dashboard.

For more information, see the following sections:

• Understanding Dashboard Widgets on page 60

• Understanding the Predefined Widgets on page 65

• Working with Dashboards on page 89

Understanding Dashboard Widgets

Requires: Any Each dashboard has one or more tabs, each of which can display one or more widgets in a three-column layout. The Sourcefire 3D System is delivered with several predefined dashboard widgets, each of which provides insight into a different aspect of the Sourcefire 3D System. Widgets are grouped into three categories:

• Analysis & Reporting widgets display data about the events collected and generated by the Sourcefire 3D System.

• Operations widgets display information about the status and overall health of the Sourcefire 3D System.

• Miscellaneous widgets display neither event data nor operations data. Currently the only widget in this category displays an RSS feed.

The dashboard widgets that you can view depend on the type of appliance you are using and on your user role. In addition, each dashboard has a set of preferences that determines its behavior. You can minimize and maximize widgets, add and remove widgets from tabs, as well as rearrange the widgets on a tab.

For more information, see:

• Understanding Widget Availability on page 61

• Understanding Widget Preferences on page 64

• Understanding the Predefined Widgets on page 65

• Working with Dashboards on page 89

Understanding Widget Availability

Requires: Any The Sourcefire 3D System is delivered with several predefined dashboard widgets. The dashboard widgets that you can view depend on the type of appliance you are using and on your user role:

• An invalid widget is one that you cannot view because you are using the wrong type of appliance.

• An unauthorized widget is one that you cannot view because you do not have the necessary account privileges.

For example, the Appliance Information widget is available on all appliances for all user roles, while the Compliance Events widget is available only on the Defense Center for users with Administrator, Intrusion Event Analyst, or RNA Event Analyst account privileges.

Although you cannot add an unauthorized or invalid widget to a dashboard, if you import a dashboard created either on a different kind of appliance or by a user with different access privileges, that dashboard may contain unauthorized or invalid widgets. These widgets are disabled and display error messages that indicate the reason why you cannot view them.

Also note that widgets cannot display data to which an appliance has no access. For example, the Master Defense Center cannot access flow data, RUA events, RNA events, and so on. If you import a dashboard onto a Master Defense Center that contains a Custom Analysis widget configured to display one of those data types, the widget displays an error message.


Similarly, the content of a widget can differ depending on the type of appliance you are using. For example, the Current Interface Status widget on a 3D Sensor displays the status of its sensing interfaces, but on Defense Centers and Master Defense Centers the widget displays only the status of the management interface. Note that any content generated in table format can be sorted by clicking on the table column header.

You can delete or minimize unauthorized and invalid widgets, as well as widgets that display no data, keeping in mind that modifying a widget on a shared dashboard modifies it for all users of the appliance. For more information, see Minimizing and Maximizing Widgets on page 97 and Deleting Widgets on page 97.

The Sourcefire Appliances and Dashboard Widget Availability table lists the valid widgets for each appliance. An X indicates that the appliance can display the widget.

Sourcefire Appliances and Dashboard Widget Availability

Widget | Master Defense Center | Defense Center | 3D Sensor with IPS (and RNA) | 3D Sensor with RNA (only)
Appliance Information | X | X | X | X
Appliance Status | X | X | |
Compliance Events | X | X | |
Current Interface Status | X | X | X | X
Current Sessions | X | X | X | X
Custom Analysis | X | X | X | X
Disk Usage | X | X | X | X
Interface Traffic | X | X | X | X
Intrusion Events | X | X | X | X
Network Compliance | | X | |
Product Licensing | | X | |
Product Updates | X | X | X | X
RSS Feed | X | X | X | X
System Load | X | X | X | X
System Time | X | X | X | X
White List Events | X | X | |

The User Roles and Dashboard Widget Availability table lists the user account privileges required to view each widget. An X indicates the user can view the widget.

IMPORTANT! User accounts with Restricted Event Analyst access cannot use dashboards.

User Roles and Dashboard Widget Availability

Widget Administrator Maintenance P&R Admin IPS Analyst RNA Analyst

Appliance Information X X X X X

Appliance Status X X X X

Compliance Events X X X

Current Interface Status X X X X

Current Sessions X

Custom Analysis X X X

Disk Usage X X X X X

Interface Traffic X X X X

Intrusion Events X X

Network Compliance X X X

Product Licensing X X

Product Updates X X X

RSS Feed X X X X X

System Load X X X X X

System Time X X X X X

White List Events X X X

Understanding Widget Preferences

Requires: Any Each widget has a set of preferences that determines its behavior.

Widget preferences can be simple. For example, the following graphic shows the preferences for the Current Interface Status widget, which displays the current status of the network interfaces for the appliance. You can only configure the update frequency for this widget.

Widget preferences can also be more complex. For example, the following graphic shows the preferences for the Custom Analysis widget, which is a highly customizable widget that allows you to display detailed information on the events collected and generated by the Sourcefire 3D System.

To modify a widget’s preferences:

Access: Any except Restricted

1. On the title bar of the widget whose preferences you want to change, click the show preferences icon.

The preferences section for that widget appears.


2. Make changes as needed.

Your changes take effect immediately. For information on the preferences you can specify for individual widgets, see Understanding the Predefined Widgets on page 65.

3. On the widget title bar, click the hide preferences icon to hide the preferences section.

Understanding the Predefined Widgets

Requires: Any The Sourcefire 3D System is delivered with several predefined widgets that, when used on dashboards, can provide you with at-a-glance views of current system status, including data about the events collected and generated by the Sourcefire 3D System, as well as information about the status and overall health of the appliances in your deployment.

For detailed information on the widgets delivered with the Sourcefire 3D System, see the following sections:

• Understanding the Appliance Information Widget on page 66

• Understanding the Appliance Status Widget on page 67

• Understanding the Compliance Events Widget on page 67

• Understanding the Current Interface Status Widget on page 68

• Understanding the Current Sessions Widget on page 69

• Understanding the Custom Analysis Widget on page 69

• Understanding the Disk Usage Widget on page 80

• Understanding the Interface Traffic Widget on page 81

• Understanding the Intrusion Events Widget on page 81

• Understanding the Network Compliance Widget on page 82

• Understanding the Product Licensing Widget on page 84

• Understanding the Product Updates Widget on page 85

• Understanding the RSS Feed Widget on page 86

• Understanding the System Load Widget on page 87

• Understanding the System Time Widget on page 87

• Understanding the White List Events Widget on page 88

IMPORTANT! The dashboard widgets you can view depend on the type of appliance you are using and on your user role. For more information, see Understanding Widget Availability on page 61.


Understanding the Appliance Information Widget

Requires: Any The Appliance Information widget provides a snapshot of the appliance.

The widget provides:

• the name, management interface IP address, and model of the appliance

• the versions of the Sourcefire 3D System software, operating system, Snort, SEU, rule pack, module pack, and vulnerability database (VDB) installed on the appliance

• for managed appliances, the name and status of the communications link with the managing appliance

• for Defense Centers in a high availability pair, the name, model, and Sourcefire 3D System software and operating system versions of the peer Defense Center, as well as how recently the Defense Centers made contact

You can configure the widget to display more or less information by modifying the widget preferences to display a simple or an advanced view; the preferences also control how often the widget updates. For more information, see Understanding Widget Preferences on page 64.


Understanding the Appliance Status Widget

Requires: DC/MDC The Appliance Status widget indicates the health of the appliance and of any appliances it is managing. Note that because the Defense Center does not automatically apply a health policy to managed sensors, you must manually apply a health policy or their status appears as Disabled.

You can configure the widget to display appliance status as a pie chart or in a table by modifying the widget preferences.

The preferences also control how often the widget updates. For more information, see Understanding Widget Preferences on page 64.

You can click a section on the pie chart or one of the numbers on the appliance status table to go to the Health Monitor page and view the compiled health status of the appliance and of any appliances it is managing. For more information, see Using the Health Monitor on page 545.

Understanding the Compliance Events Widget

Requires: DC/MDC The Compliance Events widget shows the average events per second by priority, over the dashboard time range.


You can configure the widget to display compliance events of different priorities by modifying the widget preferences, as well as to select a linear (incremental) or logarithmic (factor of ten) scale.

Select one or more Priorities check boxes to display separate graphs for events of specific priorities, including events that do not have a priority. Select Show All to display an additional graph for all compliance events, regardless of priority. The preferences also control how often the widget updates. For more information, see Understanding Widget Preferences on page 64.

You can click a graph to view compliance events of a specific priority, or click the All graph to view all compliance events. In either case, the events are constrained by the dashboard time range; accessing compliance events via the dashboard changes the events (or global) time window for the appliance. For more information on compliance events, see Viewing Compliance Events in the Analyst Guide.

Understanding the Current Interface Status Widget

Requires: Any The Current Interface Status widget shows the status of the network interfaces for the appliance, grouped by type: management, inline, passive, and unused. Note that only 3D Sensors have interface types other than the management interface.

For each interface, the widget provides:

• the name of the interface

• the link state of the interface, represented by a green ball (up) or a gray ball (down)

• the link mode (for example, 100Mb full duplex, or 10Mb half duplex) of the interface


• the type of interface, that is, copper or fiber

• the amount of data received (Rx) and transmitted (Tx) by the interface

The widget preferences control how often the widget updates. For more information, see Understanding Widget Preferences on page 64.

Understanding the Current Sessions Widget

Requires: Any The Current Sessions widget shows which users are logged into the appliance, the IP address of the machine where the session originated, and the last time each user accessed a page on the appliance (based on the local time for the appliance). The user that represents you, that is, the user currently viewing the widget, is marked with a user icon and is rendered in bold type.

On the Current Sessions widget, you can:

• click any user name to manage user accounts on the User Management page; see Managing User Accounts on page 299

• click the host icon next to any IP address to view the host profile for that computer; see Using Host Profiles in the Analyst Guide (Defense Center with RNA only)

• click any IP address or access time to view the audit log constrained by that IP address and by the time that the user associated with that IP address logged on to the web interface; see Viewing Audit Records on page 567

The widget preferences control how often the widget updates. For more information, see Understanding Widget Preferences on page 64.

Understanding the Custom Analysis Widget

Requires: Any The Custom Analysis widget is a highly customizable widget that allows you to display detailed information on the events collected and generated by the Sourcefire 3D System.

The Custom Analysis widget is delivered with several presets, which are groups of configurations that are predefined by Sourcefire. The presets serve as examples and can provide quick access to information about your deployment. You can use these presets or you can create a custom configuration.

When you configure the widget preferences, you must select which table and individual field you want to display, as well as the aggregation method that configures how the widget groups the data it displays.


For example, if you are using Sourcefire RNA as part of your deployment, you can configure the Custom Analysis widget to display which operating systems are running on the hosts in your organization by configuring the widget to display OS data from the RNA Hosts table. Aggregating this data by Count tells you how many hosts are running each operating system.

On the other hand, aggregating by Unique OS tells you how many unique versions of each operating system are running on the same hosts (for example, how many unique versions of Linux, Microsoft Windows, Mac OS X, and so on).

Optionally, you can further constrain the widget using a saved search, either one of the predefined searches delivered with your appliance or a custom search that you created. For example, constraining the first example (operating systems aggregated by Count) using the Local Systems search tells you how many hosts within one hop of your 3D Sensors are running each operating system.

The colored bars in the widget background show the relative number of occurrences of each event; you should read the bars from right to left. You can change the color of the bars as well as the number of rows that the widget displays. You can also configure the widget to display the most frequently occurring events or the least frequently occurring events.

The direction icon indicates and controls the sort order of the display. A downward-pointing icon indicates descending order; an upward-pointing icon indicates ascending order. To change the sort order, click the icon.

Next to each event, the widget can display one of three icons to indicate any additions or movement from the most recent results:

• The new event icon signifies that the event is new to the results.

• The up-arrow icon indicates that the event has moved up in the standings since the last time the widget updated. A number indicating how many places the event has moved up appears next to the icon.

• The down-arrow icon indicates that the event has moved down in the standings since the last time the widget updated. A number indicating how many places the event has moved down appears next to the icon.

The widget displays the last time it updated, based on the local time of the appliance. The widget updates with a frequency that depends on the dashboard time range. For example, if you set the dashboard time range to an hour, the widget updates every five minutes. On the other hand, if you set the dashboard time range to a year, the widget updates once a week. To determine when the dashboard will update next, hover your pointer over the Last updated notice in the bottom left corner of the widget.

If you want information on events or other collected data over time, you can configure the Custom Analysis widget to display a line graph, such as one that displays the total number of intrusion events generated in your deployment over time. For graphs over time, you can choose the time zone that the widget uses as well as the color of the line.

Finally, you can choose a custom title for the widget.

From Custom Analysis widgets, you can invoke event views (that is, workflows) that provide detailed information about the events displayed in the widget.

IMPORTANT! Depending on how they are configured, Custom Analysis widgets can place a drain on an appliance’s resources; a red-shaded Custom Analysis widget indicates that its use is harming system performance. If the widget continues to stay red over time, you should remove the widget.

For more information, see the following sections:

• Configuring the Custom Analysis Widget on page 72

• Viewing Associated Events from the Custom Analysis Widget on page 78

• Custom Analysis Widget Limitations on page 79

Configuring the Custom Analysis Widget

Requires: Any As with all widgets, the Custom Analysis widget has preferences that determine its behavior. To configure a Custom Analysis widget, show the preferences as described in Understanding Widget Preferences on page 64.

A different set of preferences appears depending on whether you configure the widget to show relative occurrences of events (that is, a bar graph), or you configure the widget to show a graph over time (that is, a line graph).


To configure the widget to show a bar graph, select any value except Time from the Field drop-down list, as shown in the following graphic.

To configure the widget to show a line graph, select Time from the Field drop-down list, as shown in the following graphic.

The following table describes the various preferences you can set in the Custom Analysis widget.

Custom Analysis Widget Preferences

Use this preference... | To control...
Title | the title of the widget. If you do not specify a title, the appliance uses the configured event type as the widget title.
Preset | the preset for the widget. The Custom Analysis widget is delivered with several presets, which are groups of configurations that are predefined by Sourcefire. The presets serve as examples and can provide quick access to information about your deployment. You can use these presets or you can create a custom configuration. For a detailed list of presets, see the Custom Analysis Widget Presets table on page 75.
Table | the table of events which contains the event data the widget displays.
Field | the specific field of the event type you want to display. TIP! To display a graph over time, select Time.
Aggregate | the aggregation method for the widget. The aggregation method configures how the widget groups the data it displays. For most event types, the default aggregation criterion is Count.
Search | the saved search you want to use to further constrain the data that the widget displays. You do not have to specify a search, although some presets use predefined searches.
Show | whether you want to display the most frequently occurring events (Top) or the least frequently occurring events (Bottom).
Results | the number of results rows you want to display. You can display from 10 to 25 result rows, in increments of five.
Show Movers | whether you want to display the icons that indicate additions or movement from the most recent results.
Time Zone | which time zone you want to use to display results. The time zone appears whenever you select a time-based field.
Color | the color of the bars in the widget background that show the relative number of occurrences of each result.

The following table describes the available presets for the Custom Analysis widget. It also indicates which, if any, Defense Center predefined dashboard uses each preset. (The predefined dashboards on the Master Defense Center and 3D Sensor do not include Custom Analysis widgets.)

Custom Analysis Widget Presets

Preset | Description | Predefined Dashboards | Requires
All Intrusion Events | Displays a graph of the total number of intrusion events on your monitored network over the dashboard time range. | Default Dashboard, Detailed Dashboard | IPS or DC/MDC + IPS
All Intrusion Events (Not Dropped) | Displays the most frequently occurring types of intrusion events, by classification, where the packet was not dropped as part of the event. | Detailed Dashboard | IPS or DC/MDC + IPS
Client Applications | Displays the most active client applications on your monitored network, by application type. | Detailed Dashboard | DC + RNA
Dropped Intrusion Events | Displays counts for the most frequently occurring intrusion events, by classification, where the packet was dropped. | Default Dashboard | IPS or DC/MDC + IPS
Flows by Initiator IP | Displays the most active hosts on your monitored network, based on the number of flows where the host initiated the session. | Flow Summary | DC + RNA
Flows by Port | Displays the most active ports on your monitored network, based on the number of detected flows. | Flow Summary | DC + RNA
Flows by Responder IP | Displays the most active hosts on your monitored network, based on the number of flows where the host was the responder in the session. | Flow Summary | DC + RNA
Flows by Service | Displays the most active services on your monitored network, based on the number of detected flows. | Flow Summary | DC + RNA
Flows over Time | Displays a graph of the total number of flows on your monitored network, over the dashboard time range. | Flow Summary | DC + RNA
Intrusion Events Requiring Analysis | Displays a count of intrusion events requiring analysis, based on event classification. | Detailed Dashboard | DC/MDC + IPS + RNA
Intrusion Events by Hour | Displays the most active hours of the day, based on frequency of intrusion events. | none | IPS or DC/MDC + IPS
Intrusion Events to High Criticality Hosts | Displays the most frequently occurring types of intrusion events, based on the number of intrusion events occurring on high criticality hosts. | Detailed Dashboard | DC/MDC + IPS + RNA
Operating Systems | Displays the most common operating systems, based on the number of hosts running each operating system within your network. | Detailed Dashboard | DC + RNA
Services | Displays the most common RNA service vendors, based on the number of hosts on the network running services made by that vendor. | Detailed Dashboard | DC + RNA
Top Attackers | Displays the most active hosts on your monitored network, based on the number of intrusion events where the host was the attacking host in the flow that caused the event. | Default Dashboard | IPS or DC/MDC + IPS
Top Targets | Displays the most active hosts on your monitored network, based on the number of intrusion events where the host was the targeted host in the flow that caused the event. | Default Dashboard | IPS or DC/MDC + IPS
Traffic by Initiator IP | Displays the most active hosts on your monitored network, based on the number of kilobytes per second of data transmitted by the hosts. | Detailed Dashboard, Flow Summary | DC + RNA
Traffic by Initiator User | Displays the most active RUA users on your monitored network, based on the total number of kilobytes of data received by the hosts where those users are logged in. | Detailed Dashboard | DC + RNA + RUA
Traffic by Port | Displays the most active responder ports on your monitored network, based on the number of kilobytes per second of data transmitted via the port. | Flow Summary | DC + RNA
Traffic by Responder IP | Displays the most active hosts on your monitored network, based on the number of kilobytes per second of data received by the hosts. | Detailed Dashboard, Flow Summary | DC + RNA
Traffic by Service | Displays the most active services on your monitored network, based on the number of kilobytes per second of data transmitted by the service. | Detailed Dashboard, Flow Summary | DC + RNA
Traffic over Time | Displays a graph of the total kilobytes of data transmitted on your monitored network over the dashboard time range. | Detailed Dashboard, Flow Summary | DC + RNA
Unique Intrusion Events by Destination IP | Displays the most active targeted hosts, based on the number of unique intrusion events per targeted host. | none | IPS or DC/MDC + IPS
Unique Intrusion Events by Impact | Displays the number of unique intrusion event types associated with each impact flag level. | none | DC/MDC + IPS + RNA
White List Violations | Displays the hosts with the most white list violations, by violation count. | Detailed Dashboard | DC + RNA

Viewing Associated Events from the Custom Analysis Widget

Requires: Any

Depending on the kind of data that a Custom Analysis widget is configured to display, you can invoke an event view (that is, a workflow) that provides detailed information about the events displayed in the widget.

When you invoke an event view from the dashboard, the events appear in the default workflow for that event type, constrained by the dashboard time range. This also changes the appropriate time window for the appliance, depending on how many time windows you have configured and on what type of event you are trying to view.

For example, if you configure multiple time windows on your Defense Center and then access health events from a Custom Analysis widget, the events appear in the default health events workflow, and the health monitoring time window changes to the dashboard time range.

As another example, if you configure a single time window and then access any type of event from the Custom Analysis widget, the events appear in the default workflow for that event type, and the global time window changes to the dashboard time range.

For more information on time windows, see Default Time Windows on page 29 and Specifying Time Constraints in Searches in the Analyst Guide.


To view associated events from the Custom Analysis Widget:

Access: Any except Restricted

You have two options, depending on how you configured the widget:

• On widgets configured to show relative occurrences of events (that is, bar graphs), click any event to view associated events constrained by the widget preferences, as well as by that event. You can also click the View All icon in the lower right corner of the widget to view all associated events, constrained by the widget preferences.

• On widgets configured to show flow data over time, click the View All icon in the lower right corner of the widget to view all associated events, constrained by the widget preferences.

For information on working with specific event types, see the following sections:

• Viewing Audit Records on page 567

• Viewing Intrusion Events in the Analyst Guide

• Viewing RNA Network Discovery and Host Input Events in the Analyst Guide

• Viewing Hosts in the Analyst Guide

• Viewing Host Attributes in the Analyst Guide

• Viewing Services in the Analyst Guide

• Viewing Client Applications in the Analyst Guide

• Viewing Vulnerabilities in the Analyst Guide

• Viewing Flow Data in the Analyst Guide

• Viewing RUA Users in the Analyst Guide

• Viewing RUA Events in the Analyst Guide

• Viewing Compliance Events in the Analyst Guide

• Viewing White List Events in the Analyst Guide

• Viewing White List Violations in the Analyst Guide

• Viewing the SEU Import Log in the Analyst Guide

• Working with Active Scan Results in the Analyst Guide

• Understanding Custom Tables in the Analyst Guide

Custom Analysis Widget Limitations

Requires: Any

There are some important points to keep in mind when using the Custom Analysis widget.

If you are configuring the widget on a shared dashboard, remember that not all users can view data of all event types, depending on the user’s account privileges. For example, Intrusion Event Analysts cannot view RNA events.

Similarly, if you are using a dashboard imported from another appliance, remember that not all appliances have access to data of all event types. For example, the Master Defense Center does not store flow data. If your dashboard includes a Custom Analysis widget that displays data that you cannot see, the widget indicates that you are unauthorized to view the data. Note, however, that you (and any other users who share the dashboard) can modify the preferences of the widget to display data that you can see, or even delete the widget. If you want to make sure that this does not happen, save the dashboard as private.

Remember that only you can access searches that you have saved as private. If you configure the widget on a shared dashboard and constrain its events using a private search, the widget resets to not using the search when another user logs in. This affects your view of the widget as well. If you want to make sure that this does not happen, save the dashboard as private.

You enable or disable the Custom Analysis widget from the Dashboard settings in your system policy. For more information, see Configuring Dashboard Settings on page 331.
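To make the semantics of the Custom Analysis Widget Preferences table concrete, here is an added Python model of how Field, Aggregate, Search, Show, Results and Show Movers turn a table of events into ranked rows; this is example code written for this page, not Sourcefire code, and the event records, field names and function names are constructed. The sample run mirrors the Dropped Intrusion Events preset: classifications counted over events where the packet was dropped.

```python
"""Added example (not Sourcefire code): a small model of how the Custom
Analysis widget preferences (Field, Aggregate, Search, Show, Results and
Show Movers) turn a table of events into the ranked rows the widget
displays. Event records, field names and function names are constructed
for this example."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Optional, Sequence

# Constructed sample intrusion events (hypothetical, not real event data).
SAMPLE_EVENTS: List[Dict] = [
    {"time": datetime(2011, 3, 1, 9, 5), "classification": "Attempted Administrator Privilege Gain", "src_ip": "10.0.0.5", "dropped": False},
    {"time": datetime(2011, 3, 1, 9, 20), "classification": "Web Application Attack", "src_ip": "10.0.0.7", "dropped": True},
    {"time": datetime(2011, 3, 1, 9, 45), "classification": "Web Application Attack", "src_ip": "10.0.0.5", "dropped": False},
    {"time": datetime(2011, 3, 1, 10, 2), "classification": "Web Application Attack", "src_ip": "10.0.0.9", "dropped": True},
    {"time": datetime(2011, 3, 1, 10, 30), "classification": "Attempted Information Leak", "src_ip": "10.0.0.5", "dropped": False},
    {"time": datetime(2011, 3, 1, 11, 10), "classification": "Attempted Information Leak", "src_ip": "10.0.0.7", "dropped": False},
]

# Results preference: 10 to 25 rows, in increments of five.
ALLOWED_RESULTS = (10, 15, 20, 25)


@dataclass(frozen=True)
class ResultRow:
    value: str       # the grouped field value (or the hour bucket for Time)
    count: int       # Aggregate = Count
    mover: str = ""  # "new", "up", "down" or "" when Show Movers is enabled


def clamp_results(requested: int) -> int:
    """Snap a requested row count to the nearest value the Results preference allows."""
    return min(ALLOWED_RESULTS, key=lambda allowed: (abs(allowed - requested), allowed))


def custom_analysis(
    events: Sequence[Dict],
    field: str,
    search: Optional[Callable[[Dict], bool]] = None,
    show: str = "Top",
    results: int = 10,
    show_movers: bool = False,
    previous: Optional[Sequence[str]] = None,
) -> List[ResultRow]:
    """Rank events the way one Custom Analysis widget configuration would.

    search   - predicate standing in for a saved search that constrains the events
    show     - "Top" (most frequent first) or "Bottom" (least frequent first)
    previous - values from the most recent result set, in rank order, used for movers
    """
    rows = [e for e in events if search is None or search(e)]

    if field == "time":
        # Selecting Time gives a graph over time: count per hour, in chronological order.
        counts = Counter(e["time"].strftime("%Y-%m-%d %H:00") for e in rows)
        return [ResultRow(bucket, counts[bucket]) for bucket in sorted(counts)]

    counts = Counter(str(e[field]) for e in rows)
    # Top sorts by descending count, Bottom by ascending; ties break on the value
    # so the ranking (and therefore the movers) is deterministic.
    sign = -1 if show == "Top" else 1
    ordered = sorted(counts.items(), key=lambda kv: (sign * kv[1], kv[0]))
    ordered = ordered[: clamp_results(results)]

    prev_rank = {value: i for i, value in enumerate(previous or [])}
    output = []
    for i, (value, count) in enumerate(ordered):
        mover = ""
        if show_movers:
            if value not in prev_rank:
                mover = "new"    # appeared since the most recent results
            elif prev_rank[value] > i:
                mover = "up"     # moved towards the top of the list
            elif prev_rank[value] < i:
                mover = "down"
        output.append(ResultRow(value, count, mover))
    return output


if __name__ == "__main__":
    only_dropped = lambda e: e["dropped"]  # stands in for a saved search
    for row in custom_analysis(SAMPLE_EVENTS, "classification", search=only_dropped):
        print(row)
```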

Understanding the Disk Usage Widget

Requires: Any

The Disk Usage widget indicates the percentage of space used on each partition of the appliance’s hard drive. It also shows the capacity of each partition.

You can configure the widget to display just the root (/) and /volume partition usage, or you can show these plus the /boot partition usage by modifying the widget preferences.

The widget preferences also control how often the widget updates, as well as whether it displays the current disk usage or collected disk usage statistics over the dashboard time range. For more information, see Understanding Widget Preferences on page 64.


Understanding the Interface Traffic Widget

Requires: Any

The Interface Traffic widget shows the rate of traffic received (Rx) and transmitted (Tx) on the appliance’s interfaces over the dashboard time range. Note that only 3D Sensors have interfaces other than the management interface.

The widget preferences control how often the widget updates. On 3D Sensors, the preferences also control whether the widget displays the traffic rate for unused interfaces (by default, the widget only displays the traffic rate for interfaces that belong to an interface set). For more information, see Understanding Widget Preferences on page 64.

Understanding the Intrusion Events Widget

Requires: IPS or DC/MDC + IPS

The Intrusion Events widget shows the rate of intrusion events that occurred over the dashboard time range. On the Defense Center and Master Defense Center, this includes statistics on intrusion events of different impacts.

On the 3D Sensor, the widget can display statistics for dropped intrusion events, all intrusion events, or both. Note that for managed 3D Sensors, you must enable local event storage or the widget will not have any data to display.

On the Defense Center and Master Defense Center, you can configure the widget to display intrusion events of different impacts by modifying the widget preferences. On the 3D Sensor, you cannot configure the widget to display intrusion events by impact. On either appliance, you can display dropped events. The following graphic shows the Defense Center version of the widget preferences.

In the widget preferences, you can:

• Requires: DC/MDC select one or more Event Flags check boxes to display separate graphs for events of specific impacts; select All to display an additional graph for all intrusion events, regardless of impact or rule state; see Using Impact Flags to Evaluate Events in the Analyst Guide

• select Show to choose Events per second or Total events

• select Vertical Scale to choose Linear (incremental) or Logarithmic (factor of ten) scale

The preferences also control how often the widget updates. For more information, see Understanding Widget Preferences on page 64.

On the Intrusion Events widget, you can:

• Requires: DC/MDC click a graph corresponding to a specific impact to view intrusion events of that impact

• click the graph corresponding to dropped events to view dropped events

• click the All graph to view all intrusion events

Note that the resulting event view is constrained by the dashboard time range; accessing intrusion events via the dashboard changes the events (or global) time window for the appliance. For more information on intrusion events, see Viewing Intrusion Events in the Analyst Guide.

Understanding the Network Compliance Widget

Requires: DC

The Network Compliance widget summarizes your hosts’ compliance with the compliance white lists you configured (see Using RNA as a Compliance Tool in the Analyst Guide). By default, the widget displays a pie chart that shows the number of hosts that are compliant, non-compliant, and that have not been evaluated, for all compliance white lists that you have created.

You can configure the widget to display network compliance either for all white lists, or for a specific white list, by modifying the widget preferences.

Note that if you choose to display network compliance for all white lists, the widget considers a host to be non-compliant if it is not compliant with any of the white lists on the Defense Center, including white lists that are no longer in active compliance policies. To bring these hosts into compliance, delete the unused white lists.

You can also use the widget preferences to specify which of three different styles you want to use to display network compliance.

The Network Compliance style (the default) displays a pie chart that shows the number of hosts that are compliant, non-compliant, and that have not been evaluated. You can click the pie chart to view the host violation count, which lists the hosts that violate at least one white list. For more information, see Viewing White List Violations in the Analyst Guide.


The Network Compliance over Time (%) style displays a stacked area graph showing the relative proportion of hosts that are compliant, non-compliant, and that have not yet been evaluated, over the dashboard time range.

The Network Compliance over Time style displays a line graph that shows the number of hosts that are compliant, non-compliant, and that have not yet been evaluated, over the dashboard time range.

The preferences control how often the widget updates. You can check the Show Not Evaluated box to hide events which have not been evaluated. For more information, see Understanding Widget Preferences on page 64.

Understanding the Product Licensing Widget

Requires: DC

The Product Licensing widget shows the feature licenses currently installed on the Defense Center. It also indicates the number of items (such as hosts or users) licensed and the number of remaining licensed items allowed.

The top section of the widget displays all of the feature licenses installed on the Defense Center, including temporary licenses, while the Temporary Licenses section displays only temporary and expired licenses. For example, if you have two feature licenses for RNA Hosts, one of which is a permanent license and allows 750 hosts, and another that is temporary and allows an additional 750 hosts, the top section of the widget displays an RNA Hosts feature license with 1500 licensed hosts, while the Temporary Licenses section displays an RNA Hosts feature license with 750 hosts.

The bars in the widget background show the percentage of each type of license that is being used; you should read the bars from right to left. Expired licenses are marked with a strikethrough.

You can configure the widget to display either the features that are currently licensed, or all the features that you can license, by modifying the widget preferences. The preferences also control how often the widget updates. For more information, see Understanding Widget Preferences on page 64.

You can click any of the license types to go to the License page of the System Settings and add or delete feature licenses. For more information, see Managing Your Feature Licenses on page 370.

Understanding the Product Updates Widget

Requires: Any

The Product Updates widget provides you with a summary of the software (Sourcefire 3D System software, SEU, and VDB) currently installed on the appliance as well as information on available updates that you have downloaded, but not yet installed, for that software.

Note that the widget displays Unknown as the latest version of the software unless you have configured a scheduled task to download, push, or install software updates; the widget uses scheduled tasks to determine the latest version. For more information, see Scheduling Tasks on page 425.

The widget also provides you with links to pages where you can update the software; the Defense Center version of the widget provides you with similar links so you can update the software on your managed sensors. Note that you cannot update the VDB on a sensor or a Master Defense Center.

You can configure the widget to hide the latest versions by modifying the widget preferences. The preferences also control how often the widget updates. For more information, see Understanding Widget Preferences on page 64.


On the Product Updates widget, you can:

• manually update an appliance by clicking the current version of the Sourcefire 3D System software, SEU, or VDB; see Updating System Software on page 398 and Importing SEUs and Rule Files in the Analyst Guide

• create a scheduled task to download the latest version of the Sourcefire 3D System software, SEU, or VDB by clicking either the latest version or the Unknown link in the Latest column; see Scheduling Tasks on page 425

Understanding the RSS Feed Widget

Requires: Any

The RSS Feed widget adds an RSS feed to a dashboard. By default, the widget shows a feed of Sourcefire company news.

You can also configure the widget to display a preconfigured feed of Sourcefire security news, or you can create a custom connection to any other RSS feed by specifying its URL in the widget preferences.

Feeds update every 24 hours (although you can manually update the feed) and the widget displays the last time the feed was updated based on the local time of the appliance. Keep in mind that the appliance must have access to the Sourcefire web site (for the two preconfigured feeds) or to any custom feed you configure.

When you configure the widget, you can also choose how many stories from the feed you want to show in the widget, as well as whether you want to show descriptions of the stories along with the headlines; keep in mind that not all RSS feeds use descriptions.


On the RSS Feed widget, you can:

• click one of the stories in the feed to view the story

• click the more link to go to the feed’s web site

• click the update icon to manually update the feed

Understanding the System Load Widget

Requires: Any

The System Load widget shows the CPU usage (for each CPU), memory (RAM) usage, and system load (also called the load average, measured by the number of processes waiting to execute) on the appliance, both currently and over the dashboard time range.

You can configure the widget to show or hide the load average by modifying the widget preferences. The preferences also control how often the widget updates. For more information, see Understanding Widget Preferences on page 64.

Understanding the System Time Widget

Requires: Any

The System Time widget shows the local system time, uptime, and boot time for the appliance.

You can configure the widget to hide the boot time by modifying the widget preferences. The preferences also control how often the widget synchronizes with the appliance’s clock. For more information, see Understanding Widget Preferences on page 64.


Understanding the White List Events Widget

Requires: DC/MDC

The White List Events widget shows the average events per second by priority, over the dashboard time range.

You can configure the widget to display white list events of different priorities by modifying the widget preferences.

In the widget preferences, you can:

• select one or more Priorities check boxes to display separate graphs for events of specific priorities, including events that do not have a priority

• select Show All to display an additional graph for all white list events, regardless of priority

• select Vertical Scale to choose Linear (incremental) or Logarithmic (factor of ten) scale

The preferences also control how often the widget updates. For more information, see Understanding Widget Preferences on page 64.

You can click a graph to view white list events of a specific priority, or click the All graph to view all white list events. In either case, the events are constrained by the dashboard time range; accessing white list events via the dashboard changes the events (or global) time window for the Defense Center. For more information on white list events, see Viewing White List Events in the Analyst Guide.


Working with Dashboards

Requires: Any

You manage dashboards on the Dashboard List page (see Viewing Dashboards on page 91). You can create, view, modify, export, and delete dashboards.

For each dashboard, the page indicates the owner (that is, the user who created it) and whether a dashboard is private. Note that, unless you have Admin access, you can only see your own private dashboards; you cannot view or modify private dashboards created by other users.

Finally, the page indicates which dashboard is the default. You specify the default dashboard in your user preferences; for more information, see Specifying Your Default Dashboard on page 35.

For more information on working with dashboards, see:

• Creating a Custom Dashboard on page 89

• Viewing Dashboards on page 91

• Modifying Dashboards on page 93

• Deleting a Dashboard on page 97

• Exporting a Dashboard on page 585

Creating a Custom Dashboard

Requires: Any

When you create a new dashboard, you can choose to base it on any pre-existing dashboard, including the Sourcefire default dashboard, or on any user-defined dashboard. This makes a copy of the pre-existing dashboard; you can modify this copy to suit your needs. Optionally, you can create a blank new dashboard by choosing not to base your dashboard on any pre-existing dashboards.

You must also specify (or disable) the tab change and page refresh intervals. These settings determine how often the dashboard cycles through its tabs and how often the entire dashboard page refreshes.

Refreshing the entire dashboard allows you to see any preference or layout changes that were made to a shared dashboard by another user, or that you made to a private dashboard on another computer, since the last time the dashboard refreshed. This can be useful, for example, in a network operations center (NOC) where a dashboard is displayed at all times. If you want to make changes to the dashboard, you can make the changes at a local computer. Then, the dashboard in the NOC automatically refreshes at the interval you specify and displays your changes without you having to manually refresh the dashboard in the NOC. Note that you do not need to refresh the entire dashboard to see data updates; individual widgets update according to their preferences.


Finally, you can choose to associate the new dashboard with your user account by saving it as a private dashboard. If you choose not to save the dashboard as private, all other users of the appliance can view it.

Keep in mind that because not all user roles have access to all dashboard widgets, users with fewer permissions viewing a dashboard created by a user with more permissions may not be able to use all of the widgets on the dashboard. Although the unauthorized widgets still appear on the dashboard, they are disabled.

You should also keep in mind that any user, regardless of role, can modify shared dashboards. If you want to make sure that only you can modify a particular dashboard, save it as private.

TIP! Instead of creating a new dashboard, you can export a dashboard from another appliance and then import it onto your appliance. You can then edit the imported dashboard to suit your needs. Note that the dashboard widgets you can view depend on the type of appliance you are using and on your user role; for example, a dashboard created on the Defense Center and imported onto a 3D Sensor or Master Defense Center may display some invalid, disabled widgets. For more information, see Importing and Exporting Objects on page 583.

To create a new dashboard:

Access: Any except Restricted

1. Select Analysis & Reporting > Event Summary > Dashboards.

If you have a default dashboard defined, it appears. If you do not have a default dashboard defined, the Dashboard List page appears.

2. In either case, click New Dashboard.

The New Dashboard page appears.

3. Use the Copy Dashboard drop-down list to select the dashboard on which you want to base the new dashboard.

You can select any predefined or user-defined dashboard. Optionally, select None (the default) to create a blank dashboard.

4. Type a name and optional description for the dashboard.


5. In the Change Tabs Every field, specify (in minutes) how often the dashboard should change tabs.

Unless you pause the dashboard or your dashboard has only one tab, this setting advances your view to the next tab at the interval you specify. To disable tab cycling, enter 0 in the Change Tabs Every field.

6. In the Refresh Page Every field, specify (in minutes) how often the current dashboard tab should refresh with new data. This value must be greater than the Change Tabs Every setting.

Unless you pause the dashboard, this setting will refresh the entire dashboard at the interval you specify. To disable the periodic page refresh, enter 0 in the Refresh Page Every field.

Note that this setting is separate from the update interval available on many individual widgets; although refreshing the dashboard page resets the update interval on individual widgets, widgets will update according to their individual preferences even if you disable the Refresh Page Every setting.

7. Optionally, select the Save As Private check box to associate the dashboard with your user account and to prevent other users from viewing and modifying the dashboard.

8. Click Save.

Your dashboard is created and appears in the web interface. You can now tailor it to suit your needs by adding tabs and widgets (and, if you based it on a pre-existing dashboard, by rearranging and deleting widgets). For more information, see Modifying Dashboards on page 93.

Viewing Dashboards

Requires: Any

By default, the home page for your appliance displays the default dashboard. If you do not have a default dashboard defined, the home page shows the Dashboard List page, where you can choose a dashboard to view. To view the details of all available dashboards, click Dashboards from the Dashboard toolbar.

TIP! You can configure your appliance to display a different default home page, including pages that are not dashboard pages. You can also change the default dashboard. For more information, see Specifying Your Home Page on page 35 and Specifying Your Default Dashboard on page 35.

Each dashboard has a time range that constrains its widgets. You can change the time range to reflect a period as short as the last hour (the default) or as long as the last year. When you change the time range, the widgets that can be constrained by time automatically update to reflect the new time range.

Note that not all widgets can be constrained by time. For example, the dashboard time range has no effect on the Appliance Information widget, which provides information that includes the appliance name, model, and current version of the Sourcefire 3D System software.

Keep in mind that for enterprise deployments of the Sourcefire 3D System, changing the time range to a long period may not be useful for widgets like the Custom Analysis widget, depending on how often newer events replace older events.

You can also pause a dashboard, which allows you to examine the data provided by the widgets without the display changing and interrupting your analysis. Pausing a dashboard has the following effects:

• Individual widgets stop updating, regardless of any Update Every widget preference.

• Dashboard tabs stop cycling, regardless of the Cycle Tabs Every setting in the dashboard properties.

• Dashboard pages stop refreshing, regardless of the Refresh Page Every setting in the dashboard properties.

• Changing the time range has no effect.

When you are finished with your analysis, you can unpause the dashboard. Unpausing the dashboard causes all the appropriate widgets on the page to update to reflect the current time range. In addition, dashboard tabs resume cycling and the dashboard page resumes refreshing according to the settings you specified in the dashboard properties.

IMPORTANT! Although your session normally logs you out after 3.5 hours of inactivity, this will not happen while you are viewing a dashboard, unless the dashboard is paused.

To view a dashboard:

Access: Any except Restricted

Select Analysis & Reporting > Event Summary > Dashboards. You have two options, depending on whether you have a default dashboard defined:

• If you have a default dashboard defined, it appears. To view a different dashboard, use the Dashboards menu on the toolbar.

• If you do not have a default dashboard defined, the Dashboard List page appears. Click View next to the dashboard you want to view.

The dashboard you selected appears.

To change the dashboard time range:

Access: Any except Restricted

From the Show the Last drop-down list, choose a dashboard time range.

Unless the dashboard is paused, all appropriate widgets on the page update to reflect the new time range.

To pause the dashboard:

Access: Any except Restricted

On the time range control, click the pause icon.

The dashboard is paused until you unpause it.

To unpause the dashboard:

Access: Any except Restricted

On the time range control of a paused dashboard, click the play icon.

The dashboard is unpaused.

Modifying Dashboards

Requires: Any Each dashboard has one or more tabs. You can add, delete, and rename tabs.

Note that you cannot change the order of dashboard tabs.

Each tab can display one or more widgets in a three-column layout. You can minimize and maximize widgets, add and remove widgets from tabs, as well as rearrange the widgets on a tab.

You can also change the basic dashboard properties, which include its name and description, the tab cycle and page refresh intervals, and whether you want to share the dashboard with other users.

IMPORTANT! Any user, regardless of role, can modify shared dashboards. If you want to make sure that only you can modify a particular dashboard, make sure to set it as a private dashboard in the dashboard properties.

For more information, see the following sections:

• Changing Dashboard Properties on page 93

• Adding Tabs on page 94

• Deleting Tabs on page 95

• Renaming Tabs on page 95

• Adding Widgets on page 95

• Rearranging Widgets on page 97

• Minimizing and Maximizing Widgets on page 97

• Deleting Widgets on page 97

Changing Dashboard Properties

Requires: Any Use the following procedure to change the basic dashboard properties, which include its name and description, the tab cycle and page refresh intervals, and whether you want to share the dashboard with other users.

To change a dashboard’s properties:

Access: Any except Restricted

1. Select Analysis & Reporting > Event Summary > Dashboards.

If you have a default dashboard defined, it appears; continue with the next step.

If you do not have a default dashboard defined, the Dashboard List page appears; skip to step 3.

2. On the toolbar, click Dashboards.

The Dashboard List page appears.

3. Click Edit next to the dashboard whose properties you want to change.

The Edit Dashboard page appears. See Creating a Custom Dashboard on page 89 for information on the various configurations you can change.

4. Make changes as needed and click Save.

The dashboard is changed.

Adding Tabs

Requires: Any Use the following procedure to add a tab to a dashboard.

To add a tab to a dashboard:

Access: Any except Restricted

1. View the dashboard where you want to add a tab.

For more information, see Viewing Dashboards on page 91.

2. To the right of the existing tabs, click the add tab icon.

A pop-up window appears, prompting you to name the tab.

3. Type a name for the tab and click OK, or simply click OK to accept the default name. Note that you can rename the tab at any time; see Renaming Tabs on page 95.

The new tab is added.

You can now add widgets to the new tab. For more information, see Adding Widgets on page 95.

Deleting Tabs

Requires: Any Use the following procedure to delete a dashboard tab and all its widgets. You cannot delete the last tab from a dashboard; each dashboard must have at least one tab.

To delete a tab from a dashboard:

Access: Any except Restricted

1. View the dashboard where you want to delete a tab.

For more information, see Viewing Dashboards on page 91.

2. On the tab you want to delete, click the delete icon.

3. Confirm that you want to delete the tab.

The tab is deleted.

Renaming Tabs

Requires: Any Use the following procedure to rename a dashboard tab.

To rename a tab:

Access: Any except Restricted

1. View the dashboard where you want to rename a tab.

For more information, see Viewing Dashboards on page 91.

2. Click the tab you want to rename.

3. Click the tab title.

A pop-up window appears, prompting you to rename the tab.

4. Type a name for the tab and click OK.

The tab is renamed.

Adding Widgets

Requires: Any To add a widget to a dashboard, you must first decide to which tab you want to add the widget. When you add a widget to a tab, the appliance automatically adds it to the column with the fewest widgets. If all columns have an equal number of widgets, the new widget is added to the left-most column. You can add a maximum of 15 widgets to a dashboard tab.

TIP! After you add widgets, you can move them to any location on the tab. You cannot, however, move widgets from tab to tab. For more information, see Rearranging Widgets on page 97.
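The placement rule described above (the new widget goes to the column with the fewest widgets, the left-most column wins a tie, and a tab holds at most 15 widgets) as an added Python model. This is illustration code written for this page, not Sourcefire code: the appliance's real placement logic is not published, and the function names, the column representation and the sample widget names are constructed assumptions.

```python
"""Model of the widget column placement described in Adding Widgets.

Added illustration, not Sourcefire code: the appliance's own placement logic is
not published, so this implements only the rules the guide states. A new widget
goes to the column with the fewest widgets, ties go to the left-most column, and
a tab holds at most 15 widgets. Widget names below are constructed samples.
"""
from __future__ import annotations

COLUMNS_PER_TAB = 3       # the guide describes a three-column tab layout
MAX_WIDGETS_PER_TAB = 15  # stated per-tab limit


class TabFullError(Exception):
    """Raised when a tab already holds MAX_WIDGETS_PER_TAB widgets."""


def new_tab() -> list[list[str]]:
    """An empty tab: one list of widget names per column, left to right."""
    return [[] for _ in range(COLUMNS_PER_TAB)]


def widget_count(columns: list[list[str]]) -> int:
    return sum(len(col) for col in columns)


def tab_is_full(columns: list[list[str]]) -> bool:
    return widget_count(columns) >= MAX_WIDGETS_PER_TAB


def choose_column(columns: list[list[str]]) -> int:
    """Index of the column a new widget lands in.

    min() over column indices keyed by column length returns the first index
    among equal minima, which is the left-most column: exactly the tie-break
    the guide describes.
    """
    return min(range(len(columns)), key=lambda i: len(columns[i]))


def add_widget(columns: list[list[str]], widget: str) -> int:
    """Place widget in the appropriate column and return that column's index."""
    if tab_is_full(columns):
        raise TabFullError(f"tab already holds {MAX_WIDGETS_PER_TAB} widgets")
    col = choose_column(columns)
    columns[col].append(widget)
    return col


def layout_after_adding(widgets: list[str]) -> list[list[str]]:
    """Start from an empty tab, add the widgets in order, return the columns."""
    tab = new_tab()
    for name in widgets:
        add_widget(tab, name)
    return tab


if __name__ == "__main__":
    # Constructed sample: the layout after a user has dragged widgets so that
    # the middle column is shorter than the others.
    tab = [["Appliance Information", "RSS Feed"],
           ["Custom Analysis"],
           ["RSS Feed", "Custom Analysis"]]
    print("next widget goes to column", add_widget(tab, "Custom Analysis"))  # 1
    for i, col in enumerate(tab):
        print(f"column {i}: {col}")
```

Because widgets can be dragged between columns after they are added, the columns are rarely balanced in practice, which is why the placement rule is stated in terms of the current column lengths rather than a fixed round-robin.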

To add a widget to a dashboard:

Access: Any except Restricted

1. View the dashboard where you want to add a widget.

For more information, see Viewing Dashboards on page 91.

2. Select the tab where you want to add the widget.

3. Click Add Widgets.

The Add Widgets page appears.

The widgets that you can add depend on the type of appliance you are using and on your user role. They are organized according to function: Analysis & Reporting, Operations, and Miscellaneous. You can view the widgets in each category by clicking on the category name, or you can view all widgets by clicking All Categories.

4. Click Add next to the widgets you want to add.

TIP! To add multiple widgets of the same type (for example, you may want to add multiple RSS Feed widgets, or multiple Custom Analysis widgets), click Add again.

The widget is immediately added to the dashboard. The Add Widgets page indicates how many widgets of each type are on the tab, including the widget you just added.

5. Optionally, when you are finished adding widgets, click Done to return to the dashboard.

The tab where you added the widgets appears again, reflecting the changes you made.

Rearranging Widgets

Requires: Any You can change the location of any widget on a tab. Note, however, that you cannot move widgets from tab to tab. If you want a widget to appear on a different tab, you must delete it from the existing tab and add it to the new tab.

To move a widget:

Access: Any except Restricted

Click the title bar of the widget you want to move, then drag it to its new location.

Minimizing and Maximizing Widgets

Requires: Any You can minimize widgets to simplify your view, then maximize them when you want to see them again.

To minimize a widget:

Access: Any except Restricted

Click the minimize icon in a widget’s title bar.

To maximize a widget:

Access: Any except Restricted

Click the maximize icon in a minimized widget’s title bar.

Deleting Widgets

Requires: Any Delete a widget if you no longer want to view it on a tab.

To delete a widget:

Access: Any except Restricted

1. Click the close icon in the title bar of the widget.

2. Confirm that you want to delete the widget.

The widget is deleted from the tab.

Deleting a Dashboard

Requires: Any Delete a dashboard if you no longer need to use it.

If you delete your default dashboard, you must define a new default or the appliance will force you to select a dashboard to view every time you attempt to view a dashboard. For more information, see Specifying Your Default Dashboard on page 35.

To delete a dashboard:

Access: Any except Restricted

1. Select Analysis & Reporting > Event Summary > Dashboards.

If you have a default dashboard defined, it appears; continue with the next step.

If you do not have a default dashboard defined, the Dashboard List page appears; skip to step 3.


2. On the toolbar, click Dashboards.

The Dashboard List page appears.

3. Click Delete next to the dashboard you want to delete.

4. Confirm that you want to delete the dashboard.

The dashboard is deleted.

Chapter 4: Using the Defense Center

The Sourcefire Defense Center is a key component in the Sourcefire 3D System. You can use the Defense Center to manage the full range of sensors that are a part of the Sourcefire 3D System, and to aggregate, analyze, and respond to the threats they detect on your network.

By using the Defense Center to manage sensors, you can configure policies for all your sensors from a single location, making it easier to change configurations. In addition, you can push various types of software updates to sensors. You can also push health policies to your managed sensors and monitor their health status from the Defense Center.

The Defense Center aggregates and correlates intrusion events, network discovery information, and sensor performance data, allowing you to monitor the information that your sensors are reporting in relation to one another and to assess the overall activity occurring on your network.

IMPORTANT! Some of the components in the Sourcefire 3D System (such as the Virtual 3D Sensors, 3Dx800 sensors, Intrusion Agents, RNA Software for Red Hat Linux, and Crossbeam-based software sensors) do not provide a web interface that you can use to view events or manage policies. You must use a Defense Center if your deployment includes any of these products.


See the following sections for more information about using the Defense Center to manage your sensors:

• Management Concepts on page 100 describes some of the features and limitations involved with managing your sensors with a Defense Center.

• Working in NAT Environments on page 112 describes the principles of setting up the management of your sensors in Network Address Translation environments.

• Working with Sensors on page 113 describes how to establish and disable connections between sensors and your Defense Center. It also explains how to add, delete, and change the state of managed sensors and how to reset management of a sensor.

• Managing Sensor Groups on page 131 describes how to create sensor groups as well as how to add and remove sensors from groups.

• Editing a Managed Sensor’s System Settings on page 133 describes the sensor attributes you can edit and explains how to edit them.

• Managing a Clustered Pair on page 140 describes how to create a clustered pair of 3D9900s and how to remove 3D9900s from clusters.

• Configuring High Availability on page 145 describes how to set up two Defense Centers as a high availability pair to help ensure continuity of operations.

Management Concepts

Requires: DC You can use a Defense Center to manage nearly every aspect of a sensor’s behavior. You can only use a single Defense Center to manage your sensor unless you are using a second Defense Center as a part of a high availability pair. The sections that follow explain some of the concepts you need to know as you plan your Sourcefire 3D System deployment.

• The Benefits of Managing Your Sensors on page 100

• What Can Be Managed by a Defense Center? on page 101

• Understanding Software Sensors on page 105

• Beyond Policies and Events on page 111

• Using Redundant Defense Centers on page 112

The Benefits of Managing Your Sensors

Requires: DC There are several benefits to using a Defense Center to manage your sensors.

First, you can use the Defense Center as a central point of management. Instead of managing each sensor using its own local web interface, you can use the Defense Center’s web interface to accomplish nearly any task on any sensor it manages. For example, you can create an intrusion policy on the Defense Center and apply it to all your managed 3D Sensors with IPS. This saves you from having to replicate the intrusion policy on each sensor, which can be a laborious task depending on how many of the thousands of intrusion rules you want to enable or disable. There is a similar savings when you create and apply RNA appliance and detection policies to managed 3D Sensors with RNA.

You can also create and apply system policies to your managed sensors. A system policy controls several appliance-level settings such as the login banner and the access control list. Because most of the sensors in your deployment are likely to have similar settings in the system policy, you can create the policy on the Defense Center and push it to the appropriate sensors instead of replicating it locally.

Second, when you manage a sensor with a Defense Center, all the intrusion events and RNA events are automatically sent to the Defense Center. You can view the events from a single web interface instead of having to log into each sensor’s interface to view the events there. You can also generate reports based on events from multiple sensors.

Third, if your Defense Center manages sensors with IPS and RNA, and those sensors view the same network traffic, then the Defense Center can correlate the intrusion events it receives with the information about hosts that RNA provides. The Defense Center can then assign impact flags to each intrusion event. The impact flag indicates how likely it is that an intrusion attempt will affect its target.

Fourth, you can use your Defense Center to configure external authentication through a Lightweight Directory Access Protocol (LDAP) or Remote Authentication Dial In User Service (RADIUS) server. You can use user information from an external server to authenticate users on your Sourcefire 3D System appliances. By pushing a system policy with configured authentication objects to your sensor, you push the external authentication object to the sensor. External authentication cannot be managed on the sensor, so you must use the Defense Center to manage it.

Finally, the Defense Center includes a feature called health monitoring that you can use to check the status of critical functionality across your Sourcefire 3D System deployment. You can take advantage of health monitoring by applying health policies to each of your managed sensors and then reviewing the health data that they send back to the Defense Center. You can also apply a health policy to the Defense Center to monitor its health.

What Can Be Managed by a Defense Center?

Requires: DC You can use your Defense Center as a central management point in a Sourcefire 3D System deployment to manage the following devices:

• Sourcefire 3D Sensors

• RNA Software for Red Hat Linux


• 3D Sensor Software for Crossbeam Systems X-Series

• Intrusion Agents on various platforms

IMPORTANT! Sourcefire recommends that you manage no more than three 3D Sensors with the DC500 model Defense Center. You can also use a DC500 to manage Sourcefire 3D Sensor software on approved platforms, as well as intrusion agents and RNA software on approved platforms. For details on DC500 database limitations see Database Event Limits on page 333.

When you manage a sensor (or a software sensor), information is transmitted between the Defense Center and the sensor over a secure, SSL-encrypted TCP tunnel.

The following illustration lists what is transmitted between a Sourcefire Defense Center and its managed sensors. Note that the types of events and policies that are sent between the appliances are based on the sensor type.

If you apply a policy on a sensor before you begin managing it with a Defense Center, you can see a read-only version of the policy on the Defense Center’s web interface.


Similarly, after you set up communications with a Defense Center and apply policies from the Defense Center to your sensor, you can see a read-only version of the running policies on the sensor’s web interface. The following graphics illustrate this process. First, before you set up sensor management, each appliance has its own policies:


Then, after communications are set up, read-only versions of running policies (represented by the dotted lines) are available:

The appliance where you originally create a policy is the policy’s “owner” and is identified that way if you view the policy on a different appliance. For example, the following graphic shows the Detection Engine page on a 3D Sensor with IPS. The Sample Intrusion Policy that is currently applied to the sensor’s two detection engines was created on the Defense Center (pine.example.com).

If you want to edit a policy, you must do it on the appliance where the policy was created.

TIP! After you set up management with a Defense Center, Sourcefire recommends that you use only the Defense Center’s web interface to view events and manage policies for your managed sensors.


The following user-created data and configurations are retained locally on the sensor and are not shared with the Defense Center:

• user accounts

• user preferences

• bookmarks

• saved searches

• custom workflows

• report profiles

• audit events

• syslog messages

• reviewed status for intrusion events (IPS only)

• contents of the clipboard (IPS only)

• incidents (IPS only)

If you create custom fingerprints on the Defense Center, they are automatically shared with managed 3D Sensors with RNA.

Also note that operations you perform on data on one appliance are not transmitted to other appliances. For example, if you delete an intrusion event from the Defense Center, the event remains on the sensor that discovered it. Similarly, deleting an intrusion event from a sensor does not delete it from the Defense Center.

Understanding Software Sensors

Requires: DC Several of the sensors you can manage with a Defense Center are software-based sensors. A software-based sensor is a software-only installation of Sourcefire 3D System sensor software. The following Sourcefire 3D System sensors are software-based:

• Intrusion Agents for various platforms. For more information, see Managing Intrusion Agents on page 106.

• 3D5800, 3D3800, and 3D9800 sensors. For more information, see Managing 3Dx800 Sensors on page 107.

• RNA Software for Red Hat Linux. For more information, see Managing RNA Software for Red Hat Linux on page 109.

• 3D Sensor Software with RNA for Crossbeam X-Series. For more information, see Managing 3D Sensor Software with RNA for Crossbeam on page 110.

• 3D Sensor Software with IPS for Crossbeam X-Series. For more information, see Managing 3D Sensor Software with IPS for Crossbeam on page 110.


Software-based sensors do not have a user interface on the sensor; they can only be managed from a Defense Center. In addition, some of the functionality in the Defense Center interface cannot be used with software-based sensors. For some software-based sensors, certain aspects of functionality are managed through the operating system or other features on the appliance.

Managing Intrusion Agents

Requires: DC The Sourcefire Intrusion Agent transmits events generated by open source Snort sensor installations to the Sourcefire Defense Center. These events can then be viewed along with data from 3D Sensors with IPS so you can easily analyze all the intrusion information gathered on your network.

The Defense Center cannot apply intrusion policies to the Intrusion Agent. You must tune your Snort rules and options manually on the computer where the Intrusion Agent resides. Also, high availability is not supported on Intrusion Agents.

IMPORTANT! When using Intrusion Agents registered to Defense Centers configured for high availability and managed by a Master Defense Center, register all Intrusion Agents to the primary Defense Center.


See the Supported Features for Intrusion Agents table for more information.

Supported Features for Intrusion Agents

Supported through Defense Center:

• Intrusion event collection and management

• Licensing

• Reports generated on the Defense Center

Supported through CLI and .conf files:

• Process management

• Registration of remote manager

• Rules tuning

Not Supported:

• Detection engine management

• Event storage on sensor

• Health policy apply

• High availability synchronization

• Host Statistics

• Interface set management

• Intrusion policy apply

• Network interface management

• Network settings

• Performance Statistics

• Remote backup and restore

• Remote reports

• Sensor information management (System Settings)

• SEU updates

• Software updates

• System policy apply

• Time settings

Managing 3Dx800 Sensors

Requires: DC + 3D Sensor

Sourcefire 3D Sensor 3800, 3D Sensor 5800, and 3D Sensor 9800 models (usually referred to as the 3Dx800 sensors) provide many of the features found on other 3D Sensors. However, because these models do not have a web interface and because configuration and event data cannot be stored on the sensors, certain features cannot be used with these sensors. See the Supported Features for 3Dx800 Sensors table for more information.

Supported Features for 3Dx800 Sensors

Supported through Defense Center (all 3Dx800 models):

• Detection engine management

• Health policy apply

• High availability synchronization

• Host Statistics

• Interface set management

• Intrusion policy apply (no OPSEC support)

• Intrusion event collection and management

• Licensing

• Performance Statistics (may be underreported because of multiple detection resources)

• Process management

• Reports generated on the Defense Center

• Sensor information management (System Settings)

• SEU updates

• Software updates

• System policy apply

• Time settings

Supported through Defense Center (3D3800 and 3D5800 only):

• Compliance policy apply

• RNA and compliance event collection and management

• RNA detection policy apply

• VDB updates

Supported through CLI:

• Network interface management

• Network settings

• Registration of remote manager

Not Supported:

• Custom fingerprinting

• Event storage on sensor

• Remote backup and restore

• Remote reports


Managing RNA Software for Red Hat Linux

Requires: DC RNA Software for Red Hat Linux provides many of the features found on 3D Sensors with RNA. However, not all of the features function in the same manner. See the Supported Features for RNA Software for Red Hat Linux table for more information.

Supported Features for RNA Software for Red Hat Linux

Supported through Defense Center:

• Compliance policy apply

• Detection engine management

• High availability synchronization

• Host Statistics

• Interface set management

• Licensing

• Performance Statistics

• Reports generated on the Defense Center

• RNA and compliance event collection and management

• RNA detection policy apply

• Sensor information management (System Settings)

• Software updates

• VDB updates

Supported through CLI:

• Network interface management

• Network settings

• Process management

• Registration of remote manager

• Time settings

Not Supported:

• Custom fingerprinting

• Event storage on sensor

• Health policy apply

• Remote backup and restore

• Remote reports

• System policy apply


Managing 3D Sensor Software with RNA for Crossbeam

Requires: DC 3D Sensor Software with RNA for Crossbeam provides many of the features found on 3D Sensors with RNA. However, not all of the features function in the same manner. See the Supported Features for RNA on Crossbeam table for more information.

Supported Features for RNA on Crossbeam

Supported through Defense Center:

• Compliance policy apply

• Detection engine management

• High availability synchronization

• Host Statistics

• Interface set management

• Licensing

• Performance Statistics

• Reports generated on the Defense Center

• RNA detection policy apply

• RNA and compliance event collection and management

• Sensor information management (in System Settings)

• Software updates

• VDB updates

Supported through Crossbeam X-Series CLI:

• Backup and restore

• Network interface management

• Network settings

• Process management

• Registration of remote manager

• Time settings

Not Supported:

• Custom fingerprinting

• Event storage on sensor

• Health policy apply

• Remote backup and restore

• Remote reports

• System policy apply

Managing 3D Sensor Software with IPS for Crossbeam

Requires: DC 3D Sensor Software with IPS for Crossbeam provides many of the features found on 3D Sensors with IPS. However, because the Crossbeam sensors do not have a user interface and because configuration and event data cannot be stored on the sensors, certain features cannot be used with this software. See the Supported Features for IPS on Crossbeam table for more information.

Supported Features for IPS on Crossbeam

Supported through Defense Center:

• Detection engine management

• High availability synchronization

• Host Statistics

• Interface set management

• Intrusion policy apply

• Intrusion event collection and management

• Licensing

• Performance Statistics

• Reports generated on the Defense Center

• SEU updates

• Sensor information management (in System Settings)

• Software updates

Supported through Crossbeam X-Series CLI:

• Backup and restore

• Network interface management

• Network settings

• Process management

• Registration of remote manager

• Time settings

Not Supported:

• Custom fingerprinting

• Event storage on sensor

• Health policy apply

• Remote backup and restore

• Remote reports

• System policy apply

Beyond Policies and Events

Requires: DC In addition to applying policies to sensors and receiving events from them, you can also perform other sensor-related tasks on the Defense Center.

Backing Up a Sensor

If you are storing event data on your sensor in addition to sending it to the Defense Center, you can use the Defense Center’s web interface to back up those events from the sensor. See Performing Sensor Backup with the Defense Center on page 419 for more information.

Running Remote Reports

You can create a report profile on the Defense Center and run it remotely using the data on a managed sensor. This is particularly useful if you want to generate a report for the audit events on a managed sensor. Audit events are stored locally and are not sent to the Defense Center, but you can design a report on the Defense Center, select a managed sensor, and run the report. If you set up the report so that it is automatically emailed to you, you do not even need a user account on the sensor to read the resulting report. See Working with Event Reports on page 232 for more information.

Updating Sensors

From time to time, Sourcefire releases updates to the Sourcefire 3D System, including:

• Security Enhancement Updates (SEUs), which can contain new and updated intrusion rules, as well as new and updated preprocessors and protocol decoders

• vulnerability database updates

• software patches and updates

You can use the Defense Center to push an update to the sensors it manages and then automatically install the update.

Using Redundant Defense Centers

Requires: DC You can set up two Defense Centers as a high availability pair. This ensures redundant functionality in case one of the Defense Centers fails. Policies, user accounts, and more are shared between the two Defense Centers. Events are automatically sent to both Defense Centers. See Configuring High Availability on page 145 for more information.

Working in NAT Environments

Requires: Any Network address translation (NAT) is a method of transmitting and receiving network traffic through a router that involves reassigning the source or destination IP address as the traffic passes through the router. Typical applications using NAT enable multiple hosts on a private network to use a single public IP address to access the public network.

When you add an appliance, you establish connections between appliances and register the appliances with one another. If you establish that communication in an environment without NAT, the two required pieces of common information during registration are the registration key and the unique IP address or the fully qualified domain name of the host. If you establish that communication in an environment with NAT, the two required pieces of common information during registration are the registration key and the unique NAT ID.

In the example diagram, when you set up the remote office 3D Sensors’ connections to the home office, use the Defense Center’s fully qualified domain name maple.company.com as its host name. For the registration key, you can use snort when adding either sensor, because the registration key does not have to be unique. However, you must use a unique NAT ID when adding the New York 3D Sensor to the Defense Center, and then use a different unique NAT ID when adding the Miami 3D Sensor. Each NAT ID has to be unique among all NAT IDs used to register sensors on the Defense Center.

Working with Sensors

Requires: DC + 3D Sensor

When you manage a sensor, you set up a two-way, SSL-encrypted communication channel between the Defense Center and the sensor. The Defense Center uses this channel to send information (in the form of policies) to the sensor about how you want to analyze your network traffic. As the sensor evaluates the traffic, it generates events and sends them to the Defense Center using the same channel. You can create the following policies on your Defense Center and apply them to managed sensors:

• health policies

• system policies

• RUA policies

• RNA detection policies

• intrusion policies

There are several steps to managing a sensor with a Defense Center:

The procedure for managing a 3Dx800 sensor differs from the procedure for managing other sensors. See Managing a 3Dx800 Sensor on page 125 for more information.

TIP! The process for setting up communications between the Defense Center and other products such as the Crossbeam-based software sensors, RNA Software for Red Hat Linux, and the Intrusion Agents is slightly different. Refer to the configuration guides for those products for more information.

1. Begin by setting up a communications channel between the two appliances.

This is a two-step process, with procedures that you need to perform on each side of the communications channel. See Adding Sensors to the Defense Center on page 117 for more information. (Deleting Sensors on page 121 explains how to remove a sensor from the Defense Center.)

2. Create the appropriate policies on the Defense Center and apply them to the sensor or to the appropriate detection engines on the sensor.

• IPS detection engines require an intrusion policy that determines which types of attacks 3D Sensors with IPS detect. See Using Intrusion Policies in the Analyst Guide for more information.

• RNA detection engines require an RNA detection policy, which controls the networks that 3D Sensors with RNA monitor. See What is an RNA Detection Policy? in the Analyst Guide for more information.

• You can also create and apply system policies, which control certain appliance-level features on your sensors. Note that the system policy applied to the Defense Center controls the types of RNA events that are logged to the database. See Managing System Policies on page 320 for more information.

• You can create and apply health policies that allow you to monitor the processes and status of your sensors. See Configuring Health Policies on page 489 for more information.

3. Confirm that you are receiving the events generated by your sensors. See Viewing Intrusion Event Statistics in the Analyst Guide and Viewing RNA Event Statistics in the Analyst Guide for more information.

Many sensor management tasks are performed on the Sensors page and are described in Understanding the Sensors Page on page 115.

Understanding the Sensors Page

Requires: DC + 3D Sensor

The Sensors page (Operations > Sensors) provides you with a range of information and options that you can use to manage your sensors (including software-based sensors), intrusion agents, and sensor groups.

The following sections describe some of the features on the Sensors page.

Virtual Sensor Count

When you manage Virtual 3D Sensors from the Defense Center, the field for a Virtual Sensor count appears above the sensor list on the Sensors page. For details about Virtual 3D Sensors, see the Virtual Defense Center and 3D Sensor Installation Guide.

Sort-by Drop-Down List

Use this drop-down list to sort the Sensors page according to your needs. You can sort by:

• Group (that is, sensor group; see Managing Sensor Groups on page 131)

• Model (that is, the sensor model)

Sensor List

The first column lists the hostname, sensor type, sensor model, and software version for each sensor. You can click the folder icon next to the name of the category to expand and contract the list of sensors. If you use clustered 3D9900 sensors, they are designated in the sensor list by a peer icon.

When you hover over the peer icon, you can see which sensors are paired and if you configured the sensor as a master or a slave.

Health Policy

The next column lists the health policy for the sensor, if one has been applied. You can click the name of the health policy to view a read-only version of the policy. See Editing Health Policies on page 530 for information about modifying an existing health policy.

System Policy

The next column lists the currently applied system policy. The policy name and the icon for the system policy in the top row highlight a special feature of the Sensors page. If a policy has a different icon and its name is in italics, that indicates the policy was modified after it was applied to the sensor. The icon and the name of the policy in the bottom row indicate that the version applied to the sensor is up to date. Note that this is the case for any policy that you create and apply from the Defense Center.

As with the health policy, you can click the name of the system policy to view a read-only version. See Managing System Policies on page 320 for more information.

Status Icons

The status icons indicate the state of a sensor. The green check mark icon indicates that the sensor and the Defense Center are communicating properly. The red exclamation point icon indicates that the Defense Center has not received communications from the sensor in the last three minutes. If you hover your cursor over the icon, a pop-up window indicates the amount of time (in hours, minutes, and seconds) since the last contact. If the Defense Center has not received a communication from a sensor within the last two minutes, it sends a two-byte heartbeat packet to establish contact and ensure that the communications channel is still running. If your network is constrained in bandwidth, you can contact technical support to change the default time interval.

Edit and Delete Icons

Click the Edit icon next to a sensor if you want to change the sensor’s current system settings. The system settings include the storage settings for the sensor, the time, the remote management configuration, and access to the processes for stopping and restarting the sensor or its software. See Editing a Managed Sensor’s System Settings on page 133 for more information.

If you sort your Sensors page by sensor group, you can click the Edit icon next to the name of a sensor group to modify the list of sensors that belong to the group. See Editing Sensor Groups on page 132 for more information.

Click the Delete icon next to a sensor if you no longer want to manage the sensor with the Defense Center. See Deleting Sensors on page 121 for more information.

If you sort your Sensors page by sensor group, you can click the Delete icon next to the name of a sensor group to remove the sensor group from the Defense Center. See Deleting Sensor Groups on page 133 for more information.

Adding Sensors to the Defense Center

Requires: DC + 3D Sensor

When you manage a sensor, you set up a two-way, SSL-encrypted communication channel between the Defense Center and the sensor. The Defense Center uses this channel to send information about how you want to analyze your network traffic (in the form of policies) to the sensor. As the sensor evaluates the traffic, it generates events and sends them to the Defense Center using the same channel. You can create the following policies on your Defense Center and apply them to managed sensors:

• system policies, which control appliance-level configurations such as database limits, DNS cache settings, and custom login banners

• RNA detection policies, which control RNA data-gathering behavior and determine which networks are monitored by which detection engines

• intrusion policies, which control how protocol decoders and preprocessors are configured and which intrusion rules are enabled

• health policies, which monitor the health of your managed sensors

Note that before you add sensors to a Defense Center, you must make sure that the network settings are configured correctly on the sensor. This is usually completed as part of the installation process, but you can refer to Configuring Network Settings on page 377 for details.

You can also add Intrusion Agents to the Defense Center. For more information, see Adding Intrusion Agents on page 130 and the Sourcefire Intrusion Agent Configuration Guide.

IMPORTANT! If you registered a Defense Center and 3D Sensor using IPv4 and want to convert them to IPv6, you must delete and re-register the sensor.

To add a sensor, you need:

• the sensor’s IP address or hostname (in the connection context “hostname” is the fully qualified domain name or the name that resolves through the local DNS to a valid IP address)

• the Defense Center’s IP address or hostname

• to decide if you want to store the events generated by the sensor only on the Defense Center, or on both the Defense Center and the sensor

TIP! Set up the managed appliance first.

You must begin the procedure for setting up the management relationship between a Defense Center and a sensor on the sensor.

Three fields are provided for setting up communications between appliances:

• Management Host - for the hostname or IP address.

• Registration Key - for the registration key.

• Unique NAT ID - for a unique alphanumeric ID. Refer to Working in NAT Environments on page 112 for more information.

Valid combinations include:

• Management Host and Registration Key used on both appliances

• Registration Key and Unique NAT ID used on the 3D Sensor with Host, Registration Key, and Unique NAT ID used on the Defense Center.

• Management Host, Registration Key, and Unique NAT ID used on the 3D Sensor with Registration Key and Unique NAT ID used on the Defense Center.

IMPORTANT! The Management Host or Host field (hostname or IP address) must be used on at least one of the appliances.
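The field combinations above, together with the NAT ID rules from Working in NAT Environments, as an added Python check that is not part of the Sourcefire product: it models the fields entered on each side, translates the 3Dx800 `set management enable` command into the same sensor-side fields, and reports which rule a proposed pairing breaks. All hostnames, keys and NAT IDs in it are constructed sample values.

```python
"""Added example (not Sourcefire code): check a proposed Defense Center /
3D Sensor registration against the pairing rules in this chapter.

Rules modelled:
  * the Registration Key must be present and identical on both appliances
  * Management Host (sensor side) or Host (Defense Center side) must be
    used on at least one appliance
  * an appliance that omits the host must supply a Unique NAT ID
  * when a NAT ID is used it must match on both appliances
  * each NAT ID must be unique among sensors registered on that Defense Center
The 3Dx800 CLI form 'set management enable <ip_address|NONE> reg_key [nat_id]'
is parsed into the same sensor-side fields.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Registration:
    """Fields entered on one side of the management relationship."""
    host: str = ""      # Management Host (sensor) or Host (Defense Center)
    reg_key: str = ""   # one-time registration key
    nat_id: str = ""    # Unique NAT ID, optional


def parse_3dx800_enable(cmd: str) -> Registration:
    """Translate a 3Dx800 'set management enable' command into sensor fields.

    'NONE' is the placeholder for an unresolvable Defense Center address and
    must be accompanied by a nat_id, as the CLI procedure requires.
    """
    parts = cmd.split()
    if parts[:3] != ["set", "management", "enable"]:
        raise ValueError("not a 'set management enable' command")
    args = parts[3:]
    if len(args) not in (2, 3):
        raise ValueError("expected 'ip_address reg_key' or 'NONE reg_key nat_id'")
    host = "" if args[0] == "NONE" else args[0]
    nat_id = args[2] if len(args) == 3 else ""
    if not host and not nat_id:
        raise ValueError("NONE requires a nat_id")
    return Registration(host=host, reg_key=args[1], nat_id=nat_id)


def check_pairing(sensor: Registration, dc: Registration,
                  registered_nat_ids: Iterable[str] = ()) -> List[str]:
    """Return the rules a proposed pairing violates (empty list = valid).

    registered_nat_ids: NAT IDs already used by other sensors on this
    Defense Center; a new sensor may not reuse one of them.
    """
    problems: List[str] = []
    if not sensor.reg_key or sensor.reg_key != dc.reg_key:
        problems.append("registration key missing or not identical on both appliances")
    if not sensor.host and not dc.host:
        problems.append("Management Host or Host must be used on at least one appliance")
    if not sensor.host and not sensor.nat_id:
        problems.append("sensor without Management Host must supply a Unique NAT ID")
    if not dc.host and not dc.nat_id:
        problems.append("Defense Center without Host must supply a Unique NAT ID")
    if (sensor.nat_id or dc.nat_id) and sensor.nat_id != dc.nat_id:
        problems.append("Unique NAT ID must match on both appliances")
    if dc.nat_id and dc.nat_id in set(registered_nat_ids):
        problems.append(f"NAT ID {dc.nat_id!r} is already used by another sensor")
    return problems


if __name__ == "__main__":
    # Constructed sample values following the chapter's New York / Miami
    # example: both remote sensors use key 'snort', so the NAT IDs must differ.
    ny_sensor = parse_3dx800_enable("set management enable NONE snort ny-01")
    ny_dc_side = Registration(host="ny-sensor.example.com", reg_key="snort", nat_id="ny-01")
    print("New York:", check_pairing(ny_sensor, ny_dc_side) or "ok")
    # Miami reuses the New York NAT ID: rejected as non-unique on the DC.
    mia_sensor = Registration(reg_key="snort", nat_id="ny-01")
    mia_dc_side = Registration(host="mia-sensor.example.com", reg_key="snort", nat_id="ny-01")
    print("Miami:", check_pairing(mia_sensor, mia_dc_side, registered_nat_ids={"ny-01"}))
    # Non-NAT deployment: host and key on both sides, no NAT ID.
    plain_sensor = Registration(host="maple.company.com", reg_key="snort")
    plain_dc = Registration(host="sensor.company.com", reg_key="snort")
    print("No NAT:", check_pairing(plain_sensor, plain_dc) or "ok")
```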

To add a sensor to a Defense Center:

Access: Admin

1. Log into the web interface of the sensor you want to add.

2. Select Operations > System Settings.

The Information page appears.

3. Click Remote Management.

The Remote Management page appears.

4. Click Add Manager.

The Add Remote Management page appears.

5. In the Management Host field, type the IP address or the host name of the Defense Center that you want to use to manage the sensor.

WARNING! Make sure you use hostnames rather than IP addresses if your network uses DHCP to assign IP addresses.

TIP! You can leave the Management Host field empty if the management host does not have a routable address. In that case, use both the Registration Key and the Unique NAT ID fields.

6. In the Registration Key field, type the one-time use registration key that you want to use to set up a communications channel between the sensor and the Defense Center.

7. Optionally, in the Unique NAT ID field, type a unique alphanumeric ID that you want to use to identify the sensor.

8. Click Save.

After the sensor confirms communication with the Defense Center, the Pending Registration status appears.

9. Log into the Defense Center’s web interface using a user account with Admin access, and select Operations > Sensors.

The Sensors page appears.

10. Click New Sensor.

The Add New Sensor page appears.

11. Type the IP address or the hostname of the sensor you want to add in the Host field.

WARNING! Make sure you use hostnames rather than IP addresses if your network uses DHCP to assign IP addresses.

12. In the Registration Key field, enter the same registration key that you used in step 6.

13. If you used a NAT ID in step 7, enter the same ID in the Unique NAT ID (optional) field.

14. You can store data on both the Defense Center and the sensor by clearing the Store Events and Packets Only on the Defense Center check box.

By default, data is stored only on the Defense Center and not on the sensor.

IMPORTANT! Software-based sensors such as the 3D Sensor Software for Crossbeam cannot store data locally. You must store events on the Defense Center. For more information on supported functionality for software-based sensors, see Understanding Software Sensors on page 105.

15. You can prevent packet data from leaving a sensor by enabling the Prohibit Packet Transfer to the Defense Center check box.

IMPORTANT! If you elect to prohibit sending packets and you do not store events on the 3D Sensor, packet data is not retained. Packet data is often important for forensic analysis.

16. To add the sensor to a group, select the group from the Add to Group list.

For more information about groups, see Managing Sensor Groups on page 131.

17. Click Add.

The sensor is added to the Defense Center. It can take up to two minutes for the Defense Center to verify the sensor’s heartbeat and establish communication. You can view the sensor’s status on the Sensors page (Operations > Sensors).

IMPORTANT! In some high availability deployments where network address translation is used, you may need to use the Add Manager feature a second time to add the secondary Defense Center. Contact technical support for more information.

Deleting Sensors

Requires: DC + 3D Sensor

If you no longer want to manage a sensor, you can delete it from the Defense Center. Deleting a sensor severs all communication between the Defense Center and the sensor. To manage the sensor again at a later date, you must re-add it to the Defense Center. To keep the sensor from trying to reconnect to the Defense Center, you should also delete the manager on the sensor.

TIP! If you can no longer communicate with a detection engine on a managed sensor (for example, if the sensor is down or the network interface card is damaged), you should delete the managed sensor from the Defense Center and then re-add it rather than try to delete the non-communicative detection engine.

IMPORTANT! If you delete a sensor from a Defense Center configured in a high availability pair and intend to re-add it, Sourcefire recommends that you wait at least five minutes before re-adding it. This interval ensures that the high availability pair re-synchronizes so that both Defense Centers recognize the deletion. If you do not wait five minutes, it may take more than one synchronization cycle to add the sensor to both Defense Centers.

To delete a sensor from the Defense Center:

Access: Admin

1. Log into the Defense Center web interface and select Operations > Sensors.

The Sensors page appears.

2. Click Delete next to the sensor you want to delete.

Communication between the sensor and the Defense Center is discontinued and the sensor is deleted from the Sensors page.

3. Using a user account with Admin access, log into the web interface of the sensor you want to delete.

4. Select Operations > System Settings.

The Information page appears.

5. Click Remote Management.

The Remote Management page appears.

6. Click Delete next to the Defense Center where you want to reset management.

The manager is removed. If the sensor has a system policy that causes it to receive time from the Defense Center via NTP, the sensor reverts to local time management.

Resetting Management of a Sensor

Requires: DC + 3D Sensor

If communications fail between the Defense Center and one of your sensors, you can reset management of the sensor. If you want to manage a sensor with a different Defense Center, you must also reset management before adding the sensor to another Defense Center. You must first delete the manager on the sensor and delete the sensor on the Defense Center. You can then re-add the manager on the sensor and then add the sensor to a Defense Center.

TIP! To temporarily disable communications between appliances without having to reset management, you can disable the manager on the sensor. For more information, see Managing Communication on a Managed Sensor on page 138.

The procedures for resetting management on the 3Dx800 sensors and on Crossbeam-based software sensors differ from the procedure for other sensors. For more information on resetting management on a 3Dx800 sensor, see Resetting Communications on the 3Dx800 on page 128. For more information on resetting management on a Crossbeam-based software sensor, see the Sourcefire 3D Sensor Software for X-Series Installation Guide.

To reset management:

Access: Admin

1. Log into the web interface of the Defense Center where you want to reset communications.

2. Select Operations > Sensors.

The Sensors page appears.

3. Click Delete next to the sensor you want to delete.

Communication between the sensor and the Defense Center is discontinued and the sensor is deleted from the Sensors page.

If your sensor is no longer communicating with the Defense Center, you can delete the management on the sensor. If you attempt to delete management on the sensor while it is communicating with the Defense Center, you will receive an error similar to:

Delete failed. You must delete the appliance from its manager, maple.example.com.

To delete management on the sensor:

Access: Admin

1. Log into the web interface of the sensor where you want to reset communications.

2. Select Operations > System Settings.

The Information page appears.

3. Click Remote Management.

The Remote Management page appears.

4. Click Delete next to the Defense Center where you want to reset management.

The manager is removed.

To re-add the sensor to the Defense Center:

Access: Admin

1. Log into the web interface of the sensor where you want to reset communications and click Add Manager.

The Add Remote Management page appears.

2. In the Management Host field, type the IP address or the host name of the Defense Center that you want to use to manage the sensor.

WARNING! Make sure you use hostnames rather than IP addresses if your network uses DHCP to assign IP addresses.

You can leave the Management Host field empty if the management host does not have a routable address. In that case, use both the Registration Key and the Unique NAT ID fields.

3. In the Registration Key field, type the one-time use registration key that you want to use to set up a communications channel between the sensor and the Defense Center.

4. Optionally, in the Unique NAT ID field, type a unique ID that you want to use to identify the sensor.

5. Click Save.

After the sensor confirms communication with the Defense Center, the Pending Registration status appears.

6. Log into the Defense Center’s web interface using a user account with Admin access, and select Operations > Sensors.

The Sensors page appears.

7. Click New Sensor.

The Add New Sensor page appears.

8. Type the IP address or the hostname of the sensor you want to add in the Host field.

WARNING! Make sure you use hostnames rather than IP addresses if your network uses DHCP to assign IP addresses.

9. In the Registration Key field, type the same one-time use registration key that you used in step 3.

10. If you used a unique NAT ID in step 4, type the same value in the Unique NAT ID field.

11. You can store data on both the Defense Center and the sensor by clearing the Store Events and Packets Only on the Defense Center check box.

By default, data is stored only on the Defense Center and not on the sensor.

12. You can prevent packet data from leaving a sensor by checking the Prohibit Packet Transfer to the Defense Center check box.

If you elect to prohibit sending packets and you do not store events on the 3D Sensor, packet data is not retained. Packet data is often important for forensic analysis.

13. To add the sensor to a group, select the group from the Add to Group list.

For more information about groups, see Managing Sensor Groups on page 131.

14. Click Add.

The sensor is added to the Defense Center. It can take up to two minutes for the Defense Center to verify the sensor’s heartbeat and establish communication. You can view the sensor’s status on the Sensors page (Operations > Sensors).

In some high availability deployments where network address translation is used, you may need to use the Add Manager feature a second time to add the secondary Defense Center. Contact technical support for more information.

Managing a 3Dx800 Sensor

Requires: DC + 3D Sensor

Because the Sourcefire 3D Sensor 3800, 3D Sensor 5800, and 3D Sensor 9800 (usually called the 3Dx800 sensors) do not have their own web interfaces, you must add them to a Defense Center as managed sensors so that you can perform procedures such as:

• creating and applying intrusion and RNA detection policies

• viewing events

• generating reports

• uploading and installing software updates

The following sections explain how to manage 3Dx800 sensors with a Defense Center:

• Managing 3Dx800 Sensors with a Defense Center on page 125

• Deleting a 3Dx800 Sensor from the Defense Center on page 127

• Resetting Communications on the 3Dx800 on page 128

Managing 3Dx800 Sensors with a Defense Center

Requires: DC +3D Sensor

Setting up communications between a 3Dx800 sensor and a Defense Center is a two-step process that involves setting up the sensor and then adding the sensor to the Defense Center.

This procedure assumes that you have completed the setup steps described in the sensor’s Installation Guide.

To manage a 3Dx800 sensor with a Defense Center:

Access: Admin

1. Log into the 3D Sensor using the admin account.

The CLI prompt appears:

sensor.domain [admin]

2. Enter the following at the CLI prompt:

[admin] configure sensor

3. Use the following command to determine whether remote management is already enabled:

[admin:sensor] show management

If management is already enabled, the sensor may be managed by another Defense Center. See Resetting Communications on the 3Dx800 on page 128 for information about deleting the sensor from the other Defense Center and preparing it for new management.

4. Use one of the following commands to enable management on the 3D Sensor:

• If you are deploying your sensor in a network that does not use network address translation, enter the following command:

[admin:sensor] set management enable ip_address reg_key

where ip_address is the IP address of the Defense Center and reg_key is a unique single-use alphanumeric registration key. The IP address and registration key pair must uniquely identify the communications channel between the sensor and the Defense Center.

• If you are deploying your sensor in a network that does use network address translation, enter the following command:

[admin:sensor] set management enable NONE reg_key nat_id

where NONE is a placeholder for the unresolvable IP address of the Defense Center, reg_key is a unique single-use alphanumeric registration key, and nat_id is a unique alphanumeric string. The NAT ID together with the registration key must uniquely identify the communications channel between the sensor and the Defense Center.

In either case, a message appears indicating that remote management is enabled.

5. If you changed the management port on the Defense Center, you must change it on the 3Dx800 also:

[admin:sensor] set management port port_number

where port_number is the same port number you used on the Defense Center.

6. Use the following command to exit the CLI and return to the login prompt:

[admin:sensor] exit

7. Using a user account with Admin access, log into the web interface of the Defense Center where you want to add the sensor.

8. Select Operations > Sensors.

The Sensors page appears.

9. Click New Sensor.

The Add New Sensor page appears.

10. In the Host field, type the IP address or the hostname of the sensor you want to add.

11. In the Registration Key field, type the same one-time use registration key that you used on the sensor.

12. If you used a NAT ID in step 4, type the same value in the Unique NAT ID field.

IMPORTANT! Because 3Dx800 sensors do not have any local storage for events, make sure the Store Events and Packets Only on the Defense Center check box is selected.

13. You can prevent packet data from leaving a sensor by checking the Prohibit Packet Transfer to the Defense Center check box.

If you prohibit sending packets to the Defense Center, packet data, which is often important for forensic analysis, is not retained anywhere.

14. To add the sensor to a group, select the name of the group from the Add to Group list.

For more information about groups, see Managing Sensor Groups on page 131.

15. Click Add.

The 3Dx800 is added to the Defense Center.

It can take up to two minutes for the Defense Center to verify the sensor’s heartbeat and establish communication.

Deleting a 3Dx800 Sensor from the Defense Center

Requires: DC +3D Sensor

If you want to delete a 3Dx800 sensor from a Defense Center (for example, to manage it with a different Defense Center), you must complete a two-step process to disable remote management and then delete it from the Defense Center.

To delete a 3Dx800 sensor from a Defense Center:

Access: Admin

1. Log into the web interface of the Defense Center where you want to delete the sensor.

2. Select Operations > Sensors.

The Sensors page appears.

3. Click Delete next to the sensor you want to delete.

The sensor is deleted.

4. On the sensor, access the command prompt and use the admin account to log in.

The CLI prompt appears:

sensor.domain [admin]

5. Enter the following at the CLI prompt:

[admin] configure sensor

6. Enter the following command to disable remote management:

[admin:sensor] set management disable

A message appears indicating that remote management is disabled.

7. Enter the following command to exit the CLI and return to the login prompt:

[admin:sensor] exit

To add the sensor to either the same or a different Defense Center, you must re-enable remote management and then add the sensor to the Defense Center. For more information, see the next section, Resetting Communications on the 3Dx800.

Resetting Communications on the 3Dx800

Requires: DC +3D Sensor

If communication fails between a 3Dx800 sensor and the Defense Center that manages it, you can manually reset communications on the sensor.

To reset communications between the sensor and the Defense Center:

Access: Admin

1. Log into the web interface of the Defense Center that manages the sensor.

2. Select Operations > Sensors.

The Sensors page appears.

3. Click Delete next to the sensor that is no longer communicating with the Defense Center.

The sensor is deleted.

4. On the sensor, access the command prompt and use the admin account to log in.

The CLI prompt appears:

sensor.domain [admin]

5. Enter the following at the CLI prompt:

[admin] configure sensor

6. Enter the following command to disable remote management:

[admin:sensor] set management disable

Remote management is disabled.

7. Use one of the following commands to enable remote management.

• If your sensor is in a network that does not use network address translation, enter the following command:

[admin:sensor] set management enable ip_address reg_key

where ip_address is the IP address of the Defense Center and reg_key is a unique single-use alphanumeric registration key. The IP address and registration key pair must uniquely identify the communications channel between the sensor and the Defense Center.

• If your sensor is in a network that does use network address translation, enter the following command:

[admin:sensor] set management enable NONE reg_key nat_id

where NONE is a placeholder for the unresolvable IP address of the Defense Center, reg_key is a unique single-use alphanumeric registration key, and nat_id is a unique alphanumeric string. The NAT ID together with the registration key must uniquely identify the communications channel between the sensor and the Defense Center.

In either case, remote management is enabled again.

8. Enter the following command to exit the CLI and return to the login prompt:

[admin:sensor] exit

9. On the Defense Center’s Sensors page, re-add the sensor by clicking New Sensor.

The Sensors page appears.

10. In the Host field, type the IP address or hostname of the sensor and make sure the Store Events and Packets Only on the Defense Center check box is selected.

11. Click Add.

Communications are restarted and the sensor is re-added to the Defense Center.

Adding Intrusion Agents

Requires: DC + Intrusion Agent

The Add Agent page allows you to add an Intrusion Agent.

IMPORTANT! When using Intrusion Agents registered to Defense Centers configured for high availability and managed by a Master Defense Center, register all Intrusion Agents to the primary Defense Center.

To add an Intrusion Agent:

Access: Admin

1. Access the Defense Center web interface and select Operations > Sensors.

The Managed Sensors page appears.

2. Click New Agent.

The Agent Administration page appears.

3. In the Name Of Agent field, type an identifying name for the agent.

This is the name that the Defense Center uses to identify the Intrusion Agent. It will appear on the event summary, event view pages, and reports.

4. In the Hostname or IP Address field, type the Intrusion Agent’s host name (if DNS resolution is enabled on the Defense Center) or IP address.

WARNING! If your Intrusion Agent sensor resides behind a NAT device, enter the IP address granted by the NAT device; that is, you should enter the IP address that the Defense Center will “see” when the Intrusion Agent attempts to communicate with it.

5. Click Add Agent.

The Intrusion Agent is added and the page reloads, displaying a link that allows you to download authentication credentials.

6. Click Download Auth Credentials and save them for later use on the Intrusion Agent.

To download authentication credentials, see Sensor Attributes - Intrusion Agent Page on page 130.

For information on the requirements for the intrusion agent side of the connection, see the Sourcefire Intrusion Agent Configuration Guide.

Sensor Attributes - Intrusion Agent Page

Requires: DC + Intrusion Agent

The Sensor Attributes page for Intrusion Agents allows you to view basic information about the Intrusion Agent and allows you to download authentication credentials. During configuration, you copy this file to the Intrusion Agent appliance to allow the Intrusion Agent to authenticate with the Defense Center.


Authentication credentials are unique to each Intrusion Agent appliance and Defense Center and cannot be copied from one appliance to another.

To download authentication credentials from the Sensor Attributes page:

Access: Admin

1. Access the Defense Center web interface and select Operations > Sensors.

The Managed Sensors page appears.

2. Click Edit next to the Intrusion Agent.

The System Settings page for the Intrusion Agent appears.

3. Click Download Credential File.

You are prompted to download the credentials to your local computer.

For more information about copying the credentials, see the Sourcefire Intrusion Agent Configuration Guide.

Managing Sensor Groups

Requires: DC + 3D Sensor

The Defense Center allows you to group sensors so that you can easily apply policies and install updates on multiple sensors.

See the following sections for more information:

• Creating Sensor Groups on page 131 explains how to create a sensor group on the Defense Center.

• Editing Sensor Groups on page 132 explains how to modify the list of sensors in a sensor group.

• Deleting Sensor Groups on page 133 explains how to delete a sensor group.

Creating Sensor Groups

Requires: DC + 3D Sensor

Grouping managed sensors allows you to configure multiple sensors with a single system or health policy, and update multiple sensors with new software updates at the same time.

For information about Defense Center groups, see Managing Appliance Groups on page 179.

To create a sensor group and add sensors to it:

Access: Admin

1. On the Defense Center, select Operations > Sensors.

The Sensors page appears.


2. Click Create New Sensor Group.

The Create Sensor Group page appears.

3. In the Group Name field, type the name of the group you want to create.

4. Click Save.

The group is added.

5. To add sensors to the group, return to the Sensors page (Operations > Sensors) and click Edit next to the name of the sensor group.

The Sensor Group Edit page appears.

6. Select the IP addresses or hostnames of the sensors you want to add from the Available Sensors list and click the arrow to move them into the sensor group.

7. Click Save.

The sensors are added to the group.

Editing Sensor Groups

Requires: DC + 3D Sensor

You can change the set of sensors that reside in any sensor group.

TIP! You must remove a sensor from its current group before you can add it to a new group.

Moving a sensor to a new group does not change its policy to the policy previously applied to the group. To change the sensor’s policy, you must apply a new policy to the sensor or sensor group. See Applying an Intrusion Policy in the Analyst Guide for details.

To edit a sensor group:

Access: Admin

1. On the Defense Center, select Operations > Sensors.

The Sensors page appears.


2. Click Edit next to the sensor group you want to edit.

The Sensor Group Edit page appears.

3. Select the sensor you want to move and click the arrow to add or remove it from the group.

• To add a sensor to the group, select it from the Available Sensors list and click the arrow pointing toward the group you are editing.

• To remove a sensor from a group, select it from the list in the group you are editing and click the arrow pointing to the Available Sensors list.

4. Click Done.

Deleting Sensor Groups

Requires: DC + 3D Sensor

If you delete a group that contains sensors, the sensors are moved to Ungrouped on the Sensors page. They are not deleted from the Defense Center.

To delete a sensor group:

Access: Admin

1. Select Operations > Sensors.

The Sensors page appears.

2. Click Delete next to the group you want to delete.

Editing a Managed Sensor’s System Settings

Requires: DC or 3D Sensor

Each sensor has a number of system settings. On an unmanaged sensor you can use the sensor’s web interface to modify the settings as needed. When you manage one or more sensors with a Defense Center, you can modify their system settings through the Defense Center’s web interface.

IMPORTANT! You cannot edit the network settings or add a license file to a sensor through the Defense Center’s web interface. You must perform those tasks on the sensor’s web interface (generally before you begin to manage the sensor with the Defense Center). See Configuring System Settings on page 360 for more information about system settings.

To edit the system settings for a managed sensor:

Access: Admin

1. On the Defense Center, select Operations > Sensors.

The Sensors page appears.

2. Click Edit next to the name of the sensor where you want to edit the system settings.

The Appliance page appears and includes a list of links on the left side of the page that you can use to navigate between pages.

3. From the System Settings page, you can:

• view detailed information about the sensor. For more information, see Viewing a Sensor’s Information Page on page 135.

• modify the default settings for each network interface on the managed sensor. For more information, see Editing Network Interface Configurations on page 380.

WARNING! Do not modify the settings for the management interface unless you have physical access to the appliance. It is possible to select a setting that makes it difficult to access the web interface.

• reboot or restart the processes on the managed sensor. For more information, see Stopping and Restarting a Managed Sensor on page 137.


• manage communications between the sensor and the Defense Center. For more information, see Managing Communication on a Managed Sensor on page 138.

• manage time settings on the managed sensor. For more information, see Setting the Time on a Managed Sensor on page 139.

• blacklist individual health policy modules on the managed sensor. For more information, see Blacklisting a Health Policy Module on page 537.

Viewing a Sensor’s Information Page

Requires: DC or 3D Sensor

The Information page for a managed sensor includes the fields described in the Sensor Information table.

When you view the Information page for a managed Defense Center from the Master Defense Center’s web interface, the fields are slightly different. See Editing Settings for a Managed Defense Center on page 175.

Sensor Information

Name: The assigned name for the managed sensor. Note that this is the name of the sensor in the Defense Center web interface, not the hostname.

Product Model: The model name for the managed sensor.

Software Version: The version of the software currently installed on the managed sensor.

Store Events Only on Defense Center: Enable this check box to store event data on the Defense Center, but not the managed sensor. Clear this check box to store event data on both appliances.

Prohibit Packet Transfer to the Defense Center: Enable this check box to prevent the managed sensor from sending packet data with the events. Clear this check box to allow packet data to be stored on the Defense Center with events.

Operating System: The operating system currently running on the managed sensor.

Operating System Version: The version of the operating system currently running on the managed sensor.

VDB Version: The version level of the vulnerability database currently loaded on the managed sensor.

IPv4 Address: The IPv4 address of the managed sensor.

IPv6 Address: The IPv6 address of the managed sensor.

Current Policies: The appliance-level policies currently applied to the managed sensor. If a policy has been updated since it was last applied, the name of the policy appears in italics.

• The name of the current system policy is listed under System.

• The name of the current health policy is listed under Health, if you applied one from the Defense Center that manages the sensor.

Status: An icon showing the current status of the managed sensor. If you hover your cursor over the icon, a pop-up message indicates how long it has been (in hours, minutes, and seconds) since the sensor communicated with the Defense Center. You can click Refresh to update the Status icon and its accompanying pop-up message.

Model Number: The model number for the sensor. This number can be important for troubleshooting.

Current Group: The sensor group that the sensor belongs to, if any. See Creating Sensor Groups on page 131 for more information.

To edit a managed sensor’s settings:

Access: Admin

1. Select Operations > Sensors.

The Sensors page appears.


2. Click Edit next to the name of the sensor whose system settings you want to edit.

The Information page for that sensor appears. See the Sensor Information table on page 135 for a description of each field.

3. Change the sensor’s attributes as needed.

You can edit the following:

• the sensor’s hostname

• where events generated by the sensor are stored

• the group in which the sensor resides

WARNING! Sensor host names must be made up of a combination of alphanumeric characters and should not be made up of numeric characters only.

4. Click Save.

The updated sensor attributes are saved.

Stopping and Restarting a Managed Sensor

Requires: DC

For 3D Sensors, you can reboot or restart the processes on a managed sensor using the Defense Center’s web interface.

You must use the command line interface (CLI) to manage processes on Crossbeam-based software sensors, RNA Software for Red Hat Linux, and Intrusion Agents.


To shut down or restart a managed sensor:

Access: Admin

1. Select Operations > Sensors.

The Sensors page appears.

2. Click Edit next to the name of the sensor that you want to restart.

The Information page for that sensor appears.

3. Click Process in the list to the left of the page.

The Process page appears for your managed sensor.

4. Specify what command you want to perform:

• If you want to shut down the sensor, click Run Command next to Shutdown Appliance.

• If you want to reboot the sensor, click Run Command next to Reboot Appliance.

• If you want to restart the software processes on the sensor, click Run Command next to Restart Appliance Console.

• If you want to restart the Snort and RNA processes, click Run Command next to Restart Detection Engines.

WARNING! If you shut down the appliance, the process shuts down the operating system on the appliance, but does not physically shut off power. To shut off power, you must press the power button on the appliance.

Managing Communication on a Managed Sensor

Requires: DC + 3D Sensor

For most 3D Sensors, you can manage communications between a managed sensor and the Defense Center managing it using the Defense Center’s web interface.

You must use the command line interface (CLI) to manage communication on 3Dx800 sensors, Crossbeam-based software sensors, RNA Software for Red Hat Linux, and Intrusion Agents.

To disable communications between the Defense Center and the sensor:

Access: Admin

1. Select Operations > Sensors.

The Sensors page appears.


2. Click Edit next to the name of the sensor that you want to manage.

The Information page for that sensor appears.

3. Click Remote Management in the list to the left of the page.

The Remote Management page appears.

4. Click Disable next to the name of the sensor.

Communications between the two appliances are interrupted.

TIP! To enable communications between the two appliances again, click Enable.

For information about editing the remote management communications from a sensor see Configuring Remote Access to the Defense Center on page 386.

Setting the Time on a Managed Sensor

Requires: DC or 3D Sensor

If your managed sensor is receiving its time from an NTP server, which is the recommended setting for a managed sensor and its Defense Center, then you cannot change the time manually. See the NTP Status table on page 390 for a description of the values you are likely to see for a sensor that is synchronized with an NTP server. However, if the system policy applied to the managed sensor allows you to set the time manually, then you can change it as part of the system settings.

For 3D Sensors, you can manage time settings on a managed sensor using the Defense Center’s web interface.

You must use the command line interface (CLI) to manage time settings on Crossbeam-based software sensors and RNA Software for Red Hat Linux. You cannot manage time settings on Intrusion Agents.

To set the time for a managed sensor:

Access: Admin

1. Select Operations > Sensors.

The Sensors page appears.

2. Click Edit next to the name of the sensor where you want to set the time.

The Information page for that sensor appears.


3. Click Time in the list to the left of the page.

The Time page appears showing the current time.

4. From the Set Time drop-down lists, select the following:

• year

• month

• day

• hour

• minute

5. Click Apply.

The time is updated.

6. If you want to change the time zone, click the time zone link located next to the date and time.

A pop-up window appears.

7. Select your time zone and click Save and, after the time zone setting is saved, click Close to close the pop-up window.

Changing the time zone with this option is equivalent to changing the time zone using the Time Zone Settings option in the user preferences. In other words, this time zone option changes the time setting your user account uses on the Defense Center web interface. This setting does not affect the time zone setting on the managed sensor.

Managing a Clustered Pair

Requires: DC + 3D9900

You can increase the amount of traffic inspected on a network segment by connecting two fiber-based 3D9900 sensors in a clustered pair. When you establish a clustered pair configuration, you combine the 3D9900 sensors’ resources into a single, shared configuration.

When you connect the two 3D9900 sensors you determine which is the master. You connect the master to the network segment you wish to analyze. After you do the cabling, use a Defense Center to establish the clustered pair relationship between the two sensors and manage their joint resources.


After you establish the relationship between the two sensors, they act like two separate sensors with a single, shared detection configuration. For information on the detection engines, interface set, and data from a clustered pair, see:

• Using Detection Engines on Clustered 3D Sensors on page 228

• Understanding Interface Sets on Clustered 3D Sensors on page 229

• Managing Information from a Clustered 3D Sensor on page 230

The Defense Center manages the clustered pair, and local management is blocked on the shared portion of the clustered pair. The following diagram shows interfaces on the master and slave sensors.

For information about the connections between the master and slave 3D9900 sensors, see the Cluster Interconnect table.

Cluster Interconnect

Master Interface    Slave Interface

ethb2 RX            ethb0 TX

ethb2 TX            ethb0 RX

ethb3 RX            ethb1 TX

ethb3 TX            ethb1 RX

You connect the master to the network and the slave to the master. You determine the master/slave designation by the way you cable the pair. After you establish the relationship, you cannot change which sensor is the master or slave unless you break and reestablish the relationship using the Defense Center.

For more information, see:

• Establishing a Clustered Pair on page 142

• Separating a Clustered Pair on page 144

Establishing a Clustered Pair

Requires: DC + 3D9900

You can group two fiber-based 3D9900 sensors in a clustered pair to increase throughput. Before you begin, you must:

• decide which unit will be the master

• have SEU 2.8.6 or later loaded on your 3D9900 and Defense Center

• cable the units properly prior to designating the master/slave relationship

Connect the master’s ethb0 and ethb1 pair to the network. Connect the master’s ethb2 and ethb3 pair to the slave’s ethb0 and ethb1 pair as shown in the Cluster Interconnect table.

IMPORTANT! You cannot connect the slave’s ethb2 and ethb3 pair when you establish the clustered pairing.

For more information about cabling, see the Sourcefire 3D Sensor Installation Guide.

After you establish the master/slave relationship, the detection engines and interface set are combined on the two sensors.

IMPORTANT! If you apply an RNA detection policy to the RNA detection engines on two different 3D9900 sensors and then establish clustering with those two sensors, you must edit and reapply your detection policy after you establish clustering.


There is one detection engine and interface set shared over the paired 3D9900 sensors. They are managed from the Defense Center, instead of the 3D9900 sensors.

If you attempt to manage the combined detection engines and interface set on the paired 3D9900 sensors, the following message is displayed.

To establish 3D9900 clustered pairing:

Access: Admin

1. Select Operations > Sensors on your Defense Center.

The Sensor page appears.

2. Click Edit next to the 3D9900 sensor that you cabled for master operation.

TIP! If you edit a 3D9900 that is not cabled as the master, you cannot perform the next series of steps.

The System Settings page appears and there is a Clustering field at the bottom.

3. In the Clustering field, under Status, select the sensor you want to form a cluster with. For example, if the other member of your pair is birch.example.com, select Clustered with birch.example.com.

Clustering is established and a confirmation message appears.


4. Review the confirmation message and confirm that the Master/Slave pairing is correct.

IMPORTANT! While the system verifies the cabling configuration, the sensing traffic is interrupted. If the system determines that the cabling is correct, it removes detection configurations (interface sets, detection engines) from the slave.

5. Click OK to confirm the Master/Slave pairing.

6. After clustering is established, verify that the Clustering field changes to indicate the correct state.

• On the master, the field reads: Status Clustered sensor_name, where sensor_name is the name of the sensor you designated as the slave in step 3 and Role Master.

• On the slave, the field reads: Status Clustered and Role Slave

3D9900 clustering is established. Use the managing Defense Center to establish the cluster’s detection configurations for the interface set and detection engines.

Separating a Clustered Pair

Requires: DC + 3D9900

If you no longer need to use the two 3D9900 sensors as a clustered pair, you can use the Defense Center to break the cluster.

To separate a 3D9900 clustered pair:

Access: Admin

1. Select Operations > Sensors on your Defense Center.

The Sensor page appears.

2. Click Edit next to the 3D9900 sensor that you designated as the master sensor when you connected the pair’s cables.

The System Settings page appears with the Clustering field at the bottom.

3. Select Break Cluster in the Clustering field.


4. Click Save.

5. Review the confirmation message. Note the Master/Slave pairing and click OK to confirm that you want to separate the clustered pair.

The 3D9900 sensors separate and the confirmation message disappears.


Configuring High Availability

Requires: DC

To ensure the continuity of operations, the high availability feature allows you to designate redundant Defense Centers to manage 3D Sensors. Event data streams from managed sensors to both Defense Centers and certain configuration elements are maintained on both Defense Centers. If one Defense Center fails, you can monitor your network for intrusion events, RNA events, RUA events, and compliance events without interruption using the second Defense Center.

See the following sections for more information about setting up high availability.

• Using High Availability on page 145 lists the items that are and are not duplicated when you implement high availability.

• Guidelines for Implementing High Availability on page 149 outlines some guidelines you must follow if you want to implement high availability.

• Setting Up High Availability on page 150 explains how to specify primary and secondary Defense Centers.

• Monitoring the High Availability Status on page 152 explains how to check the status of your linked Defense Centers.

• Disabling High Availability and Unregistering Sensors on page 153 explains how to permanently remove the link between linked Defense Centers.

• Pausing Communication between Paired Defense Centers on page 154 explains how to pause communications between linked Defense Centers.

• Restarting Communication between Paired Defense Centers on page 154 explains how to restart communications between linked Defense Centers.

Using High Availability

Requires: DC

The DC1000 and DC3000 models of the Defense Center support high availability configurations. The DC500 model of the Defense Center and the Virtual Defense Center do not support high availability.

Sourcefire strongly recommends that both Defense Centers in an HA pair be the same model. That is, do not attempt to set up high availability between a Defense Center 1000 and a Defense Center 3000.

WARNING! Sourcefire recommends that you change configurations only on the primary Defense Center and that you keep your secondary Defense Center as a backup.


For more information on:

• sensor attributes and user information shared in a high availability pair, see Sensor Configurations and User Information on page 146

• health and system policies shared in a high availability pair, see Health and System Policies on page 147

• feature license operation in a high availability pair, see Feature Licenses on page 148

• details of high availability pair operation, see Understanding High Availability on page 148

Sensor Configurations and User Information

Requires: DC

Defense Centers in a high availability pair (also called an HA pair) share the following sensor attributes and user information:

• user account attributes and authentication configurations

WARNING! Before you establish a high availability pair, if you have any user accounts with the same name on both Defense Centers, make sure you remove the duplicate user accounts from one of the Defense Centers. Also, because both Defense Centers must have an admin account, you must make sure that the admin account uses the same password on both Defense Centers.

• custom dashboards

• authentication objects for Sourcefire 3D System user accounts

• custom workflows

• custom tables

• sensor attributes, such as the sensor’s host name, where events generated by the sensor are stored, and the group in which the sensor resides

• intrusion, RNA, and RUA detection engines

• intrusion policies and their associated rule states

• local rules

• custom intrusion rule classifications

• variable values and user-defined variables

IMPORTANT! If your deployment includes intrusion agents and you are also using a Master Defense Center to manage your linked Defense Centers, make sure you register all intrusion agents to the primary Defense Center.

• RNA detection policies

• RNA custom service detectors


• activated custom fingerprints

• host attributes

• traffic profiles

• RNA user feedback, including notes and host criticality; the deletion of hosts, services, and networks from the network map; and the deactivation or modification of vulnerabilities

• compliance policies and their associated rules

• compliance white lists

To avoid launching duplicate responses and remediations when compliance policies are violated, Defense Centers do not share the associations between the policies and their responses and remediations. You must upload and install any custom remediation modules and configure remediation instances on your secondary Defense Center before remediations are available to associate with compliance policies. If the primary Defense Center fails, you should quickly associate your compliance policies with the appropriate responses and remediations on the secondary Defense Center to maintain continuity of operations. For more information, see Creating Compliance Policies in the Analyst Guide and Configuring Remediations in the Analyst Guide.

When you restore your primary Defense Center after a failure, if you created associations between rules or white lists and their responses and remediations on the secondary Defense Center, make sure you remove the associations so responses and remediations will only be generated by the primary Defense Center.

Health and System Policies

Requires: DC

Health and system policies for Defense Centers and 3D Sensors are shared in high availability pairs. Allow enough time to ensure that 3D Sensor information about health policies, modules, and blacklists is synchronized on a newly activated Defense Center.

TIP! If you employ an HA paired Defense Center as an NTP server, the NTP function does not automatically switch. However, you can synchronize time with multiple alternative NTP servers. For 3D Sensors, you can point to one Defense Center as your first NTP server and the other Defense Center as your second NTP server. For more information, see Synchronizing Time on page 354.

Although system policies are shared by Defense Centers in a high availability pair, they are not automatically applied. If you want identical system policies on both Defense Centers, apply the policy after it synchronizes.


Defense Centers in an HA pair share the following system and health policy information:

• system policies

• system policy configurations (what policy is applied where)

• health policies

• health monitoring configurations (what policy is applied where)

• which appliances are blacklisted from health monitoring

• which appliances have individual health monitoring policies blacklisted

Feature Licenses

Requires: DC

Defense Centers in an HA pair do not share RNA, RUA, and NetFlow licenses:

• Both Defense Centers must have RNA host licenses if you want to manage 3D Sensors with RNA with the high availability pair.

• While NetFlow data and devices are shared, the two Defense Centers must have enough NetFlow licenses to merge the list of devices on each, if you want to use NetFlow data to supplement the data gathered by your 3D Sensors with RNA.

TIP! Both Defense Centers in a high-availability pair must have NetFlow licenses for at least the number of NetFlow-enabled devices you are using. If one Defense Center does not have a NetFlow license, it will not receive data from your NetFlow-enabled devices.

• While RUA LDAP authentication objects are shared, both Defense Centers must have RUA licenses if you want to manage 3D Sensors with RUA with the high availability pair.

IMPORTANT! An RUA Agent can only connect to one Defense Center at a time. In a high-availability environment, if the primary Defense Center fails, you must make sure that your RUA Agents can communicate with the secondary Defense Center. For more information, see Configuring an RUA Agent on an Active Directory Server in the Analyst Guide.

Understanding High Availability

Requires: DC

Although Defense Centers in high availability mode are named “primary” and “secondary,” you can make policy or other changes to either Defense Center. Defense Centers periodically update each other on changes to their configurations, and any change you make to one Defense Center should be applied on the other Defense Center within ten minutes. (Each Defense Center has a five-minute synchronization cycle, but the cycles themselves could be out of sync by as much as five minutes, so changes appear within two five-minute cycles.) However, during this ten-minute window, policies may appear incorrectly on the other Defense Center.

For example, if you create a policy on your primary Defense Center and apply it to a sensor that is also managed by your secondary Defense Center, the sensor could contact the secondary Defense Center before the Defense Centers contact each other. Because the sensor has a policy applied to it that the secondary Defense Center does not recognize, the secondary Defense Center displays a new policy with the name “unknown” until the Defense Centers synchronize.

Also, if you make conflicting policy or other changes to both Defense Centers within the same window between Defense Centers syncs, the last change you make takes precedence, regardless of the designations of the Defense Center as primary and secondary.

Defense Centers configured as a high availability pair do not need to be on the same trusted management network, nor do they have to be in the same geographic location. For more information, see Guidelines for Implementing High Availability on page 149.

Guidelines for Implementing High Availability

Requires: DC To take advantage of high availability, you must follow these guidelines.

• You must designate one Defense Center as the primary Defense Center and one as the secondary.

Regardless of their designations as primary and secondary, both Defense Centers can be configured with policies, rules, managed sensors, and so on before you set up high availability.

TIP! To avoid confusion, start with the secondary Defense Center in its original state. That is, you have not created or modified any policies, nor created any new rules, nor have you previously managed any sensors with it. To make sure the secondary Defense Center is in its original state, use the Restore CD to remove changed settings. Note that this also deletes event and configuration data from the Defense Center.

You cannot configure a recurring task schedule on the inactive Defense Center. You must recreate the recurring task schedule on a newly activated Defense Center when it changes from inactive to active.

• By default, the Defense Centers use port 8305/tcp for communications. You can change the port as described in Configuring the Communication Channel on page 383.

• Both Defense Centers must be running the same software version.

• Both Defense Centers must be running the same SEU version.

• The Defense Center software version must be the same or newer than the software version of managed 3D Sensors.


• All RNA software sensors managed by Defense Centers in high availability mode must be the same software version.

• If you use a Master Defense Center to manage a high-availability pair of Defense Centers, use this sequence to establish communications between the three of them: First, set up remote management between each Defense Center and the Master Defense Center as detailed in Adding and Deleting Defense Centers on page 164, then set up high availability as detailed in Setting Up High Availability on page 150.

• The two Defense Centers do not need to be on the same network segment, but each of the Defense Centers must be able to communicate with the other and with the sensors they share. That is, the primary Defense Center must be able to contact the secondary Defense Center at the IP address on the secondary Defense Center’s own management interface, and vice versa. In addition, either each Defense Center must be able to contact the sensors it manages or the sensors must be able to contact the Defense Center.

Setting Up High Availability

Requires: DC To use high availability, you must designate one Defense Center as the primary and another Defense Center of the same model as the secondary. For information about editing the remote management communications between the two appliances, see Editing the Management Virtual Network on page 385.

WARNING! Sourcefire recommends that you change configurations only on the primary Defense Center and that you use your secondary Defense Center as a backup.

Before you configure high availability, make sure you synchronize time settings between the Defense Centers you want to link. For details on setting time, see Synchronizing Time on page 354.

TIP! To add an existing high availability pair of Defense Centers to a Master Defense Center, add the primary Defense Center and the secondary Defense Center is automatically added. For information about adding a Defense Center to a Master Defense Center, see Adding a Master Defense Center on page 165.

To set up high availability for two Defense Centers:

Access: Admin 1. Log into the Defense Center that you want to designate as the secondary Defense Center.

2. Select Operations > Configuration > High Availability.

The High Availability page appears.


3. Click the secondary Defense Center option.

The Secondary Defense Center Setup page appears.

4. Type the hostname or IP address of the primary Defense Center in the Primary DC Host text box.

WARNING! Make sure you use hostnames rather than IP addresses if your network uses DHCP to assign IP addresses.

You can leave the Primary DC Host field empty if the management host does not have a routable address. In that case, use both the Registration Key and the Unique NAT ID fields.

5. Type a one-time-use registration key in the Registration Key text box.

6. Optionally, in the Unique NAT ID field, type a unique alphanumeric registration ID that you want to use to identify the primary Defense Center. See Working in NAT Environments on page 112 for more information.

7. Click Register.

A success message appears, and the Peer Manager page appears, showing the current state of the secondary Defense Center.

8. Using an account with Admin access, log into the Defense Center that you want to designate as the primary.

9. Select Operations > Configuration > High Availability.

The High Availability page appears.

10. Click the primary Defense Center option.

The Primary Defense Center Setup page appears.

11. Type the hostname or IP address of the secondary Defense Center in the Secondary DC Host text box.

WARNING! Make sure you use hostnames rather than IP addresses if your network uses DHCP to assign IP addresses.


12. Type the same one-time-use registration key in the Registration Key text box you used in step 5.

13. If you used a unique NAT ID on the secondary Defense Center, type the same registration ID that you used in step 6 in the Unique NAT ID text box.

14. Click Register.

A success message appears, and the Peer Manager page appears, showing the current state of the primary Defense Center.

Depending upon the number of policies and custom standard text rules they have, it may take up to 10 minutes before all the rules and policies appear on both Defense Centers. You can view the High Availability page to check the status of the link between the two Defense Centers. You can also monitor the Task Status to see when the process completes. See Monitoring the High Availability Status on page 152.

Monitoring the High Availability Status

Requires: DC Once you have identified your primary and secondary Defense Centers, you can use one of them to view status information about the other, including:

• IP address

• product model

• operating system

• operating system version

• time the Defense Centers last synchronized

To check high availability status:

Access: Admin 1. Log into one of the Defense Centers that you linked using high availability.

2. Select Operations > Configuration > High Availability.

The High Availability page appears.


3. Under High Availability Status, you can view the following information about the other Defense Center in the high availability pair:

• the IP address

• the model name

• the software version

• the operating system

• the length of time since the last contact between the two Defense Centers

4. The two Defense Centers automatically synchronize within ten minutes (five minutes for each Defense Center) after any action that affects a shared feature. For example, if you create a new policy on one Defense Center, it is automatically shared with the other Defense Center within 5 minutes. However, if you want to synchronize the policy immediately, click Synchronize.

IMPORTANT! If you delete a sensor from a Defense Center configured in a high availability pair and intend to re-add it, Sourcefire recommends that you wait at least five minutes before adding the sensor back. This interval ensures that the high availability pair re-synchronizes first. If you do not wait five minutes, it may take more than one synchronization cycle to add the sensor to both Defense Centers.

5. Click Peer Manager in the toolbar.

The Peer Manager page appears.

You can view the following information:

• the IP address of the other Defense Center in the HA pair

• the status, registered or unregistered, of the communications link

• the state, enabled or disabled, of the HA pair

For information about editing the remote management communications between the two appliances, see Editing the Management Virtual Network on page 385.

Disabling High Availability and Unregistering Sensors

Requires: DC If you want to remove one of the Defense Centers from a high availability pair, you must first disable the high availability link between them.


To disable a high availability pair:

Access: Admin 1. Log into one of the Defense Centers in the HA pair.

2. Select Operations > Configuration > High Availability.

The High Availability page appears.

3. Select one of the following options from the Handle Registered Sensors drop-down list:

• To control all the managed sensors with the Defense Center where you are accessing this page, select Unregister sensors on the other peer.

• To control all the managed sensors with the other Defense Center, select Unregister sensors on this peer.

• To stop managing the sensors altogether, select Unregister sensors on both peers.

4. Click Disable HA.

After you answer the prompt Do you really want to Disable High Availability? by selecting OK, high availability is disabled and any managed sensors are deleted from the Defense Centers according to your selection.

You can enable high availability with a different Defense Center as described in Setting Up High Availability on page 150.

Pausing Communication between Paired Defense Centers

Requires: DC If you want to temporarily disable high availability, you can disable the communications channel between the Defense Centers.

To disable the communications channel for a high availability pair:

Access: Admin 1. Click Peer Manager.

The Peer Manager page appears.

2. Click Disable to disable the communications channel between the two Defense Centers.

For information about editing the remote management communications between the two appliances, see Editing the Management Virtual Network on page 385.

Restarting Communication between Paired Defense Centers

Requires: DC If you temporarily disabled high availability, you can enable the communications channel between the Defense Centers to restart high availability.


To enable the communications channel for a high availability pair:

Access: Admin 1. Click Peer Manager.

The Peer Manager page appears.

2. Click Enable to enable the communications channel between the two Defense Centers.

For information about editing the remote management communications between the two appliances, see Editing the Management Virtual Network on page 385.


Chapter 5

Using the Master Defense Center

The Sourcefire Master Defense Center is a key component in the Sourcefire 3D System. You can use the Master Defense Center to aggregate and analyze intrusion events, compliance events, and white list events from up to ten Defense Centers within your Sourcefire 3D System deployment.


You can use the Master Defense Center to build and dispatch global detection and intrusion policies. When you apply intrusion policies from a Master Defense Center, the Sourcefire 3D System checks the SEU on the managing Defense Center. If it finds an older SEU, it updates the managing Defense Center’s SEU. The Master Defense Center can also aggregate events related to the health of managed Defense Centers. In this way, you can view the current status of the Defense Centers across your enterprise from a web interface.

IMPORTANT! The Product Compatibility section of the release notes for each version describes which versions of the Defense Center you can manage with a Master Defense Center.

The following sections explain more about using a Master Defense Center in your Sourcefire 3D System deployment.

• Understanding Event Aggregation on page 157 explains which types of events you can send from your Defense Centers to your Master Defense Center.

• Understanding Global Policy Management on page 161 explains which policies you can send from your Master Defense Center to 3D Sensors and Defense Centers.

• Adding and Deleting Defense Centers on page 164 explains how to configure a Defense Center to communicate with a Master Defense Center.

• Editing Settings for a Managed Defense Center on page 175 explains how to change some of the settings for a Defense Center from the Master Defense Center’s web interface.

• Managing Appliance Groups on page 179 explains how to use appliance groups to aid in managing 3D Sensors and Defense Centers.

Understanding Event Aggregation

Requires: MDC A Master Defense Center can aggregate intrusion events and compliance events (including white list events) from up to ten Defense Centers. You can configure a Defense Center to send intrusion events based on their flag. You can also choose whether to include the packet data collected with the intrusion events.

The settings on the Filter Configuration page determine which events are forwarded from the Defense Center to the Master Defense Center. You can set up a different configuration for each Defense Center, although most deployments will use the same configuration across the enterprise.

See the following sections for more information:

• Aggregating Intrusion Events on page 158

• Aggregating Compliance Events on page 158

• Limitations on Event Aggregation on page 159


Aggregating Intrusion Events

Requires: MDC An intrusion event is generated by IPS when it analyzes network traffic and finds one or more packets that violate the currently applied intrusion policy. Packet decoders, preprocessors, and intrusion rules are all able to generate intrusion events.

When you use the Filter Configuration page to specify which events are forwarded to the Master Defense Center, you can choose one of the following options:

• Do Not Send - Intrusion events are not forwarded to the Master Defense Center.

• Events Only - The intrusion events specified in the Flags section are forwarded to the Master Defense Center; however, any packets captured for the event are not sent.

• Events and Packet Data - The intrusion events specified in the Flags section, along with any related packets, are forwarded to the Master Defense Center.

You can use the Flags section of the Filter Configuration page to forward only the intrusion events that are important to your analysis. For example, you may want to limit the intrusion events on the Master Defense Center to only those with the greatest impact, that is, the red impact flag. If your 3D Sensors are deployed inline and you are using intrusion rules set to Drop and Generate Events, you may also want to send intrusion events with the black inline result flag.

You can also use flag settings to reduce the number of intrusion events that are sent to the Master Defense Center in deployments where large numbers of intrusion events are being generated from your 3D Sensors. For example, you can greatly reduce the number of events sent from a Defense Center by excluding events with the blue or gray impact flags.

IMPORTANT! You must deploy both RNA and IPS on your network to generate intrusion events with meaningful impact flags. If you do not deploy 3D Sensors with RNA on your network, then intrusion events are limited to gray impact flags to indicate unknown impact.

Aggregating Compliance Events

Requires: MDC A compliance event is generated by a Defense Center when the conditions for a compliance rule in an active compliance policy are met. The conditions that can trigger a compliance rule include intrusion events, RNA events, flow data, and anomalous network traffic.


When you use the Filter Configuration page to specify which events are forwarded to the Master Defense Center, you can choose to send or not send compliance events. See the following sections for more information:

• Adding a Defense Center on page 168

• Editing the Event Filter Configuration on page 176

Limitations on Event Aggregation

Requires: MDC The Master Defense Center is a powerful tool for analyzing the potential malicious activity across your enterprise’s network. However, there are certain limitations that you should take into consideration when you design your Master Defense Center deployment. The Master Defense Center and Defense Center Functional Comparison table compares and contrasts Defense Center and Master Defense Center functional areas.

Master Defense Center and Defense Center Functional Comparison

Function: License provisions
Master Defense Center: provides product license
Defense Center: provides product license, and NetFlow, RNA and RUA feature licenses

Function: 3D Sensor configuration
Master Defense Center: allows you to configure detection engines
Defense Center: allows you to configure detection engines, interface sets, and network interfaces

Function: Analysis and reporting search
Master Defense Center: allows you to search for intrusion events, compliance events, white list events, SEU import log, audit log, and health events
Defense Center: allows you to search for intrusion events, RNA events, hosts, host attributes, services, client applications, flow data, vulnerabilities, compliance events, white list events, white list violations, remediation status, SEU import log, audit log, health events, scan results, users, and RUA events

Function: Network scans
Master Defense Center: does not provide Nessus and Nmap scans
Defense Center: provides Nessus and Nmap scans and results

Function: Global policies
Master Defense Center: allows you to build intrusion policies and to distribute them through connected Defense Centers to their managed 3D Sensors throughout the enterprise
Defense Center: policies are normally downloaded only to its managed 3D Sensors

Function: Event consolidation
Master Defense Center: allows for collection of events from up to ten Defense Centers
Defense Center: events are collected only from managed 3D Sensors

Data Generated by RNA

The Master Defense Center cannot aggregate RNA events or flow data generated by RNA and forwarded to a Defense Center. In addition, the Master Defense Center does not build a network map or host data for the hosts on your network. However, because you can forward compliance events and white list events from your managed Defense Centers to your Master Defense Center, you can gain insight into RNA-detected activity across your enterprise. To take advantage of this, on your Defense Centers you need to build compliance rules and policies that are triggered by the RNA events that interest you and forward the resulting compliance events to the Master Defense Center.

Event Rate

The event rate limit for the Master Defense Center is the same as the rate limit on Defense Centers. This means that if your Defense Centers are accepting events from their 3D Sensors up to the rate limit, you must adjust the event filter on the Master Defense Center so that only the most important events are forwarded from the Defense Centers. For example, in cases where the intrusion event rate is high, you might want to adjust the filter to send only intrusion events with red impact flags. You can also limit the amount of data transferred between a Defense Center and its Master Defense Center by sending only intrusion event data, and not sending the packet data.

Intrusion Agents

Intrusion events generated by intrusion agents are not forwarded to the Master Defense Center.

Understanding Global Policy Management

Requires: MDC You can use the Master Defense Center to generate global intrusion policies and coordinate them with potential vulnerabilities detected by RNA policies. Global intrusion policies are beneficial in rapid response scenarios and during enterprise-wide intrusion policy updates. The Master Defense Center sends the policy through a Defense Center to a 3D Sensor’s detection engine. Policies generated by the Master Defense Center are not accessible on an intermediate Defense Center; however, if a newer SEU resides on the Master Defense Center than on a Defense Center in the path, then the downstream SEU is updated. This ensures that global intrusion policies use the latest SEU.

RNA compares the data it collects and analyzes with its vulnerability database to determine the potential vulnerabilities on the detected host. You can build, apply, edit, delete, and export RNA policies on a Master Defense Center. Existing RNA policies are available for viewing so that you can determine:

• RNA policy name and description

• Detection policy settings such as update interval, whether banners and HTTP URLs are captured, whether client applications are being detected, and so on.

• Which networks and ports are monitored by the RNA policy

• If NetFlow is used to generate host information, which networks and NetFlow-enabled devices are monitored by NetFlow.

For information on creating and applying as well as deleting RNA policies, see What is an RNA Detection Policy? in the Analyst Guide.

You can also import and export compliance policies and rules, custom service decoders, as well as intrusion, system, and health policies. For information on import and export functions, see Importing and Exporting Objects on page 583.

Managing Global Intrusion Policies

Requires: MDC Refer to the following sections for information about managing intrusion policies:

• Creating an Intrusion Policy in the Analyst Guide explains how to create an intrusion policy.

• Editing an Intrusion Policy in the Analyst Guide explains how to modify existing intrusion policies.

• Applying an Intrusion Policy in the Analyst Guide explains how to apply a new or updated intrusion policy to the appropriate IPS detection engines.

• Defining IP Addresses and Ports for Your Network in the Analyst Guide provides the syntax used to specify IP addresses and port numbers within the variables and rules in your policy.

• Managing Variables in the Analyst Guide explains how to create and manage variables that you can use within intrusion policies.


• Managing Intrusion Rules in the Analyst Guide explains how to enable and disable intrusion rules within an intrusion policy. This section also explains how to configure rules in inline intrusion policies so that they drop malicious packets.

• Importing SEUs and Rule Files in the Analyst Guide explains how to download and import Security Enhancement Updates (SEUs) that contain new intrusion rules. Note that SEUs can also contain new and updated decoders and preprocessors.

Using RNA Detection Policies on a Master Defense Center

Requires: MDC You can create, edit, delete, export, and apply RNA detection policies from a Master Defense Center. For information on the following RNA detection policy functions, refer to these sections:

• Creating RNA Detection Policies in the Analyst Guide

• Applying an RNA Detection Policy in the Analyst Guide

• Editing an RNA Detection Policy in the Analyst Guide

• Deleting an RNA Detection Policy in the Analyst Guide

Using Health Policies on a Master Defense Center

Requires: MDC You can edit, delete, and apply default health policies to the Master Defense Center and to connected Defense Centers. For information about health policies, see the following:

• Understanding Health Monitoring on page 483

• Configuring Health Policies on page 489

• Using the Health Monitor Blacklist on page 534

• Configuring Health Monitor Alerts on page 539

• Using the Health Monitor on page 545

• Using Appliance Health Monitors on page 547

• Working with Health Events on page 555

See Health Policies on page 164 to distinguish the health policy modules that are useful on a Master Defense Center or Defense Center from those that are not, and for brief descriptions of those modules that are used.

Using System Policies on a Master Defense Center

Requires: MDC System policies allow you to manage the following functions on your Defense Centers or Master Defense Center:

• access configuration

• authentication profiles (Defense Center only)


• database limits

• DNS cache settings

• the mail relay host and a notification address for database prune messages

• language selection (English or Japanese)

• login banner

• the kinds and amount of RNA data stored in the database (Defense Center only)

• time synchronization settings

See Managing System Policies on page 320 for information about system policy usage.

Master Defense Center Policy Management Limitations

Requires: MDC There are several types of policies, including detection and prevention, RNA detection, RUA detection, and health policies. The Defense Center and Master Defense Center do not handle these policies in the same manner.

Detection and Prevention Policies

You can create, edit, delete, export, and apply intrusion detection and prevention policies from a Master Defense Center. The Sourcefire 3D System bases intrusion policies on SEUs residing on the appliance where the policy is built. When you apply an intrusion policy to a 3D Sensor’s detection engines from a Master Defense Center, the Sourcefire 3D System checks for any older SEUs on the Defense Center(s) managing those detection engines. If it finds SEUs older than those on the Master Defense Center, they are updated. Therefore, a warning message with a check box appears. After you acknowledge the message by clicking its check box, the Apply button activates.

You can apply one or more custom intrusion policies filtered to monitor VLAN or subnetwork traffic on the network monitored by the detection engine where you apply the policy.

TIP! Before applying a filtered policy, you must apply a non-filtered policy to the detection engine from the same Defense Center or Master Defense Center. You cannot apply a non-filtered policy from a Defense Center then add filters to it from a managing Master Defense Center.

RNA Detection Policies

RNA analysis and reporting functions such as using the network map, listing RNA hosts and events, and listing client applications and vulnerabilities are performed on Defense Centers and not on Master Defense Centers. However, if your deployment includes RNA, you can view host profiles from event views by clicking the host profile icon next to an IP address.

RUA Detection Policies

There are currently no Real-Time User Awareness functions on a Master Defense Center. RUA functions are available only on properly licensed Defense Centers.

Health Policies

The Master Defense Center monitors its health and the health of connected Defense Centers. Master Defense Centers apply health policies only to Master Defense Centers and Defense Centers. The Default 3D Sensor, Default IPS, Default IPS (3Dx800 only), and Default RNA health policies are not used on the Master Defense Center.

Currently, only the generic Default Health Policy is available for editing and application to appliances. For a listing of the health policy modules that apply to Defense Centers, see the Enabled Defense Center Health Modules - Default Health Policy table on page 493. For a listing of the health policy modules that apply to Master Defense Centers, see the Enabled MDC Health Modules - Default Health Policy table on page 494. Policies that are not applicable are implicitly disabled when there is an attempt to apply them to a Defense Center or a Master Defense Center. For details about editing appropriate health policies, see Editing Health Policies on page 530.

System Policies

System policies are applied only to Master Defense Centers and Defense Centers from a Master Defense Center.

Adding and Deleting Defense Centers

Requires: MDC + DC When you manage a Defense Center with your Master Defense Center, you set up a two-way, SSL-encrypted communication channel between the appliances. The Defense Center uses this channel to send events to the Master Defense Center. As the Defense Center receives events from its sensors, it evaluates which events, based on filter configuration, it should send to the Master Defense Center using the same channel.

• Adding a Defense Center on page 168

• Deleting a Defense Center on page 171

• Resetting Management of a Defense Center on page 171


Adding a Master Defense Center

Requires: MDC + DC

You can add a Master Defense Center connection to your Defense Center; however, before you do, you must make sure that the network settings are configured correctly on both appliances. This is usually completed as part of the installation process, but see Configuring Network Settings on page 377 for details.

TIP! To add an existing high availability pair of Defense Centers to a Master Defense Center, add the primary Defense Center and the secondary Defense Center is automatically added.

Three fields are provided for setting up communications between appliances:

• Management Host or Host - for the hostname or IP address.

• Registration Key - for the one-time use registration key.

• Unique NAT ID (optional) - for a unique alphanumeric ID. See Working in NAT Environments on page 112 for more information.

TIP! Set up the managed appliance first. At the Defense Center, add the remote manager; then, at the managing Master Defense Center, add the Defense Center.

Valid combinations include:

• Management Host or Host and Registration Key used on both appliances

• Registration Key and Unique NAT ID used on the Defense Center with Host, Registration Key, and Unique NAT ID used on the Master Defense Center

• Management Host, Registration Key, and Unique NAT ID used on the Defense Center with Registration Key and Unique NAT ID used on the Master Defense Center

IMPORTANT! The Management Host or Host field (hostname or IP address) must be used on at least one of the appliances.

To add a Master Defense Center, you need to determine which events on the Defense Center you want to forward to the Master Defense Center.

To add a Master Defense Center to a Defense Center:

Access: Admin

1. Log into the web interface of the Defense Center you want to add.

2. Select Operations > System Settings.

The Information page appears.

Page 166: Sourcefire 3D System Administrator Guide v4.9.1


3. Click Remote Management.

The Remote Management page appears.

4. Click Add Manager.

The Add Remote Management page appears.

5. In the Management Host field, type the IP address or the host name of the Master Defense Center that you want to use to manage the Defense Center.

WARNING! Make sure you use hostnames rather than IP addresses if your network uses DHCP to assign IP addresses.

You can leave the Management Host field empty if the management host does not have a routable address. In that case, use both the Registration Key and the Unique NAT ID fields.

6. In the Registration Key field, type the one-time use registration key that you want to use to set up a communications channel between the Master Defense Center and the Defense Center.

7. Optionally, in the Unique NAT ID field, type a unique alphanumeric NAT ID that you want to use to identify the Defense Center.

8. Click Save.

After the Defense Center confirms communication with the Master Defense Center, the Pending Registration status appears.

9. Log into the Master Defense Center’s web interface using a user account with Admin access, and select Operations > Appliances.

The Defense Centers page appears.

Page 167: Sourcefire 3D System Administrator Guide v4.9.1


10. Click New Defense Center.

The New Defense Center page appears.

11. Type the IP address or the hostname of the Defense Center you want to add in the Host field.

WARNING! Make sure you use hostnames rather than IP addresses if your network uses DHCP to assign IP addresses.

You can leave the Host field empty if the host does not have a routable address. In that case, use both the Registration Key and the Unique NAT ID fields.

12. In the Registration Key field, type the same one-time use registration key that you used in step 6.

13. If you used a unique NAT ID in step 7, type the same value in the Unique NAT ID (optional) field.

14. Under Filter Configuration, identify the types of events you want to forward from the Defense Center to the Master Defense Center.

Note that if you select intrusion events, you can send events or events and packet data. You can also filter which intrusion events are forwarded based on their impact flag. If you choose to send compliance events to the Master Defense Center, white list events are also sent. See Editing the Event Filter Configuration on page 176 for more information.

IMPORTANT! You must select at least one type of flag if you want to send intrusion events.

Page 168: Sourcefire 3D System Administrator Guide v4.9.1


15. Click Add.

The Defense Center is added to the Master Defense Center. It can take up to two minutes for the Defense Center to establish communication with the Master Defense Center. You can view the status on the Defense Centers page (Operations > Appliances).

16. After communications between the two appliances are established, continue with the procedure in Adding a Defense Center.

Adding a Defense Center

Requires: MDC + DC

Before you add a Defense Center to a Master Defense Center, you must make sure that the network settings are configured correctly on both appliances. This is usually completed as part of the installation process. For more information, see Configuring Network Settings on page 377.

IMPORTANT! If you registered a Master Defense Center and Defense Center using IPv4 and want to convert them to IPv6, you must delete and re-register the Defense Center.

Three fields are provided for setting up communications between appliances:

• Management Host or Host - for the hostname or IP address.

• Registration Key - one-time use registration key

• Unique NAT ID (optional) - for a unique alphanumeric ID. See Working in NAT Environments on page 112 for more information.

TIP! Set up the managed appliance first. At the Defense Center, add the remote manager; then, at the managing Master Defense Center, add the Defense Center.

Valid combinations include:

• Management Host or Host and Registration Key used on both appliances

• Registration Key and Unique NAT ID used on the Defense Center with Host, Registration Key, and Unique NAT ID used on the Master Defense Center

• Management Host, Registration Key, and Unique NAT ID used on the Defense Center with Registration Key and Unique NAT ID used on the Master Defense Center

IMPORTANT! The Management Host or Host field (hostname or IP address) must be used on at least one of the appliances.
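The valid combinations listed here (and the identical list under Adding a Master Defense Center above) reduce to a few rules: the registration key is entered on both appliances and must match, the hostname or IP address is entered on at least one appliance, and whenever a host field is left blank the Unique NAT ID is entered on both appliances and must match. The following Python is an added example, not code from this guide or from the Sourcefire appliances; it checks a pair of field sets against those rules before you type them into the two web interfaces. The class and function names, the sample hostnames and the key and NAT ID values are assumptions constructed for illustration, and the reading of the three listed combinations as instances of the rules above is the editor's.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RemoteManagementFields:
    """The three fields offered on the Remote Management page (Defense
    Center) and the New Defense Center page (Master Defense Center).
    None or an empty string means the field was left blank."""
    host: Optional[str] = None              # Management Host / Host
    registration_key: Optional[str] = None  # one-time use registration key
    nat_id: Optional[str] = None            # Unique NAT ID (optional)


def validate_registration(dc: RemoteManagementFields,
                          mdc: RemoteManagementFields) -> List[str]:
    """Check the values typed on the Defense Center (dc) and on the Master
    Defense Center (mdc) against the guide's valid combinations. Returns a
    list of problems; an empty list means the pair is acceptable."""
    problems: List[str] = []

    # Every valid combination carries the registration key on both sides,
    # and the Master Defense Center must be given the same one-time key.
    if not dc.registration_key or not mdc.registration_key:
        problems.append("Registration Key must be entered on both appliances")
    elif dc.registration_key != mdc.registration_key:
        problems.append("Registration Key differs between the two appliances")

    # The hostname or IP address must be entered on at least one appliance.
    if not dc.host and not mdc.host:
        problems.append("Management Host or Host must be set on at least one appliance")

    # When one side has no routable address and its host field is blank,
    # both sides must carry the Unique NAT ID so they can still pair up.
    if not dc.host or not mdc.host:
        if not dc.nat_id or not mdc.nat_id:
            problems.append("Unique NAT ID is required on both appliances "
                            "when a host field is left empty")

    # A NAT ID typed on both sides must be the same value on both.
    if dc.nat_id and mdc.nat_id and dc.nat_id != mdc.nat_id:
        problems.append("Unique NAT ID differs between the two appliances")

    return problems


def is_valid_registration(dc: RemoteManagementFields,
                          mdc: RemoteManagementFields) -> bool:
    return not validate_registration(dc, mdc)


if __name__ == "__main__":
    # Constructed sample: the Defense Center sits behind NAT, so its
    # Management Host field is empty and both sides use a NAT ID
    # (the second combination in the guide's list).
    dc_side = RemoteManagementFields(host=None,
                                     registration_key="REG-KEY-example",
                                     nat_id="dc-branch-01")
    mdc_side = RemoteManagementFields(host="dc-branch-01.example.test",
                                      registration_key="REG-KEY-example",
                                      nat_id="dc-branch-01")
    for problem in validate_registration(dc_side, mdc_side):
        print("problem:", problem)
    print("valid" if is_valid_registration(dc_side, mdc_side) else "invalid")
```

Running the script with the constructed sample prints "valid"; blanking the NAT ID on either side reports the missing Unique NAT ID, and blanking both host fields reports the missing host, which are exactly the two mistakes the IMPORTANT notes above warn about.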

Page 169: Sourcefire 3D System Administrator Guide v4.9.1


To add a Defense Center, you need to decide in advance which events on the Defense Center you want to forward to the Master Defense Center.

To add a Defense Center to a Master Defense Center:

Access: Admin

1. Using a user account with Admin access, log into the web interface of the Defense Center you want to add.

2. Select Operations > System Settings.

The Information page appears.

3. Click Remote Management.

The Remote Management page appears.

4. Click Add Manager.

The Add Remote Management page appears.

5. In the Management Host field, type the IP address or the host name of the Master Defense Center that you want to use to manage the Defense Center.

WARNING! Make sure you use hostnames rather than IP addresses if your network uses DHCP to assign IP addresses.

TIP! You can leave the Management Host field empty if the management host does not have a routable address. In that case, use both the Registration Key and the Unique NAT ID fields.

6. In the Registration Key field, type the one-time use registration key that you want to use to set up a communications channel between the Master Defense Center and the Defense Center.

7. Optionally, in the Unique NAT ID field, type a unique alphanumeric NAT ID that you want to use to identify the Defense Center.

8. Click Save.

After the Defense Center confirms communication with the Master Defense Center, the Pending Registration status appears.

Page 170: Sourcefire 3D System Administrator Guide v4.9.1


9. Log into the Master Defense Center’s web interface using a user account with Admin access, and select Operations > Appliances.

The Defense Centers page appears.

10. Click New Defense Center.

The New Defense Center page appears.

11. Type the IP address or the hostname of the Defense Center you want to add in the Host field.

WARNING! Make sure you use hostnames rather than IP addresses if your network uses DHCP to assign IP addresses.

12. In the Registration Key field, type the same one-time use registration key that you used in step 6.

13. If you used a NAT ID in step 7, type the same value in the Unique NAT ID (optional) field.

14. Under Filter Configuration, identify the types of events you want to forward from the Defense Center to the Master Defense Center.

Note that if you select intrusion events, you can send events or events and packet data. You can also filter which intrusion events are forwarded based on their impact flag. If you choose to send compliance events to the Master Defense Center, white list events are also sent. See Editing the Event Filter Configuration on page 176 for more information.

IMPORTANT! You must select at least one type of flag if you want to send intrusion events.

Page 171: Sourcefire 3D System Administrator Guide v4.9.1


15. Click Add.

The Defense Center is added to the Master Defense Center. It can take up to two minutes for the Defense Center to establish communication with the Master Defense Center. You can view the status on the Defense Centers page (Operations > Appliances).

Deleting a Defense Center

Requires: MDC + DC

If you no longer want to manage a Defense Center, you can delete it from the Master Defense Center. Deleting a Defense Center severs all communication between the Defense Center and the Master Defense Center. To manage the Defense Center again at a later date, you must re-add it to the Master Defense Center. To keep the Defense Center from trying to reconnect to the Master Defense Center, you should also delete the manager on the Defense Center.

To delete a Defense Center from the Master Defense Center:

Access: Admin

1. Log into the Master Defense Center web interface, and select Operations > Appliances.

The Defense Centers page appears.

2. Click Delete next to the Defense Center you want to delete.

Communication between the Master Defense Center and the Defense Center is discontinued and the Defense Center is deleted from the Defense Centers page.

3. Log into the web interface of the Defense Center you want to delete.

4. Select Operations > System Settings.

The Information page appears.

5. Click Remote Management.

The Remote Management page appears.

6. Click Delete next to the Master Defense Center that was managing the Defense Center.

The manager is removed.

Resetting Management of a Defense Center

Requires: MDC + DC

If communications fail between the Master Defense Center and one of your Defense Centers, you can reset management of the Defense Center. If you want to manage a Defense Center with a different Master Defense Center, you must also reset management before adding the Defense Center to another Master Defense Center. To do this, you must first delete the manager on the Defense Center and delete the Defense Center on the Master Defense Center. You can then re-add the Master Defense Center on the Defense Center and then add the Defense Center to a Master Defense Center.

Page 172: Sourcefire 3D System Administrator Guide v4.9.1


To reset management from a Master Defense Center:

Access: Admin

1. Log into the web interface of the Master Defense Center where you want to reset communications.

2. Select Operations > Appliances.

The Defense Centers page appears.

3. Click Delete next to the Defense Center you want to delete.

Communication between the Defense Center and the Master Defense Center is discontinued and the Defense Center is deleted from the Defense Centers page.

To delete management on the Defense Center:

Access: Admin

1. Log into the web interface of the Defense Center where you want to reset communications.

2. Select Operations > System Settings.

The Information page appears.

3. Click Remote Management.

The Remote Management page appears.

4. Click Delete next to the Master Defense Center where you want to reset management.

The manager is removed.

To re-add the Defense Center to the Master Defense Center:

Access: Admin

1. Log into the web interface of the Defense Center where you want to reset communications and click Add Manager.

The Remote Management page appears.

2. In the Management Host field, type the IP address or the host name of the Master Defense Center that you want to use to manage the Defense Center.

WARNING! Make sure you use hostnames rather than IP addresses if your network uses DHCP to assign IP addresses.

TIP! You can leave the Management Host field empty if the management host does not have a routable address. In that case, use both the Registration Key and the Unique NAT ID fields.

Page 173: Sourcefire 3D System Administrator Guide v4.9.1


3. In the Registration Key field, type the one-time use registration key that you want to use to set up a communications channel between the Defense Center and the Master Defense Center.

4. Optionally, in the Unique NAT ID field, type a unique alphanumeric NAT ID that you want to use to identify the Defense Center. See Working in NAT Environments on page 112 for more information.

5. Click Save.

After the Defense Center confirms communication with the Master Defense Center, the Pending Registration status appears.

6. Log into the Master Defense Center’s web interface and select Operations > Appliances.

The Defense Centers page appears.

7. Click New Defense Center.

The Add New Defense Center page appears.

8. Type the IP address or the hostname of the Defense Center you want to add in the Host field.

WARNING! Make sure you use hostnames rather than IP addresses if your network uses DHCP to assign IP addresses.

9. In the Registration Key field, type the same one-time use registration key that you used in step 3.

10. If you used an alphanumeric NAT ID in step 4, type the same value in the Unique NAT ID (optional) field.

11. To add the Defense Center to a group, select the group from the Add to Group list.

For more information about Defense Center groups, see Managing Appliance Groups on page 179.

12. Click Add.

The Defense Center is added to the Master Defense Center. It can take up to two minutes for the Master Defense Center to verify communication with the Defense Center. You can view the Defense Center’s status on the Defense Centers page (Operations > Appliances).

Using the Appliances Page

Requires: MDC + DC

The Appliances page (Operations > Appliances) provides you with a range of information and options that you can use to manage your Defense Centers. The following sections describe the features on the Appliances page.

Page 174: Sourcefire 3D System Administrator Guide v4.9.1


Sort-by Drop-Down List

Use this drop-down list to sort the Appliances page according to your needs. You can sort by:

• Group, which sorts by Appliance group (see Managing Appliance Groups on page 179)

TIP! High availability Defense Center pairs are automatically listed as an appliance group. An HA pair is listed as a group named with the name of the active Defense Center.

• Manager, which sorts by the Defense Center then the 3D Sensor connected to it.

• Model, which sorts by appliance model number, that is, Defense Center 1000, Defense Center 3000, 3D Sensor 2100, and so on.

Status Icons

The status icons indicate the state of a Defense Center. The green check mark icon indicates that the Master Defense Center and the Defense Center are communicating properly. The red exclamation point icon indicates that the Master Defense Center has not received communications from the Defense Center in the last three minutes. If you hover your cursor over the icon, a pop-up window indicates the amount of time (in hours, minutes, and seconds) since the last contact. If the Master Defense Center has not received a communication from a Defense Center within the last two minutes, it sends a two-byte heartbeat packet to establish contact and ensure that the communications channel is still running. If your network is constrained in bandwidth, you can contact technical support to change the default time interval.
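The two thresholds just described, a heartbeat after two minutes of silence and the red exclamation icon after three minutes without contact, are the values to watch when you monitor the management channel from outside the web interface, for example from a polling job that records last-contact times. The following Python is an added example, not code from this guide or from the appliance; it applies those thresholds to recorded last-contact times and renders the elapsed time the way the pop-up does. The function names, the "green"/"red" labels, the sample Defense Center names and timestamps are constructed assumptions, and treating exactly two or three minutes as reaching the threshold is also an assumption, since the guide does not state the boundary.

```python
from datetime import datetime, timedelta
from typing import Dict, Tuple

# Thresholds as described for the Defense Centers page: a heartbeat is sent
# after two minutes of silence; the icon turns red after three minutes.
HEARTBEAT_AFTER = timedelta(minutes=2)
ALERT_AFTER = timedelta(minutes=3)


def format_elapsed(elapsed: timedelta) -> str:
    """Render a duration as hours, minutes and seconds, like the pop-up."""
    total = max(0, int(elapsed.total_seconds()))
    hours, rest = divmod(total, 3600)
    minutes, seconds = divmod(rest, 60)
    return f"{hours}h {minutes}m {seconds}s"


def channel_status(last_contact: datetime, now: datetime) -> Tuple[str, bool, str]:
    """Return (icon, heartbeat_due, elapsed_text) for one Defense Center.

    icon is "green" (communicating properly) or "red" (no contact in the
    last three minutes); heartbeat_due is True once two minutes have passed
    without contact, which is when the Master Defense Center probes the
    channel with its two-byte heartbeat."""
    elapsed = now - last_contact
    icon = "red" if elapsed >= ALERT_AFTER else "green"
    heartbeat_due = elapsed >= HEARTBEAT_AFTER
    return icon, heartbeat_due, format_elapsed(elapsed)


def status_after_seconds(seconds_since_contact: int) -> Tuple[str, bool, str]:
    """Convenience wrapper: evaluate a single elapsed interval in seconds."""
    reference = datetime(2024, 1, 1, 12, 0, 0)   # any fixed instant will do
    return channel_status(reference - timedelta(seconds=seconds_since_contact),
                          reference)


def review_channels(last_contacts: Dict[str, datetime],
                    now: datetime) -> Dict[str, Tuple[str, bool, str]]:
    """Evaluate every managed Defense Center at once, e.g. from a poller."""
    return {name: channel_status(seen, now) for name, seen in last_contacts.items()}


if __name__ == "__main__":
    # Constructed sample: three Defense Centers with different last-contact times.
    now = datetime(2024, 1, 1, 12, 0, 0)
    seen = {
        "dc-hq": now - timedelta(seconds=30),
        "dc-branch-01": now - timedelta(minutes=2, seconds=10),
        "dc-branch-02": now - timedelta(hours=1, minutes=4, seconds=5),
    }
    for name, (icon, heartbeat_due, since) in review_channels(seen, now).items():
        print(f"{name}: {icon}, heartbeat due: {heartbeat_due}, last contact {since} ago")
```

In the constructed sample, dc-hq is green with no heartbeat due, dc-branch-01 is still green but a heartbeat is due, and dc-branch-02 has been red for over an hour; a poller that alerts on the third case gives the same signal as the red icon, without someone having to hover over it.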

Edit and Delete Icons

Click the Edit icon next to a Defense Center if you want to change the Defense Center’s current system settings. The system settings include the filter configuration for the Defense Center, the remote management configuration, the health blacklist settings, and the high availability settings. See Editing Settings for a Managed Defense Center on page 175 for more information.

Click the Delete icon next to a Defense Center if you no longer want to manage the Defense Center with the Master Defense Center. See Deleting a Defense Center on page 171 for more information.

Page 175: Sourcefire 3D System Administrator Guide v4.9.1


Editing Settings for a Managed Defense Center

Requires: MDC + DC

After you configure management of a Defense Center by a Master Defense Center, you can use the Master Defense Center web interface to view and edit the configuration of the Defense Center. See the following sections for more information.

• Viewing the Defense Center Information Page on page 175

• Editing the Event Filter Configuration on page 176

• Editing or Disabling Remote Management Communications on page 178

• Managing the Health Blacklist on page 178

• Managing High Availability Defense Centers on page 178

Viewing the Defense Center Information Page

Requires: MDC + DC

To access the system settings information page for a managed Defense Center, select Appliances from the Operations menu, then click Edit next to the Defense Center. The Information page for a managed Defense Center includes the fields described in the Defense Center Information table.

Defense Center Information

Field - Description

Name - The assigned name for the Defense Center. Note that this is the name of the Defense Center in the Master Defense Center web interface, not the hostname.

Product Model - The model name for the managed Defense Center.

Software Version - The version of the software currently installed on the managed Defense Center.

Operating System - The operating system currently running on the managed Defense Center.

Operating System Version - The version of the operating system currently running on the managed Defense Center.

VDB Version - The Vulnerability Database version on the managed Defense Center.

IP Address - The IP address of the managed Defense Center.

Status - An icon showing the current status of the managed Defense Center. If you hover your cursor over the icon, a pop-up message indicates how long it has been (in hours, minutes, and seconds) since the Defense Center communicated with the Master Defense Center. You can click Refresh to update the Status icon and its accompanying pop-up message.

Model Number - The model number for the Defense Center. This number can be important for troubleshooting.

Current Group - The group that the Defense Center belongs to, if any.

Page 176: Sourcefire 3D System Administrator Guide v4.9.1

To edit a managed Defense Center’s settings:

Access: Admin

1. Change the Defense Center’s attributes as needed.

You can edit the following:

• the name of the Defense Center

• the group in which the Defense Center resides

WARNING! The name must be made up of a combination of alphanumeric characters and should not be made up of numeric characters only.

2. Click Save.

The updated Defense Center attributes are saved.

Editing the Event Filter Configuration

Requires: MDC

The settings on the Filter Configuration page control which events are sent from the Defense Center to the Master Defense Center that manages it. Your options are to send intrusion events, intrusion events and related packet data, and compliance events.

If you want to send intrusion events (with or without packet data), you can also specify which intrusion events are sent based on their impact flag. See the Impact Flags table in the Analyst Guide for an explanation of what each impact flag means. Note that you must deploy both RNA and IPS as part of your Sourcefire 3D System deployment to generate meaningful impact flags.

Page 177: Sourcefire 3D System Administrator Guide v4.9.1

TIP! If you set up the 3D Sensor so it does not send packet data to the intermediate Defense Center, then packet data is not forwarded to the Master Defense Center.

To modify the event filter configuration:

Access: Admin

1. On the Master Defense Center’s web interface, select Operations > Appliances.

The Appliances page appears.

2. Next to the Defense Center whose filter configuration you want to change, click Edit.

The Filter Configuration page appears.

3. In the Intrusion Events area, use the drop-down list to indicate whether you want to forward intrusion events to the Master Defense Center. The options are Do Not Send, Events Only, and Events and Packet Data.

4. If you indicated that you want to send intrusion events, then you must specify which events you want to send based on their impact flag. The Flags options are:

• All

• Black (or Drop)

• Red (or Vulnerable)

• Orange (or Potentially Vulnerable)

• Yellow (or Currently Not Vulnerable)

• Blue (or Unknown Target)

• Gray (or Unknown)

TIP! If you select All, then all the options are immediately selected. If you want to send intrusion events to the Master Defense Center, then you must select at least one impact flag option.

Page 178: Sourcefire 3D System Administrator Guide v4.9.1


5. In the Compliance Events area, use the drop-down list to indicate whether you want to forward compliance events to the Master Defense Center. The options are Do Not Send and Send.

6. Click Save.

Your settings are saved and the Defense Center begins forwarding the events you specified to the Master Defense Center that manages it.
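The forwarding rules in this section can be stated precisely: the Intrusion Events choice (Do Not Send, Events Only, Events and Packet Data), the impact flag selection in which All selects every flag and at least one flag is required to send intrusion events, the Compliance Events choice under which white list events travel with compliance events, and the TIP that packet data is never forwarded if the 3D Sensor did not send it to the Defense Center in the first place. The following Python models those rules together so that a filter configuration can be sanity-checked, and its effect on a batch of events predicted, before it is saved. It is an added example, not code from this guide or from the Defense Center; the class, function and event field names, the forwarded record layout and the sample events (with placeholder packet bytes) are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Choices offered on the Filter Configuration page.
INTRUSION_MODES = ("Do Not Send", "Events Only", "Events and Packet Data")
COMPLIANCE_MODES = ("Do Not Send", "Send")
IMPACT_FLAGS = frozenset({"Black", "Red", "Orange", "Yellow", "Blue", "Gray"})


@dataclass
class FilterConfiguration:
    intrusion: str = "Do Not Send"
    flags: Set[str] = field(default_factory=set)   # impact flags; "All" selects every flag
    compliance: str = "Do Not Send"


@dataclass
class Event:
    kind: str                              # "intrusion", "compliance" or "white_list"
    impact_flag: Optional[str] = None      # intrusion events only
    packet_data: Optional[bytes] = None    # None when the 3D Sensor did not send it


def selected_flags(cfg: FilterConfiguration) -> Set[str]:
    """Expand the All option as the page does: every flag becomes selected."""
    return set(IMPACT_FLAGS) if "All" in cfg.flags else set(cfg.flags)


def validate_filter(cfg: FilterConfiguration) -> List[str]:
    """Return the reasons this configuration should not be saved."""
    problems: List[str] = []
    if cfg.intrusion not in INTRUSION_MODES:
        problems.append(f"unknown intrusion option {cfg.intrusion!r}")
    if cfg.compliance not in COMPLIANCE_MODES:
        problems.append(f"unknown compliance option {cfg.compliance!r}")
    unknown = cfg.flags - IMPACT_FLAGS - {"All"}
    if unknown:
        problems.append(f"unknown impact flag(s): {sorted(unknown)}")
    # IMPORTANT in the guide: sending intrusion events needs at least one flag.
    if cfg.intrusion != "Do Not Send" and not selected_flags(cfg):
        problems.append("select at least one impact flag to send intrusion events")
    return problems


def forward(cfg: FilterConfiguration, event: Event) -> Optional[Dict[str, object]]:
    """Return the record the Defense Center forwards to its Master Defense
    Center for this event, or None when the filter drops it."""
    if event.kind == "intrusion":
        if cfg.intrusion == "Do Not Send":
            return None
        if event.impact_flag not in selected_flags(cfg):
            return None
        record: Dict[str, object] = {"kind": "intrusion",
                                     "impact_flag": event.impact_flag}
        # Packet data rides along only if requested AND the sensor supplied it.
        if cfg.intrusion == "Events and Packet Data" and event.packet_data is not None:
            record["packet_data"] = event.packet_data
        return record
    if event.kind in ("compliance", "white_list"):
        # Choosing to send compliance events also sends white list events.
        return {"kind": event.kind} if cfg.compliance == "Send" else None
    return None


def forward_batch(cfg: FilterConfiguration, events: List[Event]) -> List[Dict[str, object]]:
    forwarded: List[Dict[str, object]] = []
    for event in events:
        record = forward(cfg, event)
        if record is not None:
            forwarded.append(record)
    return forwarded


if __name__ == "__main__":
    cfg = FilterConfiguration(intrusion="Events and Packet Data",
                              flags={"Red", "Orange"}, compliance="Send")
    # Constructed sample events; the packet bytes are placeholders, not captures.
    sample = [
        Event("intrusion", "Red", b"\x45\x00\x00\x3c"),
        Event("intrusion", "Red", None),      # sensor configured not to send packets
        Event("intrusion", "Yellow", b"\x45\x00\x00\x28"),
        Event("compliance"),
        Event("white_list"),
    ]
    for problem in validate_filter(cfg):
        print("problem:", problem)
    for record in forward_batch(cfg, sample):
        print(record)
```

With the constructed configuration, the Yellow event is dropped, the Red event without packet data is forwarded as an event only, and the compliance and white list events both go through; switching the configuration to Events Only with no flags makes validate_filter report the same condition the IMPORTANT note in step 14 describes.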

Editing or Disabling Remote Management Communications

Requires: MDC + DC

You can manage communications between a managed Defense Center and its Master Defense Center using the Master Defense Center’s web interface. For example, if a Defense Center is no longer responding, you can temporarily disable communications between the Defense Center and its Master Defense Center.

IMPORTANT! Master Defense Centers do not currently use a Management Virtual Network. You cannot edit the Management Virtual Network field of a Master Defense Center. The field is filled with 0.0.0.0/24 to indicate that the Management Virtual Network is disabled on a Master Defense Center.

To disable communications between the Defense Center and the Master Defense Center:

Access: Admin

Click Disable next to the name of the Defense Center. Communications between the two appliances are interrupted.

To enable communications between the two appliances again, click Enable.

For more information about editing the Management Virtual Network, see Editing the Management Virtual Network on page 385.

Managing the Health Blacklist

Requires: MDC + DC

You can blacklist individual health policy modules on Defense Centers. You may want to do this to prevent events from the module from changing the status for the appliance to warning or critical.

For information on using the blacklisting function, see Using the Health Monitor Blacklist on page 534.

Managing High Availability Defense Centers

Requires: MDC + DC

You can configure, monitor, disable, pause, and restart Defense Center High Availability from a Defense Center. See the following sections for more information:

• Using Redundant Defense Centers on page 112

• Setting Up High Availability on page 150

Page 179: Sourcefire 3D System Administrator Guide v4.9.1


• Monitoring the High Availability Status on page 152

• Disabling High Availability and Unregistering Sensors on page 153

• Pausing Communication between Paired Defense Centers on page 154

• Restarting Communication between Paired Defense Centers on page 154

If High Availability is configured, you can activate Defense Center High Availability from a Master Defense Center.

TIP! When using Intrusion Agents registered to Defense Centers configured for high availability and managed by a Master Defense Center, register all Intrusion Agents to the primary Defense Center.

To activate a redundant Defense Center:

Access: Admin

1. Select Operations > Appliances.

The Appliances page appears.

2. Click Edit next to the appropriate Defense Center.

The System Settings page for that Defense Center appears.

3. Click High Availability.

The high availability page appears with the paired Defense Centers.

TIP! A light bulb icon shows which of the high availability paired Defense Centers is currently active.

4. Click Activate to activate the redundant Defense Center.

The redundant Defense Center is activated.

Managing Appliance Groups

Requires: MDC

The Master Defense Center allows you to group appliances so that you can easily search for events based on whether they were forwarded by one of a specific group of appliances.

TIP! High availability Defense Center pairs are automatically listed as an appliance group. An HA pair is listed as a group with the name of the active Defense Center.

Page 180: Sourcefire 3D System Administrator Guide v4.9.1


See the following sections for more information:

• Creating Appliance Groups on page 180 explains how to create a Defense Center group on the Master Defense Center.

• Editing Appliance Groups on page 180 explains how to modify the list of Defense Centers in a Defense Center group.

• Deleting Appliance Groups on page 181 explains how to delete a Defense Center group.

Creating Appliance Groups

Requires: MDC

Grouping managed appliances allows you to use the group name as a search criterion when you search for specific compliance or intrusion events.

To create an appliance group and add appliances to it:

Access: Admin

1. On the Master Defense Center, select Operations > Appliances.

The Appliances page appears.

2. Click Create New Appliance Group.

The Create Appliance Group page appears.

3. In the Group Name field, type the name of the group you want to create.

4. Click Save.

The group is added.

5. To add appliances to the group, return to the Appliances page (Operations > Appliances) and click Edit next to the name of the group.

The Appliance Group Edit page appears.

6. Select the IP addresses or hostnames of the appliances you want to add from the Available Appliances list and click the arrow to move them into the group.

7. Click Save.

The appliances are added to the group and the Appliances page appears again.

Editing Appliance Groups

Requires: MDC

You can change the set of appliances that reside in any appliance group.

TIP! You must remove an appliance from its current group before you can add it to a new group.

Moving an appliance to a new group does not change any of its policies or configurations.

Page 181: Sourcefire 3D System Administrator Guide v4.9.1


To edit an appliance group:

Access: Admin

1. On the Master Defense Center, select Operations > Appliances.

The Appliances page appears.

2. Click Edit next to the Appliance group you want to edit.

The Appliance Group Edit page appears.

3. Select the appliance you want to move and click the arrow to add or remove it from the group.

• To add an appliance to the group, select it from the Available Appliances list and click the arrow pointing toward the group you are editing.

• To remove an appliance from a group, select it from the list in the group you are editing and click the arrow pointing to the Available Appliances list.

4. Click Save.

Deleting Appliance Groups

Requires: MDC

If you delete a group that contains appliances, the appliances are moved to Ungrouped on the Appliances page. They are not deleted from the Master Defense Center.

To delete an appliance group:

Access: Admin

1. Select Operations > Appliances.

The Appliances page appears.

2. Click Delete next to the group you want to delete.

The appliance group is removed from the Master Defense Center.

Editing Master Defense Center System Settings

Requires: MDC

With a few exceptions, the Master Defense Center system settings are the same as those of a Defense Center. See the following sections for information on each of the listed system settings:

IMPORTANT! NetFlow-enabled devices cannot currently be added to a Master Defense Center.

• Listing Master Defense Center Information on page 182

• Viewing a Master Defense Center License on page 182

• Configuring Network Settings on page 377

• Shutting Down and Restarting the System on page 182

Page 182: Sourcefire 3D System Administrator Guide v4.9.1


• Setting System Time on page 183

• Blacklisting Health Policies on page 184

Listing Master Defense Center Information

Requires: MDC

For details on the information listed under the Master Defense Center system settings, see Defense Center Information on page 175.

To edit a Master Defense Center’s settings:

Access: Admin

1. Change the name of the Master Defense Center and its other attributes as needed.

WARNING! The name must be made up of a combination of alphanumeric characters and should not be made up of numeric characters only.

2. Click Save.

The updated Master Defense Center attributes are saved.

Viewing a Master Defense Center License

Requires: MDC

Unlike a Defense Center, a Master Defense Center cannot manage the licenses of Defense Centers or 3D Sensors.

To view information about the Master Defense Center license:

Access: Admin 1. Select Operations > System Settings.

The Information page appears.

2. Click License.

The License page appears.

Configuring Network Settings

Requires: MDC

The network settings are identical to those of the Defense Center. For information on configuring the Master Defense Center network settings, see Configuring Network Settings on page 377.

Shutting Down and Restarting the System

Requires: MDC

You have several options for controlling the processes on your Master Defense Center. You can:

• shut down the appliance

• reboot the appliance

• restart the appliance

To shut down or restart your appliance:

Access: Admin

1. Select Operations > System Settings.

The Information page appears.

2. Click Process.

The Appliance Process page appears.

3. Specify the command you want to perform:

• If you want to shut down the Master Defense Center, click Run Command next to Shutdown Master Defense Center.

• If you want to reboot the system, click Run Command next to Reboot Master Defense Center.

• If you want to restart the Master Defense Center console, click Run Command next to Restart Master Defense Center Console. Note that restarting the Master Defense Center may cause deleted hosts to reappear.

Configuring Remote Management Networking

Requires: MDC

A Master Defense Center's Management Virtual Network is disabled.

IMPORTANT! Master Defense Centers do not currently use a Management Virtual Network. You cannot edit the Management Virtual Network field if the Defense Center is in the Master Defense Center operational mode. The field is filled with the address range 0.0.0.0/24 to disable the Management Virtual Network.

Setting System Time

Requires: MDC

The system time is set and synchronized in accordance with the system policy. On the Time Synchronization page you can choose to serve time from the Master Defense Center by selecting Enabled in the Serve Time via NTP field.

TIP! Because Master Defense Centers do not currently use Management Virtual Networks, their real IP network is used to serve time.

Page 184: Sourcefire 3D System Administrator Guide v4.9.1

Version 4.9.1 Sourcefire 3D System Administrator Guide 184

Using the Master Defense CenterEditing Master Defense Center System Settings Chapter 5

To specify how the Master Defense Center clock is set:

Access: Admin You have two options:

• To set the time manually, select Manually in the System Settings.

• To receive time through NTP from a different server, select Via NTP Server from and, in the text box, type the IP address of the NTP server or, if DNS is enabled, type the fully qualified host and domain name.

WARNING! If the appliance is rebooted and your DHCP server sets an NTP server record different than the one you specify here, the DHCP-provided NTP server will be used instead. To avoid this situation, you should configure your DHCP server to set the same NTP server.

For more information about setting system time, see Synchronizing Time on page 354.

Blacklisting Health Policies

Requires: MDC

You can blacklist health policy modules when required. The Master Defense Center supports the following health policy modules:

• Appliance Heartbeat

• CPU Usage

• Data Correlator Process

• Defense Center Status

• Disk Usage

• eStreamer Process

• Event Stream Status

• Memory Usage

For more information on blacklisting a health policy, see Blacklisting a Health Policy Module on page 537.

Chapter 6

Using Detection Engines and Interface Sets

To give you increased flexibility in your deployment choices, the Sourcefire 3D System provides a feature called the detection engine. You can think of a detection engine as a collection of one or more sensing interfaces (called an interface set) on a 3D Sensor plus a portion of the sensor’s computing resources (called a detection resource).

3D Sensors support three types of detection engines:

• IPS

• RNA

• RUA

TIP! You cannot use the RUA feature on Crossbeam-based software sensors. In addition, you cannot use RUA or RNA on 3D9800 sensors. However, you can combine the data from those sensors with RUA or RNA on a Defense Center.

The number of detection engines per sensor is limited by the number of detection resources that are available. Most 3D Sensor models have at least three detection resources available and can support at least three detection engines: one for IPS, one for RNA, and the third for RUA. See the Detection Resources by Model table on page 190 for more information.


The following sections describe the detection engines and interface set features and how you can use them in your Sourcefire 3D System deployment:

• Understanding Detection Engines on page 186 explains detection engines in more detail, including some of the limitations based on the sensor model. This section also describes how default detection engines are configured.

• Managing Detection Engines on page 193 explains how to create, edit, and delete detection engines.

• Using Detection Engine Groups on page 197 explains how to create and use detection engine groups.

• Using Variables within Detection Engines on page 199 explains how to use detection engine-specific variable values to tailor your detection capabilities to more closely match your infrastructure.

• Using Interface Sets on page 207 describes how to create interface sets and how to use them with detection engines.

• Using Interface Set Groups on page 223 describes how to create and use interface sets groups.

• Inline Fail Open Interface Set Commands on page 225 explains how to force an interface set in and out of bypass mode when using an inline fiber fail open interface set.

• Using Clustered 3D Sensors on page 227 explains how to use detection engines and interface sets in a clustered 3D9900 sensor pairing.

Understanding Detection Engines

Requires: DC or 3D Sensor

A detection engine is the mechanism on a 3D Sensor that is responsible for analyzing the traffic on the network segment where the sensor is connected.

To list the available detection engines:

Access: Admin

Select Operations > Configuration > Detection Engines > Detection Engines.

The Available Detection Engines page appears. The figure below shows the Defense Center version of the page.

You can sort the available detection engines by group, sensor, policy, detection engine type, or interface set type.


Detection Engine Type, Resources, and Interface Set

Depending on which components are licensed on the sensor, 3D Sensors can support three types of detection engines: IPS, RNA, and RUA.

A detection engine has two main components:

• an interface set, which can include one or more sensing interfaces

• a detection resource, which is a portion of the sensor’s computing resources

For information about detection engines and detection resources, see Understanding Detection Resources and 3D Sensor Models on page 189.

PEP Policy

Only 3D9900 sensors provide the PEP feature. For more information on the PEP feature, see Using PEP to Manage Traffic in the Analyst Guide.

Set Type

An interface set refers to a grouping of one or more sensing interfaces on a sensor, although a sensing interface can belong to only one interface set at a time. The Sourcefire 3D System supports three types of interface sets, but the interface options available to you depend on the type of sensor and the capabilities of its sensing interfaces. The three interface set types are described in the Interface Set Types table.

Interface Set Types

Passive: Use a passive interface set if you deployed the sensor out of band from the flow of network traffic.

Inline: Use an inline interface set if you deployed the sensor inline on your network and the sensing interfaces do not support automatic fail-open capabilities. Note that you can use any two of the non-fail-open interfaces on the sensor's network interface cards as part of an inline interface set. (The exception is on 3D9900s, where pairs are pre-determined.)

Inline with Fail Open: Use an inline with fail open interface set if you deployed the sensor inline on your network and the sensing interfaces do support automatic fail-open capabilities. Note that you must use paired fail-open interfaces on the sensor's network interface cards for an inline with fail open interface set.


You can use RNA or RUA to monitor the traffic that passes through any of the three types of interface sets.

IMPORTANT! On a 3D3800 or 3D5800 sensor, if you plan to use RNA to monitor either an inline or inline with fail open interface set, you must either configure an IPS detection engine that uses that interface set, as well as apply an intrusion policy to that detection engine, or configure the interface set in tap mode. Otherwise, the RNA detection engine monitoring that interface set will not see any traffic. If you are monitoring the same inline interface set with both IPS and RNA or RUA, and the IPS detection engine fails for any reason, the RNA or RUA detection engine monitoring that interface set will not see any traffic until the IPS detection engine restarts. Neither RNA nor RUA are supported on the 3D9800 sensor.

See Using Interface Sets on page 207 for more information about creating and editing interface sets.

Policy

3D Sensors have different capabilities and limitations depending on whether you licensed IPS, RUA, or RNA. You can determine the name and state of IPS and RNA policies from the following information in the policy column:

• If you change an IPS or RNA policy and have not applied it to the detection engine since the change, then the icon has an exclamation point and the name is italicized.

TIP! After you upgrade your sensor to version 4.9, the following features are available.

• You can click the name of an IPS policy to see details about the running policy. For more information see Viewing an Intrusion Policy Report in the Analyst Guide.


• If there is a network or VLAN filter applied to the IPS policy, you can click More or the down icon to view the filter type (Net for a network filter or VLAN for a virtual LAN filter). If you hover over the name you can view the network or VLAN range of the filter. If you want to remove the currently applied filter from the IPS policy, click the delete icon next to the filter name.

• If you want to remove the currently applied IPS policy from the detection engine, click the delete icon next to the intrusion policy name. The delete icon only appears next to the base policy when there are no network or VLAN filters applied.

IMPORTANT! Initially, the Available Detection Engines page does not indicate that the filtered or base intrusion policy is deleted. Select Monitor > Task Status to track the progress of the deletion process, which takes approximately 30 seconds.

Sensor

The sensor column provides the name of the sensor where the policy is applied. It also provides the following capabilities:

• If you want to edit or delete a detection engine, click Edit or Delete next to its sensor name. See Editing a Detection Engine on page 194 and Deleting a Detection Engine on page 197 for more information.

• If you want to list, add, edit, reset, or delete variables associated with a detection engine’s IPS or RNA policy, click Variables. See Using Variables within Detection Engines on page 199 for more information.

• If you want to reapply all policies for the detection engine, click Reapply All, then OK to confirm.

For more information see Understanding Detection Resources and 3D Sensor Models on page 189.

When you configure a new sensor, it has a predefined detection engine that you can choose to modify to meet your needs. See Understanding Default Detection Engines for more information.

Understanding Detection Resources and 3D Sensor Models

Requires: DC or 3D Sensor

3D Sensors with IPS can use multiple detection resources per detection engine, which allows you to use more computing resources when network traffic is high. For example, if you plan to use the 3D3500 sensor in inline mode, you could assign two detection resources to your detection engine to allow processing of more events per second. As a best practice, use one detection resource per application per core on your appliance. Different sensor models have different numbers of detection resources available, as shown in the Detection Resources by Model table.

• The Optimal column indicates the per-sensor total number of detection resources you should use if you want to maximize the performance of the sensor. It also indicates the maximum number of detection resources you can assign a single detection engine.

• The Maximum column indicates the total number of detection resources available on the sensor.

• The Combination Restrictions column indicates the permitted combinations of detection resources that you can allocate to detection engines on the same sensor; 3D Sensors can run combinations of IPS, RNA and RUA.

Detection Resources by Model

Model | Optimal per Sensor | Maximum per Sensor | Combination Restrictions
3D500 | 1 | 2 | Maximum of one IPS and either one RNA or one RUA
3D1000 | 1 | 2 | Maximum of two; can be any type
3D2000 | 1 | 2 | Maximum of two; can be any type
3D2100 | 2 | 3 | No restrictions
3D2500 | 2 | 4 | No restrictions
3D3000 | 2 | 4 | No restrictions
3D3500 | 2 | 6 | No restrictions
3D3800 | 2 | 2 | No restrictions
3D4500 | 4 | 8 | No restrictions
3D5800 | 6 | 6 | No restrictions
3D6500 | 8 | 12 | No restrictions
3D9800 | 12 | 12 | No restrictions
3D9900 | 7 | 12 | No restrictions
Virtual 3D Sensor | 3 | 3 | No restrictions
Crossbeam-based software sensors | Refer to Crossbeam-based Software Sensor Considerations on page 191 (applies to all three columns)

General Recommendations with Two or More Detection Resources

For improved 3D Sensor performance on sensors with an optimal detection resource count of two or greater, you can reduce latency by distributing your network traffic across all available interfaces on the sensor, then distributing the detection engines and detection resources across all operative interfaces on the sensor.

Crossbeam-based Software Sensor Considerations

Depending upon the capabilities of your X-Series and the products you are licensed to use, you have several deployment options for 3D Sensor Software. Consider how your network is configured and how you want to deploy the Sourcefire 3D System within it. As with other 3D Sensors, the maximum number of detection engines that you can create is equal to the number of available detection resources. The number of detection resources depends on the Crossbeam System hardware.

Refer to the Sourcefire 3D Sensor Software for X-Series Installation Guide for information on deployment scenarios, current Crossbeam System hardware and software support, and detection resources available on Crossbeam System hardware.

Understanding Default Detection Engines

Requires: DC or 3D Sensor

When you install a new 3D Sensor, you can use initial interface sets and default detection engines to quickly begin evaluating network traffic. After initial installation, you can modify interface sets and detection engines.


Initial Interface Sets

The initial interface sets for 3D Sensors are:

• Inline with Fail-Open, the default that builds paired fail-open interface sets on all 3D Sensor interfaces, less the management interface.

• Passive that builds a single passive interface set for all 3D Sensor interfaces, less the management interface.

Choose from these initial interface sets based on how you deployed the sensor. Select Inline with Fail-Open Mode if you cabled the sensing interfaces inline on your network as an IPS. Depending on the 3D Sensor, typically you pair adjacent interfaces; for example, a 3D2000 Sensor uses eth1 and eth2 as one inline fail-open interface set and it uses eth3 and eth4 as another inline fail-open interface set.

Select Passive Mode if the sensing interfaces are not cabled inline.

Default Detection Engines

Default detection engines are configured with the optimal (rather than maximum) number of detection resources as described in the Detection Resources by Model table on page 190. With this configuration, you can connect any of the non-management interfaces to your network and apply the appropriate policy to the detection engine and begin analyzing your network.

Second On-Board Interface

Some Sourcefire sensors have a second on-board interface, usually near the management interface, that is automatically included in the default detection engine. However, on some of the older models, the second on-board interface cannot support the same high-performance standards as the interfaces on the network interface cards. If your appliance has one of these extra interfaces, and you have deployed it in a high-bandwidth environment where the traffic load is likely to reach the design limits of the appliance, Sourcefire recommends that you remove the second on-board interface from the detection engine for improved performance.

IMPORTANT! For the 3D3000 on the IBM xSeries 346 appliance, note that the default detection engine does not include the second on-board interface. If you modify the default detection engine to include it, the detection engine may not provide optimum performance.

If you want to change either the number of detection resources or the interfaces assigned to the default detection engine, see Editing a Detection Engine on page 194.


Managing Detection Engines

Requires: DC/MDC or 3D Sensor

See Understanding Detection Engines on page 186 and Using Interface Sets on page 207 for more information about the capabilities of detection engines and the interface sets they depend on. The following sections explain how to create, edit, and delete detection engines.

• Creating a Detection Engine on page 193

• Editing a Detection Engine on page 194

• Deleting a Detection Engine on page 197

Creating a Detection Engine

Requires: DC or 3D Sensor

You can create a detection engine if you have an available interface set and at least one available detection resource. You can use interface sets that include multiple inline interface pairs, when they are available on your 3D Sensor.

To create a detection engine:

Access: Admin

1. Select Operations > Configuration > Detection Engines > Detection Engines.

The Detection Engines page appears. The figure below shows the Defense Center version of the page.

2. Click Create Detection Engine.

The Create Detection Engine page appears.

3. In the Name and Description fields, enter a name and description for the new detection engine.

You can use alphanumeric characters, punctuation, and spaces.


4. Select the type of detection engine that you want to create from the Type drop-down list: IPS, RNA, or RUA.

5. Optionally, add the detection engine to an existing detection engine group.

See Using Detection Engine Groups on page 197 for information on creating and modifying detection engine groups.

6. Select the interface set that you want to assign to this detection engine.

See Using Interface Sets on page 207 for information about creating and modifying interface sets.

7. Select the number of detection resources for this detection engine.

IMPORTANT! On the 3D500, you can only use one of the two detection resources for IPS. The second detection resource is available only if you want to create a second detection engine for RNA or RUA. See the Detection Resources by Model table on page 190 for more information.

8. Optionally, if you are creating an IPS detection engine and if you are using a 3D Sensor other than a 3D500, 3D1000, or 3D3800, you can select Inspect Traffic During Policy Apply.

TIP! This option may degrade performance when you apply a policy and may result in longer policy-apply periods. However, if this option is employed, the detection engine does not restart and interrupt traffic inspection when the policy is applied.

9. Click Save.

The detection engine is created.
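The limits that decide whether this procedure succeeds are spread across the chapter: the Detection Resources by Model table, the 3D500 note in step 7, the Inspect Traffic During Policy Apply restriction in step 8, and the 3D3800/3D5800 and 3D9800 notes under Set Type. The following script is an added example, not code from the Sourcefire guide, that encodes those figures and rules as a check you can run over a planned set of detection engines before creating them in the web interface. The DetectionEngine fields, the validate_plan function and the sample plan are assumptions made for this example; the counts and restrictions are taken from the text above.

```python
"""Check a planned set of detection engines against a 3D Sensor model.

Added example, not code from the Sourcefire guide. Resource counts and
restrictions come from the Detection Resources by Model table and the notes
in this chapter; the DetectionEngine structure and function names are
assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# (optimal per sensor, maximum per sensor) from the Detection Resources by
# Model table; "optimal" is also the most resources a single engine may take.
RESOURCES: Dict[str, Tuple[int, int]] = {
    "3D500": (1, 2), "3D1000": (1, 2), "3D2000": (1, 2), "3D2100": (2, 3),
    "3D2500": (2, 4), "3D3000": (2, 4), "3D3500": (2, 6), "3D3800": (2, 2),
    "3D4500": (4, 8), "3D5800": (6, 6), "3D6500": (8, 12), "3D9800": (12, 12),
    "3D9900": (7, 12), "Virtual 3D Sensor": (3, 3),
}
NO_INSPECT_DURING_APPLY = {"3D500", "3D1000", "3D3800"}
ENGINE_TYPES = ("IPS", "RNA", "RUA")


@dataclass
class DetectionEngine:
    name: str
    de_type: str                  # "IPS", "RNA" or "RUA"
    interface_set: str            # name of the interface set it monitors
    set_type: str = "passive"     # "passive", "inline" or "inline_fail_open"
    resources: int = 1
    tap_mode: bool = False        # interface set configured in tap mode
    inspect_during_apply: bool = False


def validate_plan(model: str, engines: List[DetectionEngine]) -> List[str]:
    """Return a list of problems; an empty list means the plan fits the model."""
    if model not in RESOURCES:
        return [f"{model}: no resource figures here; Crossbeam counts depend on the X-Series hardware"]
    optimal, maximum = RESOURCES[model]
    problems: List[str] = []
    by_type: Dict[str, List[DetectionEngine]] = {t: [] for t in ENGINE_TYPES}

    total = sum(e.resources for e in engines)
    if total > maximum:
        problems.append(f"{total} detection resources requested but the {model} has {maximum}")

    for e in engines:
        if e.de_type not in by_type:
            problems.append(f"{e.name}: unknown detection engine type {e.de_type!r}")
            continue
        by_type[e.de_type].append(e)
        if e.resources > optimal:
            problems.append(f"{e.name}: {e.resources} resources exceeds the per-engine limit of {optimal} on the {model}")
        if model == "3D9800" and e.de_type != "IPS":
            problems.append(f"{e.name}: {e.de_type} is not supported on the 3D9800")
        if e.inspect_during_apply and (e.de_type != "IPS" or model in NO_INSPECT_DURING_APPLY):
            problems.append(f"{e.name}: Inspect Traffic During Policy Apply applies only to IPS engines "
                            f"and is not offered on the 3D500, 3D1000 or 3D3800")

    # Combination restrictions from the table.
    if model == "3D500":
        if len(by_type["IPS"]) > 1:
            problems.append("3D500: at most one IPS detection engine")
        if len(by_type["RNA"]) + len(by_type["RUA"]) > 1:
            problems.append("3D500: either one RNA or one RUA detection engine, not both")
    elif model in ("3D1000", "3D2000") and len(engines) > 2:
        problems.append(f"{model}: at most two detection engines of any type")

    # 3D3800/3D5800: an RNA engine on an inline set sees no traffic unless an IPS
    # engine (with an intrusion policy applied) uses the same set, or the set is in tap mode.
    if model in ("3D3800", "3D5800"):
        ips_sets = {e.interface_set for e in by_type["IPS"]}
        for e in by_type["RNA"]:
            if e.set_type != "passive" and not e.tap_mode and e.interface_set not in ips_sets:
                problems.append(f"{e.name}: RNA on inline set {e.interface_set!r} will see no traffic "
                                f"on the {model} without an IPS engine on that set or tap mode")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: one IPS engine with two resources on a fail-open pair,
    # RNA on the same pair, RUA on a passive set.
    plan = [
        DetectionEngine("ips-edge", "IPS", "inline-fo-1", "inline_fail_open", resources=2, inspect_during_apply=True),
        DetectionEngine("rna-edge", "RNA", "inline-fo-1", "inline_fail_open"),
        DetectionEngine("rua-edge", "RUA", "passive-1"),
    ]
    for model in ("3D3500", "3D3800", "3D500"):
        print(model, validate_plan(model, plan) or "OK")
```

The check cannot see whether an intrusion policy has actually been applied to the IPS engine, which the 3D3800/3D5800 note also requires; treat an empty result as "fits the table", not as a substitute for confirming the policy apply in Task Status.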

Editing a Detection Engine

Requires: DC or 3D Sensor

In some circumstances, editing an interface set or detection engine can cause the detection engines on the sensor to restart, which can cause a short pause in processing.

IMPORTANT! For most 3D Sensors with inline interface sets, a software bridge is automatically set up to transport packets when the sensor restarts. Although some packets are transmitted without inspection during this time, no packets are lost.

The following sections describe some of the cases where a detection engine is affected by changes to detection engines and interface sets:


3Dx800 Sensors

• If you change the number of network interfaces, the interface set type, or the setting for tap mode or transparent mode for an interface set, all the detection engines using that interface set are restarted.

• If you change the number of detection resources, which interface set is used, or the detection engine type, only that detection engine is restarted (although other CPUs may be restarted to rebalance the processing load).

IMPORTANT! If you have a 3Dx800 health policy applied to a 3D9800 sensor when you change the number of detection resources, it will generate hardware alarms. Contact Sourcefire Support for information about how to clear those hardware alarms.

• If you create a detection engine, only that detection engine is started (although other CPUs may be restarted to rebalance the processing load).

• If you delete a detection engine or interface set, all detection engines on the sensor are restarted.

• If you create an interface set, nothing is restarted.

• If you change the name or description of an interface set or detection engine, nothing is restarted.

Other Sensors

• If you change which network interfaces are used by an interface set, all the detection engines on the sensor are restarted.

• If you change an interface set’s transparent mode setting, or interface set type, all detection engines assigned to that interface set are restarted.

• If you change a detection engine’s interface set, all detection engines on the sensor are restarted.

• If you change the number of detection resources allocated to a detection engine, all the detection engines on the sensor are restarted.

• If you change the detection engine type for a detection engine, that detection engine is restarted.

• When you create a detection engine, all the detection engines on the sensor are restarted because the total number of allocated resources has changed.

• If you delete a detection engine or interface set, all detection engines on the sensor are restarted.

• If you create an interface set, nothing is restarted. A restart occurs only when you assign a detection engine to the interface set.

• If you change the name or description of an interface set or detection engine, nothing is restarted.


Make sure you plan these actions for times when they will have the least impact on your deployment.

TIP! On your 3D Sensor Software for Crossbeam Systems X-Series, you may want to remove any affected VAPs from the load-balanced list until the associated detection engines restart, then reinstate the VAPs. For more information, see the Sourcefire 3D Sensor Software for X-Series Installation Guide.

To edit an existing detection engine:

Access: Admin

1. Select Operations > Configuration > Detection Engines > Detection Engines.

The Detection Engines page appears.

2. Click Edit next to the detection engine you want to modify.

The Edit Detection Engine page appears.

You can modify the name, description, group, and number of detection resources for the detection engine. You cannot modify the detection engine type. If you need to change the detection engine type, you must delete the detection engine and create a new one. In the case of an IPS detection engine you can also select if traffic is inspected while a policy is being applied.

TIP! The Inspect Traffic During Policy Apply option is not available on 3D500, 3D1000, or 3D3800 sensors.

3. Click Save.

Your changes are saved.


Deleting a Detection Engine

Requires: DC or 3D Sensor

Use the following procedure to delete a detection engine.

WARNING! Do not delete a detection engine that is in use. Also, you should not delete a detection engine that is used as a constraint in one or more compliance rules; you should first delete (or modify) the constraint in all rules in which it is used. For information on modifying compliance rules, see Modifying a Rule in the Analyst Guide.

To delete a detection engine:

Access: Admin

1. Select Operations > Configuration > Detection Engines > Detection Engines.

The Detection Engines page appears.

2. Click Delete next to the detection engine you want to delete.

3. At the prompt, confirm that you want to delete the detection engine.

The detection engine is deleted; however, a record of the detection engine is retained so that events generated by that detection engine are viewable.

Using Detection Engine Groups

Requires: DC/MDC or 3D Sensor

You can use detection engine groups to combine similar detection engines. These groups make it easier to apply policies to detection engines that have similar purposes.

See the following sections for more information:

• Creating Detection Engine Groups on page 197

• Editing Detection Engine Groups on page 198

• Deleting Detection Engine Groups on page 199

Creating Detection Engine Groups

Requires: DC/MDC or 3D Sensor

The following procedure explains how to create a detection engine group.

To create a detection engine group:

Access: Admin

1. Select Operations > Configuration > Detection Engines > Detection Engines.

The Detection Engines page appears.


2. Click Create Detection Engine Group.

The Create Detection Engine Group page appears.

3. Type a name for the detection engine group in the Group Name field.

4. Click Save.

The Detection Engine page appears again. You can add detection engines to this group by clicking Edit next to a detection engine name and, on the Edit Detection Engine page, adding the detection engine to the group and clicking Update.

Editing Detection Engine Groups

Requires: DC/MDC or 3D Sensor

The following procedure explains how to edit a detection engine group. You must create a detection engine group before you can edit it. See Creating Detection Engine Groups on page 197.

To edit a detection engine group:

Access: Admin

1. Select Operations > Configuration > Detection Engines > Detection Engines.

The Detection Engines page appears.

2. Click Edit for the detection engine group.

The Detection Engine Group Edit page appears.

3. Select available detection engines and move them into the detection engine group with the arrow buttons.

You can also move detection engines out of the detection engine group.

4. Click Save to add the selected detection engines to the detection engine group.

The Available Detection Engines page appears.


Deleting Detection Engine Groups

Requires: DC/MDC or 3D Sensor

When you delete a detection engine group, any detection engines in the group are automatically ungrouped; they are not deleted.

To delete a detection engine group:

Access: Admin

1. Select Operations > Configuration > Detection Engines > Detection Engines.

The Detection Engines page appears.

2. Click Delete next to the name of the detection engine group.

The detection engine group is deleted.

Using Variables within Detection Engines

Requires: IPS or DC/MDC + IPS

A system default variable sets a variable value on your Sourcefire 3D Sensor or Defense Center that IPS uses by default unless it is overridden by a policy-specific or detection engine-specific value for the same variable. You can associate a system default variable with a specific detection engine and give the resulting detection engine-specific variable an explicit value for that detection engine. When you apply an intrusion policy to that detection engine, IPS can use the value of the detection engine-specific variable in rules you enable in your policy to monitor network traffic and generate events. For information on policy-specific variables, which are specific to the policy in which they are created, see Creating New Policy-Specific Variables in the Analyst Guide.

For example, the intrusion rules in an intrusion policy take advantage of certain system default variables such as HOME_NET and EXTERNAL_NET to look for exploits that originate outside your network and are targeted against hosts within your network. You can define HOME_NET in your system default variable to encompass your internal address range (for example, 10.10.0.0/16).

However, if you have created your detection engines so that one detection engine monitors one class of hosts (in this example, hosts in your network’s DMZ in the range 10.10.30.0/24) and another monitors a different class (for example, hosts in your accounting department in the address range 10.10.90.0/24), you can use detection engine-specific variable values to tailor your detection capabilities to more closely match your infrastructure.

In the system default variable used in the intrusion policy:

HOME_NET = 10.10.0.0/16

In the detection engine named DE_DMZ:

HOME_NET = 10.10.30.0/24

In the detection engine named DE_ACCT:

HOME_NET = 10.10.90.0/24

If you later create another detection engine that monitors the rest of your network, which includes a mixed address space, you can use the system default variable value rather than creating another detection engine-specific value for HOME_NET.

You can also create new variables for use only within the context of the detection engine. You can create detection engine-specific variables and set detection engine-specific values for system default variables within an intrusion policy or from the detection engine Variable List page. Configuration details in this section relate to the detection engine Variable List page. For configuration details related to setting detection engine-specific variables within an intrusion policy, see Creating New Variables in the Analyst Guide.

Creating a detection engine-specific variable from the detection engine Variable List page also creates a corresponding system default variable with the value set to any. You can view the explicit detection engine-specific value you configured in the list of variables for the detection engine within each policy, or on the detection engine Variable List page for the detection engine. You can view the corresponding new system default variable in the list of system default variables within each policy, and on the Variable List page for all other detection engines, where it is listed with the value set to Policy Defined, which means that the value specified in the policy will be used when you apply the policy. Optionally, you can modify the variable in the intrusion policies and detection engines where it is added automatically to give it a specific definition. When they exist, a detection engine-specific variable value takes precedence over a policy-specific or system default value for the same variable. If you disable a variable defined on the Variable List page by resetting the variable, the definition reverts to the definition in the intrusion policy the next time you apply the policy.

Variables use the same syntax and must follow the same guidelines regardless of whether you create or define them from within intrusion policies or from the detection engine Variable List page. See Creating New Variables in the Analyst Guide and Modifying Variables in the Analyst Guide for more information.
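The precedence described above (detection engine-specific value over policy-specific value over system default, with Policy Defined shown where no engine value exists and a new system default of any created alongside each new engine variable) is modelled in this added example; it is not Sourcefire code. Variable syntax is simplified to any or a comma-separated list of CIDR blocks, and the names DE_REST, DMZ_WEB_SERVERS and the policy name Default are constructed for illustration.

```python
"""Resolve IPS variable values with the precedence this guide describes.

Added example (not Sourcefire code). Three layers of definitions are kept:
system defaults, policy-specific values and detection engine-specific
values. A detection engine-specific value wins over a policy-specific
value, which wins over the system default. Syntax is simplified to "any"
or a comma-separated list of CIDR blocks (the real syntax is documented
in the Analyst Guide).
"""
from ipaddress import ip_address, ip_network

# Placeholder the DE Variable List page shows when no engine value is set
POLICY_DEFINED = "Policy Defined"


class VariableStore:
    def __init__(self, system_defaults):
        self.system = dict(system_defaults)  # system default variables
        self.policy = {}   # {policy_name: {variable: value}}
        self.engine = {}   # {detection_engine: {variable: value}}

    def set_policy_value(self, policy, name, value):
        """Policy-specific value, used when the engine has no own value."""
        self.policy.setdefault(policy, {})[name] = value

    def set_engine_value(self, engine, name, value):
        """Explicit value for one detection engine.

        Creating a variable from the DE Variable List page also creates a
        corresponding system default variable with the value "any"; an
        existing system default is left untouched.
        """
        self.system.setdefault(name, "any")
        self.engine.setdefault(engine, {})[name] = value

    def reset_engine_value(self, engine, name):
        """Reset on the Variable List page: drop the engine value so the
        policy definition applies again at the next policy apply."""
        self.engine.get(engine, {}).pop(name, None)

    def engine_list_value(self, engine, name):
        """What the Variable List page displays for this engine."""
        return self.engine.get(engine, {}).get(name, POLICY_DEFINED)

    def resolve(self, engine, policy, name):
        """Effective value once `policy` is applied to `engine`."""
        if name in self.engine.get(engine, {}):
            return self.engine[engine][name]
        if name in self.policy.get(policy, {}):
            return self.policy[policy][name]
        if name in self.system:
            return self.system[name]
        raise KeyError(f"undefined variable {name}")


def matches(value, host):
    """True when `host` falls inside a resolved IP variable value."""
    if value == "any":
        return True
    addr = ip_address(host)
    return any(addr in ip_network(part.strip()) for part in value.split(","))


def build_example():
    """The DE_DMZ / DE_ACCT split from the text (constructed values)."""
    store = VariableStore({"HOME_NET": "10.10.0.0/16", "EXTERNAL_NET": "any"})
    store.set_engine_value("DE_DMZ", "HOME_NET", "10.10.30.0/24")
    store.set_engine_value("DE_ACCT", "HOME_NET", "10.10.90.0/24")
    # DE_REST (constructed) has no engine value and uses the system default.
    # A brand-new engine variable also appears as a system default of "any".
    store.set_engine_value("DE_DMZ", "DMZ_WEB_SERVERS",
                           "10.10.30.10, 10.10.30.11")
    return store


if __name__ == "__main__":
    s = build_example()
    for de in ("DE_DMZ", "DE_ACCT", "DE_REST"):
        print(de, "HOME_NET ->", s.resolve(de, "Default", "HOME_NET"),
              "| list page:", s.engine_list_value(de, "HOME_NET"))
```

Running the script shows that a host in the accounting range is inside HOME_NET for DE_REST but outside it for DE_DMZ, which is exactly the tailoring the text describes.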

IMPORTANT! You cannot use variables with RNA detection engines.

For more information, see the following sections:

• Assigning Values to System Default Variables in Detection Engines on page 200

• Creating New Variables for Detection Engines on page 202

• Deleting and Resetting Variables on page 203

• Configuring Custom Variables in Detection Engines on page 204

• Using Portscan-Only Detection Engines on page 205

Assigning Values to System Default Variables in Detection Engines

Requires: IPS or DC/MDC + IPS

You can assign detection engine-specific values to system default variables. For an explanation see Using Variables within Detection Engines on page 199.


To assign a detection engine-specific value to a system default variable:

Access: Admin

1. Select Operations > Configuration > Detection Engines > Detection Engines.

The Detection Engines page appears.

2. Click Variables next to the detection engine where you want to define a variable value.

The Variable List page appears. The value for each of the variables defaults to the value within the intrusion policy that is applied to the detection engine.

3. Click Edit next to the variable you want to define.

The Variable Binding page appears.

4. Enter a value for the variable and click Save. See Creating New Variables in the Analyst Guide for information about variable syntax.

The Variable List page appears again and shows the new value for the variable. The variable takes effect the next time you apply an intrusion policy to the detection engine, as described in Applying an Intrusion Policy in the Analyst Guide.


Creating New Variables for Detection Engines

Requires: IPS or DC/MDC + IPS

When you create an intrusion policy, you can associate detection engine-specific variable definitions with the policy. For an explanation see Using Variables within Detection Engines on page 199.

To create a new variable for a detection engine:

Access: Admin

1. Select Operations > Configuration > Detection Engines > Detection Engines.

The Detection Engines page appears.

2. Click Variables next to the detection engine where you want to define a variable value.

The Variable List page appears.

3. Click Add Variable.

The Variable page appears.

4. In the Variable Name field, enter a name for the variable.

5. From the Variable Type drop-down list, select IP, Port, or Custom.

• See Defining IP Addresses in Variables and Rules in the Analyst Guide for more information if you are defining an IP address-based variable.

• See Defining Ports in Variables and Rules in the Analyst Guide for more information if you are defining a port-based variable.

• See Understanding Custom Variables in the Analyst Guide if you are defining a special-purpose custom variable with one of the reserved variable names described in the Custom Variables table in the Analyst Guide.


6. In the Value field, enter a value for the variable and click Save. See Creating New Variables in the Analyst Guide for information about the syntax for variables.

The Variable List page appears again and shows the new variable and its value.

The variable is created and is accessible to all policies as a system default variable. It is listed in the variable list for the detection engine in all intrusion policies with the explicitly set value, and listed for all other detection engines on the Variable List page with a value of Policy Defined. The variable takes effect the next time you apply an intrusion policy to the detection engine, as described in Applying an Intrusion Policy in the Analyst Guide.

IMPORTANT! Each new detection engine variable adds a system variable with a value of any that is accessible in all your intrusion policies. Creating the new detection engine variable also lists the description Policy Defined for all other IPS detection engines on the Variable List page, meaning that the value specified in the policy will be used when you apply the policy. In any intrusion policy that you apply to a different detection engine and do not explicitly set a policy-defined or detection engine-specific variable to override the value of the system variable, the value any will be used.

Deleting and Resetting Variables

Requires: IPS or DC/MDC + IPS

You can reset the value of a variable on the Variable List page and the variable reverts to the value defined in the intrusion policy the next time you apply the intrusion policy to the detection engine. You can also delete variables that you created within the context of the detection engine. You cannot delete predefined system variables within an intrusion policy. You can delete predefined system variables on the detection engine Variable List page, but only if they are not used in any active or inactive rule within the system.

To delete or reset variables on a detection engine:

Access: Admin

1. Select Operations > Configuration > Detection Engines > Detection Engines.

The Detection Engines page appears.


2. Click Variables next to the detection engine where you want to delete or reset a variable value.

The Variable List page appears.

3. You have two options:

• To disable the variable value defined in the IPS detection engine and revert to the variable value defined in the policy, click Reset next to the name of the variable.

The variable is reset and Policy Defined appears in the Value column.

• To delete a locally created variable, click Delete next to the name of the variable.

The variable is deleted from the detection engine the next time you apply an intrusion policy to the detection engine.

Configuring Custom Variables in Detection Engines

Requires: IPS or DC/MDC + IPS

Custom variables allow you to configure special IPS features that you cannot otherwise configure via the web interface. You create a detection engine-specific custom variable by setting an explicit value for a reserved predefined system variable, or by creating a variable using a specific reserved name. You then define the variable value with a set of instructions appropriate to the function the variable provides. For more information, see Understanding Custom Variables in the Analyst Guide.

You can set an explicit detection engine value for the predefined SNORT_BPF custom system variable.

You can add a new USER_CONF detection engine variable using the reserved name USER_CONF.


To configure the SNORT_BPF custom variable for a detection engine:

Access: P&R Admin/Admin

To set an explicit detection engine-specific value for SNORT_BPF using the existing system default variable, see Assigning Values to System Default Variables in Detection Engines on page 200.

To configure the USER_CONF custom variable for a detection engine:

Access: P&R Admin/Admin

To create USER_CONF as a new detection engine-specific variable using the reserved name USER_CONF, see Creating New Variables for Detection Engines on page 202.

Using Portscan-Only Detection Engines

Requires: IPS or DC/MDC + IPS

If you configure a sensor to use multiple detection resources within a single IPS detection engine, a portion of the traffic that the 3D Sensor sees is directed to each detection resource for processing. Internal logic on the sensor ensures that packets belonging to the same session are directed to the same resource for analysis. In this way, the sensor can process more packets with greater efficiency.

One downside to using multiple detection resources is that no single resource sees all the traffic on a network segment, which is a requirement for the portscan preprocessor. To overcome this issue, you can create a portscan-only intrusion policy and apply it to a portscan-only detection engine on the sensor. The following steps outline the process you can use to configure your sensor to detect portscans in addition to other exploits against your network assets.

1. Using the Defense Center’s web interface, create an interface set that includes the network interfaces you want to use on the sensor. Multiple detection engines will use this interface set.

The interface set can be passive, inline, or inline with fail open depending on how your sensor is deployed.

2. Create an IPS portscan-only detection engine and assign one detection resource to it. Make sure you use the interface set that you created in step 1.

3. Create another IPS detection engine that uses up to the remaining number of detection resources and the interface set that you created in step 1.

IMPORTANT! A portscan-only intrusion policy is able to process up to three times more traffic than a more complex intrusion policy because it uses fewer CPU resources. However, Sourcefire recommends that you monitor the performance of your sensor to make sure that the portscan-only detection engine is able to keep up with the multi-resource detection engine. Depending on the traffic mix on your network, you may need to adjust the number of resources in the multi-resource detection engine. Remember that the portscan-only detection engine can use only one detection resource.


4. Create and apply an intrusion policy for the multi-resource detection engine.

Make sure you match the type of intrusion policy to the type of interface set that you created in step 1. Also, make sure you disable portscan detection in this policy.

5. Create and apply an intrusion policy to the portscan-only detection engine. The policy should inherit or be set to the following settings in the layer in your intrusion policy where you enable portscan detection (See Creating an Intrusion Policy in the Analyst Guide, Working with Layers, and Applying an Intrusion Policy in the Analyst Guide for more information):

• Select the No Rules Active Base Policy and make sure the Protection Mode is Passive. See Selecting the Base Policy in the Analyst Guide for more information. Note that all rules are disabled on the Rules page.

• Ensure that the DCE/RPC Configuration preprocessor, the HTTP Configuration preprocessor, the SMTP Configuration preprocessor (under Application Layer Preprocessors), and Back Orifice Detection (under Specific Threat Detection) are disabled. See Enabling and Disabling Advanced IPS Features in the Analyst Guide for more information.

• Ensure that OPSEC Configuration (under External Responses) is disabled.

• Enable IP Defragmentation (under Transport/Network Layer Preprocessors) and make sure it is configured for your environment (using the Hosts option). See Enabling and Disabling Advanced IPS Features in the Analyst Guide for more information.

• You should not change the default settings for Checksum Verification or Packet Decoding (under Transport/Network Layer Preprocessors), items listed under Performance Statistics, or Rule Processing Configuration.

• Enable Portscan Detection and configure it for your network environment. See Detecting Portscans in the Analyst Guide for more information.

• Make sure portscan rules are enabled for the types of portscans you configure.

IMPORTANT! Note that when portscan detection is enabled, you must enable rules on the Rules page with generator ID (GID) 122 for enabled portscan types for the portscan detector to generate portscan events. See the Portscan Detection SIDs (GID:122) table in the Analyst Guide for more information.

You do not need to set up variables for this policy.

6. Review the resulting intrusion events to ensure that you are receiving the events you expect.


Using Interface Sets

Requires: DC or 3D Sensor

An interface set is a collection of one or more sensing interfaces on your appliance.

To list the available interface sets:

Access: Admin

Select Operations > Configuration > Detection Engines > Interface Sets.

You can sort the available interface sets by group, set type, sensor, or PEP policy.

See the following sections for more information about interface sets:

• Understanding Interface Set Configuration Options on page 207

• Creating an Interface Set on page 213

• Creating an Inline Interface Set on page 216

• Editing an Interface Set on page 221

• Deleting an Interface Set on page 223

• Inline Fail Open Interface Set Commands on page 225

• Using Clustered 3D Sensors on page 227

Understanding Interface Set Configuration Options

Requires: DC or 3D Sensor

There are a number of configuration variables to consider when you configure interface sets.

• With the exception of the Virtual 3D Sensor, you can set up any of your 3D Sensor interfaces in passive, inline, or inline with fail-open mode. The Virtual 3D Sensor supports only passive mode operation.

• You can also set interfaces on most sensors in transparent inline mode.

• On selected sensors you can set interfaces to tap mode.

• Some installations require that the link state be propagated and most sensor interfaces provide that option.

• Sensors with Gigabit Ethernet interfaces can employ jumbo frames.

• 3D Sensors deployed in networks that are highly sensitive to latency can use the automatic application bypass option.

• Only 3D9900 sensors provide a fail-safe option that works with inline interface sets.

• Only 3D9900 sensors provide the PEP feature. For more information on the PEP feature, see Using PEP to Manage Traffic in the Analyst Guide.


See the following table for a list of 3D Sensors and the interface features each of them supports.

See the following sections for more information:

• Types of Interface Sets on page 209

• Transparent Inline Mode on page 209

• Tap Mode on page 210

• Link State Propagation Mode on page 211

• Jumbo Frames on page 212

• Automatic Application Bypass on page 212

• Enabling Fail-Safe on page 213

Supported Features by 3D Sensor Model

Columns: 3D Sensor Model | Transparent Inline Mode | Link State Propagation Mode | Tap Mode | Jumbo Frames | Automatic Application Bypass | Enable Fail-safe | PEP

Virtual 3D Sensor: Yes Yes

3D500: Yes Yes

3D1000: Yes Yes Yes

3D2000: Yes Yes Yes

3D2100: Yes Yes Yes

3D2500: Yes Yes Yes

3D3000: Yes Yes Yes

3D3500: Yes Yes Yes

3D3800: Yes Yes Yes Yes

3D4500: Yes Yes Yes

3D5800: Yes Yes Yes Yes

3D6500: Yes Yes Yes Yes

3D9800: Yes Yes Yes Yes

3D9900: Yes Yes Yes Yes Yes Yes Yes (all seven features)


Types of Interface Sets

When you create an interface set, you can choose one of three types:

• Passive

A passive interface set can encompass any number of the available sensing interfaces on a sensor.

IMPORTANT! If you include an on-board sensing interface (instead of, or in addition to, interfaces on the network cards), the appliance’s performance could be degraded.

• Inline

For most sensors, an inline interface set can include any two interfaces. The interfaces do not have to be on the same network cards, but you should avoid using an on-board interface.

However, an inline interface set on a 3D3800 or 3D5800 sensor can include up to four interface pairs, and an inline interface set on a 3D9800 sensor can include up to the total number of interface pairs on the sensor. Note that interface pairs on the same fiber-based NIM will act as fail open interfaces even if you assign them to an inline interface set. That is, if the power fails or the Snort process halts, network traffic continues to flow through the sensor as it would for an inline with fail open interface set.

• Inline with Fail Open

For most sensors, an inline with fail open interface set must include exactly one interface pair. However, an inline with fail open interface set on a 3D3800 or 3D5800 sensor can include up to four interface pairs, and an inline with fail open interface set on a 3D9800 sensor can include up to the total number of interface pairs on the sensor.

You can set up multiple detection engines to use a single interface set, except on the 3D9800 sensor, which only supports a single IPS detection engine. For example, you could create a single passive interface set and create two detection engines, one for an IPS and the other for RNA, then apply different policies to the detection engines.

Transparent Inline Mode

Transparent inline mode is a feature for inline interface sets and is not available for Passive interface sets.

If you choose the Inline or Inline with Fail Open option, the Transparent Inline Mode option is enabled by default, except for the 3D500 and the Virtual 3D Sensor. It is not available on the 3D500 and available but not a default configuration on the Virtual 3D Sensor. This allows the sensor to act as a “bump in the wire” and means that the sensor forwards all the network traffic it sees regardless of its source and destination.


If you disable this option, a sensor acts as a bridge. Over time, the sensor learns which hosts are on which side of the inline interface, and forwards packets accordingly. For example, consider the following diagram.

If your sensor is deployed inline (or more precisely, if your sensor includes a detection engine with an inline interface set) and the Transparent Inline Mode option is selected, then if the sensor sees network traffic from Host A to Host B, it allows the traffic to pass through the interface even though Host A and Host B are on the same side of the sensor.

If the sensor is inline and you are not using transparent inline mode, when the sensor sees traffic from Host A to Host B, it does not allow the traffic to pass through the interface to the side of the network with Host C. Only traffic between Host A and Host C or between Host B and Host C is allowed to pass.

Keep in mind that if you create an inline interface set but do not use transparent inline mode, you must be especially careful not to create loops in your network infrastructure.

3Dx800 sensors run in transparent inline mode, and you cannot disable it.
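The forwarding difference between transparent inline mode and bridging, as described for Hosts A, B and C above, is modelled in this added example (not Sourcefire code). It assumes a constructed inline pair eth1/eth2 with Hosts A and B on the eth1 side and Host C on the eth2 side, and a simple learning-bridge table for the non-transparent case.

```python
"""Forwarding decision of an inline pair with and without Transparent
Inline Mode.

Added example, not Sourcefire code. Simplified model: two interfaces
form an inline pair. In transparent mode every frame is forwarded to the
opposite interface ("bump in the wire"). In bridge mode the sensor learns
which MAC addresses sit behind which interface and does not forward a
frame whose destination is known to be on the same side it arrived from.
"""

# Constructed inline pair: each interface maps to its partner
PAIR = {"eth1": "eth2", "eth2": "eth1"}


class InlinePair:
    def __init__(self, transparent=True):
        self.transparent = transparent
        self.mac_table = {}  # learned: MAC address -> interface seen on

    def process(self, ingress, src_mac, dst_mac):
        """Return the egress interface, or None if the frame is not forwarded."""
        if self.transparent:
            # Forward everything regardless of source and destination
            return PAIR[ingress]
        # Bridge behaviour: learn the source, then decide on the destination
        self.mac_table[src_mac] = ingress
        known_port = self.mac_table.get(dst_mac)
        if known_port == ingress:
            return None  # destination is on the same side: do not cross over
        return PAIR[ingress]  # unknown or on the far side: forward


def run_scenario(transparent):
    """Hosts A and B sit behind eth1, Host C behind eth2 (constructed MACs)."""
    A, B, C = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    pair = InlinePair(transparent)
    results = {}
    # A and C exchange traffic: in bridge mode the sensor learns both sides
    results["A->C"] = pair.process("eth1", A, C)
    results["C->A"] = pair.process("eth2", C, A)
    results["B->C"] = pair.process("eth1", B, C)
    # A now talks to B, both on the eth1 side of the sensor
    results["A->B"] = pair.process("eth1", A, B)
    return results


if __name__ == "__main__":
    for mode in (True, False):
        label = "transparent" if mode else "bridge"
        print(label, run_scenario(mode))
```

In bridge mode the A->B frame stays on its own side, which is why the guide warns that a non-transparent inline set must not be placed where it would create a loop; in transparent mode it is simply carried to the other side like all other traffic.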

Tap Mode

Tap mode is available on the 3D3800, 3D5800, and 3D9900, and on 3D9800 3D Sensors with later firmware versions, when you create an inline or inline with fail open interface set.

TIP! 3D9800 sensors with earlier versions of firmware do not support tap mode. The Sourcefire 3D System checks the 3D9800 firmware version and displays the optional tap mode check box in the Create Interface Set page when appropriate.

With tap mode, the sensor is deployed inline, but instead of the packet flow passing through the sensor, a copy of each packet is sent to the sensor and the network traffic flow is undisturbed. Because you are working with copies of packets rather than the packets themselves, rules that you set to Drop and rules that use the replace keyword do not affect the packet stream. However, rules of these types do generate intrusion events when they are triggered.


There are benefits to using tap mode with sensors that are deployed inline. For example, you can set up the cabling between the sensor and the network as if the sensor were inline and analyze the kinds of intrusion events the sensor generates. Based on the results, you can modify your intrusion policy and add the drop rules that best protect your network without impacting its efficiency. When you are ready to deploy the sensor inline, you can disable tap mode and begin dropping suspicious traffic without having to reconfigure the cabling between the sensor and the network.

IMPORTANT! On a 3D3800 or 3D5800 sensor, if you plan to use RNA to monitor either an inline or inline with fail open interface set, you must either configure an IPS detection engine that uses that interface set, as well as apply an intrusion policy to that detection engine, or configure the interface set in tap mode. Otherwise, the RNA detection engine monitoring that interface set will not see any traffic. If you are monitoring the same inline interface set with both IPS and RNA or RUA, and the IPS detection engine fails for any reason, the RNA or RUA detection engine monitoring that interface set will not see any traffic until the IPS detection engine restarts. Neither RNA nor RUA are supported on the 3D9800 sensor.

Link State Propagation Mode

Link state propagation mode is a feature for inline fail-open interface sets that makes both interfaces of an inline pair track each other's link state. It is also available on 3D9900s in both inline and inline fail-open mode. It is not available for passive interface sets.

IMPORTANT! Fiber interface sets configured as inline fail-open, other than those on 3D9900s, must be in hardware bypass mode for link state propagation to function correctly. For more information about fiber interface sets and hardware bypass, see Removing Bypass Mode on Inline Fail Open Fiber Interfaces on page 225.

Link state propagation mode automatically brings down the second interface in the interface pair when one of the interfaces in an inline interface set goes down. When the downed interface comes back up, the second interface automatically comes back up, too. In other words, if the link state of one interface changes, the link state of the other interface is changed automatically to match it. Link state propagation is available for both copper and fiber fail-open NIMs.

IMPORTANT! Crossbeam-based software sensors and 3D9800 sensors do not support link state propagation.


Link state propagation is especially useful in resilient network environments where routers are configured to reroute traffic automatically around network devices that are in a failure state.

Jumbo Frames

Jumbo frames are Ethernet frames with a frame size greater than the standard 1518 bytes. A typical maximum jumbo frame size is 9018 bytes. Most gigabit Ethernet network interface cards support jumbo frames to increase efficiency. If your 3D Sensor and its interfaces support jumbo frames, set the maximum frame size for the interface on the Create Interface Set page.

3D Sensors that support jumbo frames include:

• 3D6500

• 3D9800 (9018-byte jumbo frames are always accepted)

• 3D9900

Note that since the 3D9800 is set to always accept the maximum size frame, you do not need to set it in the Create Interface Set page.

Note also that frames larger than the configured maximum frame size are silently dropped by the sensor.

Automatic Application Bypass

The automatic application bypass feature allows you to balance packet processing delays with your network’s tolerance for packet latency. You can apply automatic application bypass on an interface set basis. The feature functions with both passive and inline interface sets; however, it is most valuable in inline deployments.

Automatic application bypass limits the time allowed to process packets through an IPS, RNA, or RUA detection engine and allows packets to bypass the detection engine if the time is exceeded. The automatic application bypass option is off by default. You can change the bypass threshold if the option is selected. The default setting is 750 milliseconds (ms). The valid range is from 250 ms to 60,000 ms.

WARNING! If a detection engine is bypassed, a core file is automatically generated for potential troubleshooting by Sourcefire Support. If the application bypass triggers repeatedly, excessive numbers of core files can result in disk usage health alerts.

To see a list of which 3D Sensors you can use Automatic Application Bypass Monitoring on, see the Supported Features by 3D Sensor Model table on page 208.

If a detection engine is bypassed, 3D Sensors generate a health monitoring alert. For more information on the health monitoring alert, see Configuring Automatic Application Bypass Monitoring on page 502.


Enabling Fail-Safe

The Create Interface Set page includes an additional option for 3D9900 sensors: the Enable Fail-Safe option. The Enable Fail-Safe option is only available on inline interface configurations. When you enable the Enable Fail-Safe option, traffic is allowed to bypass detection and continue through the sensor. 3D9900 sensors monitor internal traffic buffers and bypass detection engines if those buffers are full.

Creating an Interface Set

Requires: DC or 3D Sensor

An interface set is a collection of one or more sensing interfaces on your appliance. For information about their use, see Using Interface Sets on page 207.

IMPORTANT! The procedure for creating an inline interface set for 3Dx800 sensors is slightly different. For more information, see the next section, Creating an Inline Interface Set.

To create an interface set:

Access: Admin

1. Select Operations > Configuration > Detection Engines > Interface Sets.

The Interface Sets page appears.

2. Click Create Interface Set.

The Create Interface Set page appears.

3. Type a name and description for the new interface set in the Name and Description fields.

You can use alphanumeric characters and spaces.

4. Select the type of interface you want to create, Passive, Inline, or Inline with Fail Open, from the Interface Set Type drop-down list.

TIP! Some sensors do not support every interface set type.


5. Optionally, select an existing interface set group or select Create New Group to create a new interface set group. See Using Interface Set Groups on page 223 for more information.

6. Optionally, if you selected the Inline or Inline with Fail Open option, clear the Transparent Inline Mode check box to disable transparent mode.

7. If you selected either the Inline or Inline with Fail Open option and you are not configuring a Crossbeam-based software sensor, then optionally, select Link State Propagation Mode. This option is especially useful if the routers on your network are able to re-route traffic around a network device that is down.

IMPORTANT! Link state propagation and automatic application bypass are not supported on Sourcefire 3D Sensor Software for X-Series platforms. You can, however, set jumbo frame options on the Crossbeam CLI.

8. Optionally, select Automatic Application Bypass if your network is sensitive to latency. When the option is selected, you can set a Bypass Threshold in milliseconds (ms). The default setting is 750 ms and the valid range is from 250 ms to 60,000 ms. Automatic Application Bypass is most useful in inline deployments.

9. Optionally, if you are configuring an inline interface set on a 3D9900, you can select the Enable Fail-safe check box to enable traffic pass-through during application bypass.


10. Optionally, if you are configuring an interface set on a 3D6500 or 3D9900, type a maximum frame size for your IP traffic in the Maximum Frame Size field. You can set any jumbo frame size between 1518 and 9018 bytes, inclusive.

On the Defense Center only, a list of sensor groups appears, including a list of ungrouped sensors.

The following shows a 3D9900 interface set.

11. Defense Center Only Select the sensor group containing the sensors where you want to create the interface set. You can also select the ungrouped sensors.

A list of sensors appears.

12. Defense Center Only Select one of the sensors from the list.

A list of network interfaces on the sensor appears.


13. Select the interfaces that you want to add from the Available Interfaces list and click the arrow button to add the interface to the Selected Interfaces list. You can use the Shift and Ctrl keys to select multiple interfaces at once.

Determining which interface name corresponds with a physical interface on your sensor depends on the model:

• For most 3D Sensors, log into the console and disconnect the network cable from the interface. A message appears on the console indicating the name of the interface (eth1, eth2, and so on). Remember to reconnect the network cable when you are finished.

• For 3Dx800 sensors, the names that appear in the Available Interfaces list correspond to the slot number and interface location. For example, s0.e0 corresponds to the leftmost interface on the network interface module (NIM) in I/O Slot 0 on the back of your appliance.

• For 3D Sensor Software for Crossbeam Systems X-Series, the names that appear in the Available Interfaces list correspond to the device names you assigned to the circuits you created on the X-Series.

For more information, see the Installation Guide for your sensor or sensor software.

Different types of interface sets have different requirements. For example, you can include all of the available interfaces in a passive interface set, but inline interface sets must contain exactly two interfaces (except on 3Dx800 sensors). Inline with fail open interface sets must contain one pair of interfaces from the same fail-open network card.

IMPORTANT! If you select an on-board interface rather than an interface on a network card, your sensor may not provide optimum performance.

14. Click Save.

The interface set is created.

TIP! After you create an interface set, make sure you reapply intrusion policies to the IPS detection engines on the affected sensor.
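The procedure above identifies a physical port by pulling its cable and reading the interface name off the console. The following shell script is an added example, not part of this guide or of the Sourcefire software: it records the link (carrier) state of every interface before and after you unplug a cable and prints the one that changed, so the mapping can be done from an SSH session. It assumes the sensor's Linux exposes the standard /sys/class/net tree (the guide does not mention sysfs); the sysfs root is a parameter so the functions can be exercised against a constructed directory.

```shell
#!/bin/sh
# Added example, not from the guide: find which ethN name belongs to a
# physical port by snapshotting link state before and after unplugging its
# cable. Assumes a Linux /sys/class/net (standard sysfs). The root directory
# is a parameter so the functions can be run against a constructed tree.

# Print "<iface> <state>" for every interface under the given sysfs root.
# carrier reads 1 (link) or 0 (no link); reading it on an administratively
# down interface fails, which is reported as "admin-down".
link_snapshot() {
    root="${1:-/sys/class/net}"
    for d in "$root"/*; do
        [ -e "$d/carrier" ] || continue           # skip lo and non-netdevs
        if state=$(cat "$d/carrier" 2>/dev/null); then
            case "$state" in 1) state=up ;; 0) state=nolink ;; esac
        else
            state=admin-down
        fi
        echo "${d##*/} $state"
    done
}

# Compare two snapshot files and print "<iface>: <before> -> <after>" for
# every interface whose state changed. The port you unplugged is the
# "up -> nolink" line; anything else that changed is noise worth knowing about.
link_changes() {
    awk 'NR == FNR { before[$1] = $2; next }
         ($1 in before) && before[$1] != $2 { print $1 ": " before[$1] " -> " $2 }' "$1" "$2"
}

# Interactive use on the sensor:  ./which_port.sh --watch [sysfs-root]
# Snapshot, unplug exactly one cable, press Enter, read the changed interface.
if [ "${1:-}" = "--watch" ]; then
    b=$(mktemp); a=$(mktemp)
    link_snapshot "${2:-}" > "$b"
    echo "Unplug the cable from the port you want to identify, then press Enter."
    read _
    link_snapshot "${2:-}" > "$a"
    link_changes "$b" "$a"
    rm -f "$b" "$a"
fi
```

Reconnect the cable afterwards, as the guide says; on an inline set the unplugged pair is passing no traffic while you work.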

Creating an Inline Interface Set
Requires: DC or 3D Sensor

You can add multiple interface pairs to an inline interface set on 3D Sensors and Crossbeam-based software sensors. This is the default behavior during 3D Sensor installations. Using one interface set that includes all available inline interface pairs, you can apply a single policy and rapidly complete your initial 3D Sensor deployment. Later, you can refine policies for specific connected network segments and their requirements.

TIP! Although the default interface set on 3D Sensors includes all the available inline interface pairs, in many cases you can improve performance by modifying the interface set to include only the inline interface pairs your network requires.

You can also use multiple interface pairs when your network employs asynchronous routing, as shown in the following graphic.

Your network may be set up to route traffic between a host on your network and external hosts through different interface pairs depending on whether the traffic is inbound or outbound. If you include only one interface pair in an interface set, the sensor might not correctly analyze your network traffic because a detection engine might see only half of the traffic.


For most 3D Sensors with inline interface sets, a software bridge is automatically set up to transport packets when the sensor restarts. Although some packets are transmitted without inspection during this time, no packets are lost.

IMPORTANT! On a 3D3800 or 3D5800 sensor, if you plan to use RNA to monitor either an inline or inline with fail open interface set, you must either configure an IPS detection engine that uses that interface set and apply an intrusion policy to that detection engine, or configure the interface set in tap mode. Otherwise, the RNA detection engine monitoring that interface set will not see any traffic. If you are monitoring the same inline interface set with both IPS and RNA or RUA, and the IPS detection engine fails for any reason, the RNA or RUA detection engine monitoring that interface set will not see any traffic until the IPS detection engine restarts. Neither RNA nor RUA is supported on the 3D9800 sensor.

To create an inline interface set:

Access: Admin

1. Select Operations > Configuration > Detection Engines > Interface Sets.

The Interface Sets page appears.

2. Click Create Interface Set.

The Create Interface Set page appears.

3. Type a name and description for the new interface set in the Name and Description fields.

You can use alphanumeric characters and spaces.

4. Select the type of inline interface you want to create.

• For a 3Dx800 sensor, choose either Inline or Inline with Fail Open from the Interface Set Type drop-down list.

• For Crossbeam-based software sensors, choose Inline from the Interface Set Type drop-down list.

A list of sensor groups appears, including a list of ungrouped sensors.

5. Optionally, select an existing interface set group or select Create New Group to create a new interface set group. See Using Interface Set Groups on page 223 for more information.


6. Optionally, select Automatic Application Bypass if your network is sensitive to latency. When the option is selected, you can set a Bypass Threshold in milliseconds (ms). The default setting is 750 ms and the valid range is from 250 ms to 60,000 ms.

IMPORTANT! Link state propagation and automatic application bypass are not supported on Sourcefire 3D Sensor Software for X-Series platforms. You can, however, set jumbo frame options on the Crossbeam CLI.

7. Optionally, if you are configuring an interface set on a 3D9900, select the Enable Fail-safe check box to enable traffic pass-through during application bypass.

8. Optionally, if you are configuring an interface set on a 3D6500 or 3D9900, type a maximum frame size for your IP traffic in the Maximum Frame Size field. You can set any jumbo frame size between 1518 and 9018 bytes, inclusive.

On the Defense Center only, a list of sensor groups appears, including a list of ungrouped sensors.

The following shows a 3D9900 interface set.

9. Select one of the sensors from the list.

If you are creating an inline interface set, a list of network interfaces on the sensor appears.

If you are creating an inline with fail open interface set, a list of paired network interfaces on the sensor’s fail-open cards appears.


10. Add the interfaces to your interface set.

• If you are creating an inline interface set, select two interfaces that you want to designate as an inline pair from the Available Interfaces list and click the arrow button to add the interface to the Selected Interfaces list. Repeat to add additional interface pairs.

• If you are creating an inline with fail open interface set, select at least one interface pair from the Available Interfaces list and click the arrow button to add the interface to the Selected Interfaces list.

Use the Shift and Ctrl keys to select multiple interfaces or interface pairs at once.

Determining which interface name corresponds with a physical interface on your sensor depends on the model:

• For 3Dx800 sensors, the names that appear in the Available Interfaces list correspond to the slot number and interface location. For example, s0.e0 corresponds to the leftmost interface on the network interface module (NIM) in I/O Slot 0 on the back of your appliance.

• For 3D Sensor Software for Crossbeam Systems X-Series, the paired interface names that appear in the Available Interfaces list correspond to the device names you assigned to the transparent bridge-mode bridge circuits you created on the X-Series. Note that 3D Sensor Software for Crossbeam Systems X-Series does not support inline with fail open interface sets.

For more information, see the Installation Guide for your sensor or sensor software.

You can configure inline interface sets on 3D3800 and 3D5800 sensors to contain up to four pairs of interfaces. Inline with fail open interface sets on 3D3800 and 3D5800 sensors can also contain up to four pairs of interfaces, but each pair must reside on a single fail-open network card. On the 3D9800 sensor, inline and inline with fail open interface sets can include up to the total number of interface pairs on the sensor.

11. Optionally, for a 3Dx800 or 3Dx900 sensor, select the Enable Tap Mode check box to use tap mode.

TIP! 3D9800 sensors with earlier versions of firmware do not support tap mode. The Sourcefire 3D System checks the 3D9800 firmware version and displays the optional tap mode check box in the Create Interface Set page when appropriate.


12. Optionally, for a 3D3800 or 3D5800 sensor, select Link State Propagation Mode.

This option is especially useful if the routers on your network are able to re-route traffic around a network device that is down.

TIP! The link lights on fiber fail-open NIMs remain lighted even when the link state is down on 3D3800 or 3D5800 sensors with link state propagation enabled.

IMPORTANT! Note that link state propagation is not available for Crossbeam-based software sensors or 3D9800 sensors.

13. Click Save.

The interface set is created.

TIP! After you create an interface set, make sure you reapply intrusion policies to the IPS detection engines on the affected sensor.

Editing an Interface Set
Requires: DC or 3D Sensor

In some circumstances, editing an interface set or detection engine can cause the detection engines on the sensor to restart, which can cause a short pause in processing.

IMPORTANT! For most 3D Sensors with inline interface sets, a software bridge is automatically set up to transport packets when the sensor restarts. Although some packets are transmitted without inspection during this time, no packets are lost.

The following sections describe some of the cases where a detection engine is affected by changes to the detection engines and interface sets:


3Dx800 Sensors

• If you change the number of network interfaces, the interface set type, or transparent mode for an interface set, all the detection engines using that interface set are restarted.

• If you change an interface set’s tap mode setting, all detection engines assigned to that interface set are restarted.

TIP! 3D9800 sensors with earlier versions of firmware do not support tap mode. The Sourcefire 3D System checks the 3D9800 firmware version and displays the optional tap mode check box in the Create Interface Set page when appropriate.

• If you change the number of detection resources, which interface set is used, or the detection engine type, only that detection engine is restarted (although other CPUs may be restarted to rebalance the processing load).

• If you create a detection engine, only that detection engine is started (although other CPUs may be restarted to rebalance the processing load).

• If you delete a detection engine or interface set, all detection engines on the sensor are restarted.

• If you create an interface set, nothing is restarted.

• If you change the name or description of an interface set or detection engine, nothing is restarted.

Other Sensors

• If you change which network interfaces are used by the interface set, all the detection engines on the sensor are restarted.

• If you change an interface set’s transparent mode setting or interface set type, all detection engines assigned to that interface set are restarted.

• If you change a detection engine’s interface set, all detection engines on the sensor are restarted.

• If you change the number of detection resources allocated to a detection engine, all the detection engines on the sensor are restarted.

• If you change the detection engine type for a detection engine, that detection engine is restarted.

• When you create a detection engine, all the detection engines on the sensor are restarted because the total number of allocated resources has changed.

• If you delete a detection engine or interface set, all detection engines on the sensor are restarted.


• If you create an interface set, nothing is restarted. A restart occurs only when you assign a detection engine to the interface set.

• If you change the name or description of an interface set or detection engine, nothing is restarted.

Make sure you plan these actions for times when they will have the least impact on your deployment.

To edit an interface set:

Access: Admin

1. Select Operations > Configuration > Detection Engines > Interface Sets.

The Interface Sets page appears.

2. Click Edit next to the interface set that you want to modify.

The Create Interface Set page appears.

3. Make any changes to the interface set and click Update.

Your changes are saved.

TIP! After you edit an interface set used by an IPS detection engine, make sure you reapply your intrusion policy on the affected sensor.

Deleting an Interface Set
Requires: DC

You cannot delete an interface set that is being used by a detection engine. You must delete the detection engine before you can delete the interface set.

To delete an interface set:

Access: Admin

1. Select Operations > Configuration > Detection Engines > Interface Sets.

The Interface Sets page appears.

2. Click Delete next to the interface set that you want to delete, and, at the prompt, confirm that you want to delete the interface set.

The interface set is deleted.

Using Interface Set Groups
Requires: DC

You can use interface set groups to combine similar interface sets. These groups make it easier to apply PEP policies to interface sets that have similar purposes. For more information on PEP policies, see Understanding PEP Traffic Management in the Analyst Guide.

See the following sections for more information:

• Creating Interface Set Groups on page 224

• Deleting Interface Set Groups on page 225


Creating Interface Set Groups
Requires: DC

The following procedure explains how to create an interface set group.

To create an interface set group:

Access: Admin

1. Select Operations > Configuration > Detection Engines > Interface Sets.

2. Click Create Interface Set Group, or click Create Interface Set and then click Create New Group in the Group field.

The Create Interface Set Group page appears.

3. Type a name for the interface set group in the Group Name field.

4. Click Save.

The Interface Set page appears again.

You can add interface sets to an interface set group by clicking Edit next to an interface set group name and, on the Interface Group Edit page, adding available interface sets to the group and clicking Save.

Editing Interface Set Groups
Requires: DC/MDC or 3D Sensor

The following procedure explains how to edit an interface set group. You must create an interface set group before you can edit it. See Creating Interface Set Groups on page 224.

To edit an interface set group:

Access: Admin

1. Select Operations > Configuration > Detection Engines > Interface Sets.

The Available Interface Sets page appears.

2. Click Edit for the interface set group.

The Interface Group Edit page appears.


3. Select available interface sets and move them into the interface set group with the arrow buttons.

You can also move interface sets out of the interface set group.

4. Click Save to add the selected interface sets to the interface set group.

The Available Interface Sets page appears.

Deleting Interface Set Groups
Requires: DC

When you delete an interface set group, any interface sets in the group are automatically ungrouped; they are not deleted.

To delete an interface set group:

Access: Admin

1. Select Operations > Configuration > Detection Engines > Interface Sets.

The Interface Sets page appears.

2. Click Delete next to the name of the interface set group.

The interface set group is deleted.

Inline Fail Open Interface Set Commands
Requires: 3D Sensor

When you use fiber inline fail open interface sets and the interface set goes into bypass, you can force the interface set out of bypass mode. See Removing Bypass Mode on Inline Fail Open Fiber Interfaces. You can also force a copper or fiber inline fail open interface set into or out of bypass. See Forcing an Inline Fail Open Interface Set into Bypass Mode on page 226.

Removing Bypass Mode on Inline Fail Open Fiber Interfaces
Requires: 3D Sensor

When link state propagation is enabled on a sensor with an inline fail open interface set and the sensor goes into bypass mode, all network traffic passes through the interface pair without being analyzed. When the links are restored, most fiber inline fail open interface sets do not return from bypass automatically. You can use a command line tool to force the interface set out of bypass mode.

TIP! This tool works on most 3D Sensors with inline with fail open fiber interface pairs. It is not necessary to use this tool on inline with fail open copper interface pairs or to use this tool with 3D9900 sensors.

IMPORTANT! Make sure you contact Technical Support if you are having issues with the fail open interfaces on your sensor.


To force a fiber inline fail open interface set out of bypass mode:

Access: Admin

1. Open a terminal window on your 3D Sensor and enter the command su and the root password to switch to the root user.

2. Enter the following at the command line:

   /var/sf/bin/unbypass_cards.sh

3. When the interfaces switch out of bypass mode, a message in syslog indicates that the 3D Sensor is analyzing traffic. For example:

   Fiber pair has been reset by un_bypass

Forcing an Inline Fail Open Interface Set into Bypass Mode
Requires: 3D Sensor

When a sensor with an inline fail open interface set fails, it goes into bypass mode, a state where all network traffic passes through the interface pair without being analyzed. If you are troubleshooting an interface set, or if the interface card does not fail open on its own, you can use a command line tool to force the interface set into bypass mode.

TIP! Note that this tool works only with inline with fail open interface pairs. You cannot use it with non-fail open inline interface sets.

To force an inline fail open interface set into bypass mode, you must know which two interfaces are included in the interface set. You can determine this information on the Interface Sets page.

IMPORTANT! Make sure you contact Technical Support if you are having issues with the fail open interfaces on your sensor.

To force an inline fail open interface set into bypass mode:

Access: Admin

1. On the appliance's web interface, select Operations > Configuration > Detection Engines > Interface Sets.

The Interface Sets page appears.

2. Under Available Interface Sets, click Edit next to the inline with fail open interface set you are investigating.

The Create Interface Set page appears. The Selected Interfaces column displays the names of the interfaces in the interface set.

3. Log in as root onto the sensor and, at the prompt, enter the correct password.


4. Enter the following at the command line:

   failopen_pair.pl open eth#:eth#

For example, if the interfaces in the interface set are eth2 and eth3, enter the following:

   failopen_pair.pl open eth2:eth3

The following message appears:

   NOTE: You must already have a failopen interface set and detection engine configured on the pair you are forcing open or closed for this utility to work.

Then, if you specified the correct interfaces, the following message appears:

   Mode changed for interfaces eth2:eth3

The interfaces switch to bypass mode and the traffic is no longer analyzed.

If you did not specify the correct interfaces, the following message appears:

   No failopen interface set configured for interfaces eth2:eth3...

To return an inline fail open interface set to normal mode:

Access: Admin

1. Log in as root onto the sensor and, at the prompt, enter the correct password.

2. Enter the following at the command line:

   failopen_pair.pl close eth#:eth#

For example, if the interfaces in the interface set are eth2 and eth3, enter the following:

   failopen_pair.pl close eth2:eth3

The following message appears:

   Mode changed for interfaces eth2:eth3

The interfaces return to normal mode and the traffic flowing through the detection engines on the interface set is analyzed as you would expect.
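The following shell wrapper is an added example; it is not part of the Sourcefire sensor software or of this guide. It puts the two procedures above behind one script: it checks that the argument really is an eth#:eth# pair before handing it to a tool that runs as root, maps the messages quoted above to exit codes so a caller can tell "mode changed" from "no fail open interface set configured", and after running unbypass_cards.sh waits for the syslog confirmation instead of assuming the reset worked. The tool names and the message texts are taken from the procedures above; the wrapper name, the FAILOPEN_TOOL, UNBYPASS_TOOL and SYSLOG variables and the default syslog path are assumptions.

```shell
#!/bin/sh
# Added example: wrapper around the fail-open commands described in the guide
# (failopen_pair.pl and /var/sf/bin/unbypass_cards.sh). Not part of the
# Sourcefire software. Assumptions, not from the guide: the variables below,
# the syslog path, and that the tools print exactly the messages the guide quotes.

FAILOPEN_TOOL="${FAILOPEN_TOOL:-failopen_pair.pl}"            # guide runs it by name, as root
UNBYPASS_TOOL="${UNBYPASS_TOOL:-/var/sf/bin/unbypass_cards.sh}"
SYSLOG="${SYSLOG:-/var/log/messages}"                         # assumed syslog location

# Accept only "ethN:ethM" naming two different interfaces. The argument ends up
# on a root command line, so reject anything else before it gets there.
validate_pair() {
    printf '%s' "$1" | grep -Eq '^eth[0-9]+:eth[0-9]+$' || return 1
    [ "${1%%:*}" != "${1##*:}" ]
}

# Map the tool's output for a pair to an exit status:
#   0 mode changed; 2 no fail-open set on that pair (wrong interfaces, or no
#   detection engine configured); 3 unrecognised output (treat as failure).
interpret_output() {
    case "$2" in
        *"Mode changed for interfaces $1"*)                         return 0 ;;
        *"No failopen interface set configured for interfaces $1"*) return 2 ;;
        *)                                                          return 3 ;;
    esac
}

# set_bypass open|close ethN:ethM
# "open" forces the pair into bypass (traffic passes uninspected);
# "close" returns it to normal inspection.
set_bypass() {
    mode="$1"; pair="$2"
    case "$mode" in open|close) ;; *) echo "mode must be open or close" >&2; return 1 ;; esac
    validate_pair "$pair" || { echo "bad pair '$pair' (want ethN:ethM)" >&2; return 1; }
    out=$("$FAILOPEN_TOOL" "$mode" "$pair" 2>&1) || :
    if interpret_output "$pair" "$out"; then rc=0; else rc=$?; fi
    [ "$rc" -eq 0 ] || printf '%s\n' "$out" >&2
    return "$rc"
}

# True when syslog ($1, default $SYSLOG) carries the confirmation the guide
# says follows a successful reset.
unbypass_confirmed() {
    grep -q 'Fiber pair has been reset by un_bypass' "${1:-$SYSLOG}"
}

# unbypass [syslog] [timeout]: run the reset script, then wait up to timeout
# seconds (default 30) for the syslog confirmation instead of assuming success.
unbypass() {
    "$UNBYPASS_TOOL" || return 1
    i=0
    while [ "$i" -lt "${2:-30}" ]; do
        unbypass_confirmed "${1:-$SYSLOG}" && return 0
        sleep 1; i=$((i + 1))
    done
    echo "no un_bypass confirmation in syslog after ${2:-30}s" >&2
    return 1
}

# Command-line use on the sensor (the guide requires root for these tools):
#   ./failopen_ctl.sh open eth2:eth3     force the pair into bypass
#   ./failopen_ctl.sh close eth2:eth3    return it to normal mode
#   ./failopen_ctl.sh unbypass           fiber pair stuck in bypass after link restore
if [ $# -ge 1 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    case "$1" in
        unbypass) unbypass ;;
        *)        set_bypass "$1" "$2" ;;
    esac
fi
```

Forcing a pair open leaves that segment uninspected until you close it again, so treat "open" as a change-window action and check the exit code rather than the screen: the NOTE line is printed even when the pair is wrong, and only the "Mode changed" message means the state actually moved.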

Using Clustered 3D Sensors
Requires: DC + 3D9900

You can increase the amount of traffic inspected on a network segment by connecting two fiber-based 3D9900 sensors in a clustered pair. When you establish a clustered pair configuration, you combine the 3D9900 sensors' resources into a single, shared configuration. For information on establishing and separating clustered pairs, see Managing a Clustered Pair on page 140. After the cluster is established, you can identify the clustered sensors on the Sensor list page: select Operations > Sensors and note that clustered sensors have a peer icon.


You can see if the sensor is a master or slave, and which sensor it is paired with, when you hover over the peer icon.

By combining two 3D9900 sensors as a clustered pair, you combine their detection engines. In a clustered pair, the slave's ethb0 and ethb1 connect to the master, and its ethb2 and ethb3 are not connected. Because the detection engines and interface sets are combined, you can only manage them from a Defense Center and not from one of the clustered sensors.

When you combine two 3D9900 sensors as a clustered pair, the Defense Center displays the single interface set of the master sensor. You use the combined detection engines as a single entity except when viewing information from the clustered pair. For more information, see:

• Using Detection Engines on Clustered 3D Sensors on page 228

• Understanding Interface Sets on Clustered 3D Sensors on page 229

• Managing Information from a Clustered 3D Sensor on page 230

Using Detection Engines on Clustered 3D Sensors
Requires: DC + 3D9900

For information about using detection engines with clustered 3D9900s, see:

• Managing Clustered 3D Sensor Detection Engines on page 228

• Using Clustered 3D Sensor Detection Engines in Policies on page 229

• Managing Information from a Clustered 3D Sensor on page 230

For information about how to manage detection engines, see:

• Creating a Detection Engine on page 193

• Editing a Detection Engine on page 194

• Deleting a Detection Engine on page 197

Managing Clustered 3D Sensor Detection Engines
Requires: DC + 3D9900

Use the managing Defense Center to create, edit, and list the detection engines of paired 3D Sensors. You cannot manage detection engines on the local GUI of a paired 3D Sensor; the Edit page is replaced with an informational page.

Both 3D9900 sensors are listed as part of the detection engine formed by the clustered 3D Sensors. When you create a detection engine for a clustered pair, both sensors are listed in the interface set. The format is DetectionEngineName (MasterSensorName, SlaveSensorName). For example, a clustered detection engine could be named Z inline DE (birch.example.com, fir.example.com), where Z inline DE is the name of the detection engine, birch.example.com is the name of the master in the pair, and fir.example.com is the name of the slave in the pair of 3D9900 sensors.


When you create or edit a detection engine formed by the clustered 3D Sensors, the detection resources are listed as from both sensors.

Using Clustered 3D Sensor Detection Engines in Policies
Requires: DC + 3D9900

Use the managing Defense Center to manage policies and responses of paired 3D Sensors.

IMPORTANT! You cannot use the Policy & Response menu on the local GUI of a paired 3D Sensor; those pages are replaced with an informational page.

Clustered 3D Sensors detection engines present their names in the form DetectionEngineName (MasterSensorName, SlaveSensorName) when you use them in:

• IPS policies

• PEP policies

• RNA detection policies

• compliance rules

For example, a clustered 3D Sensors detection engine could be: Z inline DE (birch.example.com, fir.example.com); where Z inline DE is the name of the detection engine, birch.example.com is the name of the master in the pair, and fir.example.com is the name of the slave in the pair of 3D9900 sensors.

Understanding Interface Sets on Clustered 3D Sensors
Requires: DC + 3D9900

After you set up the clustered pair, a master/slave relationship is established between the two 3D9900 sensors. The master's ethb0 and ethb1 pair are used for sensing connections. The master's ethb2 and ethb3 pair connect to the slave's ethb0 and ethb1 pair. The slave's ethb2 and ethb3 pair are not functional and must not be connected when you establish the clustered pairing.


To view the clustered pair interface sets:

Access: Admin

Select Operations > Configuration > Detection Engines > Interface Sets.

The Interface Sets page appears. A clustered pair interface set displays both the master and the slave in the Sensor column.

Do not attempt to change the interface settings while a clustered sensor is paired.

For information about using interface sets in the detection engines of clustered 3D9900s, see Using Detection Engines on Clustered 3D Sensors on page 228.

Managing Information from a Clustered 3D Sensor
Requires: DC + 3D9900

Clustered sensors report information from each of the sensors. Analysis & Reporting tools display the information from each half of the detection engine independently, in the form DetectionEngineName/MasterSensorName and DetectionEngineName/SlaveSensorName.

IMPORTANT! If you collect statistics from clustered 3D9900s, add the data from both sensors of the detection engine to measure the total.

For example, the clustered detection engine could be Z inline DE (birch.example.com, fir.example.com), where Z inline DE is the detection engine, birch.example.com is the master sensor, and fir.example.com is the slave sensor. When you examine information from the clustered pair, it is listed as from both Z inline DE / birch.example.com and Z inline DE / fir.example.com.

A Select Detection Engines list from the Intrusion Event Statistics page is shown below.

These reports include:

• intrusion event statistics

• intrusion events

• event graphs


• dashboards

• RNA statistics

• network map

• searches

IMPORTANT! If you use eStreamer to stream event data from a clustered pair of 3D9900s to an external client application, collect the data from both 3D9900s and ensure that you configure each 3D9900 identically. The eStreamer settings are not automatically synchronized over the pair.
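Because each half of a clustered pair reports under its own DetectionEngineName / SensorName label, any total for the pair has to be summed by hand. The following awk-based shell function is an added example, not from this guide or the Sourcefire software: it groups rows by the detection engine name in front of " / " and adds the counts, so Z inline DE / birch.example.com and Z inline DE / fir.example.com become one line. The input format, one "detection engine / sensor count" row per line, is constructed for the example; the guide does not define an export format, so adapt the field handling to whatever your eStreamer client or report export actually produces.

```shell
#!/bin/sh
# Added example (not from the guide): total per-detection-engine counts for a
# clustered pair whose halves report as "DetectionEngineName / SensorName".
# The row format "<DE> / <sensor> <count>" is constructed for this example.

# Read rows on stdin, sum the trailing count for every detection engine name,
# and print "<DE><TAB><total><TAB><sensors seen>" sorted by name. Header lines
# and rows without a numeric count are skipped rather than counted as zero.
sum_cluster_stats() {
    awk -F' / ' '
        NF < 2 { next }                                 # header or blank line
        {
            n = split($2, f, /[[:space:]]+/)            # "<sensor> <count>"
            if (f[n] !~ /^[0-9]+$/) next                # no numeric count
            total[$1] += f[n]
            seen[$1] = seen[$1] (seen[$1] != "" ? "," : "") f[1]
        }
        END { for (de in total) printf "%s\t%d\t%s\n", de, total[de], seen[de] }
    ' | sort
}

# Constructed sample: one clustered pair (birch master, fir slave) plus a
# stand-alone sensor, with intrusion event counts for the same period.
SAMPLE='Detection Engine / Sensor            Events
Z inline DE / birch.example.com      1203
Z inline DE / fir.example.com         947
Edge DE / oak.example.com             310'

# total_for "<DE>": the summed count for one detection engine in SAMPLE.
# total_for "Z inline DE" -> 2150
total_for() {
    printf '%s\n' "$SAMPLE" | sum_cluster_stats | awk -F'\t' -v de="$1" '$1 == de { print $2 }'
}

# Stand-alone use: pipe an export through the function.
#   ./cluster_totals.sh < de_events.txt
if [ ! -t 0 ]; then sum_cluster_stats; fi
```

The third column lists which sensors contributed, which is how you notice a pair reporting from only one half: a line for Z inline DE naming only birch.example.com means fir's data never arrived, and the total is low, not complete.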

Chapter 7: Working with Event Reports

The Sourcefire 3D System provides a flexible reporting system that you can use to generate a variety of event reports. Event reports include the data that you see on the event view pages for each type of event presented in a report format.

The Report Types table describes the reports you can create and the components required for producing them. For example, the RNA Events report appears under the RNA report category on the Report Designer page. You must have an RNA host license on the Defense Center managing your 3D Sensor, and you must configure the RNA component for that sensor to collect RNA events. Similarly, the Intrusion Events report appears under the IPS report category and requires the IPS component on a 3D Sensor. You can run the report on the 3D Sensor or on the Defense Center that manages the sensor.

Report Types

Report                                         Report Category    Requires
Intrusion Events with Destination Criticality  IPS or RNA         DC + RNA + IPS
Intrusion Events with Source Criticality       IPS or RNA         DC + RNA + IPS
Intrusion Events                               IPS                DC + IPS
SEU Import Log                                 IPS                DC + IPS
Host Attributes                                RNA                DC + RNA
RNA Hosts                                      RNA                DC + RNA
Scan Results                                   RNA                DC + RNA
RNA Client Applications                        RNA                DC + RNA
RNA Events                                     RNA                DC + RNA
RNA Services                                   RNA                DC + RNA
Vulnerabilities                                RNA                DC + RNA
Hosts with Services                            RNA                DC + RNA
Flow Data                                      RNA                DC + RNA
RUA Events                                     RUA                DC + RUA
Users                                          RUA                DC + RUA
White List Violations                          Compliance         DC + RNA
Compliance Events                              Compliance         DC + RNA
White List Events                              Compliance         DC + RNA
Remediation Status                             Compliance         DC + RNA
Health Events                                  Health Monitoring  DC
Audit Log Events                               Audit Log          Any

You can use a predefined report profile to generate your report, or use it as a template for an event report profile which can be customized by modifying field settings as appropriate and saving the report with the new values. For information on modifying a predefined or existing report profile, see Editing Report Profiles on page 263.

You can create a new report profile through the use of the Report Designer. For more information on how to create and save report profiles, see Understanding Report Profiles on page 241.


See the following sections for more information:

• Working with Event Reports on page 234

• Working with Report Profiles on page 234

• Managing Generated Reports on page 237

• Understanding Report Profiles on page 241

• Working with Report Information on page 248

• Working with Report Sections on page 255

• Working with Report Options on page 258

• Using a Report Profile on page 260

Working with Event Reports

Requires: IPS or DC/MDC

You can generate reports manually or automatically on any subset of events in an event view. You can also specify which detection engine to use when generating the report. For information on how to generate a report for the data that appears in an event view, see Generating Reports from Event Views on page 235.

You can view, download, or delete previously generated reports, as well as move reports to a remote storage location. For more information on how to manage your reports, see Managing Generated Reports on page 237.

If you use a Defense Center to manage your sensors, you can run reports remotely from the Defense Center using the data stored on the sensors. For more information on how to generate reports on managed sensors and view the results on the Defense Center, see Running Remote Reports on page 240.

You can store reports locally or remotely. For more information on how to configure a Defense Center to store reports in a remote location using SSH, NFS, or SMB, see Managing Remote Storage on page 393.

Working with Report Profiles

Requires: IPS or DC/MDC

You can use a predefined report profile to generate your report. For information on how to generate a report from a report profile view, see Using a Report Profile on page 260.

You can use a predefined report profile as a template for an event report which can be customized by modifying field settings as appropriate and saving the report with the new values. For information on how to modify a report profile, see Editing Report Profiles on page 263.

You can create a new report profile through the use of the Report Designer. For more information on how to create and save report profiles, see Creating a Report Profile on page 246.


You can include a summary report for intrusion events and RNA events by selecting the appropriate radio button in your report profile. For more information on each of the summary reports, see Using Summary Reports on page 255.

You can generate reports in PDF, HTML or comma-separated value (CSV) formats, and include custom options such as a corporate logo or footers, and a short description of the report. For information on how to incorporate these options into your reports, see Working with Report Options on page 258.

Generating Reports from Event Views

Requires: IPS or DC/MDC

You can generate reports on any subset of events in an event view. You can also specify how you want the report formatted: PDF, HTML, or comma-separated values (CSV).

To generate a report for a specific set of events:

Access: Any Analyst/Admin

1. Populate an event view with the events you want to include in the report. You can do this several ways:

• Use an event search to define the type of events you want to view. For details on using the event search, see Searching for Events in the Analyst Guide.

• Drill down through a workflow until you have the proper events in your event view. For details on using workflows and constraining events within a workflow, see Understanding and Using Workflows in the Analyst Guide.

TIP! In addition to generating reports in an event view, as described in this section, you can also create a report profile and then either use it to generate a report or save it to use later. For more information, see Understanding Report Profiles on page 241.


2. Click Report Designer in the toolbar.

The Report Designer page appears. The settings on the page reflect the parameters that you selected for the search or through the drill-down pages. The following graphic shows the Defense Center version of the page.

TIP! If you need to go back to the drill-down page where you opened the Report Designer, click Return to Calling Page at the bottom of the Report Designer page.

3. Change any of the parameters as necessary to meet your needs.

For details on the parameters for a report, see Creating a Report Profile on page 246.

4. Select the check boxes next to the output options you want in the report: PDF, HTML, or CSV. Note that you may select more than one format.

5. Click Generate Report.


6. Click OK to confirm that you want to save the current parameters as a report profile.

The report profile is saved and the report generates in the output formats you selected.

7. To view the report, click Reports in the toolbar, then click the report name on the Reporting page that appears.

The report appears.

Managing Generated Reports

Requires: IPS or DC/MDC

Manage previously generated reports on the Reporting page. You can view, download, or delete reports. If you are using a Series 2 Defense Center, you can move reports to a remote storage location.

Each report is listed with the report name as defined in the report profile plus the date and time the report was generated, who generated it, and whether it is stored locally or remotely. The default location for report storage is listed at the top of the page; for local, NFS, and SMB storage, the appliance provides the disk usage of the storage device.

Each report has one of the following file extensions appended to the report name:

• .csv for comma-separated value reports

• .pdf for PDF reports

• .zip for HTML reports (HTML reports are zipped along with the necessary graphics)

Finally, the appliance lists the status of each of the reports, which indicates whether it has yet to be generated (for example, for scheduled tasks), it has already been generated, or whether the generation failed (for example, due to lack of disk space).

Note that only Series 2 Defense Centers support remote storage of reports. You can enable or disable remote storage using the Enable Remote Storage for Reports check box. If you disable remote storage, the Defense Center hides any previously generated remotely stored reports. In addition, if you change the remote storage location, the Defense Center hides reports not stored in the new location. To configure remote storage, click Remote Storage on the toolbar. For more information, see Managing Remote Storage on page 393.


For information on managing reports, see the following topics:

• Viewing Generated Reports on page 238

• Downloading Generated Reports on page 238

• Deleting Generated Reports on page 239

• Moving Reports to a Remote Storage Location on page 239

• Running Remote Reports on page 240

Viewing Generated Reports

Requires: IPS or DC/MDC

Use the following procedure to view generated reports. You can view one report at a time. Note that users with Admin access can view all reports generated on the appliance; other users can only view reports that they generated themselves.

TIP! You can also save reports locally. For more information, see the next section, Downloading Generated Reports.

To view a generated report:

Access: Any Analyst/Admin

1. Select Analysis & Reporting > Report Profiles.

The Report Profiles page appears.

2. On the toolbar, click Reports.

The Reporting page appears.

3. You have two options:

• Enable the check box next to the report you want to view, then click View.

• Click the name of the report.

In either case, the report opens.

Downloading Generated Reports

Requires: IPS or DC/MDC

Use the following procedure to download generated reports.

To download generated reports:

Access: Any Analyst/Admin

1. Select Analysis & Reporting > Report Profiles.

The Report Profiles page appears.

2. On the toolbar, click Reports.

The Reporting page appears.


3. Enable the check boxes next to the reports you want to download, then click Download.

TIP! Enable the check box at the top left of the page to download all reports on the page. If you have multiple pages of reports, a second check box appears that you can enable to download all reports on all pages.

4. Follow your browser’s prompts to download the reports.

The reports are downloaded in a single .zip file.

Deleting Generated Reports

Requires: IPS or DC/MDC

Use the following procedure to delete generated reports.

To delete generated reports:

Access: Any Analyst/Admin

1. Select Analysis & Reporting > Report Profiles.

The Report Profiles page appears.

2. On the toolbar, click Reports.

The Reporting page appears.

3. Enable the check boxes next to the reports you want to delete, then click Delete.

TIP! Enable the check box at the top left of the page to delete all reports on the page. If you have multiple pages of reports, a second check box appears that you can enable to delete all reports on all pages.

4. Confirm that you want to delete the reports.

The reports are deleted.

Moving Reports to a Remote Storage Location

Requires: DC/MDC

On Series 2 Defense Centers, you can move locally stored reports to a remote storage location. Note that after you move a report to a remote location, you cannot move it back. For information on configuring a remote storage location and enabling remote storage of reports, see Managing Remote Storage on page 393.

To move generated reports:

Access: Any Analyst/Admin

1. Select Analysis & Reporting > Report Profiles.

The Report Profiles page appears.

2. On the toolbar, click Reports.

The Reporting page appears.


3. Enable the check boxes next to the reports you want to move, then click Move.

TIP! Enable the check box at the top left of the page to move all reports on the page. If you have multiple pages of reports, a second check box appears that you can enable to move all reports on all pages.

4. Confirm that you want to move the reports.

The reports are moved.

Running Remote Reports

Requires: DC + 3D Sensor

If you use a Defense Center to manage your sensors, you have the option of running reports remotely from the Defense Center using the data on the sensors. For example, if you use your Defense Center to manage a 3D Sensor with IPS, and you store IPS data on the sensor in addition to sending it automatically to the Defense Center, you can run the report on the data that is resident on the sensor.

There are several limitations that you need to keep in mind:

• If you do not store data on the sensor, then the remote report will be empty.

• If your report uses a logo or image file, the logo or image file must exist on both the Defense Center and the managed sensor where you run the report.

• You cannot run incident reports remotely on managed 3D Sensors with IPS.

• You cannot run remote reports on 3Dx800 or Crossbeam-based software sensors.

To run a remote report:

Access: Any Analyst/Admin

1. Select Analysis & Reporting > Report Profiles.

The Report Profiles page appears.

2. Click Create Report Profile.

The Report Designer page appears.

3. Create the report that you want to run on the managed sensor.

See Generating Reports from Event Views on page 235 for details.

4. From the drop-down list at the bottom of the page, select the sensor where you want to run the report and click Run Remote Report.

A prompt appears asking you to confirm that you want to run the report remotely.

5. Click OK.

The report is run on the sensor that you selected.


6. In the toolbar, click Reports.

The Reporting page appears, listing the report you just generated on the managed sensor. Note that remote- is prepended to the name of the report.

7. You can view or download the remote report as you would with any other locally generated report.

TIP! You can also use report profiles as the basis for remote reports by creating a profile as described in Creating a Report Profile on page 246. When you run the report, make sure you select the name of the sensor and click Run Report Remotely.

Understanding Report Profiles

Requires: IPS or DC/MDC

Report profiles provide the structure for the generated report. You can use a predefined report profile to generate your report, or use it as a template for a new report profile by modifying field settings as appropriate and saving the report profile with the new values. You can also create a new report profile with the Report Designer. You can then run these reports manually or schedule them to run automatically (for information about scheduling tasks, see Scheduling Tasks on page 425).

Whether you use a predefined report profile or create your own, all report profiles contain the same three configurable areas: Report Information, Report Sections, and Report Options. Note that not all options are available for all categories or types.

Report Information defines the basic nature of the report profile by first giving the report profile a name, and then selecting the report category and type. Depending upon your choices, you will have other options to define, such as detection engine, search query, and workflow. For more information, see Working with Report Information on page 248.

Report Sections identifies which sections to include in the report, such as a drill down of events, table view of events, or the inclusion of an image file. For more information, see Working with Report Sections on page 255.

Report Options specifies the output formats of the report (PDF, HTML, or comma-separated value (CSV)), inserts a logo, adds a custom footer, and provides an option to email the report. For more information, see Working with Report Options on page 258.

See the following sections for more information:

• Understanding the Predefined Report Profiles on page 242

• Modifying a Predefined Report Profile on page 246

• Creating a Report Profile on page 246

• Working with Report Information on page 248


• Working with Report Sections on page 255

• Working with Report Options on page 258

• Using a Report Profile on page 260

• Generating a Report using a Report Profile on page 261

• Deleting Report Profiles on page 263

Understanding the Predefined Report Profiles

Requires: IPS or DC/MDC

A predefined report profile provides you with predefined settings for event reports. As with custom report profiles that you create (see Creating a Report Profile on page 246), you can use a predefined report profile as a template for an event report. You can modify field settings as appropriate, save the report with the new values, and run the report manually or automatically.


Predefined reports are provided by the Sourcefire system: Blocked Events, High Priority Events, and Host Audit. The following graphic shows the Blocked Events report profile on the Defense Center version of the page.

The following tables provide the default settings for each of the predefined report profiles. Note that if you modify the default settings, you have created a new report profile; you must save the report profile with a new name to preserve your new settings. The Report Options area is not included in these charts.


The Blocked Events report profile provides information on blocked intrusion events for all detection engines for the past twenty-four hours. This report profile is available on the Defense Center or on a 3D Sensor with IPS.

Default Settings for the Blocked Events Report Profile

Field                                                              Setting
Report Category                                                    IPS
Report Type                                                        Intrusion Events
Detection Engine                                                   All
Search Query                                                       Blocked Events
Workflow                                                           Impact and Priority (on the Defense Center); Destination Port (on the 3D Sensor)
Time                                                               Last day, sliding time window
Add Summary Report                                                 Quick
Impact Based Event Summary (on the Defense Center)                 Enabled
Drill Down of Source and Destination IPS (on the Defense Center)   Enabled
Drill Down of Destination Port (on the 3D Sensor)                  Enabled
Drill Down of Events (on the 3D Sensor)                            Enabled
Table View of Events                                               Disabled
Packets (limit 50 pages)                                           Disabled

The High Priority Events report profile provides information on intrusion events, as well as the host criticality of the hosts involved in those intrusion events, for the past twenty-four hours. This report profile is available only on a Defense Center that manages 3D Sensors with RNA and IPS.

Default Settings for the High Priority Events Report Profile

Field                                          Setting
Report Category                                IPS
Report Type                                    Intrusion Events with Destination Criticality
Detection Engine                               All
Search Query                                   High Priority Events
Workflow                                       Events by Impact, Priority, and Host Criticality
Time                                           Last day, sliding time window
Add Summary Report                             Quick
Impact to Criticality Summary                  Enabled
Source Destination Drill Down                  Enabled
Intrusion Events with Destination Criticality  Enabled
Packets (limit 50 pages)                       Disabled

The Host Audit report profile provides operating system details for the past week on systems less than two network hops away from 3D Sensors with RNA. This report profile is available only on the Defense Center that manages 3D Sensors with RNA.

Default Settings for the Host Audit Report Profile

Field                                      Setting
Report Category                            RNA
Report Type                                RNA Hosts
Detection Engine                           All
Search Query                               Local Systems
Workflow                                   Operating System Summary
Time                                       Last week, sliding time window
Add Summary Report                         Summary
Summary of OS Names                        Enabled
Summary of OS Versions                     Enabled
OS Details with IP, NetBIOS, Criticality   Enabled
Table View of Events                       Disabled
Packets (limit 50 pages)                   Disabled

Modifying a Predefined Report Profile

Requires: IPS or DC/MDC

You can use a predefined report profile as a template to create a new report profile by modifying the field settings as appropriate and saving the report with the new values. For more information on how to modify a predefined report profile, see Editing Report Profiles on page 263.

Creating a Report Profile

Requires: IPS or DC/MDC

You create a report profile by defining its category and type, and then specifying which detection engines to search, the criteria for the search, and which workflows to examine. Not all options are available for all reports. For example, in the IPS report category, selecting the Intrusion Events report type gives you the option to select which detection engines to search; selecting the Intrusion Events with Source Criticality report type does not provide that option.

You perform three steps to create a report profile: first, create the report profile in the system; second, configure the options in each of the three report areas (Report Information, Report Sections, and Report Options); and finally, save the report profile.

Working with Report Information on page 248 explains how to set the type of report and how to specify which detection engines, queries, and workflows to apply. Working with Report Sections on page 255 explains how to specify which sections to include in the report, such as a drill down of events, a table view of events, or an image file. Note that all reports contain the option for a summary report and an image file, but not all options are available for all reports.

Working with Report Options on page 258 explains how to set the output format of the report (PDF, HTML, or comma-separated value (CSV)), how to add a custom footer or logo, and how to use the option that emails the report.

To create a report profile:

Access: Any Analyst/Admin

1. Select Analysis & Reporting > Report Profiles.

The Report Profiles page appears.

2. Click Create Report Profile.

The Report Designer page appears. The following graphic shows the Defense Center version of the page.

TIP! You can also reach the Report Designer page from any event view by clicking Report Designer on the toolbar.

3. Continue with Defining Report Information on page 254.


Working with Report Information

Requires: IPS or DC/MDC

You define the basic nature of the report profile by first giving the report profile a name, and then selecting the report category and type. Depending upon your choices, you will have other options to define, such as detection engine, search query, and workflow. Note that not all options are available for all categories or types. The following graphic is an example of the Report Information section.

The Report Name can be any name using 1-80 alphanumeric characters, periods, dashes, parentheses, and spaces.


The Report Category defines which system feature is examined in the report. Select from the Report Categories table.

The Report Type is a subset of the Report Category and provides a greater level of detail to the report. Options vary depending upon Report Type. In many cases, such as the Compliance or Audit Log report categories, report types are limited and self-explanatory. However IPS and RNA report types options are extensive and provide detailed options for defining your report profile. See Using Report Types on page 250 for more information.

Report Categories

Select...            If you...

IPS                  have an IPS license and want to report on intrusion events with or without source or destination criticality, or on the SEU import log.
                     Use this option to select a workflow on one or more detection engines to search for blocked events, high impact or high priority events, common concerns, public or private addresses only, or exploits that target client/server issues or various services. For example, you can create a report that searches for IP-specific high impact intrusion events on a specified detection engine. For information on IPS Report Type options, see IPS Category Report Types on page 251.

RNA                  are using a Defense Center with an RNA host license and want to report on host attributes, RNA client applications, vulnerabilities, intrusion events with source criticality, hosts with services, RNA hosts, RNA events, RNA services, or scan results.
                     Use this option to search hosts for blocked or high priority events. For example, you can create a report that searches selected detection engines for RNA client applications. For more information on RNA Report Type options, see RNA Category Report Types on page 252.

RUA                  are using a Defense Center with an RUA host license and want to search one or more detection engines to examine RUA events and users, and generate a report that can include sections with a Table View of Events and Users. For example, you can create a report that searches selected detection engines for RUA events.

Compliance           are using a Defense Center with an RNA host license and want to report on white list violations, remediation status, compliance events, or white list events. For example, you can create a report that searches a selected detection engine for RNA compliance events.

Health Monitoring    are using a Defense Center and want to report on the health of your sensors.

Audit Log            want to report on audit log events.


The Detection Engine option allows you to select which detection engines are searched for the report. This option is available when searching for events, such as intrusion, RNA, white list, or compliance events, or when searching the network for RNA hosts, host attributes, client applications, and health monitoring.

The Search Query identifies the search criteria for the report. Options vary depending upon Report Type, and can include a list of exploits (such as Sasser Worm Search or non-standard service attempts) or areas of concern such as IRC Events or Kerberos Client/Server issues.

The Workflow allows you to select which workflow to examine. Options vary depending upon which options you selected for Report Type, Detection Engine, and Search Query, and can include such options as Network Services by Count or Host Violations, and IP-Specific or Impact and Priority.

The Time option allows you to define the period of time for which the report is generated. Click in the current time field to open a pop-up window from which you can select a static, expanding, or sliding time frame. For more information, see Setting Event Time Constraints in the Analyst Guide.

See the following sections for more information:

• Using Report Types on page 250

• Defining Report Information on page 254

Using Report Types

Requires: IPS or DC/MDC

The Report Type is a subset of the Report Category and provides a greater level of detail to the report. Options for the report type vary depending upon which Report Category is selected. Some report categories, such as the Compliance or Audit Log report categories, have limited report types and are self-explanatory. However, the report types available to the IPS and RNA report categories are extensive and provide detailed options for defining your report profile.

See the following sections for more information:

• IPS Category Report Types on page 251

• RNA Category Report Types on page 252


IPS Category Report Types

You can choose from the following IPS Category Report Types:

IPS Category Report Types

Select...    To...

Intrusion Events
    search one or more detection engines using user-specified search queries and workflows to generate a report which can include sections with a drill down of the destination port and events, a table view of events, and the packets.
    Search queries include: Blocked Events, Bootstrap Client/Server, Common Concerns, DNS Service, DirectX Service, FTP Service, Finger Service, High Impact Events, High Priority Events, IRC Events, Impact1/Not Dropped Events, Kerberos Client/Server, LDAP Services, Mail Services, Oracle Service, Private Addresses Only, Public Addresses Only, RPC Services, and Reserved Port TCP Scan.
    Workflows include: Destination Port, Event-Specific, Events by Priority and Classification, Events to Destinations, IP-Specific, Impact and Priority, Impact and Source, Impact to Destination, Source Port, and Source and Destination.

Intrusion Events with Source Criticality
    search using the Blocked Events or High Priority Events search queries to generate a report on the Intrusion Events with Source Criticality default workflow, which can include sections on Intrusion Events with Source Criticality, and the packets.

Intrusion Events with Destination Criticality
    search using the Blocked Events or High Priority Events search queries on your choice of three workflows:
    - Events by Impact, Priority, and Host Criticality, which can include sections on Impact to Criticality Summary, Source Destination Drill Down, Intrusion Events with Destination Criticality, and the packets.
    - Events with Destination, Impact, and Host Criticality, which can include sections on Current Events Monitor, Intrusion Events with Destination Criticality, and the packets.
    - Intrusion Events with Destination Criticality default workflow, which can include sections on Intrusion Events with Destination Criticality, and the packets.

SEU Import Log
    generate a report on the SEU Detail View workflow.


RNA Category Report Types

You can choose from the following RNA Category Report Types:

Select Host Attributes to search one or more detection engines to examine the Attributes workflow, and generate a report which can include sections with a table view of host attributes and the packets.

Select RNA Client Applications to search one or more detection engines to examine the Client Application Summaries or RNA Client Applications workflows, and generate a report which can include sections with a table view of client applications and the packets.

Select Vulnerabilities to examine the Vulnerabilities workflow and generate a report which can include sections with a table view of vulnerabilities, vulnerabilities on the network, and the packets.

Select Intrusion Events with Source Criticality to search using the Blocked Events or High Priority Events search queries on the Intrusion Events with Source Criticality default workflow, and generate a report which can include sections on Intrusion Events with Source Criticality, and the packets.

Select Hosts with Services to examine the Hosts with Services Default Workflow or the Service and Host Details, and generate a report which can include sections on Hosts with Services and the hosts.

Select RNA Hosts to search one or more detection engines to examine the operating system summary or RNA hosts for local, remote, unidentified, or unknown systems, and generate a report which can include sections with a Summary of Operating System Names, Summary of Operating System Versions, Operating System Details with IP, NetBIOS Criticality, Table View of Hosts, and Hosts.

Select Scan Results to generate a report on the Scan Results workflow.

Select RNA Events to search one or more detection engines using the NetSky.S Worm Search, New Events, Sasser Worm Search, Subseven Trojan Search, Timeout Events, and Update Events search queries, and generate a report which can include sections with a Table View of Events, and Hosts.

Select RNA Services to search one or more detection engines for non-standard service events (such as non-standard HTML, non-standard mail, non-standard SSH) in the Network Services by Count, Network Services by Hit, and RNA Services workflows, and generate a report which can include sections with Active Services, Service Application Activity, Service Version Audit, Service by Host, and Hosts.

Select Intrusion Events with Destination Criticality to search using the Blocked Events, Events to High Criticality Hosts, or High Priority Events search queries, and generate a report on your choice of three workflows:

• Events by Impact, Priority, and Host Criticality, which can include sections on Impact to Criticality Summary, Source Destination Drill Down, Intrusion Events with Destination Criticality, and the packets.

• Events with Destination, Impact, and Host Criticality, which can include sections on Current Events Monitor, Intrusion Events with Destination Criticality, and the packets.

• Intrusion Events with Destination Criticality default workflow, which can include sections on Intrusion Events with Destination Criticality, and the packets.

Select Flow Data to search one or more detection engines using user-specified search queries and workflows, and generate a report which can include sections with the Top Ten workflows, Table View of Flow Summary Data, Table View of Flow Data drill down of the destination port and events, a table view of events, and the packets.

Search queries include: Possible Database Access, Standard HTTP, Standard Mail, Standard SSL, and Unauthorized SMTP.

Workflows include: Flow Summaries, Flows by Detection Engine, Flows by Initiator, Flows by Port, Flows by Responder, Flows by Service, Flows Over Time, RNA Flows, Traffic by Detection Engine, Traffic by Initiator, Traffic by Port, Traffic by Responder, Traffic by Service, Traffic Over Time, Unique Initiators by Responder, and Unique Responders by Initiator.

Defining Report Information

Requires: IPS or DC/MDC

After you have determined which options you need for your report, use the following procedure to define the report information options.

Access: Any Analyst/Admin

To define the Report Information:

1. From the Report Category drop-down list, select the report category for which you want to create a report.

You can choose from:

• IPS (with an IPS license)

• RNA (on a Defense Center with an RNA host license)

• RUA (on a Defense Center with an RUA host license)

• Compliance (on a Defense Center with an RNA host license)

• Health Monitoring (on a Defense Center)

• Audit Log

2. From the Report Type drop-down list, select the type of report you want to create.

3. Optionally, if the report type you selected includes the Detection Engine option, select a specific Detection Engine on which to report.

4. Requires: DC Optionally, if you are reporting on health events, select a specific sensor or sensor group from the Sensor drop-down list.

5. From the Search Query drop-down list, either use the Use Current Query option (which retains any query parameters you specified on the search page or event page) or select one of the existing search queries.

Note that if you did not previously specify a search query, the Use Current Query option places no constraints on the events.

6. From the Workflows list, select the workflow you want to use to build the report.

For information on workflows, see Understanding and Using Workflows in the Analyst Guide.

7. Specify the time range for the report.

Depending on your default time window, the time range matches either the time window for the event view you are using to build the report profile, or the global time window. You can change the time range by clicking it and using the Date/Time pop-up window to select a new time range. For more information, see Setting Event Time Constraints in the Analyst Guide.

8. Continue with Defining the Report Sections on page 258.

IMPORTANT! For report profiles that you plan to use multiple times, such as in scheduled tasks, Sourcefire strongly recommends that you use a sliding time range. If you create a report profile with a static time range, the appliance will generate a report using the same time range (and therefore the same events) every time you use the report profile.

Working with Report Sections

Requires: IPS or DC/MDC

The Report Sections area is populated based on the workflow you selected. Select the check box for each report section you want to include in the report.

Reports can include up to 10,000 records for each report section you select.

See the following sections for more information:

• Using Summary Reports on page 255

• Including an Image File on page 257

• Defining the Report Sections on page 258

Using Summary Reports

Requires: IPS or DC/MDC

Depending on the components you are licensed to use in your Sourcefire 3D System deployment, you can include summary reports for intrusion events and RNA events. You can append these summary reports to the beginning of any report by selecting the appropriate radio button in the report profile.

Intrusion event reports require the IPS component. If your deployment includes IPS, you can include either a Quick Summary or a Detail Summary report in your report profile definition.

The Comparison of Quick Summary and Detail Summary Reports table shows which information is included in the reports.

IMPORTANT! On the Defense Center, the report includes summary information for all the managed 3D Sensors with IPS that you include in the report.

Comparison of Quick Summary and Detail Summary Reports

Included in both the Quick Summary and the Detail Summary:

• Pie chart showing the percentage of events in each event type (which maps to the rule category for the rule that generated the event)

• List of the 10 most active and 10 least active events

• Graph showing the number of events over time

• Pie charts showing the percentage of events by protocol (for example, TCP, UDP, or ICMP) and event classification (which maps to the value for the classtype keyword in the rule that generated the event)

• Tables listing the 50 most active and least active events

• Tables listing the 50 most active source and destination ports

• Tables listing the 25 most active source and destination hosts and host combinations

Included in the Detail Summary only:

• Tables listing the 25 most active source and destination hosts as well as the 25 most active source and host combinations

• Tables listing the most active events for each of the 25 most active destination hosts

• Tables listing the most active events for the 25 most active source and destination host combinations

RNA-related event reports require the RNA component. If your deployment includes 3D Sensors with RNA and a Defense Center that manages the sensors, you can add the RNA Summary to RNA event, host, client application, service, and flow data reports. The RNA Summary includes:

• RNA event statistics including total number of events, events in the last day and hour, total services, total hosts, total routers, total bridges, and host limit usage

• a list of events divided by event type with counts for the last hour and total number within the report range

• pie charts showing the percentage of events by protocol (for example, TCP, UDP, or ICMP), service, and operating system

Including an Image File

Requires: IPS or DC/MDC

You can add an image to your report, which is displayed after the summary report and before the drill down or table views. This can be useful for providing information that is best presented visually rather than as text, or simply as a break between sections.

You can use JPEG, PNG, and TIFF files as image files, but only JPEG and PNG graphics are supported in most browsers.

Defining the Report Sections

Requires: IPS or DC/MDC

After you have determined which options you need for your report, use the following procedure to define the report section options.

Access: Any Analyst/Admin

To define the Report Sections:

1. If a summary is available for the report type you selected, specify whether you want to include it as part of your report.

• To include a summary with intrusion event-based reports, select quick or detailed. For a full description of the information provided in Quick and Detailed summaries, see Using Summary Reports on page 255.

• On a Defense Center with an RNA host license, to include a summary with an RNA-based report, select summary. For a full description of the information provided in the RNA summary, see Using Summary Reports on page 255.

• To exclude the summary, select none, which is the default.

2. If you want to include an image in the report, type the path to the image in the Include Image File text box, or navigate to a JPEG, PNG, or TIFF file.

3. Select the check boxes next to the sections of the workflow you want to include in the report. The options in this section depend on the workflow you selected in step 6.

4. Continue with Working with Report Options on page 258.

TIP! Note that if you select a table view of events, the report is limited to 10,000 records as noted in step 6, regardless of the number of events.

Working with Report Options

Requires: IPS or DC/MDC

Report Options define the look of the report, and provide the option to email the report.

You can generate a report in PDF, HTML or comma-separated value (CSV) format. You can also generate the same report in multiple formats. Note that graphics are not available in the CSV format.

You can include a logo on your report. In PDF formats, the logo is included on every page. In HTML formats, the logo is included at the top of the report.

You can add a description which will be included on the front page summary of the report.

Access: Any Analyst/Admin

To define the report options:

1. Select the check boxes next to one or more output options for your report: PDF, HTML, or CSV.

2. Optionally, for PDF and HTML reports, select a logo from the list of image files that were previously added to the system.

See Including an Image File on page 257 for information about how to make more logos available to the report designer.

3. Optionally, for PDF and HTML reports, type a description in the Description field. You can use alphanumeric characters and spaces. The description appears in the report header.

4. Optionally, for PDF reports, type the text you want to include as the footer in the Custom Footer field. You can use 1 - 80 alphanumeric characters and spaces.

5. Optionally, you can specify that reports are automatically emailed after they are generated. To email a report, type one or more email addresses in a comma-separated list in the Email to field.

IMPORTANT! You must make sure that a mail relay host is configured before reports can be emailed. If the Email to field shows Not available, click it; the System Policy page appears. Click Edit in the row for the system policy you want to modify, click Email Notification, type the name of your mail server in the Mail Relay Host field, and click Save. Then click Apply in the row for the system policy you changed and apply it to the appliance.

The report is emailed from host_name@domain_name, where host_name is the host name of the appliance and domain_name is the name of the domain where you deployed the appliance.

6. You have the following options:

• To save the report profile, click Save Report Profile.

When prompted, follow the instructions for your browser to save the report profile.

The report profile is saved with the name you specified in the Report Name field.

• To generate the report and save the report profile, click Generate Report.

When prompted, follow the instructions for your browser to generate the report and save the report profile.

• To see a PDF preview of your report, click Preview Report.

When prompted, follow the instructions for your browser to display a PDF version of the report in the browser window.

• On a Defense Center, to generate the report remotely, select the sensor where you want to run the report and click Run Remote Report.

When prompted, follow the instructions for your browser to generate the report and save the report profile.

IMPORTANT! The PDF, HTML, and CSV selections for Output Options apply to generated reports, not to report previews. When you click Preview Report, you see a PDF version of the report.

Using a Report Profile

Requires: IPS or DC/MDC

You can use report profiles to generate reports that contain the information that is important to you and your evaluation of the events generated for your network.

You can use a predefined or existing report profile as a template for a new report profile. For information on editing a report profile, see Editing Report Profiles on page 263.

If you want to generate a report for a specific set of events or a specific time period, populate the event view with the events you want to see in your report before opening the report designer. For details on using the event view, see the following sections:

• Viewing RNA Network Discovery and Host Input Events in the Analyst Guide

• Viewing Hosts in the Analyst Guide

• Viewing Services in the Analyst Guide

• Viewing Client Applications in the Analyst Guide

• Working with Flow Data and Traffic Profiles in the Analyst Guide

• Working with Intrusion Events in the Analyst Guide

See the following sections for more information:

• Generating a Report using a Report Profile on page 261

• Editing Report Profiles on page 263

• Deleting Report Profiles on page 263

Generating a Report using a Report Profile

Requires: IPS or DC/MDC

You can use report profiles to generate reports that contain the information that is important to you and your evaluation of the events generated for your network.

Access: Any Analyst/Admin

To generate a report using a report profile:

1. Select Analysis & Reporting > Report Profiles.

The Report Profiles page appears.

2. Click the name of the report profile you want to use.

The Report Designer page loads the parameters defined for that selected report.

3. If necessary, click the time range to change it to include the events you want in your report.

For more information, see Setting Event Time Constraints in the Analyst Guide.

4. Click Generate Report.

The system generates the report.

5. Click Reports in the toolbar to display the Reporting page.

The Reporting page appears, listing the report that you generated as well as any other previously generated reports. For information on managing generated reports, see Managing Generated Reports on page 237.

Editing Report Profiles

Requires: IPS or DC/MDC

You can create a new report profile by using a predefined or existing report profile as a template for a new report profile, modifying the field settings as appropriate, and saving the report with the new values. You can also edit a report profile to make changes to the resulting report.

Use the following procedure to edit a report profile.

Access: Any Analyst/Admin

To edit a report profile:

1. Select Analysis & Reporting > Report Profiles.

The Report Profiles page appears.

2. Click Edit next to the profile that you want to edit.

The Report Designer page appears and contains the current settings for the report profile.

3. Make changes to the report areas as needed.

See the following sections for information:

• Working with Report Information on page 248

• Working with Report Sections on page 255

• Working with Report Options on page 258

IMPORTANT! If you are creating a new report profile from a predefined or existing report profile, remember to change the name of the report profile in the Report Name field.

4. Click Save Report Profile. When prompted, follow the instructions for your browser to save the report profile. The report profile is saved with the name you specified in the Report Name field.

Deleting Report Profiles

Requires: IPS or DC/MDC

Use the following procedure to delete a report profile.

Access: Any Analyst/Admin

To delete a report profile:

1. Select Analysis & Reporting > Report Profiles.

The Report Profiles page appears.

2. Click Delete next to the profile that you want to delete.

The report profile is deleted.

Chapter 8

Managing Users

If your user account has Administrator access, you can manage the user accounts that can access the web interface on your Defense Center or 3D Sensor. On the Defense Center, you can also set up user authentication via an external authentication server, rather than through the internal database.

For more information, see the following sections:

• Understanding Sourcefire User Authentication on page 264

• Managing Authentication Objects on page 269

• Managing User Accounts on page 299

Understanding Sourcefire User Authentication

Requires: DC/MDC or 3D Sensor

When a user logs into the web interface, the appliance looks for a match for the user name and password in the local list of users. This process is called authentication. There are two kinds of authentication: internal and external. If the user’s account uses internal authentication, the authentication process checks the local database for this list. If the account uses external authentication, the process checks the local database to see if the user exists there and, if the user is not found locally, it queries an external server, such as a Lightweight Directory Access Protocol (LDAP) directory server or a Remote Authentication Dial In User Service (RADIUS) authentication server, for a list of users.

For users with either internal or external authentication, you can control user permissions. Users with external authentication receive the permissions either for the group or access list they belong to, or based on the default user access role you set in the server authentication object or in a system policy on the managing Defense Center, unless you change the user permissions manually.

For more information, see the following sections:

• Understanding Internal Authentication on page 266

• Understanding External Authentication on page 266

• Understanding User Privileges on page 267

Understanding Internal Authentication

Requires: DC/MDC or 3D Sensor

By default, the Sourcefire 3D System uses internal authentication to check user credentials when a user logs in. Internal authentication occurs when the username and password are verified against records in the internal Sourcefire 3D System database. If you do not enable external authentication when you create a user, the user credentials are managed in the internal database.

Because you manually create each internally authenticated user, you set the access settings when you create the user and you do not need to set default settings.

IMPORTANT! Note that an internally authenticated user is converted to external authentication if you enable external authentication, the same username exists for the user on the external server, and the user logs in using the password stored for that user on the external server. Once an internally authenticated user converts to an externally authenticated user, you cannot revert to internal authentication for that user.

Understanding External Authentication

Requires: DC

External authentication occurs when the Defense Center or managed sensor retrieves user credentials from an external repository, such as an LDAP directory server or RADIUS authentication server. LDAP authentication and RADIUS authentication are types of external authentication. Note that you can only use one form of external authentication for an appliance.

If you want to use external authentication, you must configure an authentication object for each external authentication server where you want to request user information. The authentication object contains your settings for connecting to and retrieving user data from that server. You can then enable that object in a system policy on the managing Defense Center and apply the policy to an appliance to enable authentication. When any externally authenticated user logs in, the web interface checks each authentication server to see if that user is listed, in the order the servers are listed in the system policy.
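The login decision flow described in this section and in Understanding Internal Authentication (local lookup first, external servers consulted in the order they appear in the system policy, and the one-way conversion of an internal user whose name also exists on the external server) is easier to reason about as code. The following simulation is an added example, not Sourcefire code; the user names, passwords and server names are constructed, and two details the text leaves open are marked as assumptions in the comments: that the first server listing a user decides the result, and that a successful first external login creates the local user record.

```python
"""Login decision flow for internal vs. external authentication (added example)."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def password_hash(password: str) -> str:
    """Toy hash for the simulation only; a real appliance uses a salted store."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class LocalUser:
    name: str
    external: bool
    password_hash: str = ""  # only meaningful while external is False


class ExternalServer:
    """Stand-in for one LDAP or RADIUS server listed in the system policy."""

    def __init__(self, name: str, credentials: dict[str, str]):
        self.name = name
        self._credentials = credentials  # username -> password (constructed data)

    def lists_user(self, user: str) -> bool:
        return user in self._credentials

    def authenticate(self, user: str, password: str) -> bool:
        stored = self._credentials.get(user)
        return stored is not None and hmac.compare_digest(stored, password)


class Appliance:
    def __init__(self, local_users, servers, external_enabled: bool = True):
        self.local = {u.name: u for u in local_users}
        self.servers = list(servers)  # order = order in the system policy
        self.external_enabled = external_enabled

    def _external_login(self, user: str, password: str) -> Optional[str]:
        """Consult servers in policy order. Assumption: the first server that
        lists the user decides; later servers are not tried after a rejection."""
        if not self.external_enabled:
            return None
        for server in self.servers:
            if server.lists_user(user):
                return server.name if server.authenticate(user, password) else None
        return None

    def login(self, user: str, password: str) -> tuple[bool, str]:
        record = self.local.get(user)
        if record is None:
            source = self._external_login(user, password)
            if source is None:
                return (False, "rejected")
            # Assumption: the first successful external login creates the local
            # record to which the default access role is later applied.
            self.local[user] = LocalUser(user, external=True)
            return (True, f"external:{source}")

        if record.external:
            source = self._external_login(user, password)
            return (True, f"external:{source}") if source else (False, "rejected")

        # Internal user: if external authentication is enabled, the same name
        # exists on a server and the external password is used, the account is
        # converted to external authentication and cannot be converted back.
        source = self._external_login(user, password)
        if source is not None:
            record.external = True
            record.password_hash = ""
            return (True, f"converted:{source}")
        if hmac.compare_digest(record.password_hash, password_hash(password)):
            return (True, "internal")
        return (False, "rejected")


def build_demo() -> Appliance:
    """Constructed deployment: two internal users, a primary and a backup server."""
    primary = ExternalServer("ldap-primary", {"bob": "dir-pw-bob"})
    backup = ExternalServer("ldap-backup", {"carol": "dir-pw-carol"})
    return Appliance(
        [LocalUser("alice", False, password_hash("alice-local")),
         LocalUser("bob", False, password_hash("bob-local"))],
        [primary, backup],
    )


if __name__ == "__main__":
    appliance = build_demo()
    for name, pw in [("alice", "alice-local"), ("bob", "dir-pw-bob"),
                     ("bob", "bob-local"), ("carol", "dir-pw-carol")]:
        print(name, appliance.login(name, pw))
```

Running the demo shows the point of the IMPORTANT note above: once bob authenticates with his directory password, his local password no longer works, because the account is now external.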

When you create a user, you can specify whether that user is internally or externally authenticated.

TIP! You can use the Import/Export feature to export system policies. When you export a policy with external authentication enabled, the authentication objects are exported with the policy. You can then import the policy and object on another Defense Center. Do not import policies with authentication objects onto 3D Sensors.

You can push a system policy to a managed 3D Sensor to enable external authentication on that sensor, but you cannot control the authentication object from the sensor’s web interface. The only configuration of external authentication on the sensor occurs when you select the type of authentication for a new user. If you want to disable external authentication on a managed 3D Sensor, disable it in the system policy on the managing Defense Center and re-apply the policy to the sensor. If you apply a local system policy (created on the sensor) to the sensor itself, external authentication is also disabled.

IMPORTANT! Sourcefire does not support external authentication for RNA Software for Red Hat Linux, Intrusion Agents, 3Dx800 sensors, or Crossbeam-based software sensors.

For more information on specific types of external authentication, see the following sections:

• Understanding LDAP Authentication on page 269

• Understanding RADIUS Authentication on page 287

Understanding User Privileges

The Sourcefire 3D System lets you allocate user privileges based on the user’s role. For example, an analyst typically needs access to event data to analyze the security of monitored networks, but might never require access to administrative functions for the Sourcefire 3D System itself. You can grant Intrusion Event Analyst and RNA Event Analyst access privileges for analysts and reserve the Administrator role for the network administrator managing the Sourcefire 3D System.

In the system policy on the Defense Center, you set a default access role for all users who are externally authenticated. After an externally authenticated user logs in for the first time, you can add or remove access rights for that user on the User Management page. If you do not modify the user’s rights, the user has only the rights granted by default. Because you create internally authenticated users manually, you set the access rights when you create them.

If you configured management of access rights through LDAP groups, the access rights for users are based on their membership in LDAP groups. They receive the default access rights for the group that they belong to that has the highest level of access. If they do not belong to any groups and you have configured group access, they receive the default user access rights configured in the authentication object for the LDAP server. If you configure group access, those settings override the default access setting in the system policy.

Similarly, if you assign a user to specific user role lists in a RADIUS authentication object, the user receives all assigned roles, unless one or more of those roles are mutually incompatible. If a user is on the lists for two mutually incompatible roles, the user receives the role that has the highest level of access. If the user does not belong to any lists and you have configured a default access role in the authentication object, the user receives that role. If you configure default access in the authentication object, those settings override the default access setting in the system policy.

The Sourcefire 3D System supports the following user roles, listed in order of precedence, depending on the features you have licensed:

• Administrators can set up the appliance’s network configuration, manage user accounts, configure system policies and system settings. Users with the Administrator role also have Intrusion Event Analyst, RNA Event Analyst, Policy & Response (P&R) Administrator, and Maintenance access rights.

• Intrusion Event Analysts can view, analyze, review, and delete intrusion events and compliance and RUA events. They can also create incidents, generate reports, and view (but not delete or modify) health events.

• Intrusion Event Analysts (Read Only) have all the same rights as Intrusion Event Analysts, except that they cannot delete events.

• RNA Event Analysts can view, analyze, and delete network change events, hosts, host attributes, services, vulnerabilities, client applications, compliance events, and RUA events. RNA analysts can also generate reports and view (but not delete or modify) health events.

• RNA Event Analysts (Read Only) have all the same rights as RNA Event Analysts, except that they cannot delete events.

• Restricted Event Analysts have the combined privileges of Intrusion Event Analysts and RNA Event Analysts, but users are limited to subsets of that data. Restricted analysts can also be assigned the Policy & Response Administrator or Maintenance User roles, but cannot be assigned the Intrusion Event Analyst or RNA Event Analyst roles.

Note that on the Defense Center you cannot select Restricted Event Analyst as the default user role in the system policy, but you can modify a user’s settings via the User Management page to grant this level of access.

• Policy & Response Administrators can manage intrusion rules, policies, and responses, as well as compliance rules, policies, and responses.

• Maintenance Administrators can access monitoring functions (including health monitoring, host statistics, performance data, and system logs) and maintenance functions (including task scheduling and backing up the system).

Note that maintenance administrators do not have access to the functions in the Policy & Response menu and can only access the dashboard from the Analysis & Reporting menu.
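The role-assignment rules above (LDAP: highest-access group wins, then the authentication object default, then the system policy default; RADIUS: every list the user is on, with incompatible roles resolved in favour of the higher one) can be checked against sample data with the following added example. It is not Sourcefire code: the role precedence list is the order given in the text and the only incompatibility modelled is the one the text states (Restricted Event Analyst with Intrusion Event Analyst or RNA Event Analyst); the group names, list contents and default roles are constructed for the demonstration.

```python
"""Effective access role from LDAP group membership or RADIUS role lists (added example)."""
from __future__ import annotations

from typing import Iterable, Optional

# Roles in order of precedence (highest access first), as listed in the text.
ROLE_PRECEDENCE = [
    "Administrator",
    "Intrusion Event Analyst",
    "Intrusion Event Analyst (Read Only)",
    "RNA Event Analyst",
    "RNA Event Analyst (Read Only)",
    "Restricted Event Analyst",
    "Policy & Response Administrator",
    "Maintenance Administrator",
]

# Pairs the text calls mutually incompatible.
INCOMPATIBLE = {
    frozenset({"Restricted Event Analyst", "Intrusion Event Analyst"}),
    frozenset({"Restricted Event Analyst", "RNA Event Analyst"}),
}


def rank(role: str) -> int:
    """Lower number = more access; an unknown role name raises ValueError."""
    return ROLE_PRECEDENCE.index(role)


def highest(roles: Iterable[str]) -> Optional[str]:
    roles = list(roles)
    return min(roles, key=rank) if roles else None


def ldap_effective_role(user_groups, group_roles, object_default, policy_default):
    """group_roles maps an LDAP group (constructed DN) to the default role
    configured for it; an empty mapping means group access is not configured."""
    if not group_roles:
        return policy_default  # system policy default applies
    matched = [group_roles[g] for g in user_groups if g in group_roles]
    # Member of several configured groups: the group with the highest access wins;
    # member of none: the authentication object's default user role.
    return highest(matched) or object_default


def radius_effective_roles(user, role_lists, object_default, policy_default):
    """role_lists maps a role to the set of user names on that role's list."""
    granted = {role for role, members in role_lists.items() if user in members}
    # Drop the lower-precedence side of every incompatible pair the user holds.
    for pair in INCOMPATIBLE:
        if pair <= granted:
            granted.discard(max(pair, key=rank))
    if granted:
        return granted
    # On no list at all: object default if configured, otherwise policy default.
    return {object_default or policy_default}


if __name__ == "__main__":
    groups = {"cn=soc-analysts": "RNA Event Analyst",
              "cn=it-ops": "Maintenance Administrator"}
    print(ldap_effective_role(["cn=it-ops", "cn=soc-analysts"], groups,
                              "Restricted Event Analyst", "Maintenance Administrator"))
    lists = {"Restricted Event Analyst": {"dave"},
             "Intrusion Event Analyst": {"dave"},
             "Maintenance Administrator": {"dave", "erin"}}
    print(radius_effective_roles("dave", lists, None, "Maintenance Administrator"))
```

A useful audit is to run every directory user through these functions before applying the policy and compare the result with what you expect the default role to be; a user unexpectedly landing on Administrator through a group mapping is the case worth catching.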

Managing Authentication Objects

Requires: DC

Authentication objects are server profiles for external authentication servers, containing connection settings and authentication filter settings for those servers. You can create, manage, and delete authentication objects on the Defense Center. See the following sections for details on these tasks:

• Understanding LDAP Authentication on page 269

• Creating LDAP Authentication Objects on page 269

• LDAP Authentication Object Examples on page 281

• Editing LDAP Authentication Objects on page 286

• Creating RADIUS Authentication Objects on page 287

• RADIUS Authentication Object Examples on page 295

• Editing RADIUS Authentication Objects on page 298

• Deleting Authentication Objects on page 298

Understanding LDAP Authentication

LDAP, or the Lightweight Directory Access Protocol, allows you to set up a directory on your network that organizes objects, such as user credentials, in a centralized location. Multiple applications can then access those credentials and the information used to describe them. If you ever need to change a user's credentials, you can change them in one place, rather than having to change them on the local appliances as well as on any other application that uses them.

Creating LDAP Authentication Objects

Requires: DC

You can create LDAP authentication objects to provide user authentication services for an appliance.

When you create an authentication object, you define settings that let you connect to an authentication server. You also select the directory context and search criteria you want to use to retrieve user data from the server. Optionally, you can configure shell access authentication.

Note that to create an authentication object, you need TCP/IP access from your local appliance to the authentication server where you want to connect.

To create an authentication object:

Access: Admin

1. Select Operations > Configuration > Login Authentication.

The Login Authentication page appears.

2. Click Create Authentication Object.

The Create Authentication Object page appears.

3. Identify the authentication server where you want to retrieve user data for external authentication. For more information, see Identifying the LDAP Authentication Server on page 270.

4. Configure authentication settings to build a search request that retrieves the users you want to authenticate. Specify a user name template to format the usernames that users enter on login. For more information, see Configuring LDAP Authentication Settings on page 271.

5. If you are using a Microsoft Active Directory server or if your LDAP server uses a UI access attribute or a shell access attribute other than uid, specify the appropriate attributes for your server. For more information, see Configuring Attribute Mapping on page 274.

6. Optionally, configure LDAP groups to use as the basis for default access role assignments. For more information, see Configuring Access Settings by Group on page 275.

7. Optionally, configure authentication settings for shell access. For more information, see Configuring Administrative Shell Access on page 278.

8. Test your configuration by entering the name and password for a user who can successfully authenticate. For more information, see Testing User Authentication on page 280.

Your changes are saved. Remember that you have to apply a system policy with the object enabled to an appliance before the authentication changes take place on that appliance. For more information, see Configuring Authentication Profiles on page 329 and Applying a System Policy on page 324.

Identifying the LDAP Authentication Server

Requires: DC When you create an authentication object, you first specify the primary and backup server and server port where you want the local appliance (3D Sensor or Defense Center) to connect for authentication. Note that if you change the encryption method after specifying the port, the port resets to the default value. For none or TLS, the port uses the default value of 389. If you select SSL encryption, the port uses the default of 636.


To identify an LDAP authentication server:

Access: Admin 1. Select LDAP from the Authentication Method drop-down list.

2. Type a name and description for the authentication server in the Name and Description fields.

3. Type the IP address or host name for the primary server where you want to obtain authentication data in the Primary Server Host Name/IP Address field.

IMPORTANT! If you are using a certificate to connect via TLS or SSL, the host name in the certificate must match the host name used in this field. In addition, IPv6 addresses are not supported.

4. Optionally, modify the port used by the primary authentication server in the Primary Server Port field.

5. Optionally, type the IP address or host name for the backup server where you want to obtain authentication data in the Backup Server Host Name/IP Address field.

6. Optionally, modify the port used by the backup authentication server in the Backup Server Port field.

7. Continue with Configuring LDAP Authentication Settings.

Configuring LDAP Authentication Settings

Requires: DC If you specify a backup authentication server, you can set a timeout for the connection attempt to the primary server. If the number of seconds indicated in the Timeout field (or the timeout on the directory server) elapses without a response from the primary authentication server, the appliance then queries the backup server. If, for example, the primary server has LDAP disabled, the appliance would query the backup server. If LDAP is running on the port of the primary LDAP server and for some reason refuses to service the request (due to misconfiguration or other issues), however, the failover to the backup server does not occur.


To allow an appliance to connect to the LDAP server, you need to select the encryption method for the connection. You can choose no encryption, Transport Layer Security (TLS), or Secure Sockets Layer (SSL) encryption. Note that if you are using a certificate to authenticate when connecting via TLS or SSL, the name of the LDAP server in the certificate must match the name that you use to connect. For example, if you enter 10.10.10.250 as the server and computer1.example.com in the certificate, the connection fails. Changing the name of the server in the authentication profile to computer1.example.com causes the connection to succeed.

When the local appliance searches the LDAP directory server to retrieve user information on the authentication server, it needs a starting point for that search. You can specify the namespace, or directory tree, that the local appliance should search by providing a base distinguished name, or base DN. If your LDAP Server uses a Pluggable Authentication Module (PAM) login attribute of uid, the local appliance checks the uid attribute value for each object in the directory tree indicated by the base DN you set. If one of the objects has a matching username and password, the user login request is authenticated. Typically, the base DN will have a basic structure indicating the company domain and operational unit. For example, the Security organization of the Example company might have a base DN of ou=security,dc=example,dc=com.

You can also add a base filter that sets a specific value for a specific attribute. The base filter focuses your search by only retrieving objects in the base DN that have the attribute value set in the filter. Enclose the base filter in parentheses. For example, to filter for only users with a common name starting with F, use the filter (cn=F*). When you save the authentication object, the local appliance queries using the base filter to test it and indicates whether or not the filter appears to be correct. To test your base filter more specifically by entering a test username and password, see Testing User Authentication on page 280.

LDAP usernames can include underscores (_), periods (.), and hyphens (-) but otherwise only alphanumeric characters are supported.

To allow the local appliance to access the user objects, you must supply user credentials for a user with appropriate rights to the authentication objects you want to retrieve. Remember that the distinguished name for the user you specify must be unique to the directory information tree for the directory server.

For the authentication method specific parameters, you can use the LDAP naming standards and filter and attribute syntax defined in the RFCs listed in the Lightweight Directory Access Protocol (v3): Technical Specification, RFC 3377. Examples of syntax are provided throughout this procedure. Note that when you set up an authentication object to connect to a Microsoft Active Directory Server, you can use the address specification syntax documented in the Internet RFC 822 (Standard for the Format of ARPA Internet Text Messages) specification when referencing a user name that contains a domain. For example, to refer to a user object, you might type [email protected] rather than the equivalent user distinguished name of cn=JoeSmith,ou=security, dc=example,dc=com when using Microsoft Active Directory Server.


Selecting a user name template lets you indicate how user names entered on login should be formatted, by mapping the string conversion character (%s) to the value of the shell access attribute for the user. The user name template is the format for the distinguished name used for authentication. When a user enters a user name into the login page, the name is substituted for the string conversion character and the resulting distinguished name is used to search for the user credentials. For example, to set a user name template for the Security organization of the Example company, you would enter %[email protected].

To configure the authentication method for a server:

Access: Admin 1. Type the number of seconds that should elapse before rolling over to the backup connection in the Timeout field.

2. Select one of the following encryption modes:

• To connect using Secure Sockets Layer (SSL), select SSL.

• To connect using Transport Layer Security (TLS), select TLS.

• To connect without encryption, select None.

IMPORTANT! Note that if you change the encryption method after specifying a port, you reset the port to the default value for that method. For none or TLS, the port uses the default value of 389. If you select SSL encryption, the port uses the default of 636.

3. Optionally, if you selected TLS or SSL encryption and you want to use a certificate to authenticate, click Browse to browse to the location of a valid TLS or SSL certificate or type the path to the certificate in the SSL Certificate Upload Path field.

A message appears, indicating a successful certificate upload.

4. Type the base distinguished name for the LDAP directory you want to access in the Base DN field.

For example, to authenticate names in the Security organization at the Example company, type ou=security,dc=example,dc=com.


5. To set a filter that retrieves only specific objects within the namespace you specified as the Base DN, type the attribute type, a comparison operator, and the attribute value you want to use as a filter, enclosed in parentheses, in the Base Filter field.

For example, if the user objects in a directory tree have a physicalDeliveryOfficeName attribute and users in the New York office have an attribute value of NewYork for that attribute, to retrieve only users in the New York office, type (physicalDeliveryOfficeName=NewYork).

6. Type the distinguished name and password for the user whose credentials should be used to validate access to the LDAP directory in the User Name and Password fields.

For example, if you are connecting to an OpenLDAP Server where user objects have a uid attribute and the object for the administrator in the Security division at our example company has a uid value of NetworkAdmin, you would type uid=NetworkAdmin,ou=security,dc=example,dc=com.

7. Re-type the password in the Confirm Password field.

8. Type the user distinguished name, with the string conversion character (%s) in place of the shell access attribute value, into the User Name Template field.

For example, to authenticate all users who work in the Security organization of our example company by connecting to an OpenLDAP server where the shell access attribute is uid, you would type uid=%s,ou=security,dc=example,dc=com in the User Name Template field. For a Microsoft Active Directory server, you could type %[email protected].

9. Continue with Configuring Attribute Mapping.

Configuring Attribute Mapping

Requires: DC If your LDAP Server uses a default UI access attribute of uid, when a user logs in, the local appliance (3D Sensor or Defense Center) checks the value of the uid attribute for each user record on the LDAP Server to see if it matches the user name. If you want to filter on uid, you do not need to specify a UI access attribute. However, you can map a different attribute for the local appliance to search. Setting a UI access attribute tells the local appliance to match the value of that attribute rather than the value of the uid attribute. You can use any attribute, if the value of the attribute is a valid user name for either the Sourcefire 3D System web interface or for shell access. Valid user names are unique, have no spaces and no periods in them, and do not begin with a numeral.

The Pluggable Authentication Module (PAM) login attribute of your LDAP Server acts as a shell access attribute. If your LDAP server uses uid, the local appliance checks the user name entered on login against the attribute value of uid. If the shell access attribute for a server is something other than uid, you must explicitly set the Shell Access Attribute to match the attribute value.


To configure attribute mapping for a server:

Access: Admin 1. To retrieve users based on an attribute instead of the Base DN and Base Filter, type the attribute type in the UI Access Attribute field.

For example, on a Microsoft Active Directory Server, you may want to use the UI Access Attribute to retrieve users, because there may not be a uid attribute on Active Directory Server user objects. Instead, you can search the userPrincipalName attribute by typing userPrincipalName in the UI Access Attribute field.

2. To retrieve users for shell access, type the attribute type you want to filter on in the Shell Access Attribute field.

For example, on a Microsoft Active Directory Server, use the sAMAccountName shell access attribute to retrieve shell access users by typing sAMAccountName in the Shell Access Attribute field.

3. For the next step, you have two choices:

• If you want to configure user default roles based on LDAP group membership, continue with Configuring Access Settings by Group.

• If you are not using LDAP groups for authentication, continue with Configuring Administrative Shell Access on page 278.

Configuring Access Settings by Group

Requires: DC If you prefer to base default access settings on a user’s membership in an LDAP group, you can specify distinguished names for existing groups on your LDAP server for each of the access roles used by your Sourcefire 3D System. When you do so, you can configure a default access setting for those users detected by LDAP that do not belong to any specified groups. When a user logs in, the Sourcefire 3D System dynamically checks the LDAP directory and assigns default access rights according to the user’s current group membership.

Any group you reference must exist on the LDAP server. You can reference static LDAP groups or dynamic LDAP groups. Static LDAP groups are groups where membership is determined by group object attributes that point to specific users, and dynamic LDAP groups are groups where membership is determined by creating an LDAP search that retrieves group users based on user object attributes. Group access settings for a role only affect users who are members of the group.


The access rights granted when a user logs into the Sourcefire 3D System depend on the LDAP configuration:

• If no group access settings are configured for your LDAP server, when a new user logs in, the Sourcefire 3D System authenticates the user against the LDAP server and then grants user rights based on the default minimum access role set in the system policy.

• If you configure any group settings, new users belonging to specified groups inherit the minimum access setting for the groups where they are members.

• If a new user does not belong to any specified groups, the user is assigned the default minimum access role specified in the Group Controlled Access Roles section of the authentication object.

• If a user belongs to more than one configured group, the user receives the access role for the group with the highest access as a minimum access role.

You cannot remove the minimum access rights for users assigned an access role because of LDAP group membership through the Sourcefire 3D System user management page. You can, however, assign additional rights. When you modify the access rights for an externally authenticated user, the Authentication Method column on the User Management page provides a status of External - Locally Modified.

IMPORTANT! If you use a dynamic group, the LDAP query is used exactly as it is configured on the LDAP server. For this reason, the Sourcefire 3D System limits the number of recursions of a search to four to prevent search syntax errors from causing infinite loops. If a user’s group membership is not established in those recursions, the default access role defined in the Group Controlled Access Roles section is granted to the user.


To base access defaults on LDAP group membership:

Access: Admin 1. Type the distinguished name for the LDAP group containing users who should at minimum have access to analysis and reporting features, rule and policy configuration, system management, and all maintenance features in the Administrator Group DN field.

For example, to authenticate names in the information technology organization at the Example company, type cn=itgroup,ou=groups,dc=example,dc=com.

2. Type the distinguished name for the LDAP group containing users who should at minimum have access to monitoring and maintenance features in the Maintenance Group DN field.

For example, to authenticate names in the information technology organization at the Example company, type cn=itgroup,ou=groups,dc=example,dc=com.

3. Type the distinguished name for the LDAP group containing users who should at minimum have access to rules and policy configuration in the Policy & Response Administrator Group DN field.

For example, to authenticate names in the Security organization at the Example company, type cn=securitygroup,ou=groups,dc=example,dc=com.

4. Type the distinguished name for the LDAP group containing users who should at minimum have access to IPS analysis features in the Intrusion Event Analyst Group DN field.

For example, to authenticate names in the Intrusion Event Analyst group at the Example company, type cn=ipsanalystgroup,ou=groups,dc=example,dc=com.


5. Type the distinguished name for the LDAP group containing users who should at minimum have access to IPS analysis features in the Intrusion Event Analyst Group DN (Read Only) field.

6. Type the distinguished name for the LDAP group containing users who should at minimum have access to RNA analysis features in the RNA Event Analyst Group DN field.

7. Type the distinguished name for the LDAP group containing users who should at minimum have access to RNA analysis features in the RNA Event Analyst Group DN (Read Only) field.

8. Select the default minimum access role for users that do not belong to any of the specified groups from the Default User Role list.

TIP! Press the Ctrl key while clicking role names to select multiple roles in the list.

For more information on user access roles, see Adding New User Accounts on page 300.

9. Type the LDAP attribute that designates membership in a static group in the Group Member Attribute field.

For example, if the member attribute is used to indicate membership in the static group you reference for default Policy & Response Administrator access, type member.

10. Optionally, type the LDAP attribute that contains the LDAP search string used to determine membership in a dynamic group in the Group Member URL Attribute field.

For example, if the memberURL attribute contains the LDAP search that retrieves members for the dynamic group you specified for default Admin access, type memberURL.

11. Continue with Configuring Administrative Shell Access on page 278.
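The group-based default role assignment described in Configuring Access Settings by Group, as an added Python model that is not part of the guide or the Sourcefire product: static groups are read through the Group Member Attribute, dynamic groups hand their Group Member URL Attribute query to the server verbatim, nested lookups stop after four recursions, the highest-access group wins, and users in no group get the Default User Role. The group entries, user DNs, memberURL results and the exact ranking of the roles are constructed assumptions.

```python
"""Model of default-role assignment from LDAP group membership.

Constructed example: the groups, users, query results and role ranking are
made up, and the resolution logic is a simplified illustration, not the
appliance's own code.
"""
from dataclasses import dataclass

# Roles from highest to lowest access. The guide only says the highest-access
# group wins; the relative order of the non-Administrator roles is assumed.
ROLE_RANK = [
    "Administrator",
    "Maintenance",
    "Policy & Response Administrator",
    "Intrusion Event Analyst",
    "Intrusion Event Analyst (Read Only)",
    "RNA Event Analyst",
    "RNA Event Analyst (Read Only)",
]

MAX_RECURSIONS = 4  # the appliance stops expanding a group search after four levels


@dataclass
class GroupSettings:
    group_dns: dict        # role -> group DN configured for that role
    default_role: str      # Default User Role for users in no configured group
    member_attribute: str = "member"          # static membership attribute
    member_url_attribute: str = "memberURL"   # dynamic membership search string


class FakeLdapServer:
    """Holds group entries and answers memberURL queries exactly as stored,
    since the appliance uses the dynamic-group query as configured on the server."""

    def __init__(self, entries, url_results):
        self.entries = entries          # DN -> {attribute: [values]}
        self.url_results = url_results  # memberURL string -> DNs it returns

    def members(self, group_dn, settings):
        entry = self.entries.get(group_dn, {})
        found = set(entry.get(settings.member_attribute, []))
        for url in entry.get(settings.member_url_attribute, []):
            found |= set(self.url_results.get(url, []))
        return found


def is_member(server, settings, group_dn, user_dn, depth=0):
    """Nested membership check that gives up after MAX_RECURSIONS levels, so a
    self-referencing or over-deep group cannot loop forever."""
    if depth >= MAX_RECURSIONS:
        return False
    members = server.members(group_dn, settings)
    if user_dn in members:
        return True
    # Members that are themselves group entries are expanded one level deeper.
    return any(is_member(server, settings, m, user_dn, depth + 1)
               for m in members if m in server.entries)


def default_role(server, settings, user_dn):
    """Highest-ranked role among the user's configured groups, otherwise the
    Default User Role from the Group Controlled Access Roles section."""
    matched = [role for role, dn in settings.group_dns.items()
               if is_member(server, settings, dn, user_dn)]
    if not matched:
        return settings.default_role
    return min(matched, key=ROLE_RANK.index)


# Constructed directory contents (not a real deployment).
G = "ou=groups,dc=example,dc=com"
U = "ou=security,dc=example,dc=com"
ENTRIES = {
    f"cn=itgroup,{G}": {"member": [f"cn=joe,{U}"]},
    f"cn=maintenance,{G}": {"member": [f"cn=netops,{G}", f"cn=alice,{U}"]},
    f"cn=netops,{G}": {"member": [f"cn=bob,{U}"]},            # nested static group
    f"cn=securitygroup,{G}": {"memberURL": [f"ldap:///{U}??sub?(manager=shell)"]},
    f"cn=loop,{G}": {"member": [f"cn=loop,{G}"]},             # misconfigured self-reference
    f"cn=level1,{G}": {"member": [f"cn=level2,{G}"]},
    f"cn=level2,{G}": {"member": [f"cn=level3,{G}"]},
    f"cn=level3,{G}": {"member": [f"cn=level4,{G}"]},
    f"cn=level4,{G}": {"member": [f"cn=level5,{G}"]},
    f"cn=level5,{G}": {"member": [f"cn=dave,{U}"]},           # five levels down
}
# What the server returns for the dynamic group's query (constructed).
URL_RESULTS = {f"ldap:///{U}??sub?(manager=shell)": [f"cn=alice,{U}"]}
SERVER = FakeLdapServer(ENTRIES, URL_RESULTS)

SETTINGS = GroupSettings(
    group_dns={
        "Administrator": f"cn=itgroup,{G}",
        "Maintenance": f"cn=maintenance,{G}",
        "Policy & Response Administrator": f"cn=securitygroup,{G}",
        "Intrusion Event Analyst": f"cn=level1,{G}",
        "Intrusion Event Analyst (Read Only)": f"cn=loop,{G}",
    },
    default_role="RNA Event Analyst (Read Only)",
)

if __name__ == "__main__":
    for name in ("joe", "bob", "alice", "carol", "dave"):
        print(name, "->", default_role(SERVER, SETTINGS, f"cn={name},{U}"))
```

In the sample, alice is in two groups and receives Maintenance, the higher-ranked of the two, while dave sits five group levels deep and falls back to the default role because the lookup stops after four recursions.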

Configuring Administrative Shell Access

Requires: DC You can also use the LDAP directory server to authenticate accounts for shell access on your local appliance (3D Sensor or Defense Center). Specify a search filter that will retrieve entries for users you want to grant shell access. Note that you can only configure shell access for the first authentication object in your system policy. For more information on managing authentication object order, see Configuring Authentication Profiles on page 329.

IMPORTANT! Sourcefire does not support external authentication for RNA Software for Red Hat Linux, Intrusion Agents, 3Dx800 sensors, or Crossbeam-based software sensors.


With the exception of the root account, shell access is controlled entirely through the shell access attribute you set. Shell users are not configured as local users on the appliance, even after they log in. Addition and deletion of shell access users occurs only on the LDAP server, and the filter you set here determines which set of users on the LDAP server can log into the shell.

Note that a home directory for each shell user is created on login, and when an LDAP shell access user account is disabled (by disabling the LDAP connection), the directory remains, but the user shell is set to /bin/false in /etc/passwd to disable the shell. If the user is then re-enabled, the shell is reset, using the same home directory.

The Same as Base Filter check box allows you to search more efficiently if all users qualified in the base DN are also qualified for shell access privileges. Normally, the LDAP query to retrieve users combines the base filter with the shell access filter. If the shell access filter was the same as the base filter, the same query would be run twice, which is unnecessarily time-consuming. You can use the Same as Base Filter option to run the query only once for both purposes.

Shell users should log in using usernames with all lowercase letters.

WARNING! All shell users have sudoers privileges. Make sure that you restrict the list of users with shell access appropriately.

To configure shell account authentication:

Access: Admin 1. To set a filter to retrieve administrative user entries based on attribute value, type the attribute type, a comparison operator, and the attribute value you want to use as a filter, enclosed in parentheses, in the Shell Access Filter field, or select Same as Base Filter to use the same filter you specified when configuring authentication settings.

For example, if all network administrators have a manager attribute whose value is shell, you can set a shell access filter of (manager=shell).

IMPORTANT! If you choose not to specify a shell access filter, a warning displays when you save the authentication object to confirm that you meant to leave the filter blank.

2. Continue with Testing User Authentication.
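The user selection logic described in Configuring LDAP Authentication Settings, Configuring Attribute Mapping and this section, as an added Python model that is not part of the guide or the Sourcefire product: it validates the login name, substitutes it for %s in the user name template, restricts the search to the base DN and base filter, matches the UI access and shell access attributes, and applies the Same as Base Filter option. The in-memory directory, the example.com user name template and the single-term filter matcher are constructed assumptions.

```python
"""Model of how an LDAP authentication object selects web and shell users.

Constructed example: the in-memory directory, names and values are made up,
and the matching logic is a simplification for illustration, not the
appliance's own code.
"""
import re
from dataclasses import dataclass

# Login names may contain alphanumerics plus underscore, period and hyphen.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


@dataclass
class AuthObject:
    base_dn: str
    user_name_template: str           # must contain the %s conversion character
    base_filter: str = ""             # e.g. "(cn=F*)"; empty means no filter
    ui_access_attribute: str = "uid"  # attribute compared with the login name
    shell_access_attribute: str = "uid"
    shell_access_filter: str = ""
    same_as_base_filter: bool = False


def check_filter_syntax(flt):
    """Accept one parenthesised attribute=value term; '*' may appear in the value."""
    m = re.fullmatch(r"\((\w+)=([^()=]*)\)", flt)
    if not m:
        raise ValueError(f"filter must look like (attribute=value): {flt!r}")
    return m.group(1), m.group(2)


def matches(entry, flt):
    """Evaluate one equality filter (with * wildcards, case-insensitive)."""
    attr, pattern = check_filter_syntax(flt)
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return any(re.match(regex, v, re.I) for v in entry.get(attr, []))


def bind_name(obj, login_name):
    """Substitute the login name for %s in the user name template."""
    if not USERNAME_RE.match(login_name):
        raise ValueError("login name may contain only alphanumerics, _ . -")
    if "%s" not in obj.user_name_template:
        raise ValueError("user name template must contain %s")
    return obj.user_name_template.replace("%s", login_name)


def candidates(directory, obj):
    """Entries under the base DN that satisfy the base filter, if one is set."""
    for dn, entry in directory.items():
        if dn.lower().endswith("," + obj.base_dn.lower()) and (
                not obj.base_filter or matches(entry, obj.base_filter)):
            yield dn, entry


def find_ui_user(directory, obj, login_name):
    """DN of the entry whose UI access attribute holds the login name.
    Model assumption: the attribute may hold the bare name (uid=fsmith) or
    the templated form (userPrincipalName=fsmith@example.com)."""
    wanted = {login_name.lower(), bind_name(obj, login_name).lower()}
    for dn, entry in candidates(directory, obj):
        values = {v.lower() for v in entry.get(obj.ui_access_attribute, [])}
        if values & wanted:
            return dn
    return None


def shell_users(directory, obj):
    """DNs granted shell access: base filter AND shell access filter in one
    query; with Same as Base Filter set, the base filter alone decides."""
    flt = obj.base_filter if obj.same_as_base_filter else obj.shell_access_filter
    return [dn for dn, entry in candidates(directory, obj)
            if not flt or matches(entry, flt)]


def shell_login(directory, obj, login_name):
    """DN of the shell user whose shell access attribute equals login_name."""
    for dn in shell_users(directory, obj):
        if login_name in directory[dn].get(obj.shell_access_attribute, []):
            return dn
    return None


# Constructed directory: two entries in the security OU and one outside it.
DIRECTORY = {
    "uid=fsmith,ou=security,dc=example,dc=com": {
        "uid": ["fsmith"], "cn": ["Fred Smith"], "manager": ["shell"],
        "userPrincipalName": ["fsmith@example.com"], "sAMAccountName": ["fsmith"]},
    "uid=jdoe,ou=security,dc=example,dc=com": {"uid": ["jdoe"], "cn": ["Jane Doe"]},
    "uid=asmith,ou=sales,dc=example,dc=com": {
        "uid": ["asmith"], "cn": ["Al Smith"], "manager": ["shell"]},
}

# OpenLDAP-style object: uid is both the UI and shell access attribute.
OPENLDAP = AuthObject(
    base_dn="ou=security,dc=example,dc=com",
    user_name_template="uid=%s,ou=security,dc=example,dc=com",
    shell_access_filter="(manager=shell)")

# Active Directory-style object: userPrincipalName / sAMAccountName, SSL-free
# for brevity, base filter (cn=*smith) reused for shell access.
ACTIVE_DIRECTORY = AuthObject(
    base_dn="ou=security,dc=example,dc=com",
    user_name_template="%s@example.com",   # constructed domain
    ui_access_attribute="userPrincipalName",
    shell_access_attribute="sAMAccountName",
    base_filter="(cn=*smith)", same_as_base_filter=True)
```

With the OpenLDAP object only fsmith gets shell access (jdoe lacks manager=shell, asmith lies outside the base DN); with the Active Directory object jdoe is not found at all because the base filter (cn=*smith) excludes her before any attribute is compared.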


Testing User Authentication

Requires: DC After you configure LDAP server and authentication settings, you can specify user credentials for a user who should be able to authenticate to test those settings.

For the user name, you can enter the value for the uid attribute for the user you want to test with. If you are connecting to a Microsoft Active Directory Server and supplied a shell access attribute in place of uid in Configuring Attribute Mapping on page 274, use the value for that attribute as the user name. You can also specify a fully-qualified distinguished name for the user.

Note that testing the connection to servers with more than 1000 users only returns 1000 users because of UI page size limitations.

TIP! If you mistype the name or password of the test user, the test fails even if the server configuration is correct. Test the server configuration without the additional test parameters first. If that succeeds, supply a user name and password to test with the specific user.

To test user authentication:

Access: Admin 1. In the User Name and Password fields, type the uid value or shell access attribute value and password for the user whose credentials should be used to validate access to the LDAP directory.

For example, to test whether you can retrieve the JSmith user credentials at our example company, type JSmith.

2. Click Test.

A message appears, either indicating success of the test or detailing what settings are missing or need to be corrected.

3. To view details of test output, select Show Details.

4. If the test succeeds, click Save.

The Login Authentication page appears, with the new object listed.

To enable LDAP authentication using the object on an appliance, you must apply a system policy with that object enabled to the appliance. For more information, see Configuring Authentication Profiles on page 329 and Applying a System Policy on page 324.

LDAP Authentication Object Examples

Requires: DC For sample configurations showing how different configuration options might be used for connections to specific directory server types, see the following sections:

• OpenLDAP Example on page 281

• Microsoft Active Directory Server Example on page 282

• Sun Directory Server Example on page 284

OpenLDAP Example

Requires: DC The following figures illustrate parts of a sample LDAP login authentication object for an OpenLDAP directory server with an IP address of 10.10.3.4, with a backup server that has an IP address of 10.10.3.5. Note that the connection uses port 389 for access and that connections to the server time out after 30 seconds of disuse.

This example illustrates important aspects of LDAP configuration.

• This example shows a connection using a base distinguished name of OU=security,DC=it,DC=example,DC=com for the security organization in the information technology domain of the Example company.


• Because this is an OpenLDAP server that uses CN as a part of each user’s name, the user name template for the connection uses CN=%s, followed by the base distinguished name for the server directory, to indicate the template used to format user names retrieved from the server.

• Because the user names to be retrieved are contained in the default uid attribute, no UI access attribute is specified. The Sourcefire 3D System checks the uid attribute of each object in the directory indicated by the distinguished name against the username for each user who logs into the system. Note that all objects in the directory are checked because no base filter is set.

• To support shell access, the CN attribute is set as the shell access attribute.

• A shell access filter has been applied to this configuration, allowing only those users who have a common name attribute value of jsmith to log into the appliance using a shell account.

Microsoft Active Directory Server Example

Requires: DC The following figure illustrates a sample LDAP login authentication object for a Microsoft Active Directory Server with an IP address of 10.11.3.4, with a backup server that has an IP address of 10.11.3.5. Like the OpenLDAP server, the connection uses port 389 for access and connections to the server time out after 30 seconds of disuse (or the timeout period set on the LDAP server).

Aspects of this example illustrate important differences in this LDAP configuration from the configuration discussed in the OpenLDAP Example on page 281.


• Like the OpenLDAP server, this example shows a connection using a base distinguished name of OU=security,DC=it,DC=example,DC=com for the security organization in the information technology domain of the Example company. Again, because no base filter is applied to this server, the Sourcefire 3D System checks attributes for all objects in the directory indicated by the base distinguished name.

• Because this is a Microsoft Active Directory Server, the user name template for the connection uses address specification syntax documented in RFC 822 rather than the typical LDAP naming syntax.

• However, because this server is a Microsoft Active Directory server, it uses the userPrincipalName attribute to store user names rather than the uid attribute. Note that the configuration includes a UI Access Attribute of userPrincipalName. As a result, the Sourcefire 3D System checks the userPrincipalName attribute for each object for matching user names when a user attempts to log into the Sourcefire 3D System.

• In addition, a Shell Access Attribute of sAMAccountName causes each sAMAccountName attribute to be checked for all objects in the directory for matches when a user logs into a shell account on the appliance.


• This example also has group settings in place. The maintenance role is automatically assigned to all members of the group with a member group attribute and the distinguished name of CN=maintenance,DC=it,DC=example,DC=com.

• As in the OpenLDAP server, a shell access filter has been specified for this server, allowing only those users who have a common name attribute value of jsmith to log into the appliance using a shell account. However, as noted above, a shell access attribute value of sAMAccountName must be set for shell access to work on a Microsoft Active Directory server.

Sun Directory Server Example

Requires: DC The following figure illustrates a sample LDAP login authentication object for a Sun Directory Server with an IP address of 10.12.3.4, with a backup server that has an IP address of 10.12.3.5.


Settings in the example illustrate important differences in this LDAP configuration from the configuration discussed in Microsoft Active Directory Server Example on page 282:

• Because the Encryption for the connection is set to SSL, the Server Port is set to 636. A certificate has been uploaded to allow the SSL connection.

• This example shows a connection using a base distinguished name of OU=security,DC=it,DC=example,DC=com for the security organization in the information technology domain of the Example company. However, note that this server does have a base filter of (cn=*smith). The filter restricts the users retrieved from the server to those with a common name ending in smith.

• The user name template shown uses the uid attribute value as the user name.

• Because user names can be retrieved from the uid attribute on this server, no UI access attribute is specified. The Sourcefire 3D System checks the uid attribute of each object in the directory indicated by the distinguished name against the user name for each user who logs into the system. Note that only objects matching the (cn=*smith) base filter are checked.

• To allow shell access on the server, the uid attribute is named as the Shell Access Attribute and the Same as Base Filter option for the shell access filter is set, allowing all users with a common name ending in smith to log in using a shell account as well. Using Same as Base Filter allows a more efficient search query if and only if all users qualified in the base DN are also qualified for shell access privileges.

Editing LDAP Authentication Objects

Requires: DC You can edit an existing authentication object. If the object is in use in a system policy, the settings in place at the time the policy was applied stay in effect until you re-apply the policy.

To edit an authentication object:

Access: Admin 1. Select Operations > Configuration > Login Authentication.

The Login Authentication page appears.

2. Click Edit next to the object you want to edit.

The Create Authentication Object page appears.

3. Modify the object settings as needed.

For more information, see the following topics:

• Creating LDAP Authentication Objects on page 269

• Configuring LDAP Authentication Settings on page 271

• Configuring Attribute Mapping on page 274

• Configuring Administrative Shell Access on page 278

• Testing User Authentication on page 280

IMPORTANT! If you previously uploaded a certificate and want to replace it, upload the new certificate and re-apply the system policy to your appliances to copy over the new certificate.

4. Click Save.

Your changes are saved and the Login Authentication page re-appears. Remember that you have to apply a system policy with the object enabled to an appliance before the authentication changes take place on that appliance. For more information, see Configuring Authentication Profiles on page 329 and Applying a System Policy on page 324.

Understanding RADIUS Authentication

Requires: DC The Remote Authentication Dial In User Service (RADIUS) is an authentication protocol used to authenticate, authorize, and account for user access to network resources. You can create an authentication object for any RADIUS server that conforms to RFC 2865.

When a user authenticated on a RADIUS server logs in for the first time, the user receives the roles specified for that user in the authentication object, or if the user is not listed for any of the user roles, the default access role you selected in the authentication object, or failing that, the system policy. You can modify a user’s roles, if needed, unless the settings are granted through the user lists in the authentication object.

The Sourcefire 3D System implementation of RADIUS supports the use of SecurID® tokens. When you configure authentication by a server using SecurID, users authenticated against that server append the SecurID token to the end of their SecurID pin and use that as their password when they log into a Sourcefire appliance. As long as SecurID is configured correctly to authenticate users outside the Sourcefire 3D System, those users can log into a Sourcefire 3D System appliance using their pin plus the SecurID token without any additional configuration on the appliance.

Creating RADIUS Authentication Objects

Requires: DC When you create a RADIUS authentication object, you define settings that let you connect to an authentication server. You also grant user roles to specific and default users. If your RADIUS server returns custom attributes for any users you plan to authenticate, you need to define those custom attributes. Optionally, you can also configure shell access authentication.

Note that to create an authentication object, you need TCP/IP access from your local appliance to the authentication server where you want to connect.

To create an authentication object:

Access: Admin 1. Select Operations > Configuration > Login Authentication.

The Login Authentication page appears.

2. Click Create Authentication Object.

The Create Authentication Object page appears.

3. Identify the primary and backup authentication servers where you want to retrieve user data for external authentication and set timeout and retry values. For more information, see Configuring RADIUS Connection Settings on page 288.

4. Set the default user role. Optionally, specify the users or user attribute values for users that you want to receive specific Sourcefire 3D System access roles. For more information, see Configuring RADIUS User Roles on page 290.

5. Optionally, configure administrative shell access. For more information, see Configuring Administrative Shell Access on page 292.

6. If the profiles for any of the users to authenticate return custom RADIUS attributes, define those attributes. For more information, see Defining Custom RADIUS Attributes on page 293.

7. Test your configuration by entering the name and password for a user who should successfully authenticate. For more information, see Testing User Authentication on page 294.

Your changes are saved. Remember that you have to apply a system policy with the object enabled to an appliance before the authentication changes take place on that appliance. For more information, see Configuring Authentication Profiles on page 329 and Applying a System Policy on page 324.

Configuring RADIUS Connection Settings

Requires: DC When you create a RADIUS authentication object, you first specify the primary and backup server and server port where you want the local appliance (3D Sensor or Defense Center) to connect for authentication.

IMPORTANT! For FreeRADIUS to function correctly, you need to open both ports 1812 and 1813 on your firewall and on the FreeRADIUS server.

If you specify a backup authentication server, you can set a timeout for the connection attempt to the primary server. If the number of seconds indicated in the Timeout field (or the timeout on the directory server) elapses without a response from the primary authentication server, the appliance then re-queries the primary server.

After the appliance re-queries the primary authentication server the number of times indicated by the Retries field and the number of seconds indicated in the Timeout field again elapses without a response from the primary authentication server, the appliance then rolls over to the backup server.

If, for example, the primary server has RADIUS disabled, the appliance would query the backup server. If RADIUS is running on the port of the primary RADIUS server and for some reason refuses to service the request (due to misconfiguration or other issues), however, the failover to the backup server does not occur.
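The rollover rule above, as an added Python model that is not Sourcefire code: servers are stand-ins that replay scripted answers, where None means the Timeout elapsed with no response. It assumes Retries counts re-queries after the initial attempt, and it reproduces the caveat that a reachable primary which rejects the request never triggers failover.

```python
"""Added example (not Sourcefire code): primary/backup RADIUS rollover."""
from typing import Dict, List, Optional

# One simulated Access-Request outcome: "accept", "reject", or None when no
# answer arrives before the Timeout (RADIUS not listening, packet dropped).
Response = Optional[str]


class Server:
    """Constructed RADIUS server stand-in that replays a scripted answer list
    and counts how often it was queried."""

    def __init__(self, name: str, script: List[Response]) -> None:
        self.name = name
        self.script = list(script)
        self.queries = 0

    def query(self) -> Response:
        self.queries += 1
        # After the script is exhausted keep returning its last entry.
        return self.script[min(self.queries, len(self.script)) - 1]


def authenticate(primary: Server, backup: Optional[Server], retries: int) -> Dict[str, object]:
    """Apply the guide's rollover rule.

    Assumption: Retries is the number of re-queries after the first attempt,
    so the primary is asked 1 + retries times. Only silence rolls over to the
    backup; a Reject from a reachable primary is final and is not retried.
    """
    for _ in range(1 + retries):
        answer = primary.query()
        if answer is not None:  # accept or reject: the primary answered
            return {"server": primary.name, "result": answer, "rolled_over": False}
    if backup is None:
        return {"server": primary.name, "result": "timeout", "rolled_over": False}
    answer = backup.query()
    return {"server": backup.name, "result": answer or "timeout", "rolled_over": True}


def worst_case_rollover_delay(timeout_seconds: int, retries: int) -> int:
    """Seconds a login can hang before the backup is consulted at all:
    every primary attempt waits the full Timeout."""
    return timeout_seconds * (1 + retries)
```

With Timeout 30 and Retries 3 a silent primary delays every login by 120 seconds before the backup is even asked, which is worth sizing the values against.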

To identify a RADIUS authentication server:

Access: Admin 1. Select RADIUS from the Authentication Method drop-down list.

2. Type a name and description for the authentication server in the Name and Description fields.

3. Type the IP address or host name for the primary RADIUS server where you want to obtain authentication data in the Primary Server Host Name/IP Address field.

IMPORTANT! IPv6 addresses are not supported.

4. Optionally, modify the port used by the primary RADIUS authentication server in the Primary Server Port field.

5. Type the secret key for the primary RADIUS authentication server in the RADIUS Secret Key field.

6. Type the IP address or host name for the backup RADIUS authentication server where you want to obtain authentication data in the Backup Server Host Name/IP Address field.

7. Optionally, modify the port used by the backup RADIUS authentication server in the Backup Server Port field.

8. Type the secret key for the backup RADIUS authentication server in the RADIUS Secret Key field.

9. Type the number of seconds that should elapse before retrying the connection in the Timeout field.

10. Type the number of times the primary server connection should be tried before rolling over to the backup connection in the Retries field.

11. Continue with Configuring RADIUS User Roles.

Configuring RADIUS User Roles

Requires: DC You can specify the access roles for existing users on your RADIUS server by listing the user names for each of the access roles used by your Sourcefire 3D System. When you do so, you can also configure a default access setting for those users detected by RADIUS that are not specified for a particular role.

When a user logs in, the Sourcefire 3D System checks the RADIUS server and grants access rights depending on the RADIUS configuration:

• If specific access settings are not configured for a user and a default access role is not selected, when a new user logs in, the Sourcefire 3D System authenticates the user against the RADIUS server and then grants user rights based on the default access role (or roles) set in the system policy.

• If a new user is not specified on any lists and default access roles are selected in the Default User Role list of the authentication object, the user is assigned those access roles.

• If you add a user to the list for one or more specific roles, that user receives all of the assigned access roles.

You can also use attribute-value pairs, rather than usernames, to identify users who should receive a particular user role. For example, if you know all users who should be RNA Analysts have the value Analyst for their User-Category attribute, you can type User-Category=Analyst in the RNA Analyst List field to grant that role to those users. Note that you need to define any custom attributes before you use them to set user role membership. For more information, see Defining Custom RADIUS Attributes on page 293.

You can assign a default user role (or roles) to be assigned to any users that are authenticated externally but not listed for a specific role. You can select multiple roles on the Default User Role list.

For more information on the user roles supported by the Sourcefire 3D System, see Configuring User Roles on page 304.

You cannot remove the minimum access rights for users assigned an access role because of RADIUS user list membership through the Sourcefire 3D System user management page. You can, however, assign additional rights.

WARNING! If you want to change the minimum access setting for a user, you must not only move the user from one list to another in the RADIUS Specific Parameters section or change the user’s attribute on the RADIUS server, but also reapply the system policy and remove the assigned user right on the user management page.

To base access on user lists:

Access: Admin 1. Type the name of each user or each identifying attribute-value pair, separated by commas, who should at minimum receive access to analysis and reporting features, rule and policy configuration, system management, and all maintenance features in the Administrator List field.

For example, to grant the Administrator role to the users jsmith and jdoe, type jsmith, jdoe in the Administrator List field.

2. Type the name of each user or each identifying attribute-value pair, separated by commas, who should at minimum receive access to monitoring and maintenance features in the Maintenance List field.

For example, to grant the Maintenance role to all users with a User-Category value of Maintenance, type User-Category=Maintenance in the Maintenance List field.

3. Type the name of each user or each identifying attribute-value pair, separated by commas, who should at minimum receive access to rules and policy configuration in the Policy & Response Administrator List field.

4. Type the name of each user or each identifying attribute-value pair, separated by commas, who should at minimum receive access to IPS analysis features in the Intrusion Event Analyst List field.

5. Type the name of each user or each identifying attribute-value pair, separated by commas, who should at minimum receive access to IPS analysis features in the Intrusion Event Analyst (Read Only) List field.

6. Type the name of each user or each identifying attribute-value pair, separated by commas, who should at minimum receive access to RNA analysis features in the RNA Event Analyst List field.

7. Type the name of each user or each identifying attribute-value pair, separated by commas, who should at minimum receive access to RNA analysis features in the RNA Event Analyst (Read Only) List field.

8. Select the default minimum access role for users that do not belong to any of the specified groups from the Default User Role list.

TIP! Press the Ctrl key while clicking role names to select multiple roles in the list.

For more information on user access roles, see Configuring User Roles on page 304.

9. Continue with Configuring Administrative Shell Access.

Configuring Administrative Shell Access

Requires: DC You can also use the RADIUS server to authenticate accounts for shell access on your local appliance (3D Sensor or Defense Center). Specify user names for users you want to grant shell access. Note that you can only configure shell access for the first authentication object in your system policy. For more information on managing authentication object order, see Configuring Authentication Profiles on page 329.

With the exception of the root account, the shell access list you set on the RADIUS authentication object entirely controls shell access on the appliance. Shell users are configured as local users on the appliance when the system policy is applied.

Note that a home directory for each shell user is created on login. When a RADIUS shell access user account is disabled (by disabling the RADIUS connection), the directory remains, but the user’s shell is set to /bin/false in /etc/passwd to disable the shell. If the user is then re-enabled, the shell is reset, using the same home directory.

Shell users should log in using usernames with all lowercase letters.

WARNING! All shell users have sudoers privileges. Make sure that you restrict the list of users with shell access appropriately.

To configure shell account authentication:

Access: Admin 1. Type the usernames, separated by commas, in the Administrator Shell Access User List field.

IMPORTANT! If you choose not to specify a shell access filter, a warning displays when you save the authentication object to confirm that you meant to leave the filter blank.

2. Continue with Defining Custom RADIUS Attributes on page 293.

Defining Custom RADIUS Attributes

Requires: DC If your RADIUS server returns values for attributes not included in the dictionary file in /etc/radiusclient/ and you plan to use those attributes to set user roles for users with those attributes, you need to define those attributes in the login authentication object.

You can locate the attributes returned for a user by looking at the user’s profile on your RADIUS server.

When you define an attribute, you provide the name of the attribute, which consists of alphanumeric characters. Note that words in an attribute name should be separated by dashes rather than spaces. You also provide the attribute ID, which should be an integer and should not conflict with any existing attribute IDs in the /etc/radiusclient/dictionary file. You also specify the type of attribute: string, IP address, integer, or date.

As an example, if a RADIUS server is used on a network with a Cisco router, you might want to use the Ascend-Assign-IP-Pool attribute to grant a specific role to all users logging in from a specific IP address pool. Ascend-Assign-IP-Pool is an integer attribute that defines the address pool where the user is allowed to log in, with the integer indicating the number of the assigned IP address pool. To declare that custom attribute, you create a custom attribute with an attribute name of Ascend-IP-Pool-Definition, an attribute ID of 218, and an attribute type of integer. You could then type Ascend-Assign-IP-Pool=2 in the Intrusion Event Analyst (Read Only) field to grant read-only intrusion event analyst rights to all users with an Ascend-IP-Pool-Definition attribute value of 2.

When you create a RADIUS authentication object, a new dictionary file for that object is created on the Sourcefire 3D System appliance in the /var/sf/userauth directory. Any custom attributes you add to the authentication object are added to the dictionary file.
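The role-list matching from Configuring RADIUS User Roles and the custom attribute rules in this section, as one added Python example that is not Sourcefire code. It assumes a small constructed subset of the stock radiusclient dictionary, uses the radiusclient ATTRIBUTE line layout (name, ID, type) for generated dictionary lines, and uses "ipaddr" as the dictionary spelling of the IP address type; the attribute IDs 200 and 201 are constructed placeholders.

```python
"""Added example (not Sourcefire code): resolve Sourcefire roles from RADIUS
role-list fields and validate custom attribute definitions."""
import re
from typing import Dict, List, Set, Tuple

# Constructed subset of /etc/radiusclient/dictionary: name -> (ID, type).
STANDARD_ATTRIBUTES: Dict[str, Tuple[int, str]] = {
    "User-Name": (1, "string"),
    "Framed-IP-Address": (8, "ipaddr"),
    "Class": (25, "string"),
}
ATTRIBUTE_TYPES = {"string", "ipaddr", "integer", "date"}

Entry = Tuple[str, str, str]  # (kind, name, value); kind is "user" or "attr"


def parse_list_field(text: str) -> List[Entry]:
    """Split a comma-separated role list: 'jsmith' is a user name,
    'User-Category=Analyst' is an attribute-value pair."""
    entries: List[Entry] = []
    for raw in text.split(","):
        item = raw.strip()
        if not item:
            continue
        if "=" in item:
            name, value = item.split("=", 1)
            entries.append(("attr", name.strip(), value.strip()))
        else:
            entries.append(("user", item, ""))
    return entries


def resolve_roles(username: str, attributes: Dict[str, str],
                  role_lists: Dict[str, str], default_roles: List[str],
                  policy_default: List[str]) -> Set[str]:
    """Roles for a user: every list that names the user or matches one of the
    attributes the server returned; otherwise the object's Default User Role;
    failing that, the system policy default."""
    roles: Set[str] = set()
    for role, field in role_lists.items():
        for kind, name, value in parse_list_field(field):
            if kind == "user" and name == username:
                roles.add(role)
            elif kind == "attr" and attributes.get(name) == value:
                roles.add(role)
    if roles:
        return roles
    return set(default_roles) if default_roles else set(policy_default)


def validate_custom_attributes(custom: Dict[str, Tuple[int, str]],
                               role_lists: Dict[str, str]) -> List[str]:
    """Problems an administrator should fix before saving the object:
    bad names, unknown types, ID clashes, and lists using undefined attributes."""
    problems: List[str] = []
    seen_ids = {aid: name for name, (aid, _) in STANDARD_ATTRIBUTES.items()}
    for name, (attr_id, attr_type) in custom.items():
        if not re.fullmatch(r"[A-Za-z0-9-]+", name):
            problems.append(f"{name}: name must be alphanumeric characters and dashes")
        if attr_type not in ATTRIBUTE_TYPES:
            problems.append(f"{name}: unsupported type {attr_type}")
        if attr_id in seen_ids:
            problems.append(f"{name}: ID {attr_id} already used by {seen_ids[attr_id]}")
        else:
            seen_ids[attr_id] = name
    known = set(STANDARD_ATTRIBUTES) | set(custom)
    for role, field in role_lists.items():
        for kind, name, _ in parse_list_field(field):
            if kind == "attr" and name not in known:
                problems.append(f"{role} list uses undefined attribute {name}")
    return problems


def dictionary_lines(custom: Dict[str, Tuple[int, str]]) -> List[str]:
    """Dictionary entries in radiusclient ATTRIBUTE line layout (assumed)."""
    return [f"ATTRIBUTE\t{name}\t{aid}\t{atype}" for name, (aid, atype) in custom.items()]
```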

To define a custom attribute:

Access: Admin 1. Click the arrow to expand the Define Custom RADIUS Attributes section.

The attribute fields appear.

2. Type an attribute name consisting of alphanumeric characters and dashes, with no spaces, in the Attribute Name field.

3. Type the attribute ID, in integer form, in the Attribute ID field.

4. Select the type of attribute from the Attribute Type drop-down list.

5. Click Add to add the custom attribute to the authentication object.

TIP! You can remove a custom attribute from an authentication object by clicking Delete next to the attribute.

6. Continue with Testing User Authentication on page 294.

Testing User Authentication

Requires: DC After you configure RADIUS connection, user role, and custom attribute settings, you can specify user credentials for a user who should be able to authenticate to test those settings.

For the user name, you can enter the user name for the user you want to test with.

Note that testing the connection to servers with more than 1000 users only returns 1000 users because of UI page size limitations.

TIP! If you mistype the name or password of the test user, the test fails even if the server configuration is correct. To verify that the server configuration is correct, first click Test without entering user information in the Additional Test Parameters section. If that succeeds, supply a user name and password to test with the specific user.

To test user authentication:

Access: Admin 1. In the User Name and Password fields, type the user name and password for the user whose credentials should be used to validate access to the RADIUS server.

For example, to test whether you can retrieve the jsmith user credentials at our example company, type jsmith.

2. Select Show Details and click Test.

A message appears, either indicating success of the test or detailing what settings are missing or need to be corrected.

3. If the test succeeds, click Save.

The Login Authentication page appears, with the new object listed.

To enable RADIUS authentication using the object on an appliance, you must apply a system policy with that object enabled to the appliance. For more information, see Configuring Authentication Profiles on page 329 and Applying a System Policy on page 324.

RADIUS Authentication Object Examples

Requires: DC This section provides examples of RADIUS server authentication objects to show how Sourcefire 3D System RADIUS authentication features can be used. See the following sections for more information:

• Authenticating a User using RADIUS on page 295

• Authenticating a User with Custom Attributes on page 296

Authenticating a User using RADIUS

Requires: DC The following figure illustrates a sample RADIUS login authentication object for a server running freeRadius with an IP address of 10.10.10.98. Note that the connection uses port 1812 for access, that connections to the server time out after 30 seconds without a response, and that the appliance retries three times before attempting to connect to a backup authentication server.

This example illustrates important aspects of RADIUS user role configuration:

• Users ewharton and gsands are granted administrative access to Sourcefire 3D System appliances where this authentication object is enabled.

• The user jaustin is granted Intrusion Event Analyst access to Sourcefire 3D System appliances where this authentication object is enabled.

• The user cbronte is granted RNA Event Analyst access to Sourcefire 3D System appliances where this authentication object is enabled.

• The user ewharton can log into the appliance using a shell account.

The following graphic depicts the role configuration for the example:

Authenticating a User with Custom Attributes

Requires: DC You can use an attribute-value pair to identify users who should receive a particular user role. If the attribute you use is a custom attribute, you must define the custom attribute.

The following figure illustrates the role configuration and custom attribute definition in a sample RADIUS login authentication object for the same freeRadius server as in the previous example.

In this example, however, the MS-RAS-Version custom attribute is returned for one or more of the users because a Microsoft remote access server is in use. Note that the MS-RAS-Version custom attribute is a string. In this example, all users logging in to RADIUS through a Microsoft v. 5.00 remote access server should receive the Intrusion Event Analyst (Read Only) role, so you type the attribute-value pair MS-RAS-Version=MSRASV5.00 in the Intrusion Event Analyst (Read Only) field.

Editing RADIUS Authentication Objects

Requires: DC You can edit an existing authentication object. If the object is in use in a system policy, the settings in place at the time the policy was applied stay in effect until you re-apply the policy.

To edit an authentication object:

Access: Admin 1. Select Operations > Configuration > Login Authentication.

The Login Authentication page appears.

2. Click Edit next to the object you want to edit.

The Create Authentication Object page appears.

3. Modify the object settings as needed.

For more information, see the following topics:

• Creating RADIUS Authentication Objects on page 287

• Configuring RADIUS Connection Settings on page 288

• Configuring RADIUS User Roles on page 290

• Configuring Administrative Shell Access on page 292

• Testing User Authentication on page 294

4. Click Save.

Your changes are saved and the Login Authentication page re-appears. Remember that you have to apply a system policy with the object enabled to an appliance before the authentication changes take place on that appliance. For more information, see Configuring Authentication Profiles on page 329 and Applying a System Policy on page 324.

Deleting Authentication Objects

Requires: DC You can delete an authentication object if it is not currently enabled in a system policy.

To delete an authentication object:

Access: Admin 1. Select Operations > Configuration > Login Authentication.

The Login Authentication page appears.

2. Click Delete next to the object you want to delete.

The object is deleted and the Login Authentication page appears.

Managing User Accounts

If you have Admin access, you can use the web interface to view and manage user accounts on a Defense Center or a 3D Sensor, including adding, modifying, and deleting accounts. User accounts without Admin access are restricted from accessing management features. The navigation menu differs in appearance for each type of user.

See the following sections for more information about managing user accounts:

• Viewing User Accounts on page 299 explains how to access the User Management page, where you can add, activate, deactivate, edit, and delete user accounts.

• Adding New User Accounts on page 300 describes the different options you can use when you add a new user account.

• Managing Externally Authenticated User Accounts on page 302 explains how externally authenticated users are added and what aspects of the user configuration you can manage within the Sourcefire 3D System.

• Modifying User Privileges and Options on page 306 explains how to access and modify an existing user account.

• Modifying Restricted Event Analyst Access Properties on page 307 explains how to restrict the data available to a user account with restricted data access.

• Deleting User Accounts on page 312 explains how to delete user accounts.

• User Account Privileges on page 312 contains tables that list the menus and options each type of user account can access.

Viewing User Accounts

Requires: DC/MDC or 3D Sensor From the User Management page, you can view, edit, and delete existing accounts. You can determine the type of authentication for a user from the Authentication Method column. The Password Lifetime column indicates the days remaining on each user’s password. The Action column allows you to set users active or inactive. Note that for externally authenticated users, if the authentication object for the server is disabled, the Authentication Method column displays External (Disabled).

To access the User Management page:

Access: Admin Select Operations > User Management.

The User Management page appears, showing each user, with options to activate, deactivate, edit, or delete the user account.

See the following sections for information about the actions you can perform on the User Management page:

• Adding New User Accounts on page 300

• Modifying User Privileges and Options on page 306

• Modifying Restricted Event Analyst Access Properties on page 307

• Modifying User Passwords on page 311

• Deleting User Accounts on page 312

Adding New User Accounts

Requires: DC/MDC or 3D Sensor When you set up a new user account, you can control which parts of the system the account can access.

To add a new user:

Access: Admin 1. Select Operations > User Management.

The User Management page appears.

2. Click Create User.

The Create User page appears.

3. In the User Name field, type a name for the new user.

New user names must contain alphanumeric or hyphen characters with no spaces, and must be no more than 32 characters.

4. Requires: DC/MDC If you want this user to authenticate to an external directory server on login, select Use External Authentication Method.

IMPORTANT! If you select this option, the password management options below disappear. Configure access settings and click Add User to complete configuration of the externally authenticated user. You must also create an authentication object for the external authentication server you want to use for authentication on your Defense Center, and apply a system policy with authentication enabled to your appliance before users can log in using credentials from an external server. For more information, see Managing Authentication Objects on page 269 and Configuring Authentication Profiles on page 329.

5. In the Password field, type a password (up to 32 alphanumeric characters).

If you enable password strength checking, the password must be at least eight alphanumeric characters of mixed case and must include at least one numeric character. It cannot be a word that appears in a dictionary or include consecutive repeating characters.

6. In the Confirm Password field, type the password again.

7. Configure the remaining password user account options.

For more information, see the User Account Password Options table on page 304.

8. Select user roles to grant to the user.

For more information, see the User Roles table on page 305.

9. Optionally, for users with event analyst roles, click Restrict Deletion Rights - User Cannot Delete Bookmarks, Searches, Reports, Report Profiles, Custom Workflows or Custom Tables Created by Other Users to restrict the user to deletion of reports, report profiles, searches, bookmarks, custom tables, and custom workflows created by the user.

10. Click Add User.

A message appears, indicating that the user was added. The username appears on the User Management page.

IMPORTANT! Click Deactivate next to the name of an internally authenticated user on the User Management page to disable that user login without deleting it. To reactivate a user, click Activate next to the username.
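The user name rule from step 3 and the password strength rule from step 5, as an added Python checker that is not Sourcefire code. The dictionary is a constructed four-word stand-in, and "a word that appears in a dictionary" is read as a case-insensitive whole-password match; the appliance's own check may differ in that detail.

```python
"""Added example (not Sourcefire code): local user name and password rules
from the Create User page, returning a list of violations."""
import re
from typing import Iterable, List

# Constructed stand-in for a real word list.
DICTIONARY_WORDS = {"password", "sourcefire", "welcome", "analyst"}


def check_user_name(name: str) -> List[str]:
    """Alphanumeric or hyphen characters only, no spaces, at most 32."""
    problems: List[str] = []
    if not name:
        problems.append("empty user name")
    if " " in name:
        problems.append("no spaces allowed")
    if not re.fullmatch(r"[A-Za-z0-9-]*", name):
        problems.append("only alphanumeric or hyphen characters allowed")
    if len(name) > 32:
        problems.append("longer than 32 characters")
    return problems


def check_password(pw: str, dictionary: Iterable[str] = DICTIONARY_WORDS) -> List[str]:
    """Password strength checking as the guide states it: up to 32
    alphanumeric characters, at least eight, mixed case, at least one digit,
    not a dictionary word, no consecutive repeating characters."""
    problems: List[str] = []
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    if len(pw) > 32:
        problems.append("longer than 32 characters")
    if not pw.isalnum():
        problems.append("contains non-alphanumeric characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("not mixed case")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeric character")
    if pw.lower() in {w.lower() for w in dictionary}:
        problems.append("is a dictionary word")
    if re.search(r"(.)\1", pw):  # the same character twice in a row
        problems.append("consecutive repeating characters")
    return problems
```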

Managing Externally Authenticated User Accounts

Requires: DC/MDC or 3D Sensor When an externally authenticated user logs into an appliance that has external authentication enabled, the appliance grants the user the default access role you set by specifying group membership in the authentication object. If you did not configure access group settings, the appliance grants the default user role you set in the system policy. However, if you add users locally before they log into the appliance, the user privileges you configure on the User Management page override the default settings.

An internally authenticated user is converted to external authentication when all of the following conditions exist:

• You enable LDAP or RADIUS authentication.

• The same username exists for the user on the LDAP or RADIUS server.

• The user logs in using the password stored for that user on the LDAP or RADIUS server.

Once an internally authenticated user converts to an externally authenticated user, you cannot revert to internal authentication for that user.

For more information on selecting a default user role, see Configuring Authentication Profiles on page 329 and Understanding User Privileges on page 267.

Note that you can only enable external authentication in a system policy on a Defense Center. You must use the Defense Center to apply the policy to managed sensors if you want to use external authentication on them.

For more information on associating an external user with a set of permissions on your appliance, see Logging into the Appliance to Set Up an Account on page 23. For more information on modifying user access, see Modifying User Privileges and Options on page 306.

Note that you cannot manage passwords for externally authenticated users, or deactivate externally authenticated users, through the Sourcefire 3D System interface. Nor can you use the user management page to remove the minimum access rights of an externally authenticated user whose access role was assigned because of LDAP group membership, RADIUS list membership, or attribute values. On the Edit User page for such a user, rights granted because of settings on the external authentication server are marked with a status of Externally Modified.

You can, however, assign additional rights. When you modify the access rights for an externally authenticated user, the Authentication Method column on the User Management page shows a status of External - Locally Modified.

Managing User Password Settings

You can also control how and when the password for each user account is changed, as well as when user accounts are disabled. The User Account Password Options table describes some of the options you can use to regulate passwords and account access.

IMPORTANT! After you enable Use External Authentication Method, password options no longer appear. Use the external authentication server to manage password settings.

Configuring User Roles

The User Roles table contains a synopsis of each access type. For a full list of the menus available to each access type, see User Account Privileges on page 312.

User Account Password Options

Option Description

Use External Authentication Method

Select this option if you want this user's credentials to be externally authenticated.

IMPORTANT! If you select this option for the user and the external authentication server is unavailable, that user can log into the web interface but cannot access any functionality.

Maximum Number of Failed Logins

Enter an integer, without spaces, that determines the maximum number of times each user can try to log in after a failed login attempt before the account is locked. The default setting is five tries; use 0 to allow an unlimited number of failed logins.

Days Until Password Expiration

Enter the number of days after which the user’s password will expire. The default setting is 0, which indicates that the password never expires.

Days Until Expiration Warning

Enter the number of warning days users have to change their password before their password actually expires. The default setting is 0 days.

WARNING! The number of warning days must be less than the number of days before the password expires.

Force Password Reset on Login

Select this option to force the user to change his password the first time the user logs in.

Check Password Strength

Select this option to require strong passwords. A strong password must be at least eight alphanumeric characters of mixed case and must include at least one numeric character. It cannot be a word that appears in a dictionary or include consecutive repeating characters.


Note that you cannot change the authentication type for a user after you create the user account. In addition, externally authenticated users cannot authenticate unless the external authentication server is available.
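The strength and expiry rules in the User Account Password Options table above, as an added Python example (not the appliance's own code): it checks a candidate password against the Check Password Strength rules, enforces the warning-days constraint, and tracks password expiry and the failed-login lockout for an account. The word list is a constructed stand-in for the appliance's dictionary, the dictionary test ignores digits and symbols (stricter than the table's wording), and locking the account on exactly the Nth failed attempt is an assumption.

```python
"""Password controls from the User Account Password Options table as runnable
logic: strength checking, expiry/warning-day consistency, Force Password Reset
on Login, and the failed-login lockout counter. Added example, not Sourcefire code."""
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed stand-in for the appliance's dictionary, which the page does not list.
DICTIONARY = {"password", "sourcefire", "welcome", "letmein", "admin"}


def password_problems(password: str) -> list:
    """Return the Check Password Strength rules the password violates ([] = passes).
    The dictionary test strips non-letters first, so "Sourcefire1" still counts as
    "sourcefire"; that is stricter than the page's wording (assumption)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("not mixed case")
    if not re.search(r"[0-9]", password):
        problems.append("no numeric character")
    if re.sub(r"[^a-z]", "", password.lower()) in DICTIONARY:
        problems.append("dictionary word")
    if re.search(r"(.)\1", password):
        problems.append("consecutive repeating characters")
    return problems


@dataclass(frozen=True)
class PasswordOptions:
    """The table's options; 0 keeps its documented meaning (unlimited / never expires)."""
    max_failed_logins: int = 5
    days_until_expiration: int = 0
    days_until_warning: int = 0
    force_reset_on_login: bool = False
    check_strength: bool = False

    def validate(self) -> None:
        """Enforce the WARNING: warning days must be less than days until expiration."""
        if self.days_until_warning and self.days_until_warning >= self.days_until_expiration:
            raise ValueError("Days Until Expiration Warning must be less than "
                             "Days Until Password Expiration")


@dataclass
class Account:
    username: str
    options: PasswordOptions
    password_set_on: date
    password: str = ""
    failed_logins: int = 0
    locked: bool = False
    must_reset: bool = False


def set_password(account: Account, new_password: str, today: date) -> None:
    """Store a new password, applying strength checking only if enabled for the account."""
    if account.options.check_strength:
        problems = password_problems(new_password)
        if problems:
            raise ValueError("weak password: " + ", ".join(problems))
    account.password = new_password
    account.password_set_on = today
    account.must_reset = False


def create_account(username: str, options: PasswordOptions, password: str, today: date) -> Account:
    """Add a user: validate the options, set the password, honour Force Password Reset on Login."""
    options.validate()
    account = Account(username, options, password_set_on=today)
    set_password(account, password, today)
    account.must_reset = options.force_reset_on_login
    return account


def expiry_status(account: Account, today: date) -> str:
    """'ok', 'warning' or 'expired' from Days Until Password Expiration and the warning days."""
    days = account.options.days_until_expiration
    if days == 0:
        return "ok"
    expires_on = account.password_set_on + timedelta(days=days)
    if today >= expires_on:
        return "expired"
    if today >= expires_on - timedelta(days=account.options.days_until_warning):
        return "warning"
    return "ok"


def record_failed_login(account: Account) -> bool:
    """Count a failed attempt and lock the account once Maximum Number of Failed
    Logins is reached (0 = unlimited). Locking on exactly the Nth failure is an
    assumption; the page does not say whether the Nth or the following attempt locks."""
    account.failed_logins += 1
    limit = account.options.max_failed_logins
    if limit and account.failed_logins >= limit:
        account.locked = True
    return account.locked
```

With `check_strength` enabled, `create_account("analyst", opts, "password", today)` is refused as a dictionary word, while `Tr0ub4dor` passes; with a 90-day expiry and 14 warning days, `expiry_status` turns to `warning` on day 76 and `expired` on day 90.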

Note that you can restrict an event analyst user's deletion rights so that the user can delete only the report profiles, searches, bookmarks, custom tables, and custom workflows that the user created. Select Restrict Deletion Rights - User Cannot Delete Items Created by Other Users to restrict the user's deletion rights.

You cannot remove minimum access rights through the Sourcefire 3D System user management page for users assigned an access role because of LDAP group or RADIUS list membership or attribute values. You can, however, assign additional rights.

WARNING! If you want to change the minimum access setting for such a user, it is not enough to move the user from one list to another in the authentication object, or to change the user's attribute value or group membership on the external authentication server. You must also reapply the system policy and remove the assigned user right on the user management page.

User Roles

User Role   Privileges

Administrator Access

Provides access to analysis and reporting features, rule and policy configuration, system management, and all maintenance features. Administrator users see the main toolbar as well as all the menu options.

Note that you should limit use of the Administrator role for security reasons.

Maintenance User Access

Provides access to monitoring and maintenance features. Maintenance users see the main toolbar and maintenance-related options on the Operations top-level menu.

RNA Event Analyst Access

Provides access to RNA analysis features, including event views, network maps, host profiles, services, vulnerabilities, client applications, and reports. RNA Event Analysts see the main toolbar and RNA analysis-related options on the Analysis & Reporting and Operations menus.

RNA Event Analyst (Read Only) Access

Provides read-only access to analysis features, including event views, network maps, host profiles, services, vulnerabilities, client applications, incidents, and reports. RNA Event Analysts (Read Only) see the main toolbar and analysis-related options on the Analysis & Reporting and Operations menus.

Intrusion Event Analyst Access

Provides access to IPS analysis features, including intrusion event views, incidents, and reports. Intrusion Event Analysts see the main toolbar and IPS analysis-related options on the Analysis & Reporting and Operations menus.

Intrusion Event Analyst (Read Only) Access

Provides read-only access to IPS analysis features, including intrusion event views, incidents, and reports. Intrusion Event Analysts (Read Only) see the main toolbar and IPS analysis-related options on the Analysis & Reporting and Operations menus.

Restricted Event Analyst Access

Provides access to the same features as Intrusion Event Analyst or RNA Event Analyst access, but you can limit that access to only those events that match specified search criteria, or turn off access to an entire category of events. See Modifying Restricted Event Analyst Access Properties on page 307 for more information. Restricted event analyst users see only the main toolbar and analysis-related options on the Analysis & Reporting and Operations menus.

Policy & Response Administrator Access

Provides access to rules and policy configuration. Policy & Response Administrators have access to the main toolbar and rule and policy-related options on the Policy & Response and Operations menus.

Modifying User Privileges and Options

Requires: DC/MDC or 3D Sensor

After adding user accounts to the system, you can modify access privileges, account options, or passwords at any time. Note that password management options do not apply to users who authenticate to an external directory server; you manage those settings on the external server. However, you must configure access rights for all accounts, including those that are externally authenticated.

For externally authenticated users, you cannot remove the minimum access rights through the Sourcefire 3D System user management page for users assigned an access role because of LDAP group or RADIUS list membership or attribute values. You can, however, assign additional rights. When you modify the access rights for an externally authenticated user, the Authentication Method column on the User Management page shows a status of External - Locally Modified.

Note that if you change the authentication for a user from externally authenticated to internally authenticated, you must supply a new password for the user.


To modify user account privileges:

Access: Admin 1. Select Operations > User Management.

The User Management page appears.

2. Click Edit next to the user you want to modify.

The Edit User page appears.

3. Modify the account or accounts as needed:

• See Managing Externally Authenticated User Accounts on page 302 for a description of how users can be authenticated through external servers.

• See Managing User Password Settings on page 303 for information on changing password settings for internally authenticated users.

• See Configuring User Roles on page 304 for more information on configuring roles to grant access for Sourcefire 3D System functions.

• Optionally, for users with event analyst roles, select or clear the Only delete items created by user option to control whether the user can delete items that were not created by that user.

Modifying Restricted Event Analyst Access Properties

Requires: DC/MDC or 3D Sensor

User accounts with Restricted Event Analyst access use saved searches to specify which events a user can view. You can specify this information only after the user is added. See Adding New User Accounts on page 300 for information about adding new user accounts.


Restricted event analyst users have access to only a few sections of the web interface. The Restricted Event Analyst Settings table shows the correlation between platform and access requirements for the restricted event analyst.

Restricted Event Analyst Settings

To allow the restricted event analyst to...   When these platforms are present...   Set this data set or data sets to Show All or to a specific search

view the network map   DC + RNA   one or more of the following: Host Attributes Data, RNA Client Applications Data, RNA Hosts Data, RNA Services Data, Vulnerabilities Data

view network discovery events   DC + RNA   RNA Events Data

view hosts   DC + RNA   RNA Hosts Data

view host attributes   DC + RNA   Host Attributes Data

view services   DC + RNA   RNA Services Data

view vulnerabilities   DC + RNA   Vulnerabilities Data

view client applications   DC + RNA   RNA Client Applications Data

view flow data   DC + RNA   Flow Data

view compliance events   DC + RNA   Compliance Events Data

view white list events   DC + RNA   White List Events Data

view white list violations   DC + RNA   White List Violations Data

view users or user events   DC + RUA   Users Data

view intrusion events   IPS   Intrusion Events Data

use the clipboard   IPS   N/A - included in the base set of rights for the restricted analyst role

generate (but not view) reports   IPS   all data sets for which the user will generate reports

create (but not modify) incident reports   IPS   all data sets for which the user will create incident reports

change user-specific preferences such as the account password, time zone, and event view settings   DC/MDC or 3D Sensor   N/A - included in the base set of rights for the restricted analyst role

create custom workflows and, on the Defense Center, custom tables   DC/MDC or 3D Sensor   all data sets for which the user will create custom workflows

create and manage bookmarks   DC/MDC or 3D Sensor   all data sets for which the user will need to create or access bookmarks

view events from a custom table   the platforms required to view the custom table   all data sets for the applicable custom tables

If you want to ensure that a user only sees data for a specific subnet, create multiple private saved searches, one for each of the event types, and then apply each saved search to the account as described in the following procedure.

IMPORTANT! You must have saved private searches available before you can add restricted event analyst values to a user account. Searches must be private. If they are saved as public, restricted event analyst users could delete the searches and so enhance their own access privileges. See Searching for Events in the Analyst Guide for more information.

To restrict event analyst access to events:

Access: Admin 1. Select Operations > User Management.

The User Management page appears.

2. Click Edit next to the user to whom you want to grant restricted event analyst rights.

3. If the user you want to modify does not already have the Restricted Event Analyst option enabled, select Restricted Event Analyst.

IMPORTANT! You cannot select Restricted Event Analyst if Administrator, Intrusion Event Analyst, Intrusion Event Analyst (Read Only), RNA Event Analyst, or RNA Event Analyst (Read Only) access is enabled.

The Restrictions section of the page appears.

IMPORTANT! If you created any custom tables on the Defense Center, they appear on this page.

4. For each row, you have three choices:

• To grant access to all events for a category, select Show All Data.

• To grant access to events that match a specific saved search, select the search that you want to use to restrict the user account.

• To deny access to all events in a category, select Hide Data.

5. Click Save to save your changes and return to the User Management page.
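The Show All Data / Hide Data / saved-search choices above, and the private-search requirement, as an added Python example (not part of the manual or of the Sourcefire product): it models a restricted analyst's per-data-set settings and filters constructed sample events through them, including the page's recipe of one private saved search per event type for a subnet-bound analyst. The saved-search model is reduced to a single source-network criterion, the data-set names are those in the table, and treating a data set with no setting as hidden is an assumption.

```python
"""Restricted Event Analyst restrictions as data: each data set is Show All Data,
Hide Data, or a private saved search, and the events a user may see are filtered
accordingly. Added example; events below are constructed, and the search model is
reduced to one source-network criterion."""
import ipaddress
from dataclasses import dataclass, field

SHOW_ALL = "Show All Data"
HIDE = "Hide Data"


@dataclass(frozen=True)
class SavedSearch:
    """A saved search. Only a source-network criterion is modelled (assumption)."""
    name: str
    owner: str
    private: bool
    source_network: str

    def matches(self, event: dict) -> bool:
        network = ipaddress.ip_network(self.source_network, strict=False)
        return ipaddress.ip_address(event["src_ip"]) in network


@dataclass
class RestrictedAnalyst:
    username: str
    # data set name -> SHOW_ALL, HIDE or a SavedSearch; a data set with no setting
    # is treated as hidden here (least privilege; the page does not state the default).
    restrictions: dict = field(default_factory=dict)

    def restrict(self, data_set: str, setting) -> None:
        """Mirror the Edit User page: a public search is refused, because the
        restricted user could delete it and so widen their own access."""
        if isinstance(setting, SavedSearch) and not setting.private:
            raise ValueError(f"search {setting.name!r} is public; use a private search")
        self.restrictions[data_set] = setting

    def visible(self, data_set: str, events: list) -> list:
        """Apply the data set's restriction to a list of events."""
        setting = self.restrictions.get(data_set, HIDE)
        if setting == HIDE:
            return []
        if setting == SHOW_ALL:
            return list(events)
        return [event for event in events if setting.matches(event)]


def restrict_to_subnet(analyst: RestrictedAnalyst, admin: str, subnet: str, data_sets: list) -> None:
    """The page's recipe for a subnet-bound analyst: one private saved search per
    event type, each applied to its data set."""
    for data_set in data_sets:
        search = SavedSearch(f"{analyst.username}/{data_set}/{subnet}", admin, True, subnet)
        analyst.restrict(data_set, search)


# Constructed sample events standing in for the appliance's event tables.
INTRUSION_EVENTS = [
    {"src_ip": "10.1.1.5", "dst_ip": "10.1.1.20", "priority": 1},
    {"src_ip": "10.1.2.9", "dst_ip": "10.1.1.20", "priority": 2},
    {"src_ip": "192.168.5.5", "dst_ip": "10.1.1.20", "priority": 1},
]
RNA_EVENTS = [
    {"src_ip": "10.1.7.7", "event": "new host"},
    {"src_ip": "172.16.0.3", "event": "new service"},
]


def branch_analyst() -> RestrictedAnalyst:
    """A user who may see only branch-office (10.1.0.0/16) intrusion and RNA events,
    and no flow data at all."""
    analyst = RestrictedAnalyst("branch-analyst")
    restrict_to_subnet(analyst, "admin", "10.1.0.0/16",
                       ["Intrusion Events Data", "RNA Events Data"])
    analyst.restrict("Flow Data", HIDE)
    return analyst
```

`branch_analyst()` sees two of the three intrusion events and one of the two RNA events; trying to attach a public search raises, which is the check the IMPORTANT above asks the administrator to perform by hand.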


Modifying User Passwords

Requires: DC/MDC or 3D Sensor

You can modify user passwords from the User Management page for internally authenticated users. Note that you must manage externally authenticated user passwords on the LDAP or RADIUS server.

TIP! If you want to force a user to change the password on the next log-in, click Reset Password next to the user account on the User Management page.

To change a user’s password:

Access: Admin 1. Select Operations > User Management.

The User Management page appears.

2. Next to the user name, click Edit.

The Edit User page appears.

3. In the Password field, type the new password (up to 32 alphanumeric characters).


4. In the Confirm Password field, re-type the new password.

IMPORTANT! If password strength checking is enabled for the user account, the password must have at least eight alphanumeric characters of mixed case, with at least one number. It cannot be a word that appears in a dictionary or contain consecutive repeating characters.

5. Make any other changes you want to make to the user configuration:

• For more information on password options, see Managing User Password Settings on page 303.

• For more information on user roles, see Configuring User Roles on page 304.

6. Click Save.

The password is changed and any other changes saved.

Deleting User Accounts

Requires: DC/MDC or 3D Sensor

You can delete user accounts from the system at any time, with the exception of the admin account, which cannot be deleted.

To delete a user account:

Access: Admin 1. Select Operations > User Management.

The User Management page appears.

2. Next to the user whose account you want delete, click Delete.

The account is deleted.

User Account Privileges

Requires: DC/MDC or 3D Sensor

The following sections provide a list of the menus and toolbar options in the Sourcefire 3D System and the user account privileges required to access them.

For more information on the access notations used in the tables that follow and throughout this documentation, see Access Requirements Conventions on page 39.

• Analysis & Reporting Menu on page 313

• Policy & Response Menu on page 316

• Operations Menu on page 317

• Toolbar Options on page 319


Analysis & Reporting Menu

Requires: IPS or DC/MDC

The Analysis & Reporting Menu table lists the user account privileges required to access each option on the Analysis & Reporting menu. An X indicates that the user can access the option. Users with only Rules or Maintenance access cannot see the Analysis & Reporting menu at all.

Analysis & Reporting Menu

Menu   Admin   Maint   RNA/RNA-RO Event Analyst   IPS/IPS-RO Event Analyst   Restricted Event Analyst   P&R Admin

Event Summary X X X X

Intrusion Event Statistics X X

Event Graphs X X

Dashboards X X X X

RNA Statistics X X X

Flow Summary X X X

IPS X X X X

Events X X X X

Reviewed Events X X X X

Clipboard X X X X

Incidents X X

RNA X X X

Network Map | Hosts X X X

Network Map | Network Devices X X X

Network Map | Services X X X

Network Map | Vulnerabilities X X X

Network Map | Host Attributes X X X

RNA Events X X X

Hosts X X X

Host Attributes X X X

Services X X X

Client Applications X X X

Flow Data X X X

Vulnerabilities X X X

RUA X X X X

Users X X X X

RUA Events X X X X

Compliance X X X X

Compliance Events X X X X

White List Events X X X X

White List Violations X X X X

Custom Tables X X X

Searches X X X X X

Audit Log X

Client Applications X X X

Compliance Events X X X X

Flow Data X X X

Health Events X X X

Host Attributes X X X

Hosts X X X

Intrusion Events X X X X

Remediation Status X

RNA Events X X X X

RUA Events X X X X

Scan Results X

Services X X X

SEU Import Log X X

Users X X X X

Vulnerabilities X X X

White List Events X X X X

White List Violations X X X X

Custom Workflows X X X X

Bookmarks X X X X

Report Profiles X X X


Policy & Response Menu

Requires: IPS or DC/MDC

The Policy & Response Menu table lists the user account privileges required to access each option on the Policy & Response menu. An X indicates that the user can access the option. Users with Intrusion Event Analyst, RNA Event Analyst, or Maintenance access cannot see the Policy & Response menu at all.

Policy & Response Menu

Menu   Admin   Maint   RNA/RNA-RO Event Analyst   IPS/IPS-RO Event Analyst   Res. Event Analyst   P&R Admin

IPS X X

Intrusion Policy X X

SEU X X

Rule Editor X X

Email X X

OPSEC X X

RNA X X

Detection Policy X X

Host Attributes X X

RNA Detectors X X

Custom Fingerprinting X X

Custom Product Mappings X

User 3rd Party Mappings X

Network Map | Custom Topology X

Compliance X X

Policy Management X X

Rule Management X X

White List X X

Traffic Profiles X X

Responses X X

Alerts X X

Impact Flag Alerts X X

RNA Event Alerts X X

Remediations X X

Groups X X

Operations Menu

Requires: DC/MDC or 3D Sensor

The Operations Menu table lists the user account privileges required to access each option on the Operations menu. An X indicates that the user can access the option. All users can access at least some options on the Operations menu.

Operations Menu

Menu   Admin   Maint   RNA/RNA-RO Event Analyst   IPS/IPS-RO Event Analyst   Res. Event Analyst   P&R Admin

Configuration X

RNA/RUA Event Purge X X

Detection Engines X

High Availability X

eStreamer X

Login Authentication X

RUA X

Sensors X

User Management X

System Settings X

System Policy X

Update X

Monitoring X X X

Statistics X X

Performance | IPS X X

Performance | RNA X X

Audit X

Task Status X X X

Syslog X X

Health X X X

Tools X X X X X X

Scheduling X X

Backup/Restore X

Import/Export X

Whois X X X X X X

Scan Results X X X

Scanners X X

Help X X X X X X

About X X X X X X

Online X X X X X X

Email Support X X X X X X

Support Site X X X X X X

Toolbar Options

Requires: DC/MDC or 3D Sensor

The Toolbar Options table lists the user account privileges required to access each option on the toolbar and its sub-menus. An X indicates that the user can access the option. All users can access at least some of the options on the toolbar.

Toolbar Options

Menu   Admin   Maint   RNA/RNA-RO Event Analyst   IPS/IPS-RO Event Analyst   Res. Event Analyst   P&R Admin

Health X X X X

Preferences X X X X X X

Preferences | Home Page X X X X X X

Preferences | Event View Settings X X X X

Preferences | Change Password X X X X X X

Preferences | Time Zone Settings X X X X X X

Help X X X X X X

Logout X X X X X X

Chapter 9

Managing System Policies

A system policy allows you to manage the following on your Defense Center or 3D Sensor:

• access control lists

• audit log settings

• authentication profiles

• dashboard settings

• database event limits

• detection policy preferences

• DNS cache properties

• the mail relay host and notification address

• tracking intrusion policy changes

• specifying a different language

• custom login banners

• RNA settings, including multiple fingerprint and subnet detection settings

• RUA settings

• synchronizing time

• serving time from the Defense Center

• mapping vulnerabilities for services

You can use a system policy to control the aspects of your Defense Center that are likely to be similar for other Sourcefire 3D System appliances in your deployment. For example, your organization's security policies may require that your appliances display a "No Unauthorized Use" message when a user logs in. With system policies, you can set the login banner once in a system policy on a Defense Center and then apply the policy to all the sensors that it manages.

You can also benefit from having multiple policies on a 3D Sensor. For example, if you have different mail relay hosts that you use under different circumstances, or if you want to test different database limits, you can create several system policies and switch between them rather than editing a single policy.

Contrast a system policy, which controls aspects of an appliance that are likely to be similar across a deployment, with system settings, which are likely to be specific to a single appliance. See Configuring System Settings on page 360 for more information.

IMPORTANT! You cannot apply system policies to Crossbeam-based software sensors or Intrusion Agents.

See the following sections for more information:

• Creating a System Policy on page 321

• Editing a System Policy on page 323

• Applying a System Policy on page 324

• Deleting System Policies on page 325

Creating a System Policy

Requires: Any

When you create a system policy, you assign it a name and a description. Next, you configure the various aspects of the policy, each of which is described in its own section.

Instead of creating a new policy, you can export a system policy from another appliance and then import it onto your appliance. You can then edit the imported policy to suit your needs before you apply it. For more information, see Importing and Exporting Objects on page 583.


To create a system policy:

Access: Admin 1. Select Operations > System Policy.

The System Policy page appears.

The Policy Name column includes its description. The Applied To column indicates the number of appliances where the policy is applied and a count of out-of-date appliances where the previously applied policy has changed and should be reapplied.

2. Click Create Policy.

The Create page appears.

3. From the drop-down list, select an existing policy to use as a template for your new system policy.

4. Type a name and description (up to 40 alphanumeric characters and spaces each) for your new policy.

5. Click Save.

Your system policy is saved and the Access List page appears. For information about configuring each aspect of the system policy, see one of the following sections:

• Configuring the Access List for Your Appliance on page 325

• Configuring Audit Log Settings on page 327

• Configuring Authentication Profiles on page 329

• Configuring Dashboard Settings on page 331

• Configuring Database Event Limits on page 332

• Configuring Detection Policy Preferences on page 336

• Configuring DNS Cache Properties on page 337

• Configuring a Mail Relay Host and Notification Address on page 338

• Configuring Intrusion Policy Preferences on page 339

• Specifying a Different Language on page 340

• Adding a Custom Login Banner on page 341

• Configuring RNA Settings on page 342


• Configuring RNA Subnet Detection Settings on page 349

• Configuring RUA Settings on page 352

• Synchronizing Time on page 354

• Serving Time from the Defense Center on page 357

• Mapping Vulnerabilities for Services on page 358

Editing a System Policy

Requires: Any

You can edit a system policy that is currently in use, but remember to re-apply the policy as explained in Applying a System Policy on page 324.

To edit an existing system policy:

Access: Admin 1. Select Operations > System Policy.

The System Policy page appears, including a list of the existing system policies.

2. Click Edit next to the system policy that you want to edit.

With the Policy Name and Policy Description fields at the top, Access List, the first section of the system policy, appears. You can change the policy name and description. For information about configuring each aspect of the system policy, see one of the following sections:

• Configuring the Access List for Your Appliance on page 325

• Configuring Audit Log Settings on page 327

• Configuring Authentication Profiles on page 329

• Configuring Dashboard Settings on page 331

• Configuring Database Event Limits on page 332

• Configuring Detection Policy Preferences on page 336

• Configuring DNS Cache Properties on page 337

• Configuring a Mail Relay Host and Notification Address on page 338

• Configuring Intrusion Policy Preferences on page 339

• Specifying a Different Language on page 340

• Adding a Custom Login Banner on page 341

• Configuring RNA Settings on page 342

• Configuring RNA Subnet Detection Settings on page 349

• Configuring RUA Settings on page 352

• Synchronizing Time on page 354


• Serving Time from the Defense Center on page 357

• Mapping Vulnerabilities for Services on page 358

IMPORTANT! If you are editing the current system policy, make sure you apply the updated policy when you are finished. See Applying a System Policy on page 324.

Applying a System Policy

Requires: Any

After you create or edit a system policy, your settings do not take effect until you apply it.

IMPORTANT! You cannot apply system policies to Crossbeam-based software sensors or Intrusion Agents.

To apply a system policy:

Access: Admin 1. Select Operations > System Policy.

The System Policy page appears, including a list of the existing system policies.

2. Click Apply next to the system policy that you want to apply.

On the 3D Sensor, the system policy is applied.

On the Defense Center, the Apply page appears. If a policy has been updated since it was applied, the name of the policy appears in italics.

3. On the Defense Center, select the sensors, and, if required, the Defense Center itself, where you want to apply the system policy.

TIP! You can sort the sensors by sensor group, model, type of sensor, or previously applied policy. You can also select an entire group.

4. Click Apply.

A message appears indicating that the task is added to the task queue.


Deleting System Policies

Requires: Any

You can delete a system policy even if it is in use. If the policy is still in use, it continues to be used until a new policy is applied. Default system policies cannot be deleted.

To delete a system policy:

Access: Admin 1. Select Operations > System Policy.

The System Policy page appears, including a list of the existing system policies.

2. Click Delete next to the system policy that you want to delete.

The policy is deleted.

Configuring the Parts of Your System Policy

Requires: Any

You can change various parts of your system policy. For information about configuring each aspect of the system policy, see one of the following sections:

• Configuring the Access List for Your Appliance on page 325

• Configuring Audit Log Settings on page 327

• Configuring Authentication Profiles on page 329

• Configuring Dashboard Settings on page 331

• Configuring Database Event Limits on page 332

• Configuring Detection Policy Preferences on page 336

• Configuring DNS Cache Properties on page 337

• Configuring a Mail Relay Host and Notification Address on page 338

• Configuring Intrusion Policy Preferences on page 339

• Specifying a Different Language on page 340

• Adding a Custom Login Banner on page 341

• Configuring RNA Settings on page 342

• Configuring RNA Subnet Detection Settings on page 349

• Configuring RUA Settings on page 352

• Synchronizing Time on page 354

• Serving Time from the Defense Center on page 357

• Mapping Vulnerabilities for Services on page 358

Configuring the Access List for Your Appliance

Requires: Any

The Access List page allows you to control which computers can access your appliance on specific ports. By default, port 443 (Hypertext Transfer Protocol Secure, or HTTPS), which is used to access the web interface, and port 22 (Secure Shell, or SSH), which is used to access the command line, are enabled for any IP address.

WARNING! By default, access to the appliance is not restricted. To operate the appliance in a more secure environment, consider adding access to the appliance for specific IP addresses and then deleting the default any option.

The access list is part of the system policy. You can specify the access list either by creating a new system policy or by editing an existing policy. In either case, the access list does not take effect until you apply the system policy.

To configure the access list:

Access: Admin

1. Select Operations > System Policy.

The System Policy page appears.

2. You have two options:

• To modify the access list in an existing system policy, click Edit next to the system policy.

• To configure the access list as part of a new system policy, click Create Policy.

Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.

In either case, the Access List page appears.

3. To delete one of the current settings, click Delete.

WARNING! If you delete access for the IP address that you are currently using to connect to the appliance interface (and if there is no entry for “IP=any port=443”), you will lose access to the system when you apply the policy.

The setting is removed.


4. To add access for one or more IP addresses, click Add.

The Add IP Address page appears.

5. In the IP Address field, use the following syntax depending on the IP addresses you want to add:

• an exact IP address (for example, 192.168.1.101)

• an IP address range using CIDR notation (for example, 192.168.1.1/24)

For information on using CIDR in the Sourcefire 3D System, see IP Address Conventions on page 41.

• any, to designate any IP address

6. Select SSH, HTTPS, or both to specify which ports you want to enable for these IP addresses, then click Add.

The Access List page appears again, reflecting the changes you made.

TIP! You can click Add to add access for additional IP addresses or click Delete to remove access from other IP addresses.

7. Click Save Policy and Exit.

The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy on page 324 for more information.
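A pre-apply check for the access list described above, as an added example that is not part of the Sourcefire 3D System or its documentation: it models entries of the three documented forms (exact address, CIDR block, any) with the ports they enable, and reproduces the warning about losing access to the address you are connected from. The class and function names and the sample addresses are constructed for illustration.

```python
"""Offline model of a Sourcefire-style access list, checked before applying a policy.

Constructed example: entries pair an IP address, a CIDR block, or "any" with the
ports they enable (443 = HTTPS web interface, 22 = SSH command line).
"""
import ipaddress

HTTPS, SSH = 443, 22


class AccessEntry:
    def __init__(self, spec, ports):
        self.spec = spec
        self.ports = frozenset(ports)
        # "any" matches every address; otherwise parse a host or CIDR block.
        # strict=False accepts host-style CIDR such as 192.168.1.1/24.
        self.network = None if spec == "any" else ipaddress.ip_network(spec, strict=False)

    def matches(self, ip, port):
        if port not in self.ports:
            return False
        return self.network is None or ipaddress.ip_address(ip) in self.network


def is_allowed(entries, ip, port):
    """True when at least one entry permits this client address on this port."""
    return any(e.matches(ip, port) for e in entries)


def has_open_any(entries):
    """True while the default unrestricted entry (any address) is still present."""
    return any(e.network is None for e in entries)


def lockout_risk(entries, admin_ip):
    """Warnings if applying this list would cut off the administrator's own address.

    Mirrors the guide's warning: removing access for the address you are
    connected from, with no "IP=any port=443" entry left, loses web access.
    """
    warnings = []
    if not is_allowed(entries, admin_ip, HTTPS):
        warnings.append(f"{admin_ip} would lose HTTPS (443) access to the web interface")
    if not is_allowed(entries, admin_ip, SSH):
        warnings.append(f"{admin_ip} would lose SSH (22) access to the command line")
    return warnings


if __name__ == "__main__":
    # Constructed list: a management subnet on both ports, one host on HTTPS only.
    restricted = [AccessEntry("192.168.1.1/24", [HTTPS, SSH]),
                  AccessEntry("10.10.0.7", [HTTPS])]
    for ip in ("192.168.1.101", "10.10.0.7", "172.16.0.1"):
        print(ip, lockout_risk(restricted, ip) or "ok")
```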

Configuring Audit Log Settings

Requires: Any

You can configure the system policy so that the appliance streams an audit log to an external host.

IMPORTANT! You must ensure that the external host is functional and accessible from the appliance sending the audit log.

The name of the sending host is part of the sent information and you can further identify the audit log stream with a facility, a severity, and an optional tag. The appliance does not send the audit log until you apply the system policy.


To configure the audit log settings:

Access: Admin

1. Select Operations > System Policy.

The System Policy Page appears.

2. You have two options:

• To modify the audit log settings in an existing system policy, click Edit next to the system policy.

• To configure the audit log settings as part of a new system policy, click Create Policy.

Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.

In either case, the Access List page appears.

3. Click Audit Log Settings.

4. Select Enabled next to Send Audit Log to Syslog.

The default setting is Disabled.

5. Designate the destination host for the audit information by using the IP address or the fully qualified name of the host in the Host field. The default port (514) is used.

WARNING! The computer you configure to receive an audit log must be set up to accept remote messages. Otherwise, the appliance may send the audit log to the host, but it will not be accepted.

6. Label the audit data that you are sending with a facility and severity.

The default for Facility is USER. The default for Severity is INFO. However, you can select any of the standard syslog facility and severity settings.

7. Optionally, insert a reference tag in the TAG field.

8. Click Save Policy and Exit.

The system policy is updated. Your changes do not take effect until you apply the system policy to the Defense Center and its managed sensors. See Applying a System Policy on page 324 for more information.

After you apply a policy with this feature enabled and your destination host is configured to accept the audit log, the syslog messages are sent. The following is an example of the output structure:

Date Time Host [Tag] Sender: [User_Name]@[User_IP], [Subsystem], [Action]

where the local date, time, and hostname precede the bracketed optional tag, and the sending device name precedes the audit log message.

For example:

Mar 01 14:45:24 localhost [TAG] Dev-DC3000: [email protected], Operations > Monitoring, Page View
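A parser for the audit log structure shown above, with a check that surfaces audit activity from addresses outside the expected management network. This is an added example, not Sourcefire code; the sample lines follow the documented format but their users, addresses, subsystems and actions, the 10.1.1.0/24 management network, and the function names are constructed.

```python
"""Parse Sourcefire-style audit syslog lines and flag activity from unexpected addresses.

Constructed example. Line structure, from the guide:
Date Time Host [Tag] Sender: [User_Name]@[User_IP], [Subsystem], [Action]
"""
import ipaddress
import re

AUDIT_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} +\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?:\[(?P<tag>[^\]]*)\] )?"          # optional bracketed tag
    r"(?P<sender>\S+): "                  # name of the sending appliance
    r"(?P<user>[^@,]+)@(?P<user_ip>[^,]+), "
    r"(?P<subsystem>[^,]+), (?P<action>.+)$"
)


def parse_audit_line(line):
    """Return a dict of fields, or None if the line is not an audit record."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["user_ip"] = rec["user_ip"].strip()
    return rec


def parse_audit_log(text):
    return [r for r in (parse_audit_line(l) for l in text.splitlines()) if r]


def events_outside(records, management_networks):
    """Records whose client address lies outside every expected management network."""
    nets = [ipaddress.ip_network(n) for n in management_networks]
    out = []
    for r in records:
        try:
            ip = ipaddress.ip_address(r["user_ip"])
        except ValueError:
            out.append(r)          # unparsable address: surface it rather than hide it
            continue
        if not any(ip in n for n in nets):
            out.append(r)
    return out


# Constructed sample: two records carry the optional tag, one does not.
SAMPLE_LOG = """\
Mar 01 14:45:24 localhost [TAG] Dev-DC3000: admin@10.1.1.2, Operations > Monitoring, Page View
Mar 01 14:46:02 localhost [TAG] Dev-DC3000: admin@10.1.1.2, Operations > System Policy, Save Policy
Mar 01 14:47:10 localhost Dev-DC3000: analyst@203.0.113.9, Login, Login Success
not an audit line
"""

if __name__ == "__main__":
    for r in events_outside(parse_audit_log(SAMPLE_LOG), ["10.1.1.0/24"]):
        print(f"{r['date']} {r['time']} {r['user']}@{r['user_ip']} "
              f"{r['subsystem']} / {r['action']}")
```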


Configuring Authentication Profiles

Requires: DC/MDC

Normally, when a user logs into a Sourcefire 3D System Defense Center or managed sensor, the appliance verifies the user credentials by comparing them to a user account stored in the Defense Center or managed sensor’s local database. However, if you create an authentication object referencing an external authentication server, you can apply the system policy to let users logging into the Defense Center or managed sensor authenticate to that server rather than using the local database.

When you apply a policy with authentication enabled to an appliance, the appliance verifies the user credentials against users on an LDAP or RADIUS server. In addition, if a user has internal authentication enabled and the user credentials are not found in the internal database, the appliance then checks the external server for a set of matching credentials. If a user has the same username on multiple systems, all passwords across all servers work. Note, however, that if authentication fails on the available external authentication servers, the appliance does not revert to checking the local database.

When you enable authentication, you can set the default user role for any user whose account is externally authenticated. You can select multiple roles, as long as those roles can be combined. For example, if you set up an authentication profile that retrieves only users in the Network Security group in your company, you may set the default user role to include both the Intrusion Event Analyst role and the RNA Event Analyst so users can access collected event data without any additional user configuration on your part. However, if your authentication profile retrieves records for other personnel in addition to the security group, you would probably want to leave the default role unselected. For more information on available user roles, see Understanding User Privileges on page 267.

Note that when you create an LDAP authentication object on your Defense Center, you can set a filter search attribute to specify the set of users who can successfully authenticate against the LDAP server. See Configuring Attribute Mapping on page 274 for more information.

If no access role is selected, users can log in but cannot access any functionality. After a user attempts to log in, their account is listed on the User Management page, where you can edit the account settings to grant additional permissions. For more information on modifying a user account, see Modifying User Privileges and Options on page 306. For a complete procedure for logging in initially as an externally authenticated user, see Logging into the Appliance to Set Up an Account on page 23.

If you configure the system policy to use one user role and apply the policy, then later modify the policy to use different default user roles and re-apply, any user accounts created before the modification retain the first user role until you modify or delete and recreate them.

The Authentication Profiles page only displays in the system policy on a Defense Center. You can enable authentication in a system policy on your Defense Center and then push that policy to managed sensors. Once you apply the policy to a sensor, eligible externally authenticated users can log into the sensor. However, the system policy on the sensor does not display authentication profile settings, so you cannot manage them on the sensor itself. To make changes to the authentication profile settings, you have to modify the policy on the Defense Center and then push it to the sensor again. To disable authentication on a managed sensor, you can either disable it in a system policy on the Defense Center and push that to the sensor or apply a local system policy (which cannot contain authentication profile settings) on the sensor.

Note that you can only enable external authentication on Defense Centers and 3D Sensors. Enabling external authentication by applying a system policy is not supported on the following sensor types:

• 3Dx800 sensors

• Crossbeam-based software sensors

• Intrusion Agents

• RNA Software for Red Hat Linux

If a user with internal authentication attempts to log in, the appliance first checks if that user is in the local user database. If the user exists, the appliance then checks the username and password against the local database. If a match is found, the user logs in successfully. If the login fails, however, and external authentication is enabled, the appliance checks the user against each external authentication server in the authentication order shown in the system policy. If the username and password match results from an external server, the appliance changes the user to an external user with the default privileges for that authentication object.

If an external user attempts to log in, the appliance checks the username and password against the external database. If a match is found, the user logs in successfully. If the login fails, the user login attempt is rejected. External users cannot authenticate against the user list in the local database. If the user is a new external user, an external user account is created in the local database with the default privileges for the external authentication object.
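The login rules in the two paragraphs above, modelled as an added example (not Sourcefire code) so the edge cases can be exercised: an internal user whose local password fails is tried against the external servers in profile order and converted to an external user on a match, an external user is never checked against the local list, an existing external account keeps the roles it was created with, and shell access consults only the highest-ordered server. The account store, server stand-ins, usernames and passwords are constructed for illustration.

```python
"""Model of the documented login decision for internal and external users.

Constructed example: LocalDB stands in for the appliance's local user database,
ExternalServer for one enabled LDAP or RADIUS authentication object.
"""


class LocalDB:
    def __init__(self):
        self.users = {}  # name -> {"auth": "internal"|"external", "password", "roles"}

    def add_internal(self, name, password, roles):
        self.users[name] = {"auth": "internal", "password": password, "roles": set(roles)}


class ExternalServer:
    def __init__(self, name, credentials, default_roles):
        self.name = name
        self.credentials = credentials            # name -> password
        self.default_roles = set(default_roles)   # default user role(s) in the profile

    def check(self, name, password):
        return self.credentials.get(name) == password


def login(db, servers, name, password, shell=False):
    """Decide a login. `servers` are the enabled authentication objects in profile
    order (an empty list means external authentication is off). Returns
    (success, roles, how)."""
    candidates = servers[:1] if shell else servers   # shell access: top server only
    user = db.users.get(name)
    if user is not None and user["auth"] == "internal":
        if user["password"] == password:
            return True, set(user["roles"]), "local"
        # Local check failed: try each external server in order. A match converts
        # the account to an external user carrying that object's default privileges.
        for s in candidates:
            if s.check(name, password):
                user.update(auth="external", password=None, roles=set(s.default_roles))
                return True, set(user["roles"]), f"converted:{s.name}"
        return False, set(), "rejected"
    # External or unknown user: only the external servers are consulted; there is
    # no fallback to the local database.
    for s in candidates:
        if s.check(name, password):
            if user is None:  # first login creates the external account with defaults
                user = db.users[name] = {"auth": "external", "password": None,
                                         "roles": set(s.default_roles)}
            return True, set(user["roles"]), f"external:{s.name}"
    return False, set(), "rejected"
```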

To enable authentication of users on external servers:

Access: Admin

1. On the Defense Center, select Operations > System Policy.

The System Policy page appears.

2. You have two options:

• To modify the authentication profile settings in an existing system policy, click Edit next to the system policy.

• To configure the authentication profile settings as part of a new system policy, click Create Policy.

Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.

In either case, the Access List page appears.


3. Click Authentication Profiles.

The Authentication Profiles page appears.

4. From the Status drop-down list, select Enabled.

5. From the Default User Role drop-down list, select a user role to define the default permissions you want to grant to users authenticated externally.

TIP! Press Ctrl before selecting roles to select multiple default user roles. Note that although you can select both an event analyst role and the corresponding read-only event analyst role, only the analyst role is applied.

6. If you want to use the external server to authenticate shell access accounts as well, select Enabled from the Shell Authentication drop-down list.

7. To enable use of an authentication object, click Enable next to the object.

IMPORTANT! You must enable at least one authentication object to enable external authentication.

8. Optionally, use the up and down arrows to change the order in which authentication servers are accessed when an authentication request occurs. Remember that shell access users can only authenticate against the server whose authentication object is highest in the profile order.

9. Click Save Policy and Exit.

The system policy is updated. Your changes do not take effect until you apply the system policy to the Defense Center and its managed sensors. See Applying a System Policy on page 324 for more information.

Configuring Dashboard Settings

Requires: Any

You can configure the system policy so that Custom Analysis widgets are enabled on the dashboard. Dashboards provide you with at-a-glance views of current system status through the use of widgets: small, self-contained components that provide insight into different aspects of the Sourcefire 3D System.

The Custom Analysis widget allows you to create a visual representation of events based on a flexible, user-configurable query of the events in your appliance's database. See Understanding the Custom Analysis Widget on page 69 for more information on how to use custom widgets.

To enable Custom Analysis widgets:

Access: Admin

1. Select Operations > System Policy.

The System Policy page appears.

2. You have two options:

• To modify the dashboard settings in an existing system policy, click Edit next to the system policy.

• To configure the dashboard settings as part of a new system policy, click Create Policy. Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.

In either case, the Access List page appears.

3. Click Dashboard.

The Dashboard Settings page appears.

4. Select the Enable Custom Analysis Widgets check box to allow users to add Custom Analysis widgets to dashboards; clear the check box to prohibit users from using those widgets.

By default, Custom Analysis widget use is enabled.

5. Click Save Policy and Exit.

The system policy is updated. Your changes do not take effect until you apply the system policy. See Deleting System Policies on page 325 for more information.

Configuring Database Event Limits

Requires: Any

You can use the Database page to specify the maximum number of events you want to store on an appliance. To improve performance, you should try to tailor the database event limit to the number of events you regularly work with.

In most cases, the minimum number of records you can store in any database is one record (or, in the case of the compliance violation history database, one day’s history). However, for some databases, you can choose not to store any events.


These databases include those that store RNA and RUA events, as well as flow events, flow summaries, and health events.

The Database Event Limits table on page 333 below describes the maximum number of records you can store in the databases on your appliance. Note that if you apply a system policy to an appliance that does not support the maximum limit you specify (for example, if you specify 100 million intrusion events and apply that policy to a 3D Sensor), the maximum limit for the appliance is silently enforced.

In addition, database limits that do not apply to a particular appliance are silently ignored. For example, if you use the Defense Center to apply the same system policy to itself and the 3D Sensors it manages, any health alert limits you set in the policy have no effect on the sensors.

IMPORTANT! You cannot apply system policies to Crossbeam-based software sensors or Intrusion Agents.

Database Event Limits

Intrusion Event Database (Defense Center or Master Defense Center)
  Stores: intrusion events on a Defense Center or on a Master Defense Center (which is always a DC3000)
  Up to: 2.5 million events on the DC500; 10 million events on the Virtual Defense Center or the DC1000; 100 million events on the DC3000

Intrusion Event Database (3D Sensor)
  Stores: intrusion events on a 3D Sensor
  Up to: 2 million events

RNA Event Database
  Stores: RNA network discovery events on a Defense Center
  Up to: 10 million events

RNA Flow Database
  Stores: RNA flows on a Defense Center
  Up to: 10 million events on the DC500, Virtual Defense Center, or DC1000; 100 million events on the DC3000

RNA Flow Summary Database
  Stores: RNA flow summaries (aggregated RNA flows) on a Defense Center
  Up to: 10 million events on the DC500, Virtual Defense Center, or DC1000; 100 million events on the DC3000

Compliance & White List Event Database
  Stores: compliance events and white list events on a Defense Center or Master Defense Center
  Up to: 1 million events

Health Event Database
  Stores: health events on a Defense Center or Master Defense Center
  Up to: 1 million events

Audit Event Database
  Stores: audit records
  Up to: 100,000 records

Remediation Status Event Database
  Stores: remediation status events on a Defense Center
  Up to: 10 million events

White List Violation History Database
  Stores: the white list violation history of the hosts on your network, on a Defense Center
  Up to: a 30-day history of violations

RUA Event Database
  Stores: RUA events on a Defense Center
  Up to: 10 million events

RUA History Database
  Stores: RUA storage of user logins on a Defense Center
  Up to: 10 million user login records

SEU Import Log Database
  Stores: SEU import log records
  Up to: 1 million records

Note that if the number of events in the intrusion event database exceeds the maximum, the oldest events and packet files are pruned until the database is back within limits. In addition, if the /volume disk partition reaches 85% of its capacity, unified files are deleted from the system, beginning with the oldest files. See Configuring a Mail Relay Host and Notification Address on page 338 for information about generating automated email notifications when events are automatically pruned.

For information on manually pruning the RNA and RUA databases, see Purging the RNA and RUA Databases on page 598.

To configure the maximum number of records in the database:

Access: Admin

1. Select Operations > System Policy.

The System Policy page appears.

2. You have two options:

• To modify the database settings in an existing system policy, click Edit next to the system policy.

• To configure the database settings as part of a new system policy, click Create Policy.

Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.

In either case, the Access List page appears.


3. Click Database.

The Database page appears. The following graphic shows the Database page on a DC1000 Defense Center.

4. For each of the databases, enter the number of records you want to store.

For information on how many records each database can maintain, see Database Event Limits on page 333.


5. Click Save Policy and Exit.

The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy on page 324 for more information.

Configuring Detection Policy Preferences

Requires: Any

The Detection Policy Preferences page allows you to configure whether you must confirm your action when you apply RNA detection policies and intrusion policies.

If you enable this setting, whenever you apply an RNA detection policy or an intrusion policy to one or more detection engines, the appliance prompts you to confirm that you want to apply the policy. The appliance also warns you if the detection engine has a different policy applied to it than the one you are attempting to apply.

To configure detection policy preferences:

Access: Admin

1. Select Operations > System Policy.

The System Policy page appears.

2. You have two options:

• To modify the detection policy preferences in an existing system policy, click Edit next to the system policy.

• To configure the detection policy preferences as part of a new system policy, click Create Policy. Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.

In either case, the Access List page appears.

3. Click Detection Policy Preferences.

The Detection Policy Preferences page appears.

4. Do you want to confirm your action when you apply RNA detection policies and intrusion policies?

• If yes, select Yes from the drop-down list.

• If no, select No from the drop-down list.

5. Click Save Policy and Exit.

The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy on page 324 for more information.


Configuring DNS Cache Properties

Requires: Any

If you have a DNS server configured on the Network page, you can configure the appliance to resolve IP addresses automatically on the event view pages. As an administrator, you can also configure basic properties for DNS caching performed by the appliance. Configuring DNS caching allows you to identify IP addresses you previously resolved without performing additional lookups. This can reduce the amount of traffic on your network and speed the display of event pages when IP address resolution is enabled.

To configure the DNS cache properties:

Access: Admin

1. Select Operations > System Policy.

The System Policy page appears.

2. You have two options:

• To modify the DNS cache settings in an existing system policy, click Edit next to the system policy.

• To configure the DNS cache settings as part of a new system policy, click Create Policy.

Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.

In either case, the Access List page appears.

3. Click DNS Cache.

The DNS Cache page appears.

4. Next to DNS Resolution Caching, select Enabled to enable caching or Disabled to disable it.

IMPORTANT! DNS resolution caching is a system-wide setting that allows the caching of previously resolved DNS lookups. To configure IP address resolution on a per-user-account basis, users must also select Event View Settings from the User Preferences menu, enable Resolve IP Addresses, and then click Save. For information about configuring DNS servers, see Configuring Network Settings on page 377. For information about configuring event preferences, see Configuring Event View Settings on page 27.

5. In the DNS Cache Timeout field, enter the number of minutes a DNS entry remains cached in memory before it is removed for inactivity.

The default setting is 300 minutes (five hours).


6. Click Save Policy and Exit.

The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy on page 324 for more information.

WARNING! Although DNS caching is enabled for the appliance, IP address resolution is not enabled on a per-user basis unless it is configured on the Events page accessed from the User Preferences menu.

Configuring a Mail Relay Host and Notification Address

Requires: Any

If you plan to:

• email event-based reports

• email status reports for scheduled tasks

• use email for RNA event, impact flag, and compliance event alerting (Defense Center only - requires RNA)

• use email for intrusion event alerting (Defense Center only - requires IPS)

• use email for health event alerting (Defense Center only)

you must configure a mail host. In addition, you can configure an email address that will receive notifications when intrusion events and audit logs are pruned from the database.

To configure a mail relay host:

Access: Admin

1. Select Operations > System Policy.

The System Policy page appears.

2. You have two options:

• To modify the email settings in an existing system policy, click Edit next to the system policy.

• To configure the email settings as part of a new system policy, click Create Policy.

Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.

In either case, the Access List page appears.


3. Click Email Notification.

The Configure Email Notification page appears.

4. In the Mail Relay Host field, type the hostname or IP address of the mail server you want to use.

IMPORTANT! The mail host you enter must allow access from the appliance.

5. Optionally, in the Data Pruning Notification Address field, enter the email address you want to receive notifications when intrusion events and audit logs are pruned from the appliance’s database.

6. Click Save Policy and Exit.

The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy on page 324 for more information.

Configuring Intrusion Policy Preferences

Requires: Any

You can allow or require comments to be added to the audit log when an intrusion policy changes. You can also track all changes to intrusion policies in the audit log.

To configure intrusion policy change tracking:

Access: Admin

1. Select Operations > System Policy.

The System Policy page appears.

2. You have two options:

• To modify the intrusion policy preferences in an existing system policy, click Edit next to the system policy.

• To configure the intrusion policy preferences as part of a new system policy, click Create Policy.

Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.

In either case, the Access List page appears.

3. Click Intrusion Policy Preferences.

The Intrusion Policy Preferences page appears.


4. Select Disabled, Optional, or Required from the Comments on policy change drop-down list.

If you select Optional or Required, a Description of Changes text box appears when you commit your intrusion policy changes.

5. Optionally, if you want to track changes to intrusion policies, select Write changes in Intrusion Policy to audit log.

6. Click Save Policy and Exit.

The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy on page 324 for more information.

Specifying a Different Language

Requires: Any

You can use the Language page to specify a different language for the web interface.

WARNING! The language you select here is used for the web interface for every user who logs into the appliance.

To select a different language for the user interface:

Access: Admin

1. Select Operations > System Policy.

The System Policy page appears.

2. You have two options:

• To modify the language settings in an existing system policy, click Edit next to the system policy.

• To configure the language settings as part of a new system policy, click Create Policy.

Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.

In either case, the Access List page appears.

3. Click Language.

The Language page appears.

4. Select the language you want to use.


5. Click Save Policy and Exit.

The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy on page 324 for more information.

Adding a Custom Login Banner

Requires: Any

You can create a custom login banner that appears when users log into the appliance using SSH and on the login page of the web interface. Banners can contain any printable characters except the less-than symbol (<) and the greater-than symbol (>).

Custom login banners are part of the system policy. You can specify the login banner either by creating a new system policy or by editing an existing policy. In either case, the login banner is not used until you apply the system policy.

To add a custom banner:

Access: Admin

1. Select Operations > System Policy.

The System Policy page appears.

2. You have two options:

• To modify the login banner in an existing system policy, click Edit next to the system policy.

• To configure the login banner as part of a new system policy, click Create Policy.

Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.

In either case, the Access List page appears.

3. Click Login Banner.

The Login Banner page appears.

4. In the Custom Login Banner field, enter the login banner that you want to use with this system policy.


5. Click Save Policy and Exit.

The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy on page 324 for more information.

Configuring RNA Settings

Requires: DC/MDC + RNA

You can configure several aspects of RNA behavior through the system policy, including how RNA stores data, what RNA and host input events are logged, which vulnerability types to use for impact assessment, whether identity conflict events are logged, whether operating system and service identity conflicts are automatically resolved, and the priority of active sources of identity data.

For more information, see the following sections:

• Understanding RNA Data Storage Settings on page 342

• Understanding Vulnerability Impact Assessment Settings on page 345

• Understanding Multiple Fingerprint Settings on page 345

• Configuring Settings for RNA on page 347

Understanding RNA Data Storage Settings

Requires: DC/MDC + RNA

RNA data storage settings, as described in the following table, control the kinds of RNA data stored in the database, and therefore determine the data that other parts of the Sourcefire 3D System can use. These settings also control how long data is retained in the network map.

RNA Data Storage Settings

Field Description

Host Timeout The amount of time that passes, in minutes, before RNA drops a host from the network map due to inactivity. The default setting is 10080 minutes (7 days).

IMPORTANT! To avoid premature timeout of hosts, make sure that the host timeout value is longer than the update interval in the RNA detection policy. For more information, see Creating RNA Detection Policies in the Analyst Guide.

Service Timeout The amount of time that passes, in minutes, before RNA drops a service from the network map due to inactivity. The default setting is 10080 minutes (7 days).

IMPORTANT! To avoid premature timeout of services, make sure that the service timeout value is longer than the update interval in the RNA detection policy. For more information, see Creating RNA Detection Policies in the Analyst Guide.


Client Application Timeout

The amount of time that passes, in minutes, before RNA drops a client application from the network map due to inactivity. The default setting is 10080 minutes (7 days).

IMPORTANT! Make sure that the client application timeout value is longer than the update interval in the RNA detection policy. For more information, see Creating RNA Detection Policies in the Analyst Guide.

Drop New Hosts When Host Limit Reached

Select this check box if you want new hosts rather than old hosts dropped when the Defense Center reaches its host limit and the network map is full. This option is especially valuable if you want to prevent spoofed hosts from taking the place of valid hosts in the network map.

Combine Flows for Out-Of-Network Responders

Select this check box if you want to combine flow summaries involving external hosts.

Enabling this option treats flow summary data from IP addresses that are not in your list of monitored networks (as defined by your RNA detection policy) as coming from a single host. Event views, graphs, and reports use external to indicate the hosts outside your monitored network, instead of an individual IP address.

The Defense Center will combine flow summaries involving a host on your monitored network and one or more external hosts if the flows use the same port, protocol, service, and if they were detected by the same detection engine (for flows detected by 3D Sensor) or were exported by the same NetFlow-enabled device and were processed by the same detection engine.

This can reduce the space required to store flow data and can also speed up the rendering of flow data graphs. However, if you enable this option and you attempt to drill down to the table view of flow data (that is, access data on individual flows) for a flow summary that involves an external responder, the table view contains no information.

Note that you can also use the RNA detection policy to force your 3D Sensors to combine flow summaries involving external hosts before they transmit the data to the Defense Center, which can reduce the number of events sent to the Defense Center. However, keep in mind that setting this option in the RNA detection policy requires that you set your flow data mode to Summary, which prevents your 3D Sensors from transmitting individual flows to the Defense Center and therefore prevents you from taking advantage of any feature that requires data from individual flows. For more information, see Combining Flow Summaries from External Responders in the Analyst Guide as well as Configuring RNA Detection Policy Settings in the Analyst Guide.


Drop Duplicate RNA Flow Events

Select this check box if you want the Defense Center to drop duplicate flow events generated by 3D Sensors with RNA.

Duplicate flow events can be created if you use two RNA detection policies, each of which is monitoring a separate network segment using separate detection engines. In that scenario, each detection engine generates a flow event when RNA detects that a connection is terminated between a monitored host on one of the networks and a monitored host on the other network. On the other hand, if you use one policy to monitor both networks, only the reporting detection engine for the flow initiator generates a flow event.

Duplicate flow events can also be created if you overlap network segment coverage with your RNA detection engines in your RNA detection policy.

Note that best practices are to use only one detection policy and to not overlap network segment coverage; not following best practices can degrade performance as the Defense Center attempts to resolve the conflicts, and can also use excessive bandwidth.

Drop Duplicate NetFlow Events

Select this check box if you want the Defense Center to drop duplicate flow events that are based on NetFlow data. Duplicate NetFlow events can be created, for example, if two NetFlow-enabled devices export information about the same session.

Just as with RNA flow events, best practices are to avoid creating duplicate NetFlow events. For more information, see Drop Duplicate RNA Flow Events.
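The two flow-handling options described above, Combine Flows for Out-Of-Network Responders and Drop Duplicate RNA Flow Events, expressed as code. This is an added example, not part of the guide or of Sourcefire's software: the per-flow dictionary layout, the hypothetical monitored-network list, the rule used to recognize a duplicate (same 5-tuple and same end time reported by different detection engines) and the sample flow events are all constructed for illustration. The aggregation key follows the text: same port, protocol, service and detection engine.

```python
"""Flow-summary combining and duplicate dropping, modeled on the RNA data
storage options. Added example; record layout and sample data are constructed."""
from ipaddress import ip_address, ip_network

# Constructed: monitored networks from a hypothetical RNA detection policy.
MONITORED = [ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16")]


def is_monitored(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in MONITORED)


def summary_key(flow: dict, combine_external: bool) -> tuple:
    """Key under which a flow event is aggregated into a flow summary.

    With combine_external=True a responder outside the monitored networks is
    replaced by the literal 'external', so flows from one monitored initiator
    to any outside host on the same port/protocol/service, seen by the same
    detection engine, collapse into a single summary."""
    responder = flow["responder"]
    if combine_external and not is_monitored(responder):
        responder = "external"
    return (flow["initiator"], responder, flow["port"], flow["proto"],
            flow["service"], flow["engine"])


def summarize(flows, combine_external=False) -> dict:
    """Aggregate flow events into summaries: flow count and bytes per key."""
    out = {}
    for f in flows:
        k = summary_key(f, combine_external)
        c = out.setdefault(k, {"flows": 0, "bytes": 0})
        c["flows"] += 1
        c["bytes"] += f["bytes"]
    return out


def drop_duplicate_flow_events(flows) -> list:
    """Keep one event per connection when several detection engines report
    the same terminated connection. Assumption for this example: two events
    are duplicates when they share the 5-tuple and the end time, whichever
    engine reported them."""
    seen = set()
    kept = []
    for f in flows:
        ident = (f["initiator"], f["responder"], f["port"], f["proto"],
                 f["end_time"])
        if ident in seen:
            continue
        seen.add(ident)
        kept.append(f)
    return kept


# Constructed sample flow events (not captured data).
SAMPLE_FLOWS = [
    {"initiator": "10.1.0.5", "responder": "10.2.0.9", "port": 22, "proto": "tcp",
     "service": "ssh", "engine": "de-a", "end_time": 1000, "bytes": 500},
    # the same connection reported again by the engine covering the other segment
    {"initiator": "10.1.0.5", "responder": "10.2.0.9", "port": 22, "proto": "tcp",
     "service": "ssh", "engine": "de-b", "end_time": 1000, "bytes": 500},
    {"initiator": "10.1.0.5", "responder": "203.0.113.7", "port": 443, "proto": "tcp",
     "service": "https", "engine": "de-a", "end_time": 1001, "bytes": 1200},
    {"initiator": "10.1.0.5", "responder": "198.51.100.3", "port": 443, "proto": "tcp",
     "service": "https", "engine": "de-a", "end_time": 1002, "bytes": 800},
]

if __name__ == "__main__":
    deduped = drop_duplicate_flow_events(SAMPLE_FLOWS)
    for key, counts in summarize(deduped, combine_external=True).items():
        print(key, counts)
```

Running the block shows why the guide warns about drill-down: once the two HTTPS flows are folded into the single `external` summary, the individual responder addresses are no longer present in the summary row, so a table view of individual flows for that summary has nothing to show.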


Understanding Vulnerability Impact Assessment Settings

Requires: DC/MDC + RNA

The RNA vulnerability impact assessment settings, as described in the following table, control which vulnerability types to use for impact assessment.

Vulnerability Impact Assessment Settings

Field Description

Vulnerabilities to use for Impact Assessment (Requires: IPS)

Select the check boxes in this section to configure how the Sourcefire 3D System performs impact flag correlation with intrusion events.

• Select the Use RNA Vulnerability Mappings check box if you want to use RNA vulnerability information to perform impact flag correlation.

• Select the Use Third Party Scanner Vulnerability Mappings check box if you are using an integrated scan capability or the AddScanResult host input API function and you want to use vulnerability lookups from the scanner to perform impact flag correlation. For example, if you scan using Nessus, select this option to use the Nessus vulnerability mappings. For more information, see Understanding Nessus Scans in the Analyst Guide or the Sourcefire 3D System Host Input API Guide.

• Select the Third Party Vulnerability Mappings check box if you want to use third-party vulnerability references to perform impact flag correlation. For more information, see Mapping Third-Party Vulnerabilities in the Analyst Guide.

You can select any or all of the check boxes in this section; if IPS generates an intrusion event and the Sourcefire 3D System is able to use any of the methods you specified to determine that the host involved in the event is vulnerable to the attack or exploit, the intrusion event will be marked with the red (Vulnerable) impact flag. Note that if you clear all the check boxes, intrusion events will never be marked with the red impact flag. For more information, see Using Impact Flags to Evaluate Events in the Analyst Guide.

RNA Event Logging

Expand this section and use the check boxes to specify the types of RNA network discovery events that you want to log in the database. See Understanding RNA Network Discovery Event Types in the Analyst Guide for information about each event type.

Host Input Event Logging

Expand this section and use the check boxes to specify the types of RNA host input events that you want to log in the database. See Understanding RNA Host Input Event Types in the Analyst Guide for information about each event type.

Understanding Multiple Fingerprint Settings

Requires: DC + RNA

RNA matches fingerprints for operating systems and services against patterns in traffic to determine what operating system and which services are running on a particular host. To provide the most reliable operating system and service identity information, RNA collates fingerprint information from several sources.


RNA uses all passive data to derive operating system identities and assign a confidence value. For more information on current identities and how RNA selects the current identity, see Enhancing Your Network Map in the Analyst Guide.

By default, unless there is an identity conflict, identity data added by a scanner or application overrides identity data detected by RNA. You can use the Multiple Fingerprinting page to rank scanner and application fingerprint sources by priority. RNA retains one identity for each source, but only data from the highest priority application or scanner source is used as the current identity. Note, however, that user input data overrides scanner and application data regardless of priority.

An identity conflict occurs when RNA detects an identity that conflicts with an existing identity that came from the active scanner or application sources listed on the Multiple Fingerprinting page or from a user. By default, identity conflicts are not automatically resolved and you must resolve them through the host profile or by rescanning the host or re-adding new identity data to override the RNA identity. However, you can set your system to always automatically resolve the conflict by keeping the passive identity or to always resolve it by keeping the active identity, as indicated in the Multiple Fingerprint Settings table.

You can add new active sources through this page, or change the priority or timeout settings for existing sources. Note that adding a scanner to this page does not add the full integration capabilities that exist for the Nmap and Nessus scanners, but does allow integration of imported application or scan results. If you import data from a third-party application or scanner, remember to make sure that you map vulnerabilities from the source to the RNA vulnerabilities in the network map. For more information, see Mapping Third-Party Vulnerabilities in the Analyst Guide.
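The current-identity selection and conflict handling described above, as an added example that is not part of the guide or of Sourcefire's software. It assumes a ranked list of hypothetical active sources (a scanner and an application) with per-source timeouts, the three Automatically Resolve Conflicts modes named in the text, and constructed identity records; the precedence it encodes is the one the text gives (user input over the highest-priority active source over the passive RNA fingerprint). How a conflict left in Disabled mode is displayed until someone resolves it in the host profile is an assumption of the example.

```python
"""Current-identity selection for one host, modeled on the Multiple Fingerprint
settings. Added example; sources, timeouts and sample identities are constructed."""

# Constructed source ranking: lower index = higher priority; timeout in seconds
# (the guide's Hours/Days/Weeks timeout for identities added by this source).
ACTIVE_SOURCES = [
    {"name": "corp-nessus", "type": "Scanner", "timeout": 7 * 86400},
    {"name": "cmdb-sync", "type": "Application", "timeout": 30 * 86400},
]
RESOLVE_DISABLED, RESOLVE_PASSIVE, RESOLVE_ACTIVE = "Disabled", "Passive", "Active"


def live_identities(identities, now):
    """Drop identities from active sources that are older than the source's
    timeout. Passive (rna) and user identities carry no timeout here."""
    timeouts = {s["name"]: s["timeout"] for s in ACTIVE_SOURCES}
    kept = []
    for ident in identities:
        t = timeouts.get(ident["source"])
        if t is None or now - ident["added"] <= t:
            kept.append(ident)
    return kept


def current_identity(identities, now, resolve=RESOLVE_DISABLED):
    """Return (identity, conflict) for a host.

    Precedence: user input > highest-priority active source > RNA fingerprint.
    A conflict exists when the RNA fingerprint disagrees with the winning user
    or active identity; conflict=True means an identity conflict event would be
    generated, and the returned identity follows the resolve mode."""
    ids = live_identities(identities, now)
    user = [i for i in ids if i["source"] == "user"]
    rank = {s["name"]: n for n, s in enumerate(ACTIVE_SOURCES)}
    active = sorted((i for i in ids if i["source"] in rank),
                    key=lambda i: rank[i["source"]])
    passive = [i for i in ids if i["source"] == "rna"]

    preferred = (user or active or [None])[0]
    if preferred is None:
        return (passive[0] if passive else None), False
    if not passive or passive[0]["os"] == preferred["os"]:
        return preferred, False
    # Identity conflict: the passive fingerprint disagrees with the user/active identity.
    if resolve == RESOLVE_PASSIVE:
        return passive[0], True
    # RESOLVE_ACTIVE keeps the user/active identity. Assumption for RESOLVE_DISABLED:
    # the user/active identity stays current while the conflict awaits manual resolution.
    return preferred, True


# Constructed sample: one host seen by RNA, an application and an expired scan.
NOW = 1_700_000_000
SAMPLE_IDENTITIES = [
    {"source": "rna", "os": "Linux 2.6", "added": NOW - 3600},
    {"source": "cmdb-sync", "os": "Windows Server 2008", "added": NOW - 86400},
    {"source": "corp-nessus", "os": "Linux 2.6", "added": NOW - 10 * 86400},  # past 7-day timeout
]

if __name__ == "__main__":
    for mode in (RESOLVE_DISABLED, RESOLVE_PASSIVE, RESOLVE_ACTIVE):
        ident, conflict = current_identity(SAMPLE_IDENTITIES, NOW, mode)
        print(mode, ident["source"], ident["os"], "conflict" if conflict else "")
```

The sample is deliberately built so that the higher-priority scanner identity has timed out: the application identity then wins and conflicts with the passive fingerprint, which is exactly the situation in which the timeout and priority settings on this page decide what the host profile shows.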

Multiple Fingerprint Settings

Option Description

Generate Identity Conflict Event

Enable this option to generate an event when an identity conflict occurs on a host in the network map.

Automatically Resolve Conflicts

You have the following options:

• To force manual conflict resolution of identity conflicts, select Disabled from the Automatically Resolve Conflicts drop-down list.

• To use the RNA fingerprint when an identity conflict occurs, select Passive from the Automatically Resolve Conflicts drop-down list.

• To use the current identity from the highest priority active source when an identity conflict occurs, select Active from the Automatically Resolve Conflicts drop-down list.

Scanner/Application List

You have several options:

• To add a new source, click Add in the Multiple Fingerprints page of the system policy. Type a name for the source.

• To change the type of source, select Scanner or Application from the Type drop-down list.

• To indicate the duration of time that should elapse between the addition of an identity to the network map by this source and the deletion of that identity, select Hours, Days, or Weeks from the Timeout drop-down list and type the appropriate duration.

• To promote a source and cause the operating system and service identities to be used in favor of sources below it in the list, click the up arrow next to the source name.

• To demote a source and cause the operating system and service identities to be used only if there are no identities provided by sources above it in the list, click the down arrow next to the source name.

Configuring Settings for RNA

Requires: DC + RNA

Use the following procedure to configure RNA settings in the system policy.

To specify RNA settings:

Access: Admin 1. Select Operations > System Policy.

The System Policy page appears.

2. You have two options:

• To modify the RNA settings in an existing system policy, click Edit next to the system policy.

• To configure the RNA settings as part of a new system policy, click Create Policy.

Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.

In either case, the Access List page appears.

3. Click RNA Settings.

The RNA Settings page appears.

4. Specify the RNA data storage settings that you want for your Defense Center.

See the RNA Data Storage Settings table on page 342 for more information.


5. Optionally, specify the RNA network discovery events that you want to log by clicking the arrow next to RNA Event Logging. All the event types are enabled by default.

See the RNA Network Discovery Event Types table in the Analyst Guide for more information.

6. Optionally, specify the RNA host input events that you want to log by clicking the arrow next to Host Input Event Logging. All the event types are enabled by default.

See the RNA Host Input Event Types table in the Analyst Guide for more information.

7. Optionally, configure multiple fingerprint settings to manage operating system and service source priorities and identity conflict resolution settings.

See the Multiple Fingerprint Settings table on page 347 for more information.

8. Click Save Policy and Exit.

The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy on page 324 for more information.

Configuring RNA Subnet Detection Settings

Requires: DC + RNA

Optimally, your RNA detection policy specifies that each RNA detection engine is configured as the reporting detection engine for the hosts that are closest to it from a network hop standpoint.

Unfortunately, you may not always be kept abreast of network configuration changes. A network administrator may modify a network configuration through routing or host changes without informing you, which can make it challenging to stay on top of proper RNA policy configurations. Subnet detection allows RNA to make recommendations about which are the best detection engines to analyze the traffic on the various network segments in your organization.

As RNA continuously monitors your network traffic, it may be able to refine any subnet recommendations it has made for your RNA detection policies, especially if your network configuration has been altered through routing or host changes. Choosing which subnets to monitor with which detection engines is an iterative process that you should revisit from time to time.

Alternately, as a time-saving and performance-maximizing measure, you can use the system policy to configure RNA to automatically generate subnet recommendations for your currently applied RNA detection policies on a daily basis. Optionally, you can configure the Defense Center to automatically update those policies and apply the updated policies to your RNA detection engines.

If you do not configure the Defense Center to automatically apply subnet recommendations, you must revisit the detection policy after you apply it for the first time so that you can manually evaluate and apply any subnet recommendations. This is because RNA only gathers secondary information (hops and MAC address data) about hosts in subnets that are set to autodetect. To get detailed information about the hosts in a subnet, including operating system and service identity data, flow data, and so on, you must explicitly assign an RNA detection engine to monitor that subnet.

The following diagram illustrates the automated subnet detection process. Note that you can configure the Defense Center to notify you of subnet recommendations via email so that you can make the changes manually, or, if you configured the Defense Center to automatically apply recommendations, to notify you of any changes made.


For more information on subnet detection, see Introduction to Sourcefire RNA in the Analyst Guide.

IMPORTANT! For performance reasons, RNA only automatically generates recommendations for RNA deployments running on Version 4.9 and later 3D Sensors. If your RNA deployment includes even one legacy (pre-Version 4.9) 3D Sensor, you must manually generate and apply recommendations for your RNA detection policies. For more information, see Manually Generating Subnet Recommendations in the Analyst Guide.

To configure RNA subnet detection settings:

Access: Admin 1. Select Operations > System Policy.

The System Policy page appears.

2. You have two options:

• To modify the RNA subnet detection settings in an existing system policy, click Edit next to the system policy.

• To configure the RNA subnet detection settings as part of a new system policy, click Create Policy.

Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.

In either case, the Access List page appears.

3. Click RNA Subnet Detection Settings.

The RNA Subnet Detection Settings page appears.

4. Optionally, in the Mail Notifications To field, enter the email address where you want to receive notifications of new subnet recommendations.

TIP! To receive email notifications, you must configure a valid mail relay host; see Configuring a Mail Relay Host and Notification Address on page 338.

5. From the Generate Recommendations Daily At drop-down list, select the time when you want RNA to automatically generate daily subnet recommendations for all applied RNA detection policies.

To disable daily generation of subnet recommendations, select Disabled.


6. Enable the Automatically Apply Daily Recommendations check box to automatically update and apply your RNA detection policies after RNA generates subnet recommendations.

Note that this option has no effect unless you enable daily recommendations.

7. Click Save Policy and Exit.

The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy on page 324 for more information.

Configuring RUA Settings

Requires: DC + RUA

You can use the RUA settings in the system policy to filter which types of network activity cause RUA to add users to the database.

Sourcefire RUA (see Using Sourcefire RUA in the Analyst Guide) is an optional component of the Sourcefire 3D System that allows you to correlate network activity with user identity information. When RUA detects a user login for a user who is not already in the database, an RUA user is added to the Defense Center user database. RUA can add users to the database using the following types of detected protocols:

• LDAP

• AIM

• POP3

• IMAP

• Oracle

• SIP (VoIP)

Note that although RUA detects SMTP logins, the Defense Center does not record them unless there is already a user with a matching email address in the database; RUA users are not added to the database based on SMTP logins.

The RUA feature license on the Defense Center (see Licensing RUA in the Analyst Guide) specifies the number of users you can monitor with RUA. After you reach your licensed limit, RUA stops adding new users to the Defense Center database.

Restricting RUA helps minimize username clutter and preserve RUA licenses. For example, obtaining usernames through protocols such as AIM, POP3, and IMAP can introduce usernames not relevant to your organization due to network access from contractors, visitors, and other guests. In addition, AIM, Oracle, and SIP logins always create duplicate user records. This is because these logins are not associated with any of the user metadata that RUA obtains from an LDAP server, nor are they associated with any of the information contained in the other types of login that your 3D Sensors detect.

IMPORTANT! Sourcefire RUA Agents installed on Microsoft Active Directory LDAP servers collect only LDAP user login information. Therefore, unless your RUA implementation includes 3D Sensors with RUA, filtering non-LDAP logins has no effect. For more information on RUA Agents and 3D Sensors with RUA, see How Do I Choose an RUA Implementation? in the Analyst Guide.

To filter RUA users based on network activity type:

Access: Admin 1. Select Operations > System Policy.

The System Policy page appears.

2. You have two options:

• To modify the RUA settings in an existing system policy, click Edit next to the system policy.

• To configure the RUA settings as part of a new system policy, click Create Policy.

Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.

In either case, the Access List page appears.

3. Click RUA Settings.

The RUA Detection Settings page appears.

4. Select the check boxes that correspond to the types of logins that will create RUA users.

By default, all login types cause RUA to add users to the database.

5. Click Save Policy and Exit.

The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy on page 324 for more information.


Synchronizing Time

Requires: Any

You can manage time synchronization on the appliance using the Time Synchronization page. You can choose to synchronize the time:

• manually

• using one or more NTP servers (one of which can be a Defense Center)

Time settings are part of the system policy. You can specify the time settings either by creating a new system policy or by editing an existing policy. In either case, the time setting is not used until you apply the system policy.

Note that time settings are displayed on most pages on the appliance in local time using the time zone you set on the Time Zone page (America/New York by default), but are stored on the appliance itself using UTC time. In addition, the current time appears in UTC at the top of the Time Synchronization page (local time is displayed in the Manual clock setting option, if enabled).

You must use native applications, such as command line interfaces or the operating system interface, to manage time settings for software sensors:

• For more information on configuring settings for Crossbeam Systems Switches, see the Sourcefire 3D Sensor Software for X-Series Installation Guide.

• For more information on configuring settings for RNA Software for Red Hat Linux, see the Sourcefire RNA Software for Red Hat Linux Configuration Guide.

• You manage time settings on an Intrusion Agent through the operating system.

You can synchronize the appliance’s time with an external time server. If you specify a remote NTP server, your appliance must have network access to it. Connections to NTP servers do not use configured proxy settings. To use the Defense Center as an NTP server, see Serving Time from the Defense Center on page 357.

Sourcefire recommends that you synchronize your virtual appliances to a physical NTP server. Do not synchronize your 3D Sensors (virtual or physical) to a Virtual Defense Center.

The procedure for synchronizing time differs slightly depending on whether you are using the web interface on a Defense Center or a 3D Sensor. Each procedure is explained separately below.

To synchronize time on the Defense Center:

Access: Admin 1. Select Operations > System Policy.

The System Policy page appears.


2. You have two options:

• To modify the time settings in an existing system policy, click Edit next to the system policy.

• To configure the time settings as part of a new system policy, click Create Policy.

Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.

In either case, the Access List page appears.

3. Click Time Synchronization.

The Time Synchronization page appears.

4. If you want to serve time from the Defense Center to your managed sensors, in the Serve time via NTP drop-down list, select Enabled.

Note that if you set this option to Enabled and then apply the system policy to a sensor rather than a Defense Center, this value is ignored. Only Defense Centers can act as NTP servers.

5. You have two options for specifying how the time is synchronized on the appliance:

• To set the time manually, select Manually in the System Settings. See Setting the Time Manually on page 389 for information about setting the time after you apply the system policy.

• To receive time through NTP from a different server, select Via NTP Server from and, in the text box, type a comma-separated list of IP addresses for the NTP servers you want to use or, if DNS is enabled, type the fully qualified host and domain names.

WARNING! If the appliance is rebooted and your DHCP server sets an NTP server record different than the one you specify here, the DHCP-provided NTP server will be used instead. To avoid this situation, you should configure your DHCP server to set the same NTP server.


6. Click Save Policy and Exit.

The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy on page 324 for more information.

IMPORTANT! It may take a few minutes for the appliance to synchronize with the configured NTP servers.

To synchronize time on a 3D Sensor:

Access: Admin 1. Select Operations > System Policy.

The System Policy page appears.

2. You have two options:

• To modify the time settings in an existing system policy, click Edit next to the system policy.

• To configure the time settings as part of a new system policy, click Create Policy.

Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.

In either case, the Access List page appears.

3. Click Time Synchronization.

The Time Synchronization page appears.

4. You have two options for specifying how time is synchronized on the 3D Sensor:


• To set the time manually, select Manually in the System Settings. See Setting the Time Manually on page 389 for information about setting the time after you apply the system policy.

• To receive time through NTP from different servers, select Via NTP Server from and, in the text box, type a comma-separated list of IP addresses of the NTP servers or, if DNS is enabled, type the fully qualified host and domain names.

5. Click Save Policy and Exit.

The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy on page 324 for more information.

IMPORTANT! It may take a few minutes for the 3D Sensor to synchronize with the configured NTP servers. In addition, if you are synchronizing the 3D Sensor to a Defense Center that is configured as an NTP server, and the Defense Center itself is configured to use an NTP server, it may take some time for the time to synchronize. This is because the Defense Center must first synchronize with its configured NTP server before it can serve time to the 3D Sensor.

Serving Time from the Defense Center

Requires: DC/MDC You can configure the Defense Center as a time server using NTP and then use it to synchronize time between the Defense Center and managed 3D Sensors.

TIP! You cannot set the time manually after configuring the Defense Center to serve time using NTP. If you need to manually change the time, you should do so before configuring the Defense Center to serve time using NTP. If you need to change the time manually after configuring the Defense Center as an NTP server, disable the Via NTP option and click Save, change the time manually and click Save, and then enable Via NTP and click Save.

IMPORTANT! If you configure the Defense Center to serve time using NTP, and then later disable it, the NTP service on managed sensors will still attempt to synchronize time with the Defense Center. You must disable NTP from the managed sensors’ web interfaces to stop the synchronization attempts.

To configure the Defense Center as an NTP server:

Access: Admin 1. On the Defense Center, select Operations > System Policy.

The System Policy page appears.


2. You have two options:

• To modify the NTP server settings in an existing system policy, click Edit next to the system policy.

• To configure the NTP server settings as part of a new system policy, click Create Policy.

Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.

In either case, the Access List page appears.

3. Click Time Synchronization.

The Time Synchronization page appears.

4. From the Serve Time via NTP drop-down list, select Enabled.

5. In the Set My Clock option for the sensors, select Via NTP from Defense Center.

6. Click Save Policy and Exit.

The system policy is updated. Your changes do not take effect until you apply the system policy to the Defense Center and its managed sensors. See Applying a System Policy on page 324 for more information.

IMPORTANT! It may take a few minutes for the Defense Center to synchronize with its managed sensors.

Mapping Vulnerabilities for Services

Requires: DC/MDC

RNA automatically maps vulnerabilities to a host for any service traffic received or sent by the host, when the service has a service ID in the RNA database and the packet header for the traffic includes a vendor and version.

However, many services do not include vendor and version information. For the services listed in the system policy, you can configure whether RNA associates vulnerabilities with service traffic for vendor and versionless services.

For example, a host receives SMTP traffic that does not have a vendor or version in the header. If you enable the SMTP service on the Vulnerability Mapping page of a system policy, then apply that policy to the Defense Center managing the sensor that detects the traffic, all vulnerabilities associated with SMTP applications are added to the host profile for the host.

Note that although custom RNA detectors collect service information and add it to host profiles, that service information is not used for vulnerability mapping, because you cannot specify a vendor or version for a custom service and cannot select the service for vulnerability mapping in the system policy.
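As an added illustration (not code from the Sourcefire guide), the following Python models the mapping rule described above: a vendor and version in the header select matching vulnerabilities, a versionless service contributes every vulnerability for that service only when it is checked on the Vulnerability Mapping page, and custom services contribute nothing. The vulnerability entries, the exact vendor-and-version matching rule, and the function names are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ServiceObservation:
    """One service seen in traffic to or from a host, as RNA would record it."""
    name: str                      # service name, e.g. "smtp"
    vendor: Optional[str] = None   # vendor from the packet header, if present
    version: Optional[str] = None  # version from the packet header, if present
    custom: bool = False           # detected by a custom (user-created) RNA detector


# Constructed sample of the vulnerability database: service -> (vendor, version, vuln_id).
# These entries are invented for the example; real RNA data is far larger.
VULN_DB = {
    "smtp": [
        ("Sendmail", "8.12", "SMTP-VULN-1"),
        ("Sendmail", "8.13", "SMTP-VULN-2"),
        ("Postfix", "2.3", "SMTP-VULN-3"),
    ],
    "ssh": [
        ("OpenSSH", "4.3", "SSH-VULN-1"),
        ("OpenSSH", "5.1", "SSH-VULN-2"),
    ],
}


def map_vulnerabilities(obs, policy_enabled):
    """Return the vulnerability IDs RNA adds to the host profile for one observation.

    policy_enabled is the set of service names checked on the Vulnerability
    Mapping page of the applied system policy.
    """
    # Custom services carry no vendor/version and cannot be selected in the
    # system policy, so they never contribute vulnerabilities.
    if obs.custom:
        return set()
    # The service must have a service ID in the RNA database.
    entries = VULN_DB.get(obs.name)
    if entries is None:
        return set()
    if obs.vendor and obs.version:
        # Assumption for this example: an exact vendor + version match selects
        # the vulnerabilities; the guide does not spell out the matching rule.
        return {vid for vendor, version, vid in entries
                if vendor == obs.vendor and version == obs.version}
    # No vendor/version in the header: map every vulnerability for the service,
    # but only if the service is enabled for versionless mapping in the policy.
    if obs.name in policy_enabled:
        return {vid for _, _, vid in entries}
    return set()


def build_host_profile(observations, policy_enabled):
    """Union of mapped vulnerabilities across all observations for one host."""
    vulns = set()
    for obs in observations:
        vulns |= map_vulnerabilities(obs, policy_enabled)
    return vulns


def mapping_delta(observations, service):
    """Count the vulnerabilities that enabling versionless mapping for `service` adds.

    A large delta means many unconfirmed vulnerabilities (and therefore more
    impact flags) will be attributed to hosts that merely see that traffic.
    """
    before = build_host_profile(observations, set())
    after = build_host_profile(observations, {service})
    return len(after - before)


if __name__ == "__main__":
    # Constructed traffic for one host.
    host_traffic = [
        ServiceObservation("smtp"),                    # header had no vendor/version
        ServiceObservation("ssh", "OpenSSH", "4.3"),   # fully identified
        ServiceObservation("myapp", custom=True),      # custom detector
    ]
    print("SMTP unchecked:", sorted(build_host_profile(host_traffic, set())))
    print("SMTP checked:  ", sorted(build_host_profile(host_traffic, {"smtp"})))
    print("added by checking SMTP:", mapping_delta(host_traffic, "smtp"))
```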


To configure vulnerability mapping for services:

Access: Admin 1. Select Operations > System Policy.

The System Policy page appears.

2. You have two options:

• To modify vulnerability mapping settings in an existing system policy, click Edit next to the system policy.

• To configure vulnerability mapping settings as part of a new system policy, click Create Policy.

Provide a name and description for the system policy as described in Creating a System Policy on page 321, and click Save.

In either case, the Access List page appears.

3. Click Vulnerability Mapping.

The Vulnerability Mapping page appears.

4. You have two options:

• To prevent vulnerabilities for a service from being mapped to hosts that receive service traffic without vendor or version information, clear the check box for that service.

• To cause vulnerabilities for a service to be mapped to hosts that receive service traffic without vendor or version information, select the check box for that service.

TIP! You can select or clear all check boxes at once using the check box next to Enable.

5. Click Save Policy and Exit.

The system policy is updated. Your changes do not take effect until you apply the system policy to the Defense Center and its managed sensors. See Applying a System Policy on page 324 for more information.


Chapter 10

Configuring System Settings

The system settings include a series of linked pages that you can use to view and modify settings on your appliance. Contrast the system settings, which are likely to be specific to a single appliance, with a system policy, which controls aspects of an appliance that are likely to be similar across a deployment. See Managing System Policies on page 320 for more information.


The System Settings Options table describes the options you can configure in the system settings.

System Settings Options

Option: Description

Information: Allows you to view current information about the appliance. You can also change the appliance name. See Viewing and Modifying the Appliance Information on page 362 for more information.

License: Provides you with options for managing your current licenses and for adding additional feature licenses on the platforms that support them. See Understanding Licenses on page 364 for more information.

Network: Enables you to change options such as the IP address, hostname, and proxy settings of the appliance that were initially set up as part of the installation. See Configuring Network Settings on page 377 for more information.

Network Interface: Allows you to view and modify the settings for the network interfaces on your appliance. See Editing Network Interface Configurations on page 380 for more information.

Process: Provides options that you can use to:

• shut down the appliance

• reboot the appliance

• restart the Sourcefire 3D System-related processes

See Shutting Down and Restarting the System on page 382 for more information.

Remote Management: On the 3D Sensor, enables you to establish communications with a Defense Center from the sensor. See Configuring Remote Access to the Defense Center on page 386 for more information. On the Defense Center, enables you to specify values for the internal network and management port that the Defense Center uses to communicate with its managed sensors and high availability peer. See Configuring the Communication Channel on page 383 for more information.

Time: Displays the current time. If the time synchronization setting in the current system policy for the appliance is set to Manual, then you can use this page to change the time. See Setting the Time Manually on page 389 for more information.

Health Blacklist: On the Defense Center, allows you to temporarily disable health monitoring for a 3D Sensor to prevent the Defense Center from generating unnecessary health events. See Blacklisting Health Modules on page 391 for more information.

NetFlow Devices: On the Defense Center, allows you to specify the NetFlow-enabled devices you want to use to collect flow data. See Specifying NetFlow-Enabled Devices on page 392 for more information.

Remote Storage: On Series 2 DC1000 and DC3000 Defense Centers, allows you to configure remote storage for backups and reports. See Managing Remote Storage on page 393 for more information.

To configure the system settings:

Access: Admin Select Operations > System Settings.

The Information page appears, with a list on the left side of the page that you can use to access other system settings. The Series 2 DC1000 or DC3000 Defense Center version of this page is shown below.

Viewing and Modifying the Appliance Information

Requires: Any

The Information page provides you with information about the Defense Center or 3D Sensor. The information includes view-only information such as the product name and model number, the operating system and version, and the current appliance-level policies. The page also provides you with an option to change the name of the appliance.

IMPORTANT! You cannot view sensor information for Intrusion Agents.


The Appliance Information table describes each field.

Appliance Information

Field: Description

Name: A name you assign to the appliance. Note that this name is only used within the context of the Sourcefire 3D System. Although you can use the hostname as the name of the appliance, entering a different name in this field does not change the hostname.

Product Model: The model name for the appliance.

Software Version: The version of the software currently installed.

Store Events Only on Defense Center: Enable this check box to store event data on the Defense Center, but not the managed sensor. Clear this check box to store event data on both appliances.

Prohibit Packet Transfer to the Defense Center: Enable this check box to prevent the managed sensor from sending packet data with the events. Clear this check box to allow packet data to be stored on the DC with events.

Operating System: The operating system currently running on the appliance.

Operating System Version: The version of the operating system currently running on the appliance.

IP Address: The IP address of the appliance.

Current Policies: The appliance-level policies currently applied to the appliance. If a policy has been updated since it was last applied, the name of the policy appears in italics.

Model Number: The model number for the appliance. This number can be important for troubleshooting.


To modify the appliance information:

Access: Admin 1. Select Operations > System Settings.

The Information page appears. The Defense Center version of the page is shown below.

For comparison, the 3D Sensor version of the page is shown below.

2. To change the appliance name, type a new name in the Name field.

WARNING! The name must consist of alphanumeric characters and should not be composed of numeric characters only.

3. To save your changes, click Save.

The page refreshes and your changes are saved.

Understanding Licenses

Requires: Any

You can license a variety of products and features to create your optimal deployment. For Defense Centers, the Sourcefire 3D System requires that you enable IPS by applying a product license file to each appliance as part of the installation process. You can also add feature licenses such as RNA host licenses and Intrusion Agent licenses.


See the following for more information:

• Understanding Feature Licenses on page 366

• Verifying Your Product License on page 368

• Managing Your Feature Licenses on page 370

You can use a variety of appliances and optional features in your deployment. To understand why and when to use these licenses, see the Sourcefire Licenses table on page 365.

TIP! You can view your licenses by using the Product Licensing widget in the dashboard. See Understanding the Product Licensing Widget on page 84 for more information.

Sourcefire Licenses

You apply a Product License to a 3D Sensor or a Defense Center during installation so that you can use IPS on that appliance.

For information on adding a product license, see the Sourcefire 3D Sensor Installation Guide and the Sourcefire Defense Center Installation Guide.

For information on IPS, see Introduction to Sourcefire IPS in the Sourcefire 3D System Analyst Guide.

You apply a Feature License to a Defense Center at any time so that you can use additional features such as RNA, RUA, and so on.

For information on how the various features function, see Understanding Feature Licenses on page 366.

For information on how to add a feature license, see Adding Feature Licenses on page 370.

You apply a Virtual License to a Defense Center at any time so that you can use virtual machines.

For information on how to use virtual appliances, see the Sourcefire Virtual Defense Center and 3D Sensor Installation Guide.


Understanding Feature Licenses

The Feature Licenses table describes how to determine which features to license for your deployment.

Feature Licenses

If you want to capture and export data about the traffic that passes through NetFlow-enabled devices, you need a license for NetFlows.

If you want to monitor hosts on your network (including hosts discovered by NetFlow-enabled devices) to observe your network traffic and analyze a complete, up-to-the-minute profile of your network, you need a license for RNA Hosts.

If you want to correlate threat, endpoint, and network intelligence with user identity information, you need a license for RUA Users.

If you want to identify the source of policy breaches, attacks, or network vulnerabilities, you need a license for RUA Users and either RNA Hosts or the product license (or both).

If you want to transmit events generated by open source Snort installations to the Defense Center, you need a license for Intrusion Agents.

If you want IPS for use with Crossbeam Systems X-Series, you need a license for IPS Software Sensors.

NetFlow

NetFlow is an embedded instrumentation within Cisco IOS Software that characterizes network operation. Standardized through the RFC process, NetFlow is available not only on Cisco networking devices, but can also be embedded in Juniper, FreeBSD, and OpenBSD devices.

NetFlow-enabled devices are widely used to capture and export data about the traffic that passes through those devices. The NetFlow cache stores a record of every flow (a sequence of packets that represents a connection between a source and destination host) that passes through the devices. You can deploy NetFlow-enabled devices on networks that your sensors cannot monitor, and use NetFlow data to monitor those networks.

You must use a Defense Center to configure NetFlow data collection and to view the collected data, and your deployment must include at least one 3D Sensor with RNA that can communicate with your NetFlow-enabled devices. Although you can use NetFlow-enabled devices exclusively to monitor your network, the Sourcefire 3D System uses RNA detection engines on 3D Sensors to analyze NetFlow data. For more information, see Introduction to NetFlow in the Sourcefire 3D System Analyst Guide.


RNA Host

Sourcefire RNA allows your organization to confidently monitor and protect your network using a combination of forensic analysis, behavioral profiling, and built-in alerting and remediation. 3D Sensors with RNA passively observe your organization’s network traffic and analyze it to provide you with a complete, up-to-the-minute profile of your network.

By default, RNA is installed on most 3D Sensors. (The 3D9800 does not support RNA.) Sourcefire also makes key components of RNA available in installation packages for Red Hat Linux servers and Crossbeam Systems security switches. However, to control how network intelligence is gathered and to view the resulting information, you must manage 3D Sensors with RNA with a Defense Center. In addition, to enable RNA functionality, that Defense Center must have an RNA host license installed and the 3D Sensor must have a product license installed. For more information, see Introduction to Sourcefire RNA in the Sourcefire 3D System Analyst Guide.

RUA Host

Sourcefire Real-time User Awareness, also called RUA, allows your organization to correlate threat, endpoint, and network intelligence with user identity information. By linking network behavior, traffic, and events directly to individual users, RUA can help you to identify the source of policy breaches, attacks, or network vulnerabilities, as well as mitigate risk, block users or user activity, and take action to protect others from disruption. These capabilities also significantly improve audit controls and enhance regulatory compliance.

All RUA deployments require a Defense Center that has an RUA feature license installed. If your organization uses LDAP, you can use the user information on your LDAP server to augment the Defense Center’s database of user identity information with available metadata. For more information, see Using Sourcefire RUA in the Sourcefire 3D System Analyst Guide.

Intrusion Agent

If you have an existing installation of Snort®, you can install an Intrusion Agent to forward intrusion events to a Defense Center. You can then analyze the events detected by Snort alongside your other data.

Although you cannot manage policies or rules for an Intrusion Agent from the Defense Center, you can do analysis and reporting on those events. If the network map on the Defense Center has entries for the target host in a given event, the Defense Center assigns impact flags to the events. You can continue to manually tune Snort rules and preprocessors with the Intrusion Agent in place. For more information, see Sourcefire 3D System Intrusion Agent Configuration Guide.


IPS Software Sensor

An IPS Software Sensor allows you to use 3D Sensor Software for X-Series on a Crossbeam® Next Generation Security Platform to gather network intelligence and intrusion information. For more information, see Sourcefire Crossbeam Installation Guide XOS.

For information on adding, viewing, and deleting feature licenses, see Managing Your Feature Licenses on page 370.

Verifying Your Product License

Requires: Any

During installation, the user who sets up the appliance adds the software license as part of the process. In most cases, you do not need to re-install the license.

To verify the product license file:

Access: Admin 1. Select Operations > System Settings.

The Information page appears.

2. Click License.

The License page appears.


3. Under Product Licenses, click Edit.

The Manage License page appears.

4. Click Verify License.

• If the license file is valid, a message appears under the License field. Do not proceed to step 5.

• If the license file is invalid, you will receive an error message. Continue with step 5 to obtain a license and install it.

5. Click Get License.

The Licensing Center web site appears.

IMPORTANT! If your web browser cannot access the Internet, you must switch to a host that can access it. Copy the license key at the bottom of the page and browse to https://keyserver.sourcefire.com/.

6. Follow the on-screen instructions for an appliance license to obtain your license file, which will be sent to you in an email.

7. Copy the license file from the email, paste it into the License field (as shown in Step 3), and click Submit License.

If the license file is correct, the license is added to the appliance, and the features for the appliance are available in the web interface.

IMPORTANT! If you purchased a feature license, click Add New License and add it using the Add Feature License page. For more information about feature licenses, see Managing Your Feature Licenses on page 370.


Managing Your Feature Licenses

Requires: DC

The Defense Center uses feature licenses to allow for additional features. Feature licenses include:

• NetFlow licenses, which specify the number of NetFlow-enabled devices you can use to gather flow data

• RNA host licenses, which specify the number of hosts that you can monitor with RNA

• RUA licenses, which allow you to use the RUA feature

• Intrusion Agent licenses, which allow you to use intrusion agents

• 3D Virtual Sensor licenses, which allow you to use virtual sensors in your deployment

• IPS licenses for Crossbeam, which allow you to use 3D Sensor Software with IPS on Crossbeam Systems security switches

When you purchase license packs for any licensable feature, you must add them to the Defense Center from the web interface.

See the following sections for more information:

• Adding Feature Licenses on page 370

• Viewing Feature Licenses on page 372

• Configuring Network Settings on page 377

Adding Feature Licenses

Requires: DC If you need to obtain a feature license for a feature you purchased, you can request it from the web interface. Before beginning, you should have the 12-digit feature license serial number provided by Sourcefire when you purchased the licensable feature. If you do not have the serial number, you can find it by logging into the Sourcefire Support Site (https://support.sourcefire.com/), clicking Account, then clicking Products & Contracts. The serial number appears in the Sourcefire Software & Licenses section.

IMPORTANT! Both Defense Centers in a high-availability pair must have NetFlow licenses for at least the number of NetFlow-enabled devices you are using. If one Defense Center does not have a NetFlow license, it will not receive data from your NetFlow-enabled devices.


To add a license:

Access: Admin 1. Select Operations > System Settings.

The Information page appears.

2. Click License.

The License page appears.

3. Click Add New License.

The Add Feature License page appears.


4. Click Get License.

The Licensing Center web site appears.

IMPORTANT! If your web browser cannot access the Internet, you must switch to a host that can access it. Copy the license key at the bottom of the page and browse to https://keyserver.sourcefire.com/.

5. Follow the on-screen instructions for a feature license to obtain your license file, which will be sent to you in an email.

6. After you receive an email with the feature license file, copy the license file from the email, paste it into the License field, and click Submit License.

If the license file is correct, the license is added to the appliance, and the licensed feature is available. You can repeat this process for each feature license you need to add.

TIP! Your Defense Center can have multiple feature licenses (for example, one or more licenses for RNA Hosts in addition to one or more licenses for Intrusion Agents, RUA, and so on). Note that there is only one product license.

Viewing Feature Licenses

Requires: DC The License page displays the product and feature licenses that you have added to the Defense Center.

The first license that appears is the Defense Center’s product license, which shows the license status, model code, node (MAC address), and expiration date, and provides a link that allows you to view or edit the license. For more information about viewing and modifying product licenses, see Verifying Your Product License on page 368.

If you have feature or host licenses installed, they appear itemized below the product license. A summary of your licenses appears below the itemized list, and shows the total number of hosts, connections, exporters, virtual appliances, or users allowed by the sum of your feature or host licenses.

TIP! You can also view licenses by using the Product Licensing widget on the dashboard. See Understanding the Product Licensing Widget on page 84 for more information.


The NetFlow License Columns table describes each column that appears in a NetFlow license.

NetFlow License Columns

Column: Description

Feature ID: Displays the ID number that corresponds with the feature being licensed.

Serial Number: Displays the feature serial number.

Status: Indicates if the license is valid, invalid, or if a temporary license has expired.

Model: Displays the appliance model number.

Allowed NetFlow Exporters: Lists the number of NetFlow-enabled devices that the license allows you to use.

Node: Displays the appliance’s MAC address.

Expires: Displays the date and time that the feature license expires.

Action: Allows you to delete the feature license by clicking Delete.

The RNA Host License Columns table describes each column that appears in an RNA host license.

RNA Host License Columns

Column: Description

Feature ID: Displays the ID number that corresponds with the feature being licensed.

Serial Number: Displays the feature serial number.

Status: Indicates if the license is valid, invalid, or if a temporary license has expired.

Number of Hosts: Lists the number of monitored hosts added by the license.

Model: Displays the appliance model number.

Node: Displays the appliance’s MAC address.

Expires: Displays the date and time that the feature license expires.

Action: Allows you to delete the host license by clicking Delete.

The RUA License Columns table describes each column that appears in an RUA host license.

RUA License Columns

Column: Description

Feature ID: Displays the ID number that corresponds with the feature being licensed.

Serial Number: Displays the feature serial number.

Status: Indicates if the license is valid, invalid, or if a temporary license has expired.

Model: Displays the appliance model number.

Number of Users: Lists the number of monitored users added by the license.

Node: Displays the appliance’s MAC address.

Expires: Displays the date and time that the feature license expires.

Action: Allows you to delete the feature license by clicking Delete.

The Intrusion Agent License Columns table describes each column that appears in an intrusion agent license.

Intrusion Agent License Columns

Column: Description

Feature ID: Displays the ID number that corresponds with the feature being licensed.

Serial Number: Displays the feature serial number.

Status: Indicates if the license is valid, invalid, or if a temporary license has expired.

Model: Displays the appliance model number.

Swagent Max Connections: Lists the maximum number of software agent connections allowed by the license.

Node: Displays the appliance’s MAC address.

Expires: Displays the date and time that the feature license expires.

Action: Allows you to delete the feature license by clicking Delete.

The Virtual 3D Sensor License Columns table describes each column that appears in a Virtual 3D Sensor license.

Virtual 3D Sensor License Columns

Column: Description

Feature ID: Displays the ID number that corresponds with the feature being licensed.

Serial Number: Displays the feature serial number.

Status: Indicates if the license is valid, invalid, or if a temporary license has expired.

Model: Displays the appliance model number.

Allowed Virtual Sensors: Lists the maximum number of Virtual 3D Sensors allowed by the license.

Node: Displays the appliance’s MAC address.

Throughput Limit: Displays the maximum capacity licensed for processing by the Virtual 3D Sensor (20, 45, 100, or 250MB).

IMPORTANT! These speeds are not a guaranteed throughput for the Virtual 3D Sensor you license. Maximum throughput is limited by other factors such as the number of Virtual Machines on your VMware server, its connections, and other physical hardware constraints.

Expires: Displays the date and time that the feature license expires.

Action: Allows you to delete the feature license by clicking Delete.

The IPS Software License Columns table describes each column that appears in an IPS Software license.

IPS Software License Columns

Column: Description

Feature ID: Displays the ID number that corresponds with the feature being licensed.

Serial Number: Displays the feature serial number.

Status: Indicates if the license is valid, invalid, or if a temporary license has expired.

Model: Displays the appliance model number.

Node: Displays the appliance’s MAC address.

Expires: Displays the date and time that the feature license expires.

Action: Allows you to delete the feature license by clicking Delete.

To view or delete your feature licenses:

Access: Admin 1. Select Operations > System Settings.

The Information page appears.

2. Click License.

The License page appears, showing the product license and any feature licenses you have added.

3. For the feature that you want to delete, click Delete in the Action column.

Configuring Network Settings

Requires: Any

With some exceptions, your Sourcefire 3D System provides a dual stack implementation so that you can choose IPv4, IPv6, or both IPv4 and IPv6 network settings in System Settings. The exceptions include software sensors or 3Dx800 sensors. You must use native applications, such as command line interfaces, third-party user interfaces, or the operating system interface, to manage network settings for software sensors or 3Dx800 sensors:

• For more information on configuring settings for Crossbeam-based software sensors, see the Sourcefire 3D Sensor Software for X-Series Installation Guide.

• For more information on configuring settings for Virtual 3D Sensors, see the Virtual Defense Center and 3D Sensor Installation Guide.

• For more information on configuring settings for 3Dx800 appliances, see the 3D Sensor Installation Guide.

• For more information on configuring settings for RNA Software for Red Hat Linux, see the Sourcefire RNA Software for Red Hat Linux Configuration Guide.

• For more information on configuring settings for Intrusion Agents, see the Intrusion Agent Configuration Guide.

You have the following configuration options:

• Disabled (IPv4 or IPv6)

• Manual (IPv4 and IPv6)

• DHCP (IPv4 and IPv6)

• Router assigned (IPv6 only)

If you specify Manual, you must manually configure all network properties. If you specify DHCP, the appliance automatically retrieves its network settings from a local DHCP server. If, in the case of IPv6, you specify Router assigned, the appliance retrieves its network settings from a local router.

If the appliance is not directly connected to the Internet, you can configure a proxy server to be used when downloading updates and SEUs. By default, the appliance is configured to directly connect to the Internet.

Manual Network Configuration Settings

Setting: Description

Management Interface Address and either IPv4 Netmask or IPv6 Prefix Length: The IP address for the management interface.

• For IPv4, you must set the address and netmask in dotted decimal form (for example: a netmask of 255.255.0.0).

• For IPv6, you must set the address in colon-separated hexadecimal form and the number of bits in the prefix (for example: a prefix length of 112).

In most installations, the management interface is connected to an internal, protected network. This is the network through which Defense Centers and sensors communicate.

Default Network Gateway: The IP address of the gateway device for your network

Hostname: The DNS-resolvable name for the appliance

IMPORTANT! If you change the hostname, the new name is not reflected in the syslog until after you reboot the appliance.

Domain: The fully-qualified domain name where the appliance resides

Primary DNS Server: The IP address of the DNS server for the network where the appliance resides

Secondary DNS Server: A secondary DNS server’s IP address

Tertiary DNS Server: A tertiary DNS server’s IP address

To configure network settings:

Access: Admin 1. Select Operations > System Settings.

The Information page appears.

2. Click Network.

The Network page appears.

3. Specify which IP version (v4, v6, or both) you want to use by selecting the Configuration from the IPv4 and IPv6 settings:

• Select Disabled to use only the alternative IP version (for example, if your network uses only IPv6, in the IPv4 section select Disabled).

• Select DHCP to allow DHCP server network setting resolution.

• Select Router assigned (an IPv6-only configuration) to allow router assigned network setting resolution.

• Select Manual to manually specify network settings.

4. If you selected Manual, specify the network settings.

See the Manual Network Configuration Settings table on page 378 for a full description of each field you can configure. You can change the Shared Settings (hostname, domain, and domain servers) if you use manual or router assigned configurations.


5. If your appliance is not directly connected to the Internet, you can identify a proxy server to be used when downloading updates and rules. By default, appliances are configured to connect directly to the Internet. To configure a proxy server, you have two options:

• If you have a direct connection from the appliance to the Internet, select Direct connection.

• If your network uses a proxy, select Manual proxy configuration and enter the IP address or fully qualified domain name of your proxy server in the HTTP Proxy field and the port in the Port field.

6. Click Save.

The network settings are changed.

Editing Network Interface Configurations

Requires: DC or 3D Sensor

You can use the Network Interface page to modify the default settings for each network interface on your appliance. Any changes you make to the Auto Negotiate value are ignored for Gigabit interfaces. You must configure 3Dx800 interfaces on the 3Dx800 CLI.

WARNING! Do not modify the settings for the management interface unless you have physical access to the appliance. It is possible to select a setting that makes it difficult to access the web interface.

If you change the link mode for a sensing interface, the sensor drops traffic while the network interface card renegotiates its network connection.

To edit a network interface:

Access: Admin

1. You have two choices:

• To configure network interfaces from a 3D Sensor, select Operations > System Settings.

• To configure network interfaces from a Defense Center, select Operations > Sensor, then click Edit next to the 3D Sensor.

The System Settings page appears.


2. Click Network Interface.

The Network Interface page appears, listing the current settings for each interface on your appliance.

3. Click Edit next to the interface that you want to modify.

The current settings for the interface appear. These settings include:

• interface name

• sensor name

• interface type, either Sensing or Management

• interface description

• whether the interface is configured to auto-negotiate speed and duplex settings


• whether the interface is configured for MDI (medium dependent interface), MDIX (medium dependent interface crossover), or Auto mode (Series 2 3D Sensors only); N/A in this column indicates that the interface does not support MDI/MDIX

• the current link mode, including the bandwidth and duplex setting (Full or Half); N/A indicates that there is no link for the interface

You can modify the interface name and description, MDI/MDIX settings, and the link mode as needed. However, keep the following in mind:

• In the Auto Negotiate field, select Off only if you require a specific link mode setting. You cannot change the Auto Negotiate setting for 10Gb interfaces.

If you need to specify a link mode, select it in the Link Mode field.

Any changes you make to the Auto Negotiate value are ignored for Gigabit interfaces. You must configure 3Dx800 interfaces on the 3Dx800 CLI.

• Series 2 3D Sensors only: If you disable auto negotiation and specify a link mode, you must also set the MDI/MDIX field to the required MDI or MDIX mode.

Normally, MDI/MDIX is set to Auto, which automatically handles switching between MDI and MDIX to attain link. However, when you set a specific link mode, automatic MDI/MDIX handling is disabled, making it impossible for the endpoints to attain link unless you manually set the required MDI/MDIX mode.

4. Click Save.

The Network Interface page appears again.

Shutting Down and Restarting the System

Requires: Any

You have several options for controlling the processes on your appliance. You can:

• shut down the appliance

• reboot the appliance

• restart communications, database, and http server processes on the appliance (this is typically used during troubleshooting)

• restart the RNA and Snort processes (Snort runs on the 3D Sensor only if you are licensed to use IPS)

IMPORTANT! If you shut down the appliance, the process shuts down the operating system on the appliance, but does not physically shut off power. To shut off power to the appliance, you must press the power button on the appliance, or, for an appliance without a power button, unplug it.


To shut down or restart your appliance:

Access: Admin

1. Select Operations > System Settings.

The Information page appears.

2. Click Process.

The Appliance Process page appears. The Defense Center version of the page is shown below.

3. Specify the command you want to perform:

For DC/MDC

• To shut down the Defense Center, click Run Command next to Shutdown Defense Center.

• To reboot the system, click Run Command next to Reboot Defense Center. Note that this logs you out of the Defense Center.

• To restart the Defense Center, click Run Command next to Restart Defense Center Console. Note that restarting the Defense Center may cause deleted hosts to reappear in the network map.

For 3D Sensor

• To shut down the 3D Sensor, click Run Command next to Shutdown Appliance.

• To reboot the system, click Run Command next to Reboot Appliance. Note that this logs you out of the 3D Sensor.

• To restart the 3D Sensor, click Run Command next to Restart Appliance Console.

• To restart the Snort and RNA processes, click Run Command next to Restart Detection Engines.

Configuring the Communication Channel

Requires: DC + 3D Sensor

Version 4.8 and earlier Defense Centers and sensors use a range of internal network IP addresses called the management virtual network to transmit third-party communications such as NTP to managed sensors and, in high availability deployments, to its Defense Center peer. The default address range is 172.16.0.0/16. The default port for communications between the Defense Center, its managed sensors, and if high availability is enabled, its high availability peer is 8305/tcp. The communication on port 8305 is bi-directional.

Enhancements in the current software eliminate the need for the management virtual network, provided both the Defense Center and the sensors it manages are using the current software. However, if your Defense Center is running the current version of the software and the sensors it manages are running an older version of the software, you will need to use a management virtual network and ensure that it does not conflict with other communications on your network.

IMPORTANT! The management virtual network is required only when the Defense Center must communicate with sensors running an older version. If both the Defense Center and all sensors have been upgraded to the current version, the management virtual network is unnecessary.

For more information, refer to:

• Setting Up the Management Virtual Network on page 384

• Editing the Management Virtual Network on page 385

Setting Up the Management Virtual Network

Requires: DC + 3D Sensor

If the IP address range or the port conflicts with other communications on your network, you can specify different values. This is usually configured as part of the installation process, but you can change it later.

WARNING! The IP address range you specify for the Management Virtual Network must not conflict with any other local network, including your management network. The user interface prevents you from entering the address range for the management network, but make sure you do not enter a range that overlaps other local networks. Doing so may break communications between hosts on the local network.

You must use native applications, such as command line interfaces, third-party user interfaces, or the operating system interface, to manage the communication channel sensor settings for Crossbeam-based software sensors, 3Dx800 sensors, and Intrusion Agents. For more information on configuring settings for Crossbeam-based software sensors, see the Sourcefire 3D Sensor Software for X-Series Installation Guide. For more information on configuring settings for 3Dx800 sensors, see the Sourcefire 3D Sensor Installation Guide. For more information on configuring settings for RNA Software for Red Hat Linux, see the Sourcefire RNA Software for Red Hat Linux Configuration Guide. For more information on configuring settings for Intrusion Agents, see the Intrusion Agent Configuration Guide.

IMPORTANT! Master Defense Centers do not currently use a Management Virtual Network. You cannot edit the Management Virtual Network field of a Master Defense Center. The field is filled with 0.0.0.0/24 to indicate that the Management Virtual Network is disabled on a Master Defense Center.


To configure the communications channel:

Access: Admin

1. Select Operations > System Settings.

The Information page appears.

2. Click Remote Management.

The Remote Management page appears.

3. In the Management Port field, enter the port number that you want to use.

WARNING! Changing the management port on the Defense Center requires that you also manually change the management port on every managed sensor.

4. In the Management Virtual Network field, enter the IP address range that you want to use.

TIP! The subnet mask is fixed at /16 (sixteen bits).

5. Click Save to save your changes for both the IP address range and the port number.

The new values are saved.
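A pre-change check for the address range entered in step 4, as an added example that is not part of the Sourcefire guide: it applies the constraints the text states (mask fixed at /16, no overlap with the management network or any other local network, 0.0.0.0/24 meaning disabled on a Master Defense Center) to a constructed list of local networks. The network list and the candidate ranges are assumptions for illustration.

```python
"""
Pre-change check for a Sourcefire Management Virtual Network (MVN) range.

Added example, not part of the Sourcefire guide. It encodes the constraints the
guide states: the MVN mask is fixed at /16, the range must not overlap the
management network or any other local network, and a Master Defense Center
shows 0.0.0.0/24 to mean the MVN is disabled. The local network list used in
__main__ is constructed for illustration.
"""
import ipaddress

MVN_PREFIX_LEN = 16                 # the guide: subnet mask is fixed at /16
MASTER_DC_DISABLED = "0.0.0.0/24"   # the guide: Master DC marker for "disabled"
DEFAULT_MVN = "172.16.0.0/16"       # the guide: default address range


def parse_mvn(text):
    """Return the MVN as an IPv4Network, or None if the field means 'disabled'."""
    if text.strip() == MASTER_DC_DISABLED:
        return None
    net = ipaddress.ip_network(text, strict=False)
    if net.version != 4:
        raise ValueError("the Management Virtual Network must be an IPv4 range")
    if net.prefixlen != MVN_PREFIX_LEN:
        # The web interface fixes the mask at /16; anything else is a typo.
        raise ValueError(f"prefix length must be /{MVN_PREFIX_LEN}, got /{net.prefixlen}")
    return net


def is_valid_mvn(text):
    """True if the field value is a well-formed /16 or the 'disabled' marker."""
    try:
        parse_mvn(text)
        return True
    except ValueError:
        return False


def find_conflicts(mvn_text, management_network, local_networks):
    """
    Return the local networks (as entered) that overlap the proposed MVN.

    The management network is always included: the UI rejects it, but the
    other local ranges are not checked by the appliance, so we check them all.
    """
    mvn = parse_mvn(mvn_text)
    if mvn is None:          # disabled on a Master DC: nothing to conflict with
        return []
    conflicts = []
    for text in [management_network, *local_networks]:
        net = ipaddress.ip_network(text, strict=False)
        if net.version == mvn.version and mvn.overlaps(net):
            conflicts.append(text)
    return conflicts


def suggest_free_range(management_network, local_networks, candidates=None):
    """Return the first candidate /16 that conflicts with nothing, or None."""
    if candidates is None:
        # Constructed candidate list drawn from RFC 1918 space (an assumption,
        # not a Sourcefire recommendation).
        candidates = [f"172.{i}.0.0/16" for i in range(16, 32)] + ["10.255.0.0/16"]
    for cand in candidates:
        if not find_conflicts(cand, management_network, local_networks):
            return cand
    return None


if __name__ == "__main__":
    # Constructed sample: management network plus two other internal ranges.
    mgmt = "10.10.0.0/24"
    others = ["172.16.20.0/24", "192.168.1.0/24"]
    print("default MVN conflicts with:", find_conflicts(DEFAULT_MVN, mgmt, others))
    print("first free /16:", suggest_free_range(mgmt, others))
```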

Editing the Management Virtual Network

Requires: DC + 3D Sensor

You can change the host IP or host name of the connected appliance. You can also regenerate the Virtual IP address, a feature that is especially useful after network reconfigurations or appliance updates.

WARNING! If the Management Virtual Network is functioning properly, it should not be edited. Typically, this function is used only under the direction of Sourcefire Support.

Master Defense Centers do not currently use a Management Virtual Network. You cannot edit the Management Virtual Network field of a Master Defense Center. The field is filled with 0.0.0.0/24 to indicate that the Management Virtual Network is disabled on a Master Defense Center.

Past versions of Sourcefire 3D Systems used a default /24 (twenty-four bit) CIDR address space, which provided enough addresses for 127 appliances. The current version uses a default /16 (sixteen bit) CIDR address space, which provides for a much greater number of appliances.

To edit the remote management virtual network:

Access: Admin

1. Select Operations > System Settings.

The Information page appears.

2. Click Remote Management.

The Remote Management page appears.

3. Click Edit next to the host whose Management Virtual Network you want to change.

The Edit Remote Management page appears.

4. Edit the name or host ID in the Name or Host fields as required.

5. Optionally, click Regenerate VIP to regenerate the IP address used by the virtual network.

TIP! The regenerate VIP option is useful after you reconfigure your network or change the Sourcefire 3D System to take advantage of a larger address space.

6. After appropriate management virtual network edits are made, click Save.

Configuring Remote Access to the Defense Center

Requires: DC + 3D Sensor

You must begin the procedure for setting up the management relationship between a Defense Center and a sensor on the sensor.

Three fields are provided for setting up communications between appliances:

• Management Host - the hostname or IP address of the other appliance.

• Registration Key - the one-time use registration key; the same key must be entered on both appliances.

• Unique NAT ID - a unique alphanumeric ID for use when registering sensors in NAT environments. See Working in NAT Environments on page 112 for more information.


Valid combinations include:

• Management Host and Registration Key used on both appliances

• Registration Key and Unique NAT ID used on the 3D Sensor with Host, Registration Key, and Unique NAT ID used on the Defense Center.

• Management Host, Registration Key, and Unique NAT ID used on the 3D Sensor with Registration Key and Unique NAT ID used on the Defense Center.

The Management Host or Host field (hostname or IP address) must be used on at least one of the appliances.

TIP! If you register a sensor to a Defense Center using a Registration Key and Unique NAT ID, but without a hostname or IP address, the Remote Management page displays the Unique NAT ID in the Host field.

Sourcefire strongly recommends that you read Using the Defense Center on page 99 before you add sensors to the Defense Center.
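A validator for the field combinations listed above, as an added example that is not part of the Sourcefire guide. It encodes only the rules stated on this page (matching registration key on both sides, a host on at least one side, matching Unique NAT ID when either side omits the host, hostnames rather than IP addresses when DHCP is in use); the RegistrationSide class and the sample values are constructed for illustration.

```python
"""
Check a sensor/Defense Center registration field combination before clicking Save.

Added example, not part of the Sourcefire guide. Rules encoded, all from the
guide's text: the Registration Key is required on both appliances and must match;
the Management Host (on the sensor) or Host (on the Defense Center) must be set on
at least one appliance; when either side leaves the host empty, both sides must
carry the same alphanumeric Unique NAT ID; under DHCP, prefer hostnames to IPs.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class RegistrationSide:
    """Fields from one side's page (constructed holder; empty string = field left blank)."""
    host: str = ""
    registration_key: str = ""
    nat_id: str = ""


def _is_ip_literal(text):
    """True if the host field holds an IP address rather than a hostname."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def validate_registration(sensor, dc, dhcp_in_use=False):
    """Return a list of problems; an empty list means the combination is valid."""
    problems = []

    # Both appliances must be given the same one-time registration key.
    if not sensor.registration_key or not dc.registration_key:
        problems.append("the Registration Key must be entered on both appliances")
    elif sensor.registration_key != dc.registration_key:
        problems.append("the Registration Key differs between sensor and Defense Center")

    # A hostname or IP address must be present on at least one side.
    if not sensor.host and not dc.host:
        problems.append("a hostname or IP address must be entered on at least one appliance")

    # Without a host on one side, the Unique NAT ID ties the two registrations together.
    if not sensor.host or not dc.host:
        if not sensor.nat_id or not dc.nat_id:
            problems.append("when one side has no host, both sides need a Unique NAT ID")
    if sensor.nat_id and dc.nat_id and sensor.nat_id != dc.nat_id:
        problems.append("the Unique NAT ID differs between sensor and Defense Center")
    if not all(x.isalnum() for x in (sensor.nat_id, dc.nat_id) if x):
        problems.append("the Unique NAT ID must be alphanumeric")

    # The guide warns to use hostnames, not IP addresses, when DHCP assigns addresses.
    if dhcp_in_use:
        for name, side in (("sensor", sensor), ("Defense Center", dc)):
            if side.host and _is_ip_literal(side.host):
                problems.append(f"{name} uses an IP address but DHCP is in use; use a hostname")
    return problems


if __name__ == "__main__":
    # Constructed sample: the second valid combination from the guide
    # (sensor: key + NAT ID; Defense Center: host + key + NAT ID).
    sensor_side = RegistrationSide(registration_key="key-example", nat_id="branch7")
    dc_side = RegistrationSide(host="sensor7.example.test",
                               registration_key="key-example", nat_id="branch7")
    print(validate_registration(sensor_side, dc_side) or "valid combination")
```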

To set up sensor management from the sensor:

Access: Admin

1. On the sensor’s web interface, select Operations > System Settings.

The Information page appears.

2. Click Remote Management.

The Remote Management page appears.

WARNING! Leave the Management Port field at the top of the Remote Management page in the default setting in nearly all cases. If you must change the Management Port, see Setting Up the Management Virtual Network on page 384.

3. Click Add Manager.

The Add Remote Management page appears.

4. In the Management Host field, type the IP address or the hostname of the Defense Center that you want to use to manage the sensor.

WARNING! Make sure you use hostnames rather than IP addresses if your network uses DHCP to assign IP addresses.


Note that you can leave the Management Host field empty if the management host does not have a routable address. In that case, use both the Registration Key and the Unique NAT ID fields.

5. In the Registration Key field, type the one-time use registration key that you want to use to set up a communications channel between the sensor and the Defense Center.

6. Optionally, in the Unique NAT ID field, type a unique alphanumeric NAT ID that you want to use to identify the sensor.

7. Click Save.

After the sensor confirms communication with the Defense Center, the Pending Registration status appears.

8. Access the Defense Center web interface and select Operations > Sensors.

The Sensors page appears.

9. Click New Sensor.

The Add New Sensor page appears.

10. Type the IP address or the hostname of the sensor you want to add in the Host field.

WARNING! Make sure you use hostnames rather than IP addresses if your network uses DHCP to assign IP addresses.

11. In the Registration Key field, type the same one-time use registration key that you used in step 5.

12. If you used a unique ID in step 6, type the same value in the Unique NAT ID field.


13. You can store IPS data on both the Defense Center and the sensor by clearing the Store Events and Packets Only on the Defense Center check box.

By default, IPS data is stored only on the Defense Center and not on the sensor. Note that RNA data is never stored on the sensor.

IMPORTANT! 3Dx800 sensors and Crossbeam-based software sensors cannot store IPS data locally. You must store events on the Defense Center.

14. You can prevent packet data from leaving a sensor by checking the Prohibit Packet Transfer to the Defense Center check box.

IMPORTANT! If you elect to prohibit sending packets and you do not store events on the 3D Sensor, packet data is not retained. Packet data is often important for forensic analysis.

15. To add the sensor to a group, select the group from the Add to Group list.

For more information about groups, see Managing Sensor Groups on page 131.

16. Click Add.

The sensor is added to the Defense Center. It can take up to two minutes for the Defense Center to verify the sensor’s heartbeat and establish communication.

IMPORTANT! In some high availability deployments where network address translation is used, you may need to use the Add Manager feature to add the secondary Defense Center. Contact Sourcefire Support for more information.

Setting the Time Manually

Requires: Any

If the Time Synchronization setting in the currently applied system policy is set to Manual, then you can manually set the time for the appliance using the Time page in the system settings.


If the appliance is synchronizing its time based on NTP, you cannot change the time manually. Instead, the NTP Status section on the Time page provides the following information:

NTP Status

NTP Server: The IP address and name of the configured NTP server.

Status: The status of the NTP server time synchronization. The following states may appear:

• Being Used indicates that the appliance is synchronized with the NTP server.

• Available indicates that the NTP server is available for use but time is not yet synchronized.

• Not Available indicates that the NTP server is in your configuration but the NTP daemon is unable to use it.

• Pending indicates that the NTP server is new or the NTP daemon was recently restarted. Over time, its value should change to Being Used, Available, or Not Available.

• Unknown indicates that the status of the NTP server is unknown.

Offset: The number of milliseconds of difference between the time on the appliance and the configured NTP server. Negative values indicate that the appliance is behind the NTP server, and positive values indicate that it is ahead.

Last Update: The number of seconds that have elapsed since the time was last synchronized with the NTP server. The NTP daemon automatically adjusts the synchronization times based on a number of conditions. For example, if you see larger update times such as 300 seconds, that indicates that the time is relatively stable and the NTP daemon has determined that it does not need to use a lower update increment.

See Synchronizing Time on page 354 for more information about the time settings in the system policy.

To manually configure the time:

Access: Admin

1. Select Operations > System Settings.

The Information page appears.


2. Click Time.

The Time page appears.

3. From list boxes that appear, select the following:

• year

• month

• day

• hour

• minute

4. Click Apply.

The time is updated.

5. If you want to change the time zone, click the time zone link located next to the date and time.

A pop-up window appears.

6. Select your time zone and click Save and, after the time zone setting is saved, click Close to close the pop-up window.

For more information about using the time zone page, see Setting Your Default Time Zone on page 34.

Blacklisting Health Modules

Requires: DC/MDC

If you want to disable health events for all appliances with a particular health policy, you can blacklist the policy. If you need to disable the results of a group of appliances’ health monitoring, you can blacklist the group of appliances. Once the blacklist settings take effect, the appliances report a disabled status in the Health Monitor Summary. For information on blacklisting individual or groups of appliances, see Blacklisting Health Policies or Appliances on page 535.

You can also blacklist individual health policy modules on appliances. You may want to do this to prevent events from the module from changing the status for the appliance to warning or critical. For example, if an appliance is temporarily disconnected from the management network, you can blacklist the Appliance Heartbeat module during that maintenance window. For information on blacklisting an individual policy module, see Blacklisting a Health Policy Module on page 537.


Specifying NetFlow-Enabled Devices

Requires: DC + RNA

If you have enabled the NetFlow feature on your NetFlow-enabled devices, you can use the flow data that these devices collect to supplement the flow data collected by 3D Sensors with RNA by specifying the devices and the networks they monitor in your RNA detection policy.

One of the prerequisites for using NetFlow data is to use the system settings to specify the NetFlow-enabled devices you are going to use to collect the data. You must configure these NetFlow-enabled devices to export NetFlow version 5 data.

For more information on using NetFlow data with the Sourcefire 3D System, including information on additional prerequisites, see Introduction to NetFlow in the Analyst Guide.

To add NetFlow-enabled devices for flow data collection:

Access: Admin

1. Select Operations > System Settings.

The Information page appears.

2. Click NetFlow Devices.

The NetFlow Devices page appears.

3. Click Add Device to add a NetFlow-enabled device.

4. In the IP Address field, enter the IP address of the NetFlow-enabled device you want to use to collect flow data.

5. To add additional NetFlow-enabled devices, repeat steps 3 and 4.

TIP! To remove a NetFlow-enabled device, click Delete next to the device you want to remove. Keep in mind that if you remove a NetFlow-enabled device from the system policy, you should also remove it from your RNA detection policy. For more information, see Editing an RNA Detection Policy in the Analyst Guide.

6. Click Save.

The list of NetFlow-enabled devices is saved.


Managing Remote Storage

Requires: Series 2 DC

On Series 2 Defense Centers you can use local or remote storage for backups and reports. You can use Network File System (NFS), Secure Shell (SSH), or Server Message Block (SMB)/Common Internet File System (CIFS) for backup and report remote storage. You cannot send backups to one remote system and reports to another, but you can choose to send either to a remote system and store the other on the local Defense Center. For information on backup and restore, see Using Backup and Restore on page 413. Keep in mind that only Series 2 Defense Centers, and not Master Defense Centers, provide backup and report remote storage.

TIP! After configuring and selecting remote storage, you can switch back to local storage only if you have not increased the RNA flow database limit.

You must ensure that your external remote storage system is functional and accessible from the Defense Center.

Select one of the backup and report storage options:

• To disable external remote storage and use the local Defense Center for backup and report storage, see Using Local Storage on page 393.

• To use NFS for backup and report storage, see Using NFS for Remote Storage on page 394.

• To use SSH for backup and report storage, see Using SSH for Remote Storage on page 395.

• To use SMB for backup and report storage, see Using SMB for Remote Storage on page 396.

IMPORTANT! You cannot use remote backup and restore to manage data on Crossbeam-based software sensors, RNA Software for Red Hat Linux, 3Dx800 sensors, or Intrusion Agents.

Using Local Storage

Requires: Series 2 DC

You can store backups and reports on the local Defense Center.

To store backups and reports locally:

Access: Admin

1. Select Operations > System Settings.

The Information page appears.


2. Click Remote Storage Device.

The Remote Storage Device page appears.

3. At Storage Type, select Local (No Remote Storage).

4. Click Save.

Your storage location choice is saved.

TIP! You do not use the Test button with local storage.

Using NFS for Remote Storage

Requires: Series 2 DC

You can select Network File System (NFS) protocol to store your reports and backups.

To store backups and reports using NFS:

Access: Admin

1. Select Operations > System Settings.

The Information page appears.

2. Click Remote Storage Device.

The Remote Storage Device page appears.

3. At Storage Type, select NFS.

The page refreshes to display the NFS storage configuration options.

4. Add the connection information:

• Enter the IP or hostname of the storage system in the Host field.

• Enter the path to your storage area in the Directory field.


5. If there are any required command line options, select Use Advanced Options.

A Command Line Options field appears where you can enter the commands.

6. Under System Usage, select either or both of the following:

• Select Enable Remote Storage for Backups to store backups on the designated host.

• Select Enable Remote Storage for Reports to store reports on the designated host.

7. Optionally, click Test.

The test ensures that the Defense Center can access the designated host and directory.

8. Click Save.

Your remote storage configuration is saved.

Using SSH for Remote Storage

Requires: Series 2 DC

You can select Secure Shell (SSH) protocol to store your reports and backups.

To store backups and reports using SSH:

Access: Admin

1. Select Operations > System Settings.

The Information page appears.

2. Click Remote Storage Device.

The Remote Storage Device page appears.

3. At Storage Type, select SSH.

The page refreshes to display the SSH storage configuration options.


4. Add the connection information:

• Enter the IP or hostname of the storage system in the Host field.

• Enter the path to your storage area in the Directory field.

• Enter the storage system’s user name in the Username field and the password for that user in the Password field.

• To use SSH keys, copy the content of the SSH Public Key field and place it in your authorized_keys file.

5. If there are any required command line options, select Use Advanced Options.

A Command Line Options field appears where you can enter the commands.

6. Under System Usage, select either or both of the following:

• Select Enable Remote Storage for Backups to store backups on the designated host.

• Select Enable Remote Storage for Reports to store reports on the designated host.

7. Optionally, click Test.

The test ensures that the Defense Center can access the designated host and directory.

8. Click Save.

Your remote storage configuration is saved.

Using SMB for Remote Storage

Requires: Series 2 DC

You can select Server Message Block (SMB) protocol to store your reports and backups.

To store backups and reports using SMB:

Access: Admin

1. Select Operations > System Settings.

The Information page appears.

2. Click Remote Storage Device.

The Remote Storage Device page appears.


3. At Storage Type, select SMB.

The page refreshes to display the SMB storage configuration options.

4. Add the connection information:

• Enter the IP or hostname of the storage system in the Host field.

• Enter the share of your storage area in the Share field.

• Optionally, enter the domain name for the remote storage system in the Domain field.

• Enter the user name for the storage system in the Username field and the password for that user in the Password field.

5. If there are any required command line options, select Use Advanced Options.

A Command Line Options field appears where you can enter the commands.

6. Under System Usage, select either or both of the following:

• Select Enable Remote Storage for Backups to store backups on the designated host.

• Select Enable Remote Storage for Reports to store reports on the designated host.

7. Optionally, click Test.

The test ensures that the Defense Center can access the designated host and directory.

8. Click Save.

Your remote storage configuration is saved.

Chapter 11

Updating System Software

Use the Update feature to update the Sourcefire 3D System. Sourcefire electronically distributes several different types of updates:

• Patches include a limited range of fixes (and usually change the fourth digit in the version number; for example, 4.9.0.1).

• Feature updates are more comprehensive than patches and generally include new features (and usually change the third digit in the version number; for example, 4.9.1).

• Major and minor version releases include new features and functionality and may entail large-scale changes to the product (and usually change the first or second digit in version number; for example, 4.9 or 5.0).

• Vulnerability database (VDB) updates affect the vulnerabilities reported by RNA as well as the operating systems, client applications, and services that RNA detects.

IMPORTANT! You cannot use the Update feature to update the SEU or Intrusion Agents. For information on updating your SEU, see Importing SEUs and Rule Files in the Analyst Guide. For information on Intrusion Agents, see the Intrusion Agent Configuration Guide.


You can obtain updates from the Sourcefire Support Site and then manually install them using the Patch Update Management page. The following graphic shows the Defense Center version of the page.

When you upload updates to your appliance, they appear on the page. Uploaded VDB updates also appear on the page, as do uninstaller updates, which are created when you install a patch to a Sourcefire appliance. The list of updates shows the type of each update, the version number, and the date and time it was generated. It also indicates whether a reboot is required as part of the update.

TIP! For patches, feature updates, and VDB updates, you can take advantage of the automated update feature; see Scheduling Tasks on page 425.

If your deployment includes a Defense Center, you can use it to install updates on its managed 3D Sensors, including software sensors. However, for major updates to software sensors, you may need to uninstall the previous version and install the new version.

You can uninstall patches to the Sourcefire software using an appliance’s local web interface. Uninstalling from the web interface is not supported for major version upgrades, nor is it supported for appliances that do not have local web interfaces.

WARNING! This chapter contains general information on updating the Sourcefire 3D System. Before you update Sourcefire software, you must read the release notes that accompany the update. The release notes describe supported platforms, new features and functionality, known and resolved issues, and product compatibility. They also contain information on any prerequisites, warnings, and specific installation and uninstallation instructions.

See the following sections for more information:

• Installing Software Updates on page 400

• Uninstalling Software Updates on page 409

• Updating the Vulnerability Database on page 410


Installing Software Updates

Requires: Any

Sourcefire periodically issues updates to the Sourcefire 3D System software.

Updating an appliance does not modify its configuration; the policies and network settings on the appliance remain intact.

Note that for major updates to software sensors (Crossbeam-based software sensors and RNA for Red Hat Linux), you may need to uninstall the previous version and install the new version; see the release notes for more information.

TIP! This section explains how to plan for and perform manual software updates on your Sourcefire appliances. For patches and feature updates, you can take advantage of the automated update feature; see Automating Software Updates on page 430.

To update your Sourcefire 3D System appliances:

Access: Admin

1. Read the release notes for the update.

Available on the Sourcefire Support Site, the release notes describe supported platforms, new features and functionality, known and resolved issues, and product compatibility; they also contain information on any prerequisites, warnings, and specific installation and uninstallation instructions.

2. Make sure your appliances (including software sensors) are running the correct version of the Sourcefire 3D System.

The release notes for the update indicate the required version. If you are running an earlier version, you can obtain updates from the Sourcefire Support Site.

3. Install the latest SEU on your appliances.

You must install the latest SEU (see Importing SEUs and Rule Files in the Analyst Guide) on your appliances before you begin the update. You can obtain the SEU from the Sourcefire Support Site.

4. Make sure the computers or appliances where you installed software sensors are running the correct versions of their operating systems.

Make sure that any Crossbeam Systems or Red Hat Linux platforms you are using to host Sourcefire software sensors are running the correct version of the operating system, as described in the release notes.


5. Delete any backups that reside on the appliance, then back up current event and configuration data to an external location.

Sourcefire strongly recommends that you delete or move any backup files that reside on your appliance, then back up current event and configuration data to an external location. Event data is not backed up as part of the update process.

For more information on the backup and restore feature, including the types of backups that are supported for your appliance, see Using Backup and Restore on page 413.

6. Make sure you have enough free disk space and allow enough time for the update.

When you update a managed sensor, the update requires additional disk space on the Defense Center. The release notes for the update indicate space and time requirements.

7. Update your Master Defense Centers.

Always update Master Defense Centers first; see Updating a Defense Center or Master Defense Center on page 402.

8. Update your Defense Centers.

After you update any Master Defense Centers in your deployment, you can update the Defense Centers they manage; see Updating a Defense Center or Master Defense Center on page 402.

Note that when you begin to update one Defense Center in a high availability pair, the other Defense Center in the pair becomes the primary, if it is not already. In addition, the paired Defense Centers stop sharing configuration information; paired Defense Centers do not receive software updates as part of the regular synchronization process. To ensure continuity of operations, do not update paired Defense Centers at the same time. First, complete the update procedure for one of the Defense Centers, then update the second Defense Center.

9. Update your managed 3D Sensors.

After you update the Master Defense Centers and Defense Centers in your deployment, you can update your managed sensors (including software sensors). Sourcefire strongly recommends that you use your Defense Centers to update the sensors they manage; see Updating Managed Sensors on page 404.

Note that you must use the Defense Center to update sensors that do not have a web interface, including Crossbeam-based software sensors, RNA for Red Hat Linux, and 3Dx800 sensors. However, for major updates to software sensors, you may need to uninstall the previous version and install the new version; see the release notes for more information.

10. Update your unmanaged 3D Sensors.

See Updating Unmanaged 3D Sensors on page 406.
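The ordering rules in steps 7 through 10, together with the version-number conventions at the start of this chapter, are easy to get wrong across a large deployment. The following Python module is an added example; it is not part of the Sourcefire documentation or product. It classifies an update by the version digit it changes (which decides whether the Download Updates button may be used, since that path is not supported for major updates) and produces update waves in the order the chapter requires: Master Defense Centers, then Defense Centers with the two members of a high availability pair one after the other, then managed sensors batched by update package (different sensor models use different updates), then unmanaged sensors. The appliance names, the package labels and the web_interface flag are constructed assumptions; the planner does not talk to any appliance.

```python
"""Update-order planner for a Sourcefire 3D System deployment.

Added example; it is not part of the Sourcefire documentation or product.
It encodes the ordering rules this chapter states: Master Defense Centers
first, then Defense Centers (the two members of a high availability pair
one after the other, never together), then managed 3D Sensors (batched per
update package, because different sensor models use different updates),
then unmanaged 3D Sensors. It also classifies an update by the version
digit it changes, which decides whether Download Updates may be used
(not supported for major updates). The inventory at the bottom, the
package labels and the web_interface flag are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'4.9.0.1' -> (4, 9, 0, 1); absent trailing digits count as 0."""
    parts = [int(p) for p in v.split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {v!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def classify_update(current: str, target: str) -> str:
    """'major', 'feature' or 'patch', from the first version digit that changes."""
    cur, tgt = parse_version(current), parse_version(target)
    if tgt <= cur:
        raise ValueError(f"{target} is not newer than {current}")
    if cur[:2] != tgt[:2]:
        return "major"      # first or second digit, e.g. 4.9 -> 5.0
    if cur[2] != tgt[2]:
        return "feature"    # third digit, e.g. 4.9.0 -> 4.9.1
    return "patch"          # fourth digit, e.g. 4.9.0 -> 4.9.0.1


def direct_download_allowed(current: str, target: str) -> bool:
    """Download Updates on the Patch Update Management page is not for major updates."""
    return classify_update(current, target) != "major"


@dataclass(frozen=True)
class Appliance:
    name: str
    role: str                         # "mdc", "dc" or "sensor"
    managed_by: Optional[str] = None  # managing DC name, for managed sensors
    ha_peer: Optional[str] = None     # the other member of a DC HA pair
    package: Optional[str] = None     # update file this sensor model uses
    web_interface: bool = True        # False for Crossbeam, RHEL and 3Dx800 sensors


def plan_update(inventory: List[Appliance]) -> List[List[str]]:
    """Return waves in update order; names within one wave may be updated together."""
    by_name: Dict[str, Appliance] = {a.name: a for a in inventory}
    waves: List[List[str]] = []

    mdcs = sorted(a.name for a in inventory if a.role == "mdc")
    if mdcs:
        waves.append(mdcs)

    # Standalone DCs and the first member of each HA pair form one wave; the
    # second member of a pair waits until its peer has finished.
    first: List[str] = []
    second: List[str] = []
    for dc in sorted((a for a in inventory if a.role == "dc"), key=lambda a: a.name):
        peer = by_name.get(dc.ha_peer) if dc.ha_peer else None
        if dc.ha_peer and (peer is None or peer.ha_peer != dc.name):
            raise ValueError(f"HA pairing of {dc.name} and {dc.ha_peer} is not symmetric")
        (second if dc.ha_peer in first else first).append(dc.name)
    waves.extend(w for w in (first, second) if w)

    # Managed sensors: only sensors that use the same update may be batched.
    batches: Dict[str, List[str]] = {}
    for s in sorted((a for a in inventory if a.role == "sensor"), key=lambda a: a.name):
        if s.managed_by is None:
            if not s.web_interface:
                raise ValueError(f"{s.name} has no web interface and must be managed by a DC")
            continue
        manager = by_name.get(s.managed_by)
        if manager is None or manager.role != "dc":
            raise ValueError(f"{s.name} is managed by unknown DC {s.managed_by}")
        batches.setdefault(s.package or "unspecified", []).append(s.name)
    waves.extend(batches[k] for k in sorted(batches))

    # Unmanaged sensors are updated one at a time from their own web interface.
    waves.extend([a.name] for a in sorted(inventory, key=lambda a: a.name)
                 if a.role == "sensor" and a.managed_by is None)
    return waves


def plan_uninstall(inventory: List[Appliance]) -> List[List[str]]:
    """Patches are removed in the reverse of the order they were installed."""
    return list(reversed(plan_update(inventory)))


# Constructed inventory; names and package labels are placeholders.
DEPLOYMENT = [
    Appliance("mdc1", "mdc"),
    Appliance("dc1", "dc", ha_peer="dc2"),
    Appliance("dc2", "dc", ha_peer="dc1"),
    Appliance("dc3", "dc"),
    Appliance("s1", "sensor", managed_by="dc1", package="series2-update"),
    Appliance("s2", "sensor", managed_by="dc3", package="series2-update"),
    Appliance("s3", "sensor", managed_by="dc1", package="crossbeam-update",
              web_interface=False),
    Appliance("u1", "sensor", package="series2-update"),
]

if __name__ == "__main__":
    print(classify_update("4.9.0", "4.9.1"), direct_download_allowed("4.9.1", "5.0"))
    for i, wave in enumerate(plan_update(DEPLOYMENT), 1):
        print(f"wave {i}: {', '.join(wave)}")
```

For the constructed inventory the planner yields six waves: mdc1; dc1 and dc3; dc2 (only after its HA peer dc1 is done); s3 on its own because it uses a different update file; s1 and s2 together; and finally the unmanaged sensor u1. The planner also rejects an inventory that lists a sensor without a web interface as unmanaged, since such sensors can only be updated through a Defense Center. Reversing the plan gives the order in which a patch is later uninstalled.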


Updating a Defense Center or Master Defense Center

Requires: DC/MDC

Use the procedure in this section to update your Defense Centers and Master Defense Centers. If your deployment includes Master Defense Centers, you must update them before you update the Defense Centers that they manage.

You update the Defense Center in one of two ways, depending on the type of update and whether your Defense Center has access to the internet:

• You can use the Defense Center to obtain the update directly from the Support Site. Choose this option if your Defense Center has access to the internet and you are not performing a major update. This option is not supported for major updates.

• You can manually download the update from the Sourcefire Support Site and then upload it to the Defense Center. Choose this option if your Defense Center does not have access to the internet or if you are performing a major update.

Note that when you begin to update one Defense Center in a high availability pair, the other Defense Center in the pair becomes the primary, if it is not already. In addition, the paired Defense Centers stop sharing configuration information; paired Defense Centers do not receive software updates as part of the regular synchronization process. To ensure continuity of operations, do not update paired Defense Centers at the same time. First, complete the update procedure for one of the Defense Centers, then update the second Defense Center.

IMPORTANT! For major updates, updating the Defense Center removes any existing updates and patches, as well as their uninstall scripts, from the appliance.

To update the Defense Center or Master Defense Center:

Access: Admin

1. Read the release notes for the update and complete any required pre-update tasks.

Pre-update tasks can include making sure that the Defense Center is running the correct version of the Sourcefire software, making sure you have enough free disk space to perform the update, making sure you have set aside adequate time to perform the update, backing up event and configuration data, and so on.


2. Upload the update to the Defense Center. You have two options, depending on the type of update and whether your Defense Center has access to the internet.

• For all except major releases, and if your Defense Center has access to the Internet, select Operations > Update to display the Patch Update Management page, then click Download Updates to check for the latest updates on the Support Site.

• For major releases, or if your Defense Center does not have access to the Internet, first manually download the update from the Sourcefire Support Site. Select Operations > Update to display the Patch Update Management page, then click Upload Update. Browse to the update and click Upload.

IMPORTANT! Download the update directly from the Support Site, either manually or by clicking Download Updates on the Patch Update Management page. If you transfer an update file by email, it may become corrupted.

The update is uploaded to the Defense Center. The Patch Update Management page shows the type of update you just uploaded, its version number, and the date and time it was generated. The page also indicates whether a reboot is required as part of the update.

3. Make sure that the appliances in your deployment are successfully communicating and that there are no issues being reported by the health monitor.

4. Select Operations > Monitoring > Task Status to view the task queue and make sure that there are no jobs in process.

Tasks that are running when the update begins are stopped and cannot be resumed; you must manually delete them from the task queue after the update completes. The task queue automatically refreshes every 10 seconds. You must wait until any long-running tasks are complete before you begin the update.

5. Select Operations > Update.

The Patch Update Management page appears.

6. Click Install next to the update you uploaded.

The Install Update page appears.


7. Under Selected Update, select the Defense Center and click Install. If prompted, confirm that you want to install the update and reboot the Defense Center.

The update process begins. You can monitor the update's progress in the task queue (Operations > Monitoring > Task Status).

WARNING! Do not use the web interface to perform any other tasks until the update has completed and (if necessary) the Defense Center reboots. Before the update completes, the web interface may become unavailable, or the Defense Center may log you out. This is expected behavior. If this occurs, log in again to view the task queue. If the update is still running, continue to refrain from using the web interface until the update has completed. If you encounter issues with the update (for example, if the task queue indicates that the update has failed or if a manual refresh of the task queue shows no progress), do not restart the update. Instead, contact Support.

8. After the update finishes, if necessary, log into the Defense Center.

9. Clear your browser cache and force a reload of the browser. Otherwise, the user interface may exhibit unexpected behavior.

10. Select Operations > Help > About and confirm that the software version is listed correctly.

11. Verify that all managed sensors are successfully communicating with the Defense Center.

12. Re-apply intrusion policies to the IPS detection engines on your managed 3D Sensors.

Unless you enabled the Inspect Traffic During Policy Apply option when you created your IPS detection engines (this option is supported on many sensor models; see Creating a Detection Engine on page 193), applying an intrusion policy causes IPS detection engines to restart. This can cause a short pause in processing and, for most detection engines with inline interface sets, may cause a few packets to pass through the sensor uninspected.

13. Update the VDB on your Defense Centers and the 3D Sensors with RNA that they manage; see Updating the Vulnerability Database on page 410.

14. Continue with the next section, Updating Managed Sensors, to update the Sourcefire software on the sensors that the Defense Center manages.

Updating Managed Sensors

Requires: DC + 3D Sensor

After you update your Defense Centers, Sourcefire strongly recommends that you use them to update the sensors they manage. Updating managed sensors is a multi-step process. First, download the update from the Support Site and upload it to the managing Defense Center. Next, push the update to the sensors from the Defense Center. Finally, install the software. Note that you can update multiple 3D Sensors at once, but only if they use the same update. For information on updating the 3D Sensors in your deployment, see the release notes.

IMPORTANT! You must use the Defense Center to update sensors that do not have a web interface, including Crossbeam-based software sensors, RNA for Red Hat Linux, and 3Dx800 sensors. However, for major updates to software sensors, you may need to uninstall the previous version and install the new version; see the release notes for more information.

To update managed 3D Sensors:

Access: Admin

1. Read the release notes for the update and complete any required pre-update tasks.

Pre-update tasks can include updating your managing Defense Center, making sure that the 3D Sensors are running the correct version of the Sourcefire software, making sure software sensors are running the correct version of their operating systems, making sure you have enough free disk space to perform the update, making sure you have set aside adequate time to perform the update, backing up event and configuration data, and so on.

2. Update the Sourcefire software on the sensors’ managing Defense Center; see Updating a Defense Center or Master Defense Center on page 402.

3. Download the update from the Sourcefire Support Site.

Different 3D Sensor models use different updates. For information on the updates you can download, see the release notes.

IMPORTANT! Download the update directly from the Support Site. If you transfer an update file by email, it may become corrupted.

4. Make sure that the appliances in your deployment are successfully communicating and that there are no issues being reported by the health monitor.

5. On the managing Defense Center, select Operations > Update.

The Patch Update Management page appears.

6. Click Upload Update to browse to the update you downloaded, then click Upload.

The update is uploaded to the Defense Center. The Patch Update Management page shows the type of update you just uploaded, its version number, and date and time it was generated. The page also indicates whether a reboot is required as part of the update.

7. Click Push next to the update.

The Push Update page appears.


8. Under Selected Update, select the sensors you want to update, then click Push.

Depending on the size of the file, it may take some time to push the update to all sensors. You can monitor the progress of the push in the task queue (Operations > Monitoring > Task Status). When the push is complete, continue with the next step.

9. Click Install next to the update you are installing.

The Install Update page appears.

10. Select the sensors where you pushed the update and click Install. If prompted, confirm that you want to install the update and reboot the 3D Sensors.

The update process begins. You can monitor the update's progress in the Defense Center’s task queue (Operations > Monitoring > Task Status).

If the update requires a reboot, your 3D Sensors use IPS detection engines with inline interface sets, and the sensors do not have fail-open network cards, traffic is interrupted while the sensors reboot. If your sensors have fail-open network cards, some traffic may pass through the sensors uninspected while they reboot.

WARNING! If you encounter issues with the update (for example, if the task queue indicates that the update has failed or if a manual refresh of the task queue shows no progress), do not restart the update. Instead, contact Support.

11. Select Operations > Sensors and confirm that the sensors you updated have the correct version listed.

12. Verify that the sensors you updated are successfully communicating with the Defense Center.

13. Re-apply intrusion policies to the IPS detection engines on your managed 3D Sensors.

Unless you enabled the Inspect Traffic During Policy Apply option when you created your IPS detection engines (this option is supported on many sensor models; see Creating a Detection Engine on page 193), applying an intrusion policy causes IPS detection engines to restart. This can cause a short pause in processing and, for most detection engines with inline interface sets, may cause a few packets to pass through the sensor uninspected.

Updating Unmanaged 3D Sensors

Requires: 3D Sensor

Use the procedure in this section to update unmanaged 3D Sensors only; Sourcefire strongly recommends that you update managed 3D Sensors using their managing Defense Centers. For more information, see Updating Managed Sensors on page 404.


You update the 3D Sensor in one of two ways, depending on the type of update and whether your 3D Sensor has access to the internet:

• You can use the 3D Sensor to obtain the update directly from the Support Site. Choose this option if your 3D Sensor has access to the internet and you are not performing a major update. This option is not supported for major updates.

• You can manually download the update from the Sourcefire Support Site and then upload it to the 3D Sensor. Choose this option if your 3D Sensor does not have access to the internet or if you are performing a major update.

IMPORTANT! For major updates, updating the 3D Sensor removes any existing updates and patches, as well as their uninstall scripts, from the sensor.

To update an unmanaged 3D Sensor:

Access: Admin

1. Read the release notes for the update and complete any required pre-update tasks.

Pre-update tasks can include making sure that the 3D Sensor is running the correct version of the Sourcefire software, making sure you have enough free disk space to perform the update, making sure you have set aside adequate time to perform the update, backing up event and configuration data, and so on.

2. Upload the update to the 3D Sensor. You have two options, depending on the type of update and whether your 3D Sensor has access to the internet.

• For all except major releases, and if your 3D Sensor has access to the Internet, select Operations > Update to display the Patch Update Management page, then click Download Updates to check for the latest updates on the Support Site.

• For major releases, or if your 3D Sensor does not have access to the Internet, first manually download the update from the Sourcefire Support Site. Select Operations > Update to display the Patch Update Management page, then click Upload Update. Browse to the update and click Upload.

IMPORTANT! Download the update directly from the Support Site, either manually or by clicking Download Updates on the Patch Update Management page. If you transfer an update file by email, it may become corrupted.

The update is uploaded to the 3D Sensor. The Patch Update Management page shows the type of update you just uploaded, its version number, and the date and time it was generated. The page also indicates whether a reboot is required as part of the update.


3. Select Operations > Monitoring > Task Status to view the task queue and make sure that there are no jobs in process.

Tasks that are running when the update begins are stopped and cannot be resumed; you must manually delete them from the task queue after the update completes. The task queue automatically refreshes every 10 seconds. You must wait until any long-running tasks are complete before you begin the update.

4. Select Operations > Update.

The Patch Update Management page appears.

5. Click Install next to the update you just uploaded. If prompted, confirm that you want to install the update and reboot the 3D Sensor.

The update process begins. You can monitor the update's progress in the task queue (Operations > Monitoring > Task Status).

If the update requires a reboot, your 3D Sensor uses IPS detection engines with inline interface sets, and the sensor does not have a fail-open network card, traffic is interrupted while the sensor reboots. If the sensor has a fail-open network card, some traffic may pass through the sensor uninspected while it reboots.

WARNING! Do not use the web interface to perform any other tasks until the update has completed and (if necessary) the 3D Sensor reboots. Before the update completes, the web interface may become unavailable, or the 3D Sensor may log you out. This is expected behavior. If this occurs, log in again to view the task queue. If the update is still running, continue to refrain from using the web interface until the update has completed. If you encounter issues with the update (for example, if the task queue indicates that the update has failed or if a manual refresh of the task queue shows no progress), do not restart the update. Instead, contact Support.

6. After the update finishes, if necessary, log into the 3D Sensor.

7. Clear your browser cache and force a reload of the browser. Otherwise, the user interface may exhibit unexpected behavior.

8. Select Operations > Help > About and confirm that the software version is listed correctly.

9. Re-apply intrusion policies to your IPS detection engines.

Unless you enabled the Inspect Traffic During Policy Apply option when you created your IPS detection engines (this option is supported on many sensor models; see Creating a Detection Engine on page 193), applying an intrusion policy causes IPS detection engines to restart. This can cause a short pause in processing and, for most detection engines with inline interface sets, may cause a few packets to pass through the sensor uninspected.


Uninstalling Software Updates

Requires: Any

When you install a patch to a Sourcefire appliance, the update process creates an uninstaller update that allows you to uninstall the patch from that appliance's web interface.

IMPORTANT! Uninstalling from the web interface is not supported for major version upgrades. If you upgraded to a new version of the appliance and need to revert to an older version, contact Support.

You must use the local web interface to uninstall patches, as described by the procedure in this section; you cannot use the Defense Center to uninstall patches from managed sensors. For information on uninstalling patches from appliances that do not have local web interfaces (Crossbeam-based software sensors, RNA for Red Hat Linux, and 3Dx800 sensors), see the release notes.

In addition, you must uninstall a patch from the appliances in your deployment in the reverse order of how you installed it. That is, first uninstall the patch from your managed 3D Sensors, then your Defense Centers, and finally your Master Defense Centers.

When you uninstall a patch, the resulting Sourcefire software version depends on the update path for your appliance. For example, consider a scenario where you updated an appliance directly from Version 4.9.0 to Version 4.9.0.2. Uninstalling the Version 4.9.0.2 patch might result in an appliance running Version 4.9.0.1, even though you never installed the Version 4.9.0.1 update. For information on the resulting Sourcefire software version when you uninstall an update, see the release notes.

To uninstall a patch using the local web interface:

Access: Admin

1. Select Operations > Update.

The Patch Update Management page appears.


2. Click Install next to the uninstaller for the update you want to remove.

• On the Defense Center, the Install Update page appears. Under Selected Update, select the Defense Center and click Install.

• On the 3D Sensor, there is no intervening page.

In either case, if prompted, confirm that you want to uninstall the update and reboot the appliance.

The uninstall process begins. You can monitor its progress in the task queue (Operations > Monitoring > Task Status).

If the uninstall for a 3D Sensor requires a reboot, the sensor uses IPS detection engines with inline interface sets, and the sensor does not have a fail-open network card, traffic is interrupted while the sensor reboots. If the sensor has a fail-open network card, some traffic may pass through the sensor uninspected while it reboots.

WARNING! Do not use the web interface to perform any other tasks until the uninstall has completed and (if necessary) the appliance reboots. Before the uninstall completes, the web interface may become unavailable, or the appliance may log you out. This is expected behavior. If this occurs, log in again and view the task queue. If the uninstall is still running, continue to refrain from using the web interface until the uninstall has completed. If you encounter issues with the uninstall, for example, if the task queue indicates that the uninstall has failed or if a manual refresh of the task queue shows no progress, do not restart the uninstall. Instead, contact Support.

3. After the uninstall finishes, if necessary, log into the appliance.

4. Clear your browser cache and force a reload of the browser. Otherwise, the user interface may exhibit unexpected behavior.

5. Select Operations > Help > About and confirm that the software version is listed correctly.

6. Verify that the appliance where you uninstalled the patch is successfully communicating with its managed sensors (for the Defense Center) or its managing Defense Center (for 3D Sensors).

Updating the Vulnerability Database

Requires: DC + RNA

The Sourcefire Vulnerability Database (VDB) is a database of known vulnerabilities to which hosts may be susceptible, as well as fingerprints for the operating systems, client applications, and services that RNA detects. RNA correlates the operating system and services detected on each host with the vulnerability database to help you determine whether a particular host increases your risk of network compromise. The Sourcefire Vulnerability Research Team (VRT) issues periodic updates to the VDB.


You should install the same version of the VDB on all the appliances in your deployment. To ensure you install the same VDB version, use your Defense Centers to push and install the VDB on all managed 3D Sensors with RNA, including software sensors. Because you cannot view RNA data on Master Defense Centers or on unmanaged 3D Sensors, you do not need to update the VDB on these appliances.

The time it takes to update vulnerability mappings depends on the number of hosts in your network map. You may want to schedule the update during low system usage times to minimize the impact of any system downtime. As a rule of thumb, divide the number of hosts on your network by 1000 to determine the approximate number of minutes to perform the update.

TIP! This section explains how to plan for and perform manual VDB updates on your Sourcefire 3D System appliances. You can take advantage of the automated update feature to schedule VDB updates; see Automating Vulnerability Database Updates on page 437.

To update the vulnerability database:

Access: Admin

1. Read the VDB Update Advisory Text for the update.

The VDB Update Advisory Text includes information about the changes to the VDB made in the update, as well as product compatibility information.

2. Select Operations > Update.

The Patch Update Management page appears.

3. Upload the update to the Defense Center.

• If your Defense Center has access to the Internet, click Download Updates to check for the latest updates on the Support site.

• If your Defense Center does not have access to the Internet, manually download the update from the Sourcefire Support Site, then click Upload Update. Browse to the update and click Upload.

IMPORTANT! Download the update directly from the Support Site, either manually or by clicking Download Updates. If you transfer an update file by email, it may become corrupted.

The VDB update is saved on the Defense Center and appears in the Updates section.

4. Click Push next to the VDB update.

The Push Update page appears.


5. Under Selected Update, select the managed 3D Sensors you want to update, then click Push.

Depending on the size of the file, it may take some time to push the VDB update to all sensors. You can monitor the progress of the push in the Defense Center’s task queue (Operations > Monitoring > Task Status). When the push is complete, continue with the next step.

6. Click Install next to the VDB update.

The Install Update page appears.

7. Select the Defense Center, as well as the sensors where you pushed the VDB update, then click Install.

The update process begins. Depending on the number of hosts in your network map, the update may take some time. You can monitor the update's progress in the task queue (Operations > Monitoring > Task Status).

WARNING! Do not use the web interface to perform tasks related to mapped vulnerabilities until the update has completed. If you encounter issues with the update, for example, if the task queue indicates that the update has failed or if a manual refresh of the task queue shows no progress, do not restart the update. Instead, contact Support.

8. After the update finishes, confirm that the VDB build number matches the update you installed.

• To check the VDB build number on the Defense Center, select Operations > Help > About.

• To check the VDB build number on your managed sensors, select Operations > Sensors on the Defense Center, then click Edit next to each sensor you updated.


Chapter 12: Using Backup and Restore

Backup and restoration is an essential part of any system maintenance plan. While each organization's backup plan is highly individualized, the Sourcefire 3D System provides a mechanism for archiving data so that the Defense Center or 3D Sensor can be restored in case of disaster.

You can restore a backup onto a replacement appliance if the two appliances are the same model and are running the same version of the Sourcefire 3D System software.

WARNING! Do not use the backup and restore process to copy the configuration files between sensors. The configuration files include information that uniquely identifies a sensor and cannot be shared.

By default, system configuration files are saved in the backup file. You can also choose to back up the following, if applicable for the range of appliances in your deployment:

• the entire intrusion event database

• the entire RNA event database

• additional files that reside on the appliance

WARNING! If you applied any SEU updates, those updates are not backed up. You need to apply the latest SEU update after you restore.


You can save backup files to the appliance or to your local computer. Additionally, if you are using a Series 2 Defense Center, you can use remote storage as detailed in Managing Remote Storage on page 393.

See the following sections for more information.

• See Creating Backup Files on page 414 for information about backing up files from the appliance.

• See Creating Backup Profiles on page 418 for information about creating backup profiles that you can use later as templates for creating backups.

• See Performing Sensor Backup with the Defense Center on page 419 for information about backing up managed sensors with the Defense Center.

• See Uploading Backups from a Local Host on page 420 for information about uploading backup files from a local host.

• See Restoring the Appliance from a Backup File on page 421 for information about how to restore a backup file to the appliance.

Creating Backup Files

Requires: IPS or DC/MDC

To view and use existing system backups, go to the System Backup Management page. You should periodically save a backup file that contains all of the configuration files required to restore the appliance, in addition to event and packet data. You may also want to back up the system when testing configuration changes so that you can revert to the saved configuration, if needed. You can choose to save the backup file on the appliance or on your local computer.

If your backup file is larger than 4GB, or as an alternative in any case, copy it via SCP to a remote host: uploading a backup from your local computer does not work for files larger than 4GB because web browsers do not support uploading files that large. On Series 2 Defense Centers, the backup file can also be saved to a remote location; see Managing Remote Storage on page 393.

When your backup task is collecting RNA events, data correlation is temporarily suspended.


The Defense Center and Master Defense Center version of the page is shown below.


For comparison, the 3D Sensor version of the page is shown below.

To create a backup file:

Access: Maint/Admin

1. Select Operations > Tools > Backup/Restore.

The System Backup Management page appears.

2. Click Sensor Backup on a 3D Sensor toolbar or Defense Center Backup on a Defense Center toolbar.

The Backup page appears.

3. In the Name field, type a name for the backup file.

You can use alphanumeric characters, punctuation, and spaces.

4. Requires: IPS or DC/MDC To archive the configuration, select Backup Configuration.

5. Requires: IPS or DC/MDC To archive the entire event database, select Backup Events.

6. Requires: IPS To archive individual intrusion event data files, select the files that you want to include from the Unified File List.


7. Requires: IPS Ensure that the estimated compressed size shown in the Selected Sum field is less than the value in the Available Space field.

TIP! The compressed value that appears in the Selected Sum field is a conservative estimate of the size of the compressed file. Often, the file will be smaller.

8. If you want to include an additional file in the backup, type the full path and file name in the Additional Files field and click the plus sign (+).

TIP! You can repeat this step to add additional files.

9. Optionally, to be notified when the backup is complete, select the Email when complete check box and type your email address in the accompanying text box.

You must make sure that your mail relay host is configured as described in Configuring a Mail Relay Host and Notification Address on page 338.

10. Optionally, to use secure copy (scp) to copy the backup archive to a different machine, select the Copy when complete check box and then type the following information in the accompanying text boxes:

• the hostname or IP address of the machine where you want to copy the backup

• the path to the directory where you want to copy the backup

• the user name that you want to use to log into the remote machine

• the password for that user name

TIP! Sourcefire recommends that you periodically save backups to a remote location so that the appliance can be restored in case of system failure.


11. You have the following options:

• To save the backup file to the appliance, click Start Backup. The backup file is saved in the /var/sf/backup directory. On Series 2 Defense Centers, you can direct the backup file to a remote location; see Managing Remote Storage on page 393.

When the backup process is complete, you can view the file on the Restoration Database page. For information about restoring a backup file, see Restoring the Appliance from a Backup File on page 421.

• To save this configuration as a backup profile that you can use later, click Save As New.

You can modify or delete the backup profile by selecting Operations > Tools > Backup/Restore and then clicking Backup Profiles. See Creating Backup Profiles on page 418 for more information.

Creating Backup Profiles

Requires: IPS or DC/MDC

You can use the Backup Profiles page to create backup profiles that contain the settings that you want to use for different types of backups. You can later select one of these profiles when you are backing up the files on your appliance.

TIP! When you create a backup file as described in Creating Backup Files on page 414, a backup profile is automatically created.

To create a backup profile:

Access: Maint/Admin

1. Select Operations > Tools > Backup/Restore.

The System Backup Management page appears.

2. Click Backup Profiles on the toolbar.

The Backup Profiles page appears with a list of existing backup profiles.

TIP! You can click Edit to modify an existing profile or click Delete to delete a profile from the list.

3. Click Create Profile.

The System Backup page appears.


4. Type a name for the backup profile.

You can use alphanumeric characters, punctuation, and spaces.

5. Configure the backup profile according to your needs.

See Creating Backup Files on page 414 for more information about the options on this page.

6. Click Save As New to save the backup profile.

The Backup Profiles page appears and includes your new profile in the list.

Performing Sensor Backup with the Defense Center

Requires: DC

You can use the Defense Center to back up data on managed 3D Sensors. The default name for the backup file uses the name of the managed 3D Sensor.

TIP! If you use a backup file name containing spaces or punctuation characters, they change to underscores.

You cannot use remote backup and restore to manage data on Crossbeam-based software sensors, RNA Software for Red Hat Linux, 3Dx800 sensors, or Intrusion Agents.

To back up a managed sensor:

Access: Maint/Admin

1. Select Operations > Tools > Backup/Restore.

The System Backup Management page appears.

2. Click Sensor Backup on the toolbar.

The Remote Backup page appears.

3. In the Sensors field, select the managed sensors that you want to back up.

4. To include event data in addition to configuration data, select the Include All Unified Files check box. Note that unified files are the binary files that the Sourcefire 3D System uses to log event data.


5. To save the backup file on the Defense Center, select the Retrieve to DC check box.

TIP! To save each sensor’s backup file on the sensor itself, leave this check box unselected.

6. Click Start Backup.

TIP! It can take several minutes to complete the backup. Check the task status for progress.

A success message appears and the backup task is set up. When the backup is complete, you can view the backup file on the Restoration Database page.

Uploading Backups from a Local Host

Requires: DC

If you download a backup file to your local host using the download function described in the Backup Management table on page 421, you can upload it to a Defense Center.

TIP! Uploading a backup larger than 4GB from your local host does not work because web browsers do not support uploading files that large. As an alternative, copy the backup via SCP to a remote host and retrieve it from there. On Series 2 Defense Centers, the backup file can be saved to and retrieved from a remote location; see Managing Remote Storage on page 393.
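As an added example that is not part of this guide, the following Python script performs the checks a practitioner would want around transferring and restoring a backup archive: it picks the transfer method from the 4GB browser upload limit stated above, verifies that a copied archive is byte-identical to the original with a SHA-256 digest before the original is deleted, and applies the restore rules from the start of this chapter (identical appliance type and version; a sensor's configuration must never be copied onto a different sensor). The dictionary keys used for the System Information column, the binary interpretation of "4GB", and the sample files are assumptions and constructed data, not anything the appliance exposes in this form.

```python
import hashlib
import os
import tempfile

# The guide states that web browsers cannot upload files larger than 4GB; anything
# bigger has to travel by SCP. Binary gigabytes are an assumption here.
BROWSER_UPLOAD_LIMIT = 4 * 1024 ** 3


def transfer_method(size_bytes):
    """Choose how a backup archive of the given size can be moved to or from the appliance."""
    return "scp" if size_bytes > BROWSER_UPLOAD_LIMIT else "browser upload"


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so multi-gigabyte archives never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def copy_is_intact(original, copy):
    """True only when the copy matches the original in size and SHA-256 digest.

    Run this on the receiving side after an SCP transfer or upload and before the
    original is deleted; the guide warns that archives moved through other channels
    (email, for instance) can arrive corrupted.
    """
    if os.path.getsize(original) != os.path.getsize(copy):
        return False
    return sha256_file(original) == sha256_file(copy)


def restore_findings(backup_info, target_info):
    """Apply the guide's restore rules to a backup's System Information.

    Both arguments are dicts with 'name', 'type' and 'version' keys, an assumed
    representation of the System Information column on the Backup Management page.
    Returns a list of (level, message) where level is 'block' or 'warn'.
    """
    findings = []
    if backup_info["type"] != target_info["type"]:
        findings.append(("block", "appliance type differs: %s vs %s"
                         % (backup_info["type"], target_info["type"])))
    if backup_info["version"] != target_info["version"]:
        findings.append(("block", "software version differs: %s vs %s"
                         % (backup_info["version"], target_info["version"])))
    # A sensor backup carries identity that must not be cloned onto another sensor;
    # restoring it elsewhere is only acceptable when that unit replaces the original.
    if backup_info["type"] == "3D Sensor" and backup_info["name"] != target_info["name"]:
        findings.append(("warn", "sensor backup of %s restored on %s: acceptable only for a "
                         "replacement unit, never to copy configuration between sensors"
                         % (backup_info["name"], target_info["name"])))
    return findings


def restore_allowed(backup_info, target_info):
    """True unless a blocking finding exists."""
    return not any(level == "block" for level, _ in restore_findings(backup_info, target_info))


def demo():
    """Exercise every check on constructed sample data; returns the results as a dict."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-ins for a backup archive and two copies of it (random bytes,
        # not real archives): one copied cleanly, one with a single flipped byte.
        original = os.path.join(tmp, "dc_backup.tar.gz")
        good_copy = os.path.join(tmp, "dc_backup.good")
        bad_copy = os.path.join(tmp, "dc_backup.bad")
        data = bytearray(os.urandom(1 << 16))
        with open(original, "wb") as fh:
            fh.write(data)
        with open(good_copy, "wb") as fh:
            fh.write(data)
        data[100] ^= 0xFF   # same size, different content
        with open(bad_copy, "wb") as fh:
            fh.write(data)
        results["good_copy_intact"] = copy_is_intact(original, good_copy)
        results["bad_copy_intact"] = copy_is_intact(original, bad_copy)
    results["small_method"] = transfer_method(512 * 1024 ** 2)
    results["large_method"] = transfer_method(6 * 1024 ** 3)
    dc = {"name": "dc-primary", "type": "Defense Center", "version": "4.9.1"}
    results["dc_same"] = restore_allowed(dc, dict(dc))
    results["dc_old_version"] = restore_allowed(dc, dict(dc, version="4.9.0"))
    sensor = {"name": "sensor-a", "type": "3D Sensor", "version": "4.9.1"}
    results["sensor_findings"] = restore_findings(sensor, dict(sensor, name="sensor-b"))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The size comparison runs first because it is free; the digest comparison is what actually catches a corrupted transfer of the same length. The sensor-name mismatch is a warning rather than a block because the guide allows restoring onto a replacement unit of the same model and version; it is the cloning of one sensor's configuration onto a second, still-running sensor that the chapter forbids.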

To upload a backup from your local host:

Access: Maint/Admin

1. Select Operations > Tools > Backup/Restore.

The System Backup Management page appears.

2. Click Upload Backup.

The Upload Backup page appears.

3. Click Browse, and navigate to the backup file.

After you select the file to upload, click Upload Backup.


4. Click Backup Management on the toolbar to return to the System Backup Management page.

The backup file is uploaded and appears in the backup list.

TIP! After the Defense Center verifies the file integrity, refresh the System Backup Management page to reveal detailed file system information.

Restoring the Appliance from a Backup File

Requires: IPS or DC/MDC

You can restore the appliance from backup files using the System Backup Management page. After you complete the restoration process, you must apply the latest SEU.

If you use local storage, backup files are saved to /var/sf/backup which is listed with the amount of disk space used in the /var partition at the top of the System Backup Management page. On Series 2 Defense Centers, select Enable Remote Storage for Backups to enable or disable remote storage at the top of the System Backup Management page. If you use remote storage, the protocol, backup system, and backup directory are listed at the top of the page. The Backup Management table describes each column and icon on the System Backup Management page.

Backup Management

Column: Description

System Information
The originating appliance name, type, and version. Note that you can only restore a backup to an identical appliance type and version.

Date Created
The date and time that the backup file was created.

File Name
The full name of the backup file.

Location
The location of the backup file.

Size (MB)
The size of the backup file, in megabytes.

Events?
"Yes" indicates the backup includes event data.

View
Click with the backup file selected to view a list of the files included in the compressed backup file.

Restore
Click with the backup file selected to restore it on the appliance.

Download
Click with the backup file selected to save it to your local computer.

Delete
Click with the backup file selected to delete it.

Move
On a Series 2 Defense Center, when you have a previously created local backup selected, click to send the backup to the designated remote backup location.

To restore the appliance from a backup file:

Access: Admin

1. Select Operations > Tools > Backup/Restore.

The System Backup Management page appears. A Series 2 Defense Center version of the page is shown.


2. To view the contents of a backup file, select the file and click View.

The manifest appears listing the name of each file, its owner and permissions, and its file size and date. The Defense Center version of the page is truncated to show a sample of the files that are backed up.

3. On the toolbar, click Backup Management to return to the System Backup Management page.

4. Select the backup file that you want to restore and click Restore.

The Restore Screen page appears.

WARNING! This procedure will overwrite all configuration files and, on the 3D Sensor, all event data.

5. Requires: DC/MDC To restore files, select either or both:

• Replace Configuration Data

• Restore Event Data

Then click Restore to begin the restoration.


6. Requires: IPS If you want to restore intrusion event data, select the files that you want to include from the Unified File List box.

Click Restore to begin the restoration.

TIP! To cancel the restoration, click Cancel.

The appliance is restored using the backup file you specified.

7. Reboot the appliance.

8. Apply the latest SEU to re-apply SEU rule and software updates.

9. Re-apply any intrusion, RNA detection, health, and system policies to the restored system.


Chapter 13: Scheduling Tasks

You can schedule many different types of administrative tasks to run at scheduled times, including:

• running backups

• Requires: IPS applying intrusion policies

• generating reports

• Requires: DC + RNA running Nessus scans

• Requires: DC + RNA synchronizing Nessus plugins

• Requires: DC + RNA running Nmap scans

• Requires: DC + RNA + IPS using RNA rule recommendations

• Requires: IPS importing Security Enhancement Updates (SEUs)

• downloading and installing software updates

• Requires: DC + RNA downloading and installing vulnerability database updates

• Requires: DC pushing downloaded updates to managed sensors

You can schedule tasks to run once or on a recurring schedule.

IMPORTANT! Some tasks (such as those involving automated software and SEU updates and those that require pushing updates or intrusion policies to managed sensors) can place a significant load on networks with low bandwidths. You should always schedule tasks like these to run during periods of low network use.


See the following sections for more information:

• Configuring a Recurring Task on page 426 explains how to set up a scheduled task so that it runs at regular intervals.

• Automating Backup Jobs on page 428 provides procedures for scheduling backup jobs.

• Automating Software Updates on page 430 provides procedures for scheduling the download, push, and installation of software updates.

• Automating Vulnerability Database Updates on page 437 provides procedures for scheduling the download, push, and installation of vulnerability database updates.

• Automating SEU Imports on page 444 provides procedures for scheduling rule updates.

• Automating Intrusion Policy Applications on page 446 provides procedures for scheduling intrusion policy applications.

• Automating Reports on page 448 provides procedures for scheduling reports.

• Automating Nessus Scans on page 450 provides procedures for scheduling Nessus scans.

• Synchronizing Nessus Plugins on page 452 provides procedures for synchronizing your sensor with the Nessus server.

• Automating Nmap Scans on page 454 provides procedures for scheduling Nmap scans.

• Automating Recommended Rule State Generation on page 456 provides procedures for scheduling automatic update of intrusion rule state recommendations based on RNA data.

• Viewing Tasks on page 458 describes how to view and manage tasks after they are scheduled.

• Editing Scheduled Tasks on page 461 describes how to edit an existing task.

• Deleting Scheduled Tasks on page 461 describes how to delete one-time tasks and all instances of recurring tasks.

Configuring a Recurring Task

Requires: IPS or DC/MDC

You set the frequency for a recurring task using the same process for all types of tasks.

IMPORTANT! You cannot configure a recurring task schedule on the inactive Defense Center in a high availability pair of Defense Centers. You must recreate the recurring task schedule on a newly activated Defense Center when it changes from inactive to active.


Note that the time displayed on most pages on the web interface is the local time, which is determined by using the time zone you specify in your system settings. Further, the Defense Center or 3D Sensor with IPS automatically adjusts its local time display for daylight saving time (DST), where appropriate. However, recurring tasks that span the transition dates from DST to standard time and back do not adjust for the transition. That is, if you create a task scheduled for 2am during standard time, it will run at 3am during DST. Similarly, if you create a task scheduled for 2am during DST, it will run at 1am during standard time.
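To make the drift described above concrete, here is an added Python example (not part of the guide) that models a scheduler which, as the guide says, keeps a recurring task at the UTC instant-of-day fixed when the task was created, and shows how the local wall-clock run time shifts by an hour across a DST transition. It also computes the time to enter in the Run At field so that the task fires at the hour you actually want on a date in the other DST regime. It uses the standard `zoneinfo` module (Python 3.9+, which needs the system's IANA time zone data) and America/New_York as an assumed example zone; only the behaviour the guide describes is modelled, not the appliance's implementation.

```python
from datetime import date, datetime, time, timedelta, timezone
from zoneinfo import ZoneInfo   # Python 3.9+; needs the system's IANA time zone data


def recurring_run_times(start_on, run_at, repeat_every_days, count, tz_name):
    """Local wall-clock times at which a recurring task fires.

    Models the behaviour the guide describes: the UTC offset in force when the
    task is created is kept for every later run, so the local run time drifts
    by an hour when DST starts or ends. start_on is 'YYYY-MM-DD', run_at is
    'HH:MM' (both as entered on the Add Task page), tz_name is the IANA name of
    the appliance's configured time zone.
    """
    zone = ZoneInfo(tz_name)
    first_local = datetime.combine(date.fromisoformat(start_on),
                                   time.fromisoformat(run_at), tzinfo=zone)
    first_utc = first_local.astimezone(timezone.utc)
    runs = []
    for i in range(count):
        # UTC has no DST, so the instant-of-day stays fixed; the local time does not.
        fire_utc = first_utc + timedelta(days=repeat_every_days * i)
        runs.append(fire_utc.astimezone(zone))
    return runs


def dst_drift(runs):
    """(first, last) local run times as 'YYYY-MM-DD HH:MM TZ' strings, for a quick report."""
    fmt = "%Y-%m-%d %H:%M %Z"
    return runs[0].strftime(fmt), runs[-1].strftime(fmt)


def compensated_run_at(desired_local, start_on, target_date, tz_name):
    """The 'HH:MM' to type into Run At on start_on so the task fires at
    desired_local wall-clock time on target_date, even if target_date lies in
    the other DST regime. Caveat: choose the target in the regime you care
    about; one task cannot be right in both regimes without being recreated."""
    zone = ZoneInfo(tz_name)
    target_utc = datetime.combine(date.fromisoformat(target_date),
                                  time.fromisoformat(desired_local),
                                  tzinfo=zone).astimezone(timezone.utc)
    # Same UTC time-of-day on the creation date, expressed in local time.
    on_start = datetime.combine(date.fromisoformat(start_on), target_utc.timetz())
    return on_start.astimezone(zone).strftime("%H:%M")


if __name__ == "__main__":
    zone = "America/New_York"   # assumed example zone
    # Created at 02:00 in standard time, the task runs at 03:00 once DST starts.
    print(dst_drift(recurring_run_times("2024-03-01", "02:00", 1, 11, zone)))
    # Enter 01:00 on 2024-03-01 to have it fire at 02:00 local on 2024-03-11.
    print(compensated_run_at("02:00", "2024-03-01", "2024-03-11", zone))
```

The practical reading of the second function is the guide's own advice in reverse: if the task matters most in the DST months (a nightly backup that must finish before the business day), schedule it against the DST clock and accept that it runs an hour early in winter, or recreate it after each transition.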

To configure a recurring task:

Access: Maint/Admin

1. Select Operations > Tools > Scheduling.

The Scheduling page appears.

2. Click Add Task.

The Add Task page appears.

3. From the Job Type list, select the type of task that you want to schedule.

Each of the types of tasks you can schedule is explained in its own section.

4. For the Schedule task to run option, select Recurring.

The page reloads with the recurring task options.

5. In the Start On field, specify the date when you want to start your recurring task. You can use the drop-down list to select the month, day, and year.

6. In the Repeat Every field, specify how often you want the task to recur. You can specify a number of hours, days, weeks, or months.

TIP! You can either type a number or use the arrow buttons to specify the interval. For example, type 2 and select Day(s) to run the task every two days.

7. In the Run At field, specify the time when you want to start your recurring task.


8. If you selected Week(s) in the Repeat Every field, a Repeat On field appears. Select the check boxes next to the days of the week when you want to run the task.

9. If you selected Month(s) in the Repeat Every field, a Repeat On field appears. Use the drop-down list to select the day of the month when you want to run the task.

The remaining options on the Add Task page are determined by the task you are creating. See the following sections for more information:

• Automating Backup Jobs on page 428

• Automating Software Updates on page 430

• Automating Vulnerability Database Updates on page 437

• Automating SEU Imports on page 444

• Automating Intrusion Policy Applications on page 446

• Automating Reports on page 448

• Automating Nessus Scans on page 450

• Synchronizing Nessus Plugins on page 452

• Automating Nmap Scans on page 454

• Automating Recommended Rule State Generation on page 456

Automating Backup Jobs

Requires: IPS or DC/MDC

You can use the scheduler to automate system backups of a Defense Center or a 3D Sensor with IPS.

TIP! You must create a backup profile before you can use it in a scheduled task. For information on backup profiles, see Creating Backup Profiles on page 418.

To automate backup tasks:

Access: Maint/Admin

1. Select Operations > Tools > Scheduling.

The Scheduling page appears.

2. Click Add Task.

The Add Task page appears.


3. From the Job Type list, select Backup.

The page reloads to show the backup options.

4. Specify how you want to schedule the backup, Once or Recurring.

• For one-time tasks, use the drop-down lists to specify the start date and time.

TIP! The Current Time field indicates the current time on the appliance.

• For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task on page 426 for details.

5. In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.

6. From the Backup Profile list, select the appropriate backup profile.

For more information on creating new backup profiles, see Creating Backup Profiles on page 418.

7. Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.

TIP! The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.


8. Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want status messages sent.

IMPORTANT! You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address on page 338 for more information about configuring a relay host.

9. Click Save.

The backup task is created.

Automating Software Updates

The tasks you schedule to automate download, push, and installation of software updates vary depending on whether you are updating an appliance directly or are using a Defense Center to perform the updates.

When automating direct software updates for an appliance, you can schedule automatic software installation and, as long as the appliance has access to the Internet, the appliance automatically downloads the latest update when the installation task runs. So, for example, if you want to update your 3D Sensor directly and it is connected to the internet, you can just schedule the Install Latest Update task. Similarly, if you want to update the software for your Defense Center, you can schedule Install Latest Update to download and install the latest Defense Center update.

If you use your Defense Center to automate software updates for managed 3D Sensors, you must schedule two tasks:

1. Push the update to managed sensors.

2. Install the update on managed sensors.

Note that when the Defense Center runs either the Push Latest Update or the Install Latest Update task, it queries the Sourcefire support site for the latest updates, as long as it has access to the Internet.

You should schedule the push and install tasks to happen in succession. For example, if you want to automate software updates on your managed sensors, you must always push the update to the sensor first, then install it on the sensor.

Always allow enough time between tasks for the process to complete. Tasks should be scheduled at least 30 minutes apart. For example, if you schedule a task to install an update and the update has not finished copying from the Defense Center to the sensor, the installation task will not succeed. However, if the scheduled installation task repeats daily, it will install the pushed update when it runs the next day.

Note that the tasks for pushing the update to managed sensors (on the Defense Center) and installing the update (on any appliance) automatically check the Support site to ensure that you have the latest version of the update. If your appliance cannot access the Support site, the task does not complete. This behavior also has implications for appliances that cannot access the Support site at all. Specifically, if you manually download an update to an appliance that cannot access the Support site, you cannot schedule either pushes to managed sensors (on the Defense Center) or installs (on any appliance). Instead you must manually push or install the updates as described in Updating System Software on page 398.

If you want to have more control over this process, you can use the Once option to download and install updates during off-peak hours after you learn that an update has been released.

TIP! The automated update process allows you to download and install software patches and feature releases (generally when the last two digits in the four-digit version number change, such as 4.8.1 or 4.8.2.1). For larger, more comprehensive updates (such as 4.8 or 4.9), you must manually upload, push, and install the upgrade files.
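The ordering and spacing rules above are easy to get wrong once several sensors are involved, so here is an added Python example (not from the guide) that checks a set of scheduled Defense Center tasks: every Install Latest Update task aimed at a managed sensor must have a Push Latest Update task for that sensor at least 30 minutes earlier, measured on the clock with wrap past midnight, and a push/install pair that recurs on different intervals is flagged. Installs targeting the Defense Center itself need no push, because the Defense Center downloads and installs its own update directly. The task dictionaries are a constructed representation of what you would read off the Scheduling page; the field names are assumptions.

```python
MIN_GAP_MINUTES = 30      # guide: schedule the push and install tasks at least 30 minutes apart
PUSH = "Push Latest Update"
INSTALL = "Install Latest Update"


def _minutes_of_day(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def gap_minutes(push_at, install_at):
    """Minutes from a push at push_at to the next install at install_at,
    wrapping past midnight (push 23:50, install 00:30 is a 40 minute gap)."""
    return (_minutes_of_day(install_at) - _minutes_of_day(push_at)) % (24 * 60)


def validate_update_schedule(tasks):
    """Return a list of problems with the push/install tasks in a schedule.

    Each task is a dict with keys "name", "job", "sensor", "run_at" ("HH:MM")
    and "repeat_every_days" (assumed field names). An install whose sensor is
    "Defense Center" is the DC updating itself and needs no preceding push.
    """
    pushes = [t for t in tasks if t["job"] == PUSH]
    problems = []
    for inst in (t for t in tasks if t["job"] == INSTALL):
        if inst["sensor"] == "Defense Center":
            continue
        matching = [p for p in pushes if p["sensor"] == inst["sensor"]]
        if not matching:
            problems.append("%s: no %s task for sensor %s; there will be nothing to install"
                            % (inst["name"], PUSH, inst["sensor"]))
            continue
        # The push that lands closest before the install is the one that feeds it.
        best = min(matching, key=lambda p: gap_minutes(p["run_at"], inst["run_at"]))
        gap = gap_minutes(best["run_at"], inst["run_at"])
        if gap < MIN_GAP_MINUTES:
            problems.append("%s: only %d minutes after %s; allow at least %d or the install "
                            "runs before the copy to the sensor has finished"
                            % (inst["name"], gap, best["name"], MIN_GAP_MINUTES))
        if best["repeat_every_days"] != inst["repeat_every_days"]:
            problems.append("%s repeats every %d day(s) but %s every %d; pair them on one interval"
                            % (inst["name"], inst["repeat_every_days"],
                               best["name"], best["repeat_every_days"]))
    return problems


# Constructed example schedule, not taken from the guide.
SAMPLE_TASKS = [
    {"name": "push-edge", "job": PUSH, "sensor": "edge-sensor", "run_at": "23:50", "repeat_every_days": 1},
    {"name": "install-edge", "job": INSTALL, "sensor": "edge-sensor", "run_at": "00:30", "repeat_every_days": 1},
    {"name": "push-dmz", "job": PUSH, "sensor": "dmz-sensor", "run_at": "01:00", "repeat_every_days": 1},
    {"name": "install-dmz", "job": INSTALL, "sensor": "dmz-sensor", "run_at": "01:15", "repeat_every_days": 1},
    {"name": "install-lab", "job": INSTALL, "sensor": "lab-sensor", "run_at": "02:00", "repeat_every_days": 7},
    {"name": "install-dc", "job": INSTALL, "sensor": "Defense Center", "run_at": "03:00", "repeat_every_days": 1},
]


if __name__ == "__main__":
    for problem in validate_update_schedule(SAMPLE_TASKS) or ["schedule ok"]:
        print(problem)
```

The midnight wrap matters for exactly the low-traffic windows the IMPORTANT! note above tells you to use: a push at 23:50 followed by an install at 00:30 is a valid 40 minute gap, not a negative one. Note that a too-short gap is a warning rather than a hard failure, since, as the guide says, a daily install that runs before the copy finishes simply picks up the pushed update the next day.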

See the following sections for more information:

• Automating Software Downloads on page 431

• Automating Software Pushes on page 433

• Automating Software Installs on page 435

Automating Software Downloads

Requires: IPS or DC/MDC

You can create a scheduled task that automatically downloads the latest software updates from Sourcefire. On the Defense Center, you can also automate vulnerability database (VDB) updates. You can use this task to schedule download of updates you plan to push or install manually.

To automate software downloads:

Access: Maint/Admin

1. Select Operations > Tools > Scheduling.

The Scheduling page appears.

2. Click Add Task.

The Add Task page appears.


3. From the Job Type list, select Download Latest Update.

The Add Task page reloads to show the update options. The Defense Center version of the page is shown below.

4. Specify how you want to schedule the task, Once or Recurring.

• For one-time tasks, use the drop-down lists to specify the start date and time.

TIP! The Current Time field indicates the current time on the appliance.

• For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task on page 426 for details.

5. In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.

IMPORTANT! If your appliance is not directly connected to the Internet, you should set up a proxy as described in Configuring Network Settings on page 377 to allow it to download updates from the Sourcefire Support site (https://support.sourcefire.com/).

6. In the Update Items section, specify which updates you want to download.

• Select Software to download the most recent software patch.

• Requires: DC Select Vulnerability Database to download the most recent vulnerability database update.

Both options are selected by default.


7. Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.

TIP! The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.

8. Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want status messages sent.

IMPORTANT! You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address on page 338 for more information about configuring a relay host.

9. Click Save.

The task is created.

Automating Software Pushes

Requires: DC/MDC

If you are installing software or vulnerability database updates on managed 3D Sensors, you must push the software to the managed sensors before installing. When you push software updates to managed sensors, information about the push process status is reported on the Tasks page. See Viewing the Status of Long-Running Tasks on page 600 for more information.

Note that if you manually download an update to an appliance that cannot access the Support site, you cannot schedule pushes to managed sensors. Instead you must manually push the update as described in Updating System Software on page 398.

When you create the task to push software updates to managed sensors, make sure you allow enough time between the push task and a scheduled install task for the updates to be copied to the sensor.

To push software updates to managed sensors:

Access: Maint/Admin

1. Select Operations > Tools > Scheduling.

The Scheduling page appears.

2. Click Add Task.

The Add Task page appears.


3. From the Job Type list, select Push Latest Update.

The page reloads to show the options for pushing updates.

4. Specify how you want to schedule the task, Once or Recurring.

• For one-time tasks, use the drop-down lists to specify the start date and time.

TIP! The Current Time field indicates the current time on the appliance.

• For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task on page 426 for details.

5. In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.

6. From the Sensor list, select the sensor that you want to receive updates.

7. In the Update Items section, specify which updates you want to push to your managed sensors.

• Select Software to push the software update.

• (Requires: DC + RNA) Select Vulnerability Database to push the VDB update.

Both options are selected by default.

8. Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.

TIP! The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.


9. Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want status messages sent.

IMPORTANT! You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address on page 338 for more information about configuring a relay host.

10. Click Save.

The task is added. You can check the status of a running task on the Task Status page. See Viewing the Status of Long-Running Tasks on page 600 for more information.

Automating Software Installs

Requires: IPS or DC/MDC

If you are using a Defense Center to create a task to install a software update on a managed sensor, make sure you allow enough time between the task that pushes the update to the sensor and the task that installs the update. See Automating Software Pushes on page 433 for information about pushing updates to managed sensors.

Note that if you manually download an update to an appliance that cannot access the Support site, you cannot schedule installation of that update. Instead you must manually install the update as described in Updating System Software on page 398.

WARNING! Depending on the update being installed, the appliance may reboot after the software is installed.

To schedule a software installation task:

Access: Maint/Admin

1. Select Operations > Tools > Scheduling.

The Scheduling page appears.

2. Click Add Task.

The Add Task page appears.


3. From the Job Type list, select Install Latest Update.

The page reloads to show the options for installing updates. The Defense Center version of the page is shown below.

4. Specify how you want to schedule the task, Once or Recurring.

• For one-time tasks, use the drop-down lists to specify the start date and time.

TIP! The Current Time field indicates the current time on the appliance.

• For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task on page 426 for details.

5. In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.

6. If you are using a Defense Center, from the Sensor list, you have the following options:

• Select the sensor where you want to install the update.

• Select the name of the Defense Center to install the update there.

7. In the Update Items section, select Software to install the software update.

8. Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.

TIP! The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.


9. Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want status messages sent.

IMPORTANT! You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address on page 338 for more information about configuring a relay host.

10. Click Save.

The scheduled software installation task is added.

You can check the status of a running task on the Task Status page. See Viewing the Status of Long-Running Tasks on page 600 for more information.

Automating Vulnerability Database Updates

Sourcefire uses vulnerability database (VDB) updates to distribute new operating system fingerprints as we expand the list of operating systems that RNA recognizes. VDB updates also include new vulnerabilities discovered by the Sourcefire Vulnerability Research Team (VRT). You can use the scheduling feature to download and install the latest VDB updates, thereby ensuring that RNA is using the most up-to-date information to evaluate the hosts on your network.

TIP! If your Sourcefire 3D System deployment includes IPS and RNA monitoring the same network segments, make sure that you download and install VDB updates and SEUs on a regular basis. This ensures that your Defense Center is correctly setting the impact flag on the intrusion events generated by the traffic on your network.

When automating VDB updates for your Defense Center, you must automate two separate steps:

1. Downloading the VDB update.

2. Installing the VDB update.

When automating VDB updates for managed sensors with RNA, you must schedule three tasks in this order:

1. Download the VDB update on your Defense Center.

2. Push the VDB update to your managed 3D Sensors that are using the RNA component.

3. Install the VDB update on the Defense Center and on those managed sensors.

Always allow enough time between tasks for the process to complete. For example, if you schedule a task to install an update and the update has not fully downloaded, the installation task will not succeed. However, if the scheduled installation task repeats daily, it will install the downloaded VDB update when it runs the next day.

Note that if you manually download an update to an appliance that cannot access the Support site, you cannot schedule either pushes to managed sensors (on the Defense Center) or installs (on any appliance). Instead you must manually push or install the updates as described in Updating System Software on page 398.

If you want to have more control over this process, you can use the Once option to download and install VDB updates during off-peak hours after you learn that an update has been released.

See the following sections for more information:

• Automating VDB Update Downloads on page 438

• Automating VDB Update Pushes on page 440

• Automating VDB Update Installs on page 442
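The three-task ordering and the advice to leave time between tasks also apply to the software push and install tasks described earlier in this chapter. The following Python model is an added illustration of that timing rule; it is not part of the Sourcefire 3D System and nothing in this guide exposes such a model. The task names, the assumed durations (a three-hour download, a thirty-minute push, a twenty-minute install), the constructed date, and the rule that a run fails when its prerequisite has not finished are all assumptions of the example; the real scheduler simply reports each run's result on the Task Status page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed model of a download -> push -> install chain of scheduled tasks.
# Durations are assumptions; the product does not expose them.


@dataclass
class Task:
    name: str
    start: datetime              # first scheduled run
    duration: timedelta          # assumed time the step needs to finish
    after: Optional[str] = None  # name of the task whose result this one consumes
    recurring: bool = True       # True = repeats daily, False = runs once


def spacing_problems(tasks: List[Task]) -> List[Tuple[str, str]]:
    """Static check: a task must start after its prerequisite is expected to finish.

    Returns (task, prerequisite) pairs whose scheduled gap is too short."""
    by_name = {t.name: t for t in tasks}
    problems = []
    for t in tasks:
        if t.after is None:
            continue
        pre = by_name[t.after]
        if t.start < pre.start + pre.duration:
            problems.append((t.name, pre.name))
    return problems


def simulate(tasks: List[Task], days: int = 2) -> List[Tuple[datetime, str, str]]:
    """Replay every scheduled run in time order and return (time, task, result).

    A run succeeds only if the prerequisite's artifact was complete before the
    run started. A successful run records the earliest time its own artifact
    became usable, so a later re-download does not invalidate an earlier one."""
    ready: Dict[str, datetime] = {}
    log = []
    runs = [(t.start + timedelta(days=d), t)
            for t in tasks
            for d in range(days if t.recurring else 1)]
    for when, t in sorted(runs, key=lambda r: r[0]):
        ok = t.after is None or (t.after in ready and ready[t.after] <= when)
        if ok:
            ready.setdefault(t.name, when + t.duration)
        log.append((when, t.name, "ok" if ok else "failed"))
    return log


DAY1 = datetime(2010, 6, 1)  # constructed date for the example


def make_schedule(push_hour: int, install_hour: int) -> List[Task]:
    """Daily VDB pipeline: download at 02:00, push and install at the given hours."""
    return [
        Task("vdb-download", DAY1 + timedelta(hours=2), timedelta(hours=3)),
        Task("vdb-push", DAY1 + timedelta(hours=push_hour), timedelta(minutes=30),
             after="vdb-download"),
        Task("vdb-install-sensor", DAY1 + timedelta(hours=install_hour),
             timedelta(minutes=20), after="vdb-push"),
    ]


def summary(tasks: List[Task], days: int = 2) -> Dict[Tuple[int, str], str]:
    """Map (day of month, task name) -> result for quick inspection."""
    return {(when.day, name): result for when, name, result in simulate(tasks, days)}


if __name__ == "__main__":
    tight = make_schedule(push_hour=3, install_hour=4)
    print("spacing problems:", spacing_problems(tight))  # push starts before the download can finish
    for key, result in sorted(summary(tight).items()):
        print(key, result)  # day 1: push and install fail; day 2: both succeed
    print("fixed:", spacing_problems(make_schedule(push_hour=6, install_hour=7)))
```

Run as a script, the tight schedule (download at 02:00, push at 03:00, install at 04:00) fails its push and install on day one and succeeds on day two, which is the recovery the paragraph above describes for a daily recurring install. spacing_problems() flags the same mistake before anything is scheduled, and the schedule with the push at 06:00 and the install at 07:00 passes both checks.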

Automating VDB Update Downloads

Requires: DC/MDC + RNA

You can create a scheduled task that automatically downloads the latest vulnerability database updates from Sourcefire.

IMPORTANT! You cannot download the VDB using a scheduled task on a sensor. You must download the VDB on the Defense Center and push it to the sensor.

To automate VDB update downloads:

Access: Maint/Admin

1. Select Operations > Tools > Scheduling.

The Scheduling page appears.

2. Click Add Task.

The Add Task page appears.


3. From the Job Type list, select Download Latest Update.

The Add Task page reloads to show the update options.

4. Specify how you want to schedule the task, Once or Recurring.

• For one-time tasks, use the drop-down lists to specify the start date and time.

TIP! The Current Time field indicates the current time on the appliance.

• For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task on page 426 for details.

5. In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.

IMPORTANT! If your appliance is not directly connected to the Internet, you should set up a proxy as described in Configuring Network Settings on page 377 to allow it to download updates from the Sourcefire Support site (https://support.sourcefire.com/).

6. In the Update Items section, make sure Vulnerability Database is selected.

Both the Software and Vulnerability Database options are selected by default.

7. Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.

TIP! The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.


8. Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want status messages sent.

IMPORTANT! You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address on page 338 for more information about configuring a relay host.

9. Click Save.

The task is created.

Automating VDB Update Pushes

Requires: DC/MDC + 3D Sensor + RNA

If you are installing vulnerability database updates on managed 3D Sensors with RNA, you must push the update to the managed sensors before installing. When you push VDB updates to managed sensors, information about the process status is reported on the Tasks page. See Viewing the Status of Long-Running Tasks on page 600 for more information.

Note that if you manually download an update to an appliance that cannot access the Support site, you cannot schedule pushes to managed sensors. Instead you must manually push the update as described in Updating System Software on page 398.

WARNING! You must download vulnerability database updates before you can push them to managed sensors.

To push VDB updates to managed 3D Sensors with RNA:

Access: Maint/Admin

1. Select Operations > Tools > Scheduling.

The Scheduling page appears.

2. Click Add Task.

The Add Task page appears.


3. From the Job Type list, select Push Latest Update.

The page reloads to show the options for pushing updates.

4. Specify how you want to schedule the task, Once or Recurring.

• For one-time tasks, use the drop-down lists to specify the start date and time.

TIP! The Current Time field indicates the current time on the appliance.

• For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task on page 426 for details.

5. In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.

6. From the Sensor list, select the sensor that you want to receive updates.

7. In the Update Items section, make sure Vulnerability Database is selected.

Both the Software and Vulnerability Database options are selected by default.

8. Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.

TIP! The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.


9. Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want status messages sent.

IMPORTANT! You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address on page 338 for more information about configuring a relay host.

10. Click Save.

The task is added. You can check the status of a running task on the Task Status page. See Viewing the Status of Long-Running Tasks on page 600 for more information.

Automating VDB Update Installs

Requires: DC/MDC + RNA

After you have downloaded a VDB update, you can schedule the installation process.

You should allow enough time for a scheduled VDB update to download when you set up a scheduled task to install it. If you are creating a task to install a VDB update on a managed sensor, you must allow enough time between the task that pushes the update to the sensor and the task that installs the update. See Automating VDB Update Pushes on page 440 for information about pushing updates to managed sensors.

Note that if you manually download an update to an appliance that cannot access the Support site, you cannot schedule installation of that update. Instead you must manually install the updates as described in Updating System Software on page 398.

To schedule a VDB installation task:

Access: Maint/Admin

1. Select Operations > Tools > Scheduling.

The Scheduling page appears.

2. Click Add Task.

The Add Task page appears.


3. From the Job Type list, select Install Latest Update.

The page reloads to show the options for installing updates.

4. Specify how you want to schedule the task, Once or Recurring.

• For one-time tasks, use the drop-down lists to specify the start date and time.

TIP! The Current Time field indicates the current time on the appliance.

• For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task on page 426 for details.

5. In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.

6. From the Sensor list, you have the following options:

• If you want to install the update on a managed sensor, select the name of the sensor from the drop-down list.

• If you want to install the update on the Defense Center, select the name of the Defense Center from the drop-down list.

7. In the Update Items section, select Vulnerability Database to install the VDB update.

8. Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.

TIP! The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.


9. Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want status messages sent.

IMPORTANT! You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address on page 338 for more information about configuring a relay host.

10. Click Save.

The scheduled VDB installation task is added.

You can check the status of a running task on the Task Status page. See Viewing the Status of Long-Running Tasks on page 600 for more information.

Automating SEU Imports

Requires: IPS or DC/MDC + IPS

As new vulnerabilities are identified, the Sourcefire Vulnerability Research Team (VRT) releases Security Enhancement Updates (SEUs). An SEU contains new and updated standard text rules and shared object rules and may contain updated versions of Snort® and features such as preprocessors and decoders. You can automatically download and install SEUs.

The Import SEU task allows you to schedule the following subtasks separately or to combine them into one scheduled task:

1. Download the latest SEU.

2. Import the SEU.

3. Re-apply your intrusion policy so that the new SEU takes effect.

Note that on the Defense Center, you also must re-apply your intrusion policies on your managed 3D Sensors with IPS. Applying an intrusion policy from a Defense Center to a managed sensor after you import an SEU does not apply the SEU to the sensor. However, any new rules or features provided by the SEU that are enabled in the policy you apply to the sensor are also enabled on the sensor by that policy.

The selected subtasks present in the Import SEU task occur in the following order: download, install, rule state update, and policy re-apply. Once one subtask completes, the next configured subtask begins. Note that you can only re-apply policies applied from the appliance where the scheduled task is configured.

If you enable Update when a new SEU is installed for the base policy of an existing policy and the SEU contains changes to the default rule states for existing rules in that base policy, those changes are also imported. Note, however, that if you changed a rule state, the SEU does not override your change.

VRT sometimes uses an SEU to change the default state of one or more rules in a default policy. If you allow SEUs to update your base policy, you also allow the SEU to change the default state of a rule in your policy when the default state changes in the default policy you used to create your policy (or in the default policy it is based on). Note, however, that if you have changed the rule state, the SEU will not override your change.
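The rule-state behaviour in the two paragraphs above (SEU changes to a base policy's defaults are inherited, but an administrator's explicit change is never overridden) is a three-way merge between the old defaults, the new defaults, and the local overrides. The following Python is an added example that models that merge; it is not Sourcefire code, and the product stores its policies differently. The rule names (rule-A and so on), the three state labels, and the choice to leave a policy untouched when Update when a new SEU is installed is off are assumptions of the example; the guide does not say how rules that are new in the SEU are treated in that case.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Rule states as the guide names them (generate events, drop and generate, disabled);
# the short labels are constructed for the example.
RULE_STATES = {"generate", "drop", "disabled"}


@dataclass
class IntrusionPolicy:
    name: str
    base_defaults: Dict[str, str]                               # rule -> state inherited from the base policy
    user_changes: Dict[str, str] = field(default_factory=dict)  # rule -> state set by hand in this policy
    update_on_seu: bool = True                                  # "Update when a new SEU is installed"

    def effective_state(self, rule: str) -> str:
        """A hand-set state wins over the inherited default; unknown rules count as disabled."""
        return self.user_changes.get(rule, self.base_defaults.get(rule, "disabled"))

    def set_rule_state(self, rule: str, state: str) -> None:
        """Record an administrator's explicit change; this is what an SEU must not override."""
        if state not in RULE_STATES:
            raise ValueError(f"unknown rule state {state!r}")
        self.user_changes[rule] = state


def apply_seu(policy: IntrusionPolicy, seu_defaults: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Merge the SEU's new default states for the base policy into `policy`.

    Returns (rule, old effective state, new effective state) for every rule whose
    effective state actually changed. Hand-set rules keep the administrator's state;
    rules new in the SEU arrive with the SEU's default."""
    changed = []
    if not policy.update_on_seu:
        return changed  # assumption: nothing in the policy moves when the option is off
    for rule, new_default in seu_defaults.items():
        if new_default not in RULE_STATES:
            raise ValueError(f"unknown rule state {new_default!r} for {rule}")
        before = policy.effective_state(rule)
        policy.base_defaults[rule] = new_default  # the inherited default follows the SEU...
        after = policy.effective_state(rule)      # ...but a user override still wins
        if before != after:
            changed.append((rule, before, after))
    return changed


def demo(update_on_seu: bool = True) -> Tuple[IntrusionPolicy, List[Tuple[str, str, str]]]:
    """Constructed scenario: three existing rules, one changed by hand, then an SEU
    that changes two defaults and adds a new rule."""
    policy = IntrusionPolicy(
        "corp-ips",
        base_defaults={"rule-A": "generate", "rule-B": "disabled", "rule-C": "generate"},
        update_on_seu=update_on_seu,
    )
    policy.set_rule_state("rule-B", "drop")  # administrator override
    seu_defaults = {"rule-A": "drop", "rule-B": "generate", "rule-D": "generate"}
    changes = apply_seu(policy, seu_defaults)
    return policy, changes


if __name__ == "__main__":
    policy, changes = demo()
    for rule, before, after in changes:
        print(f"{rule}: {before} -> {after}")  # rule-A and the new rule-D change
    print("rule-B keeps the administrator's state:", policy.effective_state("rule-B"))
```

In the scenario, rule-A follows the SEU from generate to drop, rule-D appears with its SEU default, and rule-B stays at the administrator's drop setting even though its base default moved from disabled to generate. With update_on_seu set to False the policy is returned unchanged.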

In addition to configuring SEU imports on the Scheduling page, you can also use the recurring SEU import feature on the Import SEU page. For more information on the recurring SEU import feature and a comparison of the two methods of setting up recurring imports, see Importing SEUs and Rule Files in the Analyst Guide. Note that you must be using Snort 2.8.2 or higher to import recurring SEUs on the Import SEU page.

IMPORTANT! SEUs may contain new binaries. Make sure your process for downloading and importing SEUs complies with your security policies. In addition, SEUs can be quite large, so make sure you schedule downloads during periods of low network use.
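The IMPORTANT note above says an SEU may carry new binaries, so the check a practitioner wants before a scheduled or manual import is that the file on disk is the one the vendor published. The following Python is an added example of that check; it is not part of the Sourcefire product, and this guide does not describe any published digest. The expected SHA-256 is assumed to be obtained out of band (for example from release notes or a value recorded by the person who downloaded the file), and make_sample() only constructs a stand-in file so the example runs offline.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Optional, Tuple

CHUNK = 1 << 20  # read 1 MiB at a time; SEU files can be large


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 without loading it all into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_update(path: str, expected_sha256: str,
                  max_bytes: Optional[int] = None) -> Tuple[bool, str]:
    """Decide whether a downloaded update may be imported.

    `expected_sha256` must come from a channel other than the download itself
    (assumption for this example). Returns (ok, reason); only (True, "verified")
    means the file should go on to the import step."""
    if not os.path.isfile(path):
        return False, "missing"
    if max_bytes is not None and os.path.getsize(path) > max_bytes:
        return False, "too large"
    expected = expected_sha256.strip().lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        return False, "bad expected digest"
    # Constant-time comparison so a mismatch does not leak how much of the digest matched.
    if not hmac.compare_digest(sha256_of(path), expected):
        return False, "digest mismatch"
    return True, "verified"


def make_sample(size: int = 3 * CHUNK + 17) -> Tuple[str, str]:
    """Write a constructed stand-in for a downloaded SEU file and return its path
    together with the digest an out-of-band source would publish for it."""
    data = (b"constructed-seu-" * (size // 16 + 1))[:size]
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path, hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    path, digest = make_sample()
    print(verify_update(path, digest))                 # (True, 'verified')
    print(verify_update(path, "0" * 64))               # (False, 'digest mismatch')
    print(verify_update(path, digest, max_bytes=1024))  # (False, 'too large')
    os.remove(path)
```

The size limit is a cheap guard against a truncated or swapped download before the full hash is computed; the constant-time comparison is habit rather than a necessity here, since the digest is not a secret, but it costs nothing.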

To schedule an Import SEU task:

Access: Maint/Admin

1. Select Operations > Tools > Scheduling.

The Scheduling page appears.

2. Click Add Task.

The Add Task page appears.

3. From the Job Type list, select Import SEU.

The page reloads to show the options for importing SEUs.


4. Specify how you want to schedule the task, Once or Recurring.

• For one-time tasks, use the drop-down lists to specify the start date and time.

TIP! The Current Time field indicates the current time on the appliance.

• For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task on page 426 for details.

5. In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.

6. To use this task to download the latest SEU, select Download the latest SEU from the support site.

7. To use this task to install the latest downloaded SEU, select Install the latest downloaded SEU.

8. To re-apply intrusion policies after installing an SEU, select Reapply intrusion policies after the SEU import completes.

9. Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.

TIP! The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.

10. Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want status messages sent.

IMPORTANT! You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address on page 338 for more information about configuring a relay host.

11. Click Save.

The task is created.

Automating Intrusion Policy Applications

Requires: IPS or DC/MDC + IPS

You can automatically apply intrusion policies at scheduled intervals. This feature is useful if you need to use different policies during different times of the day.


To automate intrusion policy application:

Access: Maint/Admin

1. Select Operations > Tools > Scheduling.

The Scheduling page appears.

2. Click Add Task.

The Add Task page appears.

3. From the Job Type list, select Apply Policy.

The page reloads to show the options for applying an intrusion policy.

4. Specify how you want to schedule the task, Once or Recurring.

• For one-time tasks, use the drop-down lists to specify the start date and time.

TIP! The Current Time field indicates the current time on the appliance.

• For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task on page 426 for details.

5. In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.

6. In the Policy Name field, select the intrusion policy you want to apply from the drop-down list or select Policy Default to apply the policy to each detection engine targeted in the policy.

7. In the Detection Engine field, select the detection engine where you want to apply the policy.


8. Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.

TIP! The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.

9. Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want status messages sent.

IMPORTANT! You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address on page 338 for more information about configuring a relay host.

10. Click Save.

The task is created.

You can check the status of a running task on the Task Status page. See Viewing the Status of Long-Running Tasks on page 600 for more information.

Automating Reports

Requires: IPS or DC/MDC

You can automate reports so that they run at regular intervals. However, you must design a profile for your report before you can configure it as a scheduled task. See Creating a Report Profile on page 246 for more information about using the report designer to create a report profile.

To automate a report:

Access: Maint/Admin

1. Select Operations > Tools > Scheduling.

The Scheduling page appears.

2. Click Add Task.

The Add Task page appears.


3. From the Job Type list, select Reports.

The page reloads to show the options for setting up a report to run automatically. The Defense Center version of the page is displayed below.

4. Specify how you want to schedule the task, Once or Recurring.

• For one-time tasks, use the drop-down lists to specify the start date and time.

TIP! The Current Time field indicates the current time on the appliance.

• For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task on page 426 for details.

5. In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.

6. In the Report Profile field, select the report profile that you want to use from the drop-down list.

IMPORTANT! You cannot run remote reports on Crossbeam-based software sensors.

7. (Requires: DC) If you want to run the report on a managed sensor, in the Remote Run field, select the name of the sensor from the drop-down list.

8. Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.

TIP! The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.


9. Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want status messages sent.

IMPORTANT! You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address on page 338 for more information about configuring a relay host.

10. Click Save.

The task is created.

Automating Nessus Scans

You can schedule regular Nessus scans of targets on your network. Automated scans allow you to test periodically to make sure that operating system updates or other changes do not introduce vulnerabilities on your enterprise-critical systems. You can also schedule scans to test for recurrent vulnerabilities to attacks that have happened in the past. See the following sections for more information:

• Preparing Your System to Run a Nessus Scan on page 450

• Scheduling a Nessus Scan on page 451

Note that a Policy & Response Administrator can also use a Nessus scan as a remediation. For more information, see Nessus Scan Remediations in the Analyst Guide.

Preparing Your System to Run a Nessus Scan

If you have not used the Nessus scanning capability before, you need to complete several Nessus configuration steps prior to defining a scheduled scan.

1. If you do not have an existing external Nessus server, set up the Nessus server on your Defense Center.

For more information on starting the server and configuring and activating a Nessus user, see Configuring a Local Nessus Server on page 641.

2. Create a scan instance to define the Nessus server to be used by your scan.

For more information on setting up a Nessus server connection profile, see Creating a Nessus Scan Instance on page 643.

IMPORTANT! Make note of the name of the scan instance you create. You need to select this name when prompted for the Nessus Remediation name when setting up the scheduled scan.


3. Create a scan target to define the target hosts and host ports to scan.

For more information on setting up a scan target, see Creating a Nessus Scan Target on page 645.

4. Create a remediation definition to define what plugins and Nessus scan settings should be used when the scheduled scan runs.

For more information on setting up a remediation definition, see Creating a Nessus Remediation on page 646.

5. Continue with Scheduling a Nessus Scan.

Scheduling a Nessus Scan

Requires: DC + RNA

You can automate Nessus scanning using a specific scan remediation by scheduling the scan.

To schedule Nessus scanning:

Access: Maint/Admin

1. Select Operations > Tools > Scheduling.

The Scheduling page appears.

2. Click Add Task.

The Add Task page appears.

3. From the Job Type list, select Nessus Scan.

The page reloads to show the options for automating Nessus scans.


4. Specify how you want to schedule the task, Once or Recurring.

• For one-time tasks, use the drop-down lists to specify the start date and time.

TIP! The Current Time field indicates the current time on the appliance.

• For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task on page 426 for details.

5. In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.

6. In the Nessus Remediation field, select the Nessus remediation for the Nessus server where you want to run the scan.

7. In the Nessus Target field, select the scan target that defines the target hosts you want to scan.

8. Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.

TIP! The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.

9. Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want status messages sent.

IMPORTANT! You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address on page 338 for more information about configuring a relay host.

10. Click Save.

The task is created.

Synchronizing Nessus Plugins

Requires: DC + RNA

You can automate synchronization with the Nessus server to obtain an up-to-date list of plugins before you scan. You may want to schedule your plugin synchronization to occur shortly before your scheduled Nessus scans to make sure that you scan with the latest list of plugins.


To schedule Nessus plugin synchronization:

Access: Maint/Admin

1. Select Operations > Tools > Scheduling.

The Scheduling page appears.

2. Click Add Task.

The Add Task page appears.

3. From the Job Type list, select Synchronize Nessus Plugins.

The page reloads to show the Nessus plugin synchronization options.

4. Specify how you want to schedule the task, Once or Recurring.

• For one-time tasks, use the drop-down lists to specify the start date and time.

TIP! The Current Time field indicates the current time on the appliance.

• For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task on page 426 for details.

5. In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.

6. In the Nessus Instance field, select the instances with the Nessus plugins that you want to synchronize.

7. Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.

TIP! The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.


8. Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want status messages sent.

IMPORTANT! You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address on page 338 for more information about configuring a relay host.

9. Click Save.

The task is created.

Automating Nmap Scans

You can schedule regular Nmap scans of targets on your network. Automated scans allow you to refresh operating system and service information previously supplied by an Nmap scan. Because RNA cannot update Nmap-supplied data, you need to rescan periodically to keep that data up to date. You can also schedule scans to automatically test for unidentified services on hosts in your network. See the following sections for more information:

• Preparing Your System for an Nmap Scan

• Scheduling an Nmap Scan

Note that a Policy & Response Administrator can also use an Nmap scan as a remediation. For example, when an operating system conflict occurs on a host, that conflict can trigger an Nmap scan. Running the scan obtains updated operating system information for the host, which resolves the conflict. For more information, see Nmap Scan Remediations in the Analyst Guide.

Preparing Your System for an Nmap Scan

If you have not used the Nmap scanning capability before, you must complete several Nmap configuration steps prior to defining a scheduled scan.

1. Create a scan instance to define the Nmap server to be used by your scan.

For more information on setting up an Nmap server connection profile, see Creating an Nmap Scan Instance in the Analyst Guide.

IMPORTANT! Make note of the name of the scan instance you create. You need to select this name when prompted for the Nmap Configuration name when setting up the scheduled scan.

2. Create a scan target to define the target hosts and host ports to scan.

For more information on setting up a scan target, see Creating an Nmap Scan Target in the Analyst Guide.

3. Create a remediation definition to define what plugins and Nmap scan settings should be used when the scheduled scan runs.

For more information on setting up a remediation definition, see Creating an Nmap Remediation in the Analyst Guide.

4. Continue with Scheduling an Nmap Scan.

Scheduling an Nmap Scan

Requires: DC + RNA

You can schedule a scan of a host or hosts on your network using the Nmap utility.

Once Nmap replaces a host’s operating system or services detected by RNA with the results from an Nmap scan, RNA no longer updates the information replaced by Nmap for the host. Nmap-supplied service and operating system data remains static until you run another Nmap scan. If you plan to scan a host using Nmap, you may want to set up regularly scheduled scans to keep Nmap-supplied operating system and service information up to date. If the host is deleted from the network map and re-added, any Nmap scan results are discarded and RNA resumes monitoring of all operating system and service data for the host.

To schedule Nmap scanning:

Access: Maint/Admin

1. Select Operations > Tools > Scheduling.

The Scheduling page appears.

2. Click Add Task.

The Add Task page appears.

3. From the Job Type list, select Nmap Scan.

The page reloads to show the options for automating Nmap scans.

4. Specify how you want to schedule the task, Once or Recurring.

• For one-time tasks, use the drop-down lists to specify the start date and time.

TIP! The Current Time field indicates the current time on the appliance.

• For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task on page 426 for details.

5. In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.

6. In the Nmap Remediation field, select the Nmap remediation to use when running the scan.

7. In the Nmap Target field, select the scan target that defines the target hosts you want to scan.

8. Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.

TIP! The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.

9. Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want status messages sent.

IMPORTANT! You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address on page 338 for more information about configuring a relay host.

10. Click Save.

The task is created.

Automating Recommended Rule State Generation

Requires: DC + RNA + IPS

IMPORTANT! If the system automatically generates scheduled recommendations for an intrusion policy with unsaved changes, you must discard your changes in that policy and commit the policy if you want the policy to reflect the automatically generated recommendations. See Committing Intrusion Policy Changes in the Analyst Guide for more information.

You can automatically generate rule state recommendations based on RNA data for your network using the most recently saved configuration settings in your custom intrusion policy.

When the task runs, the system automatically generates recommended rule states. Optionally, depending on the configuration of your policy, it also modifies the states of intrusion rules based on the criteria described in Managing RNA Rule State Recommendations in the Analyst Guide. Modified rule states take effect the next time you apply your intrusion policy. See Using RNA Recommendations in the Analyst Guide for more information.

To generate recommendations:

Access: Maint/Admin

1. Select Operations > Tools > Scheduling.

The Scheduling page appears.

2. Click Add Task.

The Add Task page appears.

3. From the Job Type list, select RNA Recommended Rules.

The page reloads to show the options for generating RNA-recommended rule states.

4. Optionally, click the policies link in the Job Type field to display the Detection & Prevention page, where you can configure RNA Recommended Rules in a policy. See Managing RNA Rule State Recommendations in the Analyst Guide for more information.

5. Specify how you want to schedule the task, Once or Recurring.

• For one-time tasks, use the drop-down lists to specify the start date and time.

TIP! The Current Time field indicates the current time on the appliance.

• For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task on page 426 for details.

6. In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.

7. Next to Policies, select one or more policies where you want to generate recommendations. You have the following options:

• In the Policies field, select one or more policies. Use the Shift and Ctrl keys to select multiple policies.

• Click the All Policies check box to select all policies.

8. Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.

TIP! The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.

9. Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want status messages sent.

IMPORTANT! You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address on page 338 for more information about configuring a relay host.

10. Click Save.

The task is created.

Viewing Tasks

After adding scheduled tasks, you can view them and evaluate their status. The View Options section of the page allows you to view scheduled tasks using a calendar and a list of scheduled tasks.

See the following sections for more information:

• Using the Calendar on page 459

• Using the Task List on page 460

Using the Calendar

Requires: DC/MDC or 3D Sensor

The Calendar view option allows you to view which scheduled tasks occur on which day.

To view scheduled tasks using the calendar:

Access: Maint/Admin

1. Select Operations > Tools > Scheduling.

The Scheduling page appears.

2. You can perform the following tasks using the calendar view:

• Click << to move back one year.

• Click < to move back one month.

• Click > to move forward one month.

• Click >> to move forward one year.

• Click Today to return to the current month and year.

• Click Add Task to schedule a new task.

• Click a date to view all scheduled tasks for the specific date in a task list table below the calendar.

• Click a specific task on a date to view the task in a task list table below the calendar.

IMPORTANT! For more information about using the task list, see Using the Task List on page 460.

Using the Task List

Requires: DC/MDC or 3D Sensor

The Task List shows a list of tasks along with their status. The task list appears below the calendar when you open the calendar. In addition, you can access it by selecting a date or task from the calendar. (See Using the Calendar on page 459 for more information.)

Task List Columns

Column Description

Name Displays the name of the scheduled task.

Type Displays the type of scheduled task.

Start Time Displays the scheduled start date and time.

Frequency Displays how often the task is run.

Comment Displays the comment that accompanies the scheduled task.

Status Describes the current status for a scheduled task:
• A check mark icon indicates that the task ran successfully.
• A question mark icon indicates that the task is in an unknown state.
• A red ! indicates that the task failed.

Creator Displays the name of the user that created the scheduled task.

Delete Deletes the scheduled task.

Editing Scheduled Tasks

Requires: DC/MDC or 3D Sensor

You can edit a scheduled task that you previously created. This feature is especially useful if you want to test a scheduled task once to make sure that the parameters are correct. Later, after the task completes successfully, you can change it to a recurring task.

To edit an existing scheduled task:

Access: Maint/Admin

1. Select Operations > Tools > Scheduling.

The Scheduling page appears.

2. Click either the task that you want to edit or the day on which the task appears.

The Task Details table containing the selected task or tasks appears.

3. Locate the task you want to edit in the table and click Edit.

The Edit Task page appears showing the details of the task you selected.

4. Edit the task to meet your needs, including the start time, the job name, and how often the task runs, once or recurring. You cannot change the type of job.

The remaining options are determined by the task you are editing. See the following sections for more information:

• Automating Backup Jobs on page 428

• Automating Software Updates on page 430

• Automating Vulnerability Database Updates on page 437

• Automating SEU Imports on page 444

• Automating Intrusion Policy Applications on page 446

• Automating Reports on page 448

• Automating Nessus Scans on page 450

• Synchronizing Nessus Plugins on page 452

• Automating Nmap Scans on page 454

• Automating Recommended Rule State Generation on page 456

5. Click Save to save your edits.

Your changes are saved and the Scheduling page appears again.

Deleting Scheduled Tasks

There are two types of deletions you can perform from the Schedule View page. You can delete a specific one-time task that has not yet run or you can delete every instance of a recurring task. If you delete an instance of a recurring task, all instances of the task are deleted. If you delete a task that is scheduled to run once, only that task is deleted.

The following sections describe how to delete tasks:

• To delete all instances of a task, see Deleting a Recurring Task on page 462.

• To delete a single instance of a task, see Deleting a One-Time Task on page 462.

Deleting a Recurring Task

Requires: DC/MDC or 3D Sensor

When you delete one instance of a recurring task, you automatically delete all instances of that task.

To delete a recurring task:

Access: Maint/Admin

1. Select Operations > Tools > Scheduling.

The Scheduling page appears.

2. On the calendar, select an instance of the recurring task you want to delete.

The page reloads to display a table of tasks below the calendar.

3. Locate an instance of the recurring task you want to delete in the table and click Delete.

All instances of the recurring task are deleted.

Deleting a One-Time Task

Requires: DC/MDC or 3D Sensor

You can delete a one-time scheduled task or delete the record of a previously run scheduled task using the task list.

To delete a single task or, if it has already run, delete a task record:

Access: Maint/Admin

1. Select Operations > Tools > Scheduling.

The Scheduling page appears.

2. Click the task that you want to delete or the day on which the task appears.

A table containing the selected task or tasks appears.

3. Locate the task you want to delete in the table and click Delete.

The instance of the task you selected is deleted.

Chapter 14

Monitoring the System

The Sourcefire 3D System provides many useful monitoring features to assist you in the daily administration of your system, all on a single page. For example, on the Host Statistics page you can monitor basic host statistics, intrusion event information, and statistics for the Data Correlator and RNA processes for the current day. You can also monitor both summary and detailed information on all processes that are currently running on the Defense Center or 3D Sensor. The following sections provide more information about the monitoring features that the system provides:

• Viewing Host Statistics on page 464 describes how to view host information such as:

    • system uptime

    • disk and memory usage

    • RNA process statistics

    • Data Correlator statistics

    • system processes

    • intrusion event information

On the Defense Center, you can also use the health monitor to monitor disk usage and alert on low disk space conditions. For more information, see Understanding Health Monitoring on page 483.

• Monitoring System Status and Disk Space Usage on page 468 describes how to view basic event and disk partition information.

• Viewing System Process Status on page 468 describes how to view basic process status.

• Understanding Running Processes on page 471 describes the basic system processes that run on the appliance.

• Viewing IPS Performance Statistics on page 476 describes how to view IPS performance statistics and how to generate graphs based on these statistics.

• Viewing RNA Performance Statistics on page 478 describes how to view RNA performance statistics and how to generate graphs based on these statistics.

Viewing Host Statistics

Requires: Any

The Statistics page lists the current status of the following:

• general host statistics; see the Host Statistics table on page 464 for details

• Data Correlator statistics (Defense Center only - requires RNA); see the Data Correlator Process Statistics table on page 465 for details

• RNA process statistics (Defense Center only - requires RNA); see the RNA Process Statistics table on page 466 for details

• intrusion event information (requires IPS); see the Intrusion Event Information table on page 467 for details

The Host Statistics table describes the host statistics listed on the Statistics page.

Host Statistics

Category Description

Time The current time on the system.

Uptime The number of days (if applicable), hours, and minutes since the system was last started.

Memory Usage The percentage of system memory that is being used.

Load Average The average number of processes in the CPU queue for the past 1 minute, 5 minutes, and 15 minutes.

Disk Usage The percentage of the disk that is being used. Click the arrow to view more detailed host statistics. See Monitoring System Status and Disk Space Usage on page 468 for more information.

Processes A summary of the processes running on the system. See Viewing System Process Status on page 468 for more information.

If your Sourcefire 3D System deployment includes a Defense Center managing 3D Sensors with RNA, you can also view statistics about the Data Correlator and RNA processes for the current day. As the 3D Sensors perform data acquisition, decoding, and analysis, the RNA process correlates the data with the fingerprint and vulnerability databases, and then produces binary files that are processed by the Data Correlator running on the Defense Center. The Data Correlator analyzes the information from the binary files, generates events, and creates the RNA network map.

The statistics that appear for RNA and the Data Correlator are averages for the current day, using statistics gathered between 12:00AM and 11:59PM for each detection engine.

The Data Correlator Process Statistics table describes the statistics displayed for the Data Correlator process.

Data Correlator Process Statistics

Category Description

Events/Sec Number of RNA events that the Data Correlator receives and processes per second

Flows/Sec Number of flows that the Data Correlator receives and processes per second

CPU Usage - User (%) Average percentage of CPU time spent on user processes for the current day

CPU Usage - System (%) Average percentage of CPU time spent on system processes for the current day

VmSize (KB) Average size of memory allocated to the Data Correlator for the current day, in kilobytes

VmRSS (KB) Average amount of memory used by the Data Correlator for the current day, in kilobytes

The RNA Process Statistics table describes the statistics displayed for the RNA process.

RNA Process Statistics

Category Description

Packets Dropped (%) Average percentage of packets dropped by the RNA process for the current day

Mbits/Second Average number of megabits per second processed by the RNA process for the current day

Packets/Second Average number of packets per second processed by the RNA process for the current day

CPU Usage - User (%) Average percentage of CPU time spent by user processes for the current day

CPU Usage - System (%) Average percentage of CPU time spent by system processes for the current day

VmSize (KB) Average size of memory allocated to the RNA process for the current day, in kilobytes

VmRSS (KB) Average amount of memory used by the RNA process for the current day, in kilobytes

On 3D Sensors with IPS and on Defense Centers that manage sensors with IPS, you can also view the time and date of the last intrusion event, the total number of events that have occurred in the past hour and the past day, and the total number in the database.

The information in the Intrusion Event Information section of the Statistics page is based on intrusion events stored on the sensor rather than those sent to the Defense Center. If you manage your sensor so that intrusion events are not stored locally, no intrusion event information is listed on this page. This is also the case for 3D Sensors that cannot store events locally.

The Intrusion Event Information table describes the statistics displayed in the Intrusion Event Information section of the Statistics page.

Intrusion Event Information

Statistic Description

Last Alert Was The date and time that the last event occurred

Total Events Last Hour The total number of events that occurred in the past hour

Total Events Last Day The total number of events that occurred in the past twenty-four hours

Total Events in Database The total number of events in the events database

To view the Statistics page:

Access: Maint/Admin

1. Select Operations > Monitoring > Statistics.

The Statistics page appears. The Defense Center version of the page is shown below.

2. On the Defense Center, you can also list statistics for managed sensors. Select one or more sensors in the Select Device(s) box and click Select Devices. You can use the Shift and Ctrl keys to select multiple devices at once.

The Statistics page is updated with statistics for the devices that you selected.

Monitoring System Status and Disk Space Usage

Requires: Any

The Disk Usage section of the Statistics page provides a quick synopsis of partition status. You can monitor this page from time to time to ensure that enough disk space is available for system processes and the database.

TIP! On the Defense Center you can also use the health monitor to monitor disk usage and alert on low disk space conditions. For more information, see Understanding Health Monitoring on page 483.

To access disk usage information:

Access: Maint/Admin

1. Select Operations > Monitoring > Statistics.

The Statistics page appears.

2. Click the down arrow next to Disk Usage to expand it.

The Disk Usage section expands.

On the Defense Center, to view disk usage information for a specific sensor:

Access: Maint/Admin

1. Select the sensor name from the Select Device(s) box, and click Select Devices.

The page reloads, listing host statistics for each sensor you selected.

2. Click the down arrow next to Disk Usage to expand it.

The Disk Usage section expands.
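The check that the Disk Usage section and the health monitor's low-disk alert perform, written out as an added example (not code from the guide or from the appliance): it parses a df-style partition listing and reports the partitions at or above a warning and a critical threshold. The sample listing, its device names and mount points, and the 80/90 percent thresholds are constructed assumptions; the guide does not give the appliance's partition layout.

```python
"""Evaluate partition usage from a df-style listing against free-space thresholds.

The listing, mount points and thresholds below are constructed assumptions,
not values from the guide or captured from an appliance.
"""
import math
from dataclasses import dataclass

# Constructed sample in `df -k` layout; the last row is a pseudo filesystem
# with no blocks, the edge case a naive percentage would divide by zero on.
SAMPLE_DF = """\
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/sda1              1032088    412340    567316  43% /
/dev/sda5             51606140  48900120   2706020  95% /var
/dev/sda6            206424760 120004000  86420760  59% /data
tmpfs                  2023120         0   2023120   0% /dev/shm
proc                         0         0         0    - /proc
"""


@dataclass
class Partition:
    device: str
    blocks_kb: int
    used_kb: int
    avail_kb: int
    mount: str

    def used_percent(self):
        """Use% the way df reports it: used / (used + available), rounded up.

        Root-reserved blocks make this higher than used / total, so it is the
        figure to alert on. Returns None for pseudo filesystems with no blocks.
        """
        denom = self.used_kb + self.avail_kb
        if denom == 0:
            return None
        return math.ceil(100 * self.used_kb / denom)


def parse_df(text: str):
    """Parse `df -k` output (header line skipped) into Partition records."""
    parts = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 6:
            continue
        # A mount point may itself contain spaces, so rejoin everything after Use%.
        parts.append(Partition(f[0], int(f[1]), int(f[2]), int(f[3]), " ".join(f[5:])))
    return parts


def check(parts, warn: int = 80, crit: int = 90):
    """Return (severity, mount, percent) for partitions at or above a threshold."""
    alerts = []
    for p in parts:
        pct = p.used_percent()
        if pct is None:
            continue
        if pct >= crit:
            alerts.append(("critical", p.mount, pct))
        elif pct >= warn:
            alerts.append(("warning", p.mount, pct))
    return alerts


if __name__ == "__main__":
    for severity, mount, pct in check(parse_df(SAMPLE_DF)):
        print(f"{severity}: {mount} is {pct}% used")
```

With the sample above only /var trips the critical threshold; /data is reported only when the warning threshold is lowered. Alerting on the Use% figure rather than used divided by total size matters on partitions with reserved blocks, where the simpler ratio understates how close the filesystem is to full.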

Viewing System Process Status

Requires: Any

The Processes section of the Host Statistics page allows you to see the processes that are currently running on an appliance. It provides general process information and specific information for each running process. If you are managing sensors with a Defense Center, you can use the Defense Center’s web interface to view the process status for any managed sensor.

The Process Status table describes each column that appears in the process list.

Process Status

Column Description

Pid The process ID number

Username The name of the user or group running the process

Pri The process priority

Nice The nice value, which is a value that indicates the scheduling priority of a process. Values range between -20 (highest priority) and 19 (lowest priority)

Size The memory size used by the process (in kilobytes, unless the value is followed by m, which indicates megabytes)

Res The amount of resident paging files in memory (in kilobytes, unless the value is followed by m, which indicates megabytes)

State The process state:
• D - process is in uninterruptible sleep (usually Input/Output)
• N - process has a positive nice value
• R - process is runnable (on queue to run)
• S - process is in sleep mode
• T - process is being traced or stopped
• W - process is paging
• X - process is dead
• Z - process is defunct
• < - process has a negative nice value

Time The amount of time (in hours:minutes:seconds) that the process has been running

Cpu The percentage of CPU that the process is using

Command The executable name of the process

To expand the process list:

Access: Maint/Admin

1. Select Operations > Monitoring > Statistics.

The Statistics page appears.

2. On the Defense Center, select the device or devices you want to view process statistics for and click Select Devices.

3. Click the down arrow next to Processes.

The process list expands, listing general process status that includes the number and types of running tasks, the current time, the current system uptime, the system load average, CPU, memory, and swap information, and specific information about each running process.

Cpu(s) lists the following CPU usage information:

• user process usage percentage

• system process usage percentage

• nice usage percentage (CPU usage of processes that have a negative nice value, indicating a higher priority)

Nice values indicate the scheduled priority for system processes and can range between -20 (highest priority) and 19 (lowest priority).

• idle usage percentage

Mem lists the following memory usage information:

• total number of kilobytes in memory

• total number of used kilobytes in memory

• total number of free kilobytes in memory

• total number of buffered kilobytes in memory

Swap lists the following swap usage information:

• total number of kilobytes in swap

• total number of used kilobytes in swap

• total number of free kilobytes in swap

• total number of cached kilobytes in swap

IMPORTANT! For more information about the types of processes that run on the appliance, see Understanding Running Processes on page 471.

To collapse the process list:

Access: Maint/Admin

Click the up arrow next to Processes.

The process list collapses.
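An added example, not code from the guide or from the appliance, of what an administrator can do with the expanded process list: parse the Cpu(s), Mem and Swap summary lines and the per-process columns described above, compute the Memory Usage figure from the Host Statistics table, and flag defunct processes, processes running with a negative nice value, processes above a CPU threshold, and executables whose names do not appear in the System Daemons or System Executables and Utilities tables later in this chapter. The listing, its column layout and the 50% CPU threshold are constructed assumptions.

```python
"""Review a top-style process listing from the appliance's Processes section.

The listing below is constructed to match the columns the guide documents
(Pid, Username, Pri, Nice, Size, Res, State, Time, Cpu, Command); it is not
real appliance output, and the exact field layout is an assumption.
"""
import re
from dataclasses import dataclass

# Names from the guide's System Daemons and System Executables tables. The guide
# says the tables are not exhaustive, so an unlisted name means "verify", not "alert".
DOCUMENTED = {
    "crond", "dhclient", "fpcollect", "httpd", "httpsd", "keventd", "klogd", "kswapd",
    "kupdated", "mysqld", "ntpd", "pm", "reportd", "rnareportd", "safe_mysqld",
    "SFDataCorrelator", "sfestreamer", "sfmgr", "sfreactd", "SFRemediateD",
    "sftimeserviced", "sfmbservice", "sftroughd", "sftunnel", "sshd", "syslogd",
    "awk", "bash", "cat", "chown", "chsh", "correlator", "cp", "df", "echo", "egrep",
    "find", "grep", "halt", "httpsdctl", "hwclock", "ifconfig", "iptables",
    "iptables-restore", "iptables-save", "kill", "killall", "ksh", "logger", "md5sum",
    "mv", "myisamchk", "mysql", "openssl", "perl", "ps", "RNA", "sed", "sfheartbeat",
    "sfmb", "sfsnort", "sh", "shutdown", "sleep", "smtpclient", "snmptrap",
}

# Constructed sample listing (not captured from an appliance).
SAMPLE = """\
top - 14:02:11 up 12 days,  3:44,  1 user,  load average: 0.42, 0.35, 0.30
Tasks: 6 total, 1 running, 4 sleeping, 0 stopped, 1 zombie
Cpu(s):  3.1% user,  1.2% system,  0.0% nice, 95.7% idle
Mem:   4046244k total,  3211080k used,   835164k free,   198344k buffers
Swap:  2097144k total,    12288k used,  2084856k free,  1480208k cached
  PID USERNAME PRI NICE   SIZE    RES STATE     TIME   CPU COMMAND
    1 root      15    0    688    268 S      0:04.12   0.0 init
 1234 mysql     15    0    92m    41m S     12:33.01   1.5 mysqld
 2048 root      15    0  14200   9800 R      0:02.55  72.4 perl run_report.pl
 2301 root      15    0   3500   1200 S      0:00.10   0.0 sftunnel
 2560 root      15    0      0      0 Z      0:00.00   0.0 sfsnort
 3011 root       5  -10   2200    900 S<     0:00.40   0.1 kworkerx
"""


@dataclass
class Proc:
    pid: int
    user: str
    pri: int
    nice: int
    size_kb: int
    res_kb: int
    state: str
    time: str
    cpu: float
    command: str

    @property
    def exe(self) -> str:
        """Executable name only: first word of the command with any path stripped."""
        return self.command.split()[0].rsplit("/", 1)[-1]


def parse_size(text: str) -> int:
    """Size and Res are kilobytes unless the value ends in 'm' (megabytes)."""
    if text.lower().endswith("m"):
        return int(float(text[:-1]) * 1024)
    return int(text.rstrip("kK"))


def parse_listing(text: str):
    """Return (summary dict, list of Proc) for a top-style listing."""
    summary, procs = {}, []
    for line in text.splitlines():
        m = re.search(r"load average:\s*([\d.]+),\s*([\d.]+),\s*([\d.]+)", line)
        if m:
            summary["load_average"] = tuple(float(x) for x in m.groups())
            continue
        m = re.match(r"Cpu\(s\):\s*(.*)", line)
        if m:  # "3.1% user, 1.2% system, ..." -> {"user": 3.1, "system": 1.2, ...}
            summary["cpu"] = {k: float(v) for v, k in re.findall(r"([\d.]+)%\s*(\w+)", m.group(1))}
            continue
        m = re.match(r"(Mem|Swap):\s*(.*)", line)
        if m:  # "4046244k total, ..." -> {"total": 4046244, ...}, values in kilobytes
            summary[m.group(1).lower()] = {k: int(v) for v, k in re.findall(r"(\d+)k\s*(\w+)", m.group(2))}
            continue
        fields = line.split(None, 9)  # the command may contain spaces; keep it whole
        if len(fields) == 10 and fields[0].isdigit():
            pid, user, pri, nice, size, res, state, elapsed, cpu, command = fields
            procs.append(Proc(int(pid), user, int(pri), int(nice), parse_size(size),
                              parse_size(res), state, elapsed, float(cpu), command))
    return summary, procs


def memory_used_percent(summary: dict) -> float:
    """The Memory Usage figure of the Host Statistics table: used / total, in percent."""
    mem = summary["mem"]
    return round(100.0 * mem["used"] / mem["total"], 1)


def review(procs, cpu_threshold: float = 50.0):
    """Return (severity, pid, exe, reason) tuples for rows worth an administrator's attention."""
    findings = []
    for p in procs:
        if "Z" in p.state or "X" in p.state:
            findings.append(("warn", p.pid, p.exe, "defunct or dead; check whether pm restarted the service"))
        if p.nice < 0 or "<" in p.state:
            findings.append(("info", p.pid, p.exe, "negative nice value (elevated scheduling priority)"))
        if p.cpu >= cpu_threshold:
            findings.append(("warn", p.pid, p.exe, f"{p.cpu:.1f}% CPU is above the {cpu_threshold:.0f}% threshold"))
        if p.exe not in DOCUMENTED:
            findings.append(("info", p.pid, p.exe, "not in the guide's daemon or executable tables; verify"))
    return findings
```

Run against the sample, `review` reports the zombie sfsnort and the perl job above the CPU threshold as warnings, and the negatively niced, undocumented kworkerx (plus init, which the tables simply do not list) as items to verify. Because the guide states that its process tables are not exhaustive, an unlisted name is a prompt to confirm what the process is, not a finding by itself.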

Understanding Running Processes

There are two different types of processes that run on an appliance: daemons and executable files. Daemons always run, and executable files are run when required.

See the following sections for more information:

• Understanding System Daemons on page 471

• Understanding Executables and System Utilities on page 473

Understanding System Daemons

Daemons continually run on an appliance. They ensure that services are available and spawn processes when required. The System Daemons table lists daemons that you may see on the Process Status page and provides a brief description of their functionality. This table is not an exhaustive list of all processes that may run on an appliance.

System Daemons

Daemon Description

crond Manages the execution of scheduled commands (cron jobs)

dhclient Manages dynamic host IP addressing

fpcollect Manages the collection of client and server fingerprints

httpd Manages the HTTP (Apache web server) process

httpsd Manages the HTTPS (Apache web server with SSL) service, and checks for working SSL and valid certificate authentication; runs in the background to provide secure web access to the appliance

keventd Manages Linux kernel event notification messages

klogd Manages the interception and logging of Linux kernel messages

kswapd Manages Linux kernel swap memory

kupdated Manages the Linux kernel update process, which performs disk synchronization

mysqld Manages Sourcefire 3D System database processes

ntpd Manages the Network Time Protocol (NTP) process

pm Manages all Sourcefire processes, starts required processes, restarts any process that fails unexpectedly

reportd Manages reports

rnareportd Manages RNA reports

safe_mysqld Manages safe mode operation of the database; restarts the database daemon if an error occurs and logs runtime information to a file

SFDataCorrelator Manages data transmission

sfestreamer (Defense Center only) Manages connections to third-party client applications that use the Event Streamer

sfmgr Provides the RPC service for remotely managing and configuring an appliance using an sftunnel connection to the appliance

sfreactd Manages Check Point OPSEC integration; only seen if Checkpoint SAM support is enabled

SFRemediateD (Defense Center only - requires RNA) Manages remediation responses

sftimeserviced (Defense Center only) Forwards time synchronization messages to managed sensors

sfmbservice (requires IPS) Provides access to the sfmb message broker process running on a remote appliance, using an sftunnel connection to the appliance. Currently used only by health monitoring to send health events and alerts from a 3D Sensor to a Defense Center or, in a high availability environment, between Defense Centers

sftroughd Listens for connections on incoming sockets and then invokes the correct executable (typically the Sourcefire message broker, sfmb) to handle the request

sftunnel Provides the secure communication channel for all processes requiring communication with a remote appliance

sshd Manages the Secure Shell (SSH) process; runs in the background to provide SSH access to the appliance

syslogd Manages the system logging (syslog) process

Understanding Executables and System Utilities

There are a number of executables on the system that run when executed by other processes or through user action. The System Executables and Utilities table describes the executables that you may see on the Process Status page.

System Executables and Utilities

Executable Description

awk Utility that executes programs written in the awk programming language

bash GNU Bourne-Again SHell

cat Utility that reads files and writes content to standard output

chown Utility that changes user and group file permissions

chsh Utility that changes the default login shell

correlator (Defense Center only - requires RNA) Analyzes binary files created by RNA to generate events, flow data, and the network map

cp Utility that copies files

df Utility that lists the amount of free space on the appliance

echo Utility that writes content to standard output

egrep Utility that searches files and folders for specified input; supports extended set of regular expressions not supported in standard grep

find Utility that recursively searches directories for specified input

grep Utility that searches files and directories for specified input

halt Utility that stops the server

httpsdctl Handles secure Apache Web processes

hwclock Utility that allows access to the hardware clock

ifconfig Indicates the network configuration executable. Ensures that the MAC address stays constant

iptables Handles access restriction based on changes made to the Access Configuration page. See Configuring the Access List for Your Appliance on page 325 for more information about access configuration.

iptables-restore Handles iptables file restoration

iptables-save Handles saved changes to the iptables

kill Utility that can be used to end a session and process

killall Utility that can be used to end all sessions and processes

ksh Public domain version of the Korn shell

logger Utility that provides a way to access the syslog daemon from the command line

md5sum Utility that prints checksums and block counts for specified files

mv Utility that moves (renames) files

myisamchk Indicates database table checking and repairing

mysql Indicates a database process; multiple instances may appear

openssl Indicates authentication certificate creation

perl Indicates a perl process


ps Utility that writes process information to standard output

RNA (requires RNA) Captures packets, decodes them and performs session reassembly, correlates the acquired data with the RNA fingerprint database, then generates binary files that the Data Correlator processes to generate the network map and to populate the database with events and flow data

sed Utility used to edit one or more text files

sfheartbeat Identifies a heartbeat broadcast, indicating that the appliance is active; the heartbeat is used to maintain contact between a sensor and the Defense Center

sfmb Indicates a message broker process; handles communication between Defense Centers and sensors

sfsnort (requires IPS) Indicates that Snort is running

sh Public domain version of the Korn shell

shutdown Utility that shuts down the appliance

sleep Utility that suspends a process for a specified number of seconds

smtpclient Mail client that handles email transmission when email event notification functionality is enabled

snmptrap Forwards SNMP trap data to the SNMP trap server specified when SNMP notification functionality is enabled

ssh Indicates a Secure Shell (SSH) connection to the appliance

sudo Indicates a sudo process, which allows users other than root to run executables

top Utility that displays information about the top CPU processes

touch Utility that can be used to change the access and modification times of specified files

vim Utility used to edit text files

wc Utility that performs line, word, and byte counts on specified files

Viewing IPS Performance Statistics

Requires: IPS or DC/MDC + IPS

The IPS performance statistics page allows you to generate graphs that depict performance statistics for IPS over a specific period of time. Graphs can be generated to reflect the number of intrusion events per second, the number of megabits per second, the average number of bytes per packet, and the percentage of packets left uninspected by Snort. These graphs can show statistics for the last hour, last day, last week, or last month of operation.

IMPORTANT! Because of the way traffic is processed on 3Dx800 sensors, performance statistics for those sensors are underreported.

IPS performance statistics refer only to the data stored locally on the 3D Sensor.

To view the IPS performance statistics:

Access: Maint/Admin

Select Operations > Monitoring > Performance > IPS.

The IPS page appears. The Defense Center version of the page is shown below.

See the following sections for more information:

• Generating IPS Performance Statistics Graphs on page 476

• Saving IPS Performance Statistics Graphs on page 478

Generating IPS Performance Statistics Graphs

Requires: IPS or DC/MDC + IPS

You can generate graphs that depict performance statistics for a Defense Center or a 3D Sensor with IPS based on the number of events per second, megabits per second, or average bytes per packet.

New data is accumulated for statistics graphs every five minutes. Therefore, if you reload a graph quickly, the data may not change until the next five-minute increment occurs.

The IPS Performance Statistics Graph Types table lists the available graph types.

IPS Performance Statistics Graph Types

Graph Type Output

Events/Sec Displays a graph that represents the number of events that are generated on the sensor per second

Mbits/Sec Displays a graph that represents the number of megabits of traffic that pass through the sensor per second

Avg Bytes/Packet Displays a graph that represents the average number of bytes included in each packet

Percent Packets Dropped This graph depicts the average percentage of uninspected packets across all detection resources (instances of Snort) assigned to the selected detection engine. If you assign two detection resources to a detection engine that has two interface sets and each interface set is connected to a different network segment, then an average of 50% may indicate that one segment has a 90% drop rate and the other has a 10% drop rate. It may also indicate that both segments have a drop rate of 50%. The graph only represents the total % drop when there is a single detection resource assigned to a selected detection engine.

To generate IPS performance statistics graphs:

Access: Maint/Admin

1. Select Operations > Monitoring > Performance > IPS.

The IPS page appears. The Defense Center version of the page is shown below.

2. From the Select Device list, select the detection engines whose data you want to view.

3. From the Select Graph(s) list, select the type of graph you want to create.

4. From the Select Time Range list, select the time range you would like to use for the graph.

You can choose from last hour, last day, last week, or last month.

5. Click Graph.

The graph appears, displaying the information you specified.

Saving IPS Performance Statistics Graphs

Requires: IPS or DC/MDC + IPS

After you have generated an IPS performance statistics graph, you can save the graph as a graphic file for later use.

To save the graph:

Access: Maint/Admin

Right-click on the graph and follow the instructions for your browser to save the image.

Viewing RNA Performance Statistics

Requires: DC + RNA

The RNA Performance page allows you to generate graphs that display RNA-related performance statistics over a specific period of time. Graphs can be generated to display:

• the number of events generated by the Data Correlator per second

• the number of megabits analyzed by the RNA process per second

• the average number of bytes included in each packet analyzed by the RNA process

• the percentage of packets dropped by RNA

• the number of packets, in thousands, analyzed by the RNA process per second

• the number of established connections analyzed by the RNA process per second

These graphs can show statistics for the last hour, last day, last week, or last month of operation.

To access the RNA Performance page:

Access: Maint/Admin

Select Operations > Monitoring > Performance > RNA.

The RNA page appears.

See the following sections for more information:

• Generating RNA Performance Statistics Graphs on page 479

• Saving RNA Performance Statistics Graphs on page 481

Generating RNA Performance Statistics Graphs

Requires: DC + RNA

You can generate graphs that display performance statistics for managed 3D Sensors with RNA.

New data is accumulated for statistics graphs every five minutes. Therefore, if you reload a graph quickly, the data may not change until the next five-minute increment occurs.

The RNA Performance Statistics Graph Types table lists the available graph types.

RNA Performance Statistics Graph Types

Graph Type Output

Processed Events/Sec Displays a graph that represents the number of events that the Data Correlator processes per second

Processed Flows/Sec Displays a graph that represents the number of flows that the Data Correlator processes per second

Generated Events/Sec Displays a graph that represents the number of events that RNA generates per second

Mbits/Sec Displays a graph that represents the number of megabits of traffic that are analyzed by the RNA process per second

Avg Bytes/Packet Displays a graph that represents the average number of bytes included in each packet analyzed by the RNA process

Percent Packets Dropped Displays a graph that represents the percentage of packets dropped by RNA

K Packets/Sec Displays a graph that represents the number of packets analyzed by the RNA process per second, in thousands

Syn/Ack/Sec Displays a graph that represents the number of established connections observed by the RNA process per second

To generate RNA performance statistics graphs:

Access: Maint/Admin

1. Select Operations > Monitoring > Performance > RNA.

The RNA page appears.

2. From the Select Target list, select the Defense Center, the managed 3D Sensors, or the detection engines that you want to include.

Depending on whether you select a detection engine or a sensor, the Select Graph(s) list adjusts to display the available graphs.

3. From the Select Graph(s) list, select the type of graph you want to create.

TIP! You can select multiple graphs by holding down the Ctrl or Shift keys while clicking on the graph type.

4. From the Select Time Range list, select the time range you would like to use for the graph.

You can choose from last hour, last day, last week, or last month.

5. Click Graph.

The graph appears, displaying the information you specified. If you selected multiple graphs, each graph appears on the page.

Saving RNA Performance Statistics Graphs

Requires: DC + RNA

After you have generated an RNA performance statistics graph, you can save the graph as a graphic file for later use.

To save the graph:

Access: Maint/Admin

1. Create an RNA performance statistics graph as described in Generating RNA Performance Statistics Graphs on page 479.

2. Right-click on the graph and follow the instructions for your browser to save the image.


Chapter 15

Using Health Monitoring

The health monitor provides numerous tests for determining the health of an appliance from the Defense Center. You can use the health monitor to create a collection of tests, referred to as a health policy, and apply the health policy to one or more appliances. You can create one health policy for every appliance in your system, customize a health policy for the specific appliance where you plan to apply it, or use one of the default health policies. You can also import a health policy exported from another Defense Center.

The tests, referred to as health modules, are scripts that test for criteria you specify. You can modify a health policy by enabling or disabling tests or by changing test settings, and you can delete health policies that you no longer need. You can also suppress messages from selected appliances by blacklisting them.

The tests in a health policy run automatically at the interval you configure. You can also run all tests or a specific test on demand. The health monitor collects health events based on the test conditions configured. Optionally, you can also configure email, SNMP, or syslog alerting in response to health events.

At the Defense Center, you can view health status information for the entire system or for a particular appliance. Fully customizable event views allow you to quickly and easily analyze the health status events gathered by the health monitor. These event views allow you to search and view event data and to access other information that may be related to the events you are investigating.

You can also generate troubleshooting files for an appliance if you are asked to do so by Support.

See the following sections for more information:

• Understanding Health Monitoring on page 483

• Configuring Health Policies on page 489


• Using the Health Monitor Blacklist on page 534

• Configuring Health Monitor Alerts on page 539

Understanding Health Monitoring

You can use the health monitor to check the status of critical functionality across your Sourcefire 3D System deployment. Monitor the health of your entire Sourcefire 3D System through the Defense Center by applying health policies to each of the managed appliances and collecting the resulting health data at the Defense Center. Pie charts and status tables on the Health Monitor page visually represent the health status for monitored appliances, so you can check status at a glance, then drill down into status details if needed.

You can use the health monitor to access health status information for the entire system or for a particular appliance. The Health Monitor page provides a visual summary of the status of all appliances on your system. Individual appliance health monitors let you drill down into health details for a specific appliance.

You can also view health events in the standard Sourcefire 3D System table view. From an individual appliance’s health monitor, you can open a table view of occurrences of a specific event, or you can retrieve all the health events for that appliance. You can also search for specific health events. For example, if you want to see all the occurrences of CPU usage with a certain percentage, you can search for the CPU usage module and enter the percentage value.

You can also configure email, SNMP, or syslog alerting in response to health events. A health alert is an association between a standard alert and a health status level. For example, if you need to make sure an appliance never fails due to hardware overload, you can set up an email alert. You can then create a health alert that triggers that email alert whenever CPU, disk, or memory usage reaches the Warning level you configure in the health policy applied to that appliance. You can set alerting thresholds to minimize the number of repeating alerts you receive.


Because health monitoring is an administrative activity, only users with Admin access privileges can access system health data. For more information on assigning user privileges, see Modifying User Privileges and Options on page 306.

IMPORTANT! Except for the Defense Center, Sourcefire 3D System appliances do not have health monitoring policies applied to them by default. If you want to monitor the health of a managed appliance, you have to apply a health policy to that appliance. For more information on available default health policies you can apply to an appliance, see Predefined Health Policies on page 490. For more information on creating customized health policies, see Creating Health Policies on page 497. For details on applying policies, see Applying Health Policies on page 528.

For more information on health policies and the health modules you can run to test system health, see the following topics:

• Understanding Health Policies on page 484

• Understanding Health Modules on page 485

• Understanding Health Monitoring Configuration on page 489

Understanding Health Policies

A health policy is a collection of health module settings you apply to an appliance to define the criteria that the Defense Center uses when checking the health of the appliance. The health monitor tracks a variety of health indicators to ensure that your Sourcefire 3D System hardware and software are working correctly.

When you create health policies, you choose which tests to run to determine appliance health. You can also apply one of the five default health policies to each appliance. For example, to monitor the health of a 3D Sensor with IPS, you can create a policy that monitors just the intrusion event rate and the IPS process, or you can apply the default policy, which also monitors CPU, disk, and memory usage, the Data Correlator process, and traffic status.


Understanding Health Modules

Health modules, also sometimes referred to as health tests, are scripts that test for the criteria you specify in a health policy. The available health modules are described in the Health Modules table.

Health Modules

Module Description

Appliance Heartbeat This module determines if an appliance heartbeat is being heard from the sensor and alerts based on the sensor heartbeat status.

Automatic Application Bypass Status This module determines if a detection engine has been bypassed because it did not respond within the number of seconds set in the bypass threshold, and alerts when a bypass occurs.

CPU Temperature This module determines if the CPU on the sensor is overheated and alerts when the temperature exceeds temperatures configured for the module. This module only runs on 3Dx800 sensors.

CPU Usage This module checks that the CPU on the appliance is not overloaded and alerts when CPU usage exceeds the percentages configured for the module.

Card Reset This module checks for network cards which have restarted due to hardware failure and alerts when a reset occurs.

Data Correlator Process This module determines if the Data Correlator process (SFDataCorrelator) is restarting too often, which may indicate a problem with the process, and alerts when the number of restarts exceeds limits configured for the module.

The restart counter does not count actual restarts. The module checks if any restarts occurred during the period between tests. Even if multiple restarts occur between tests, the module only increments the restart counter by one each time it checks. If any restarts occur, the module adds one to the restart count. The first time the module checks and no restarts have occurred since the last test, the module resets the counter to zero. The alert level also lowers by one level (for example, Critical is reduced to Warning or Warning is reduced to Normal). The second time the module checks and no restarts have occurred since the last test, the alert level resets to Normal.

If the module finds that the process is not running at all, it increments the restart counter by one, but sets the module status to Critical for that test, regardless of the limits set for the module. The status remains Critical until the module finds that the process is running. At that point, the module sets status according to the restart counter value and the configured limits for the module.

For more information on system daemons such as SFDataCorrelator, see Understanding System Daemons on page 471.


Defense Center Status This module ensures that there are heartbeats from connected Defense Centers and alerts based on the Defense Center status.

This module only runs on Master Defense Centers.

Disk Usage This module compares disk usage on the appliance to the limits configured for the module and alerts when usage exceeds the percentages configured for the module.

eStreamer Process This module determines if the eStreamer process is restarting too often, which may indicate a problem with the process, and alerts when the number of restarts exceeds limits configured for the module.

The restart counter does not count actual restarts. The module checks if any restarts occurred during the period between tests. Even if multiple restarts occur between tests, the module only increments the restart counter by one each time it checks. If any restarts occur, the module adds one to the restart count. The first time the module checks and no restarts have occurred since the last test, the module resets the counter to zero. The alert level also lowers by one level (for example, Critical is reduced to Warning or Warning is reduced to Normal). The second time the module checks and no restarts have occurred since the last test, the alert level resets to Normal.

If the module finds that the process is not running at all, it increments the restart counter by one, but sets the module status to Critical for that test, regardless of the limits set for the module. The status remains Critical until the module finds that the process is running. At that point, the module sets status according to the restart counter value and the configured limits for the module.

This module only runs on Defense Centers.

Event Stream Status This module compares the number of events per second to the limits configured for this module and alerts if the limits are exceeded. If the Event Stream is zero, the eStreamer process may be down or the Defense Center may not be sending events.

This module only runs on Master Defense Centers.

Fan Alarm This module determines if fans need to be replaced on the sensor and alerts based on the fan status. This module only runs on 3Dx800 sensors.

Hardware Alarms This module determines if hardware needs to be replaced on a 3Dx800 or 3D9900 sensor and alerts based on the hardware status. On the 3D9900, the module also reports on the status of hardware-related daemons. This module only runs on 3Dx800 sensors and 3D9900 sensors.

For more information on the details reported for 3D9900 sensors, see Interpreting Hardware Alert Details for 3D9900 Sensors on page 560.


Health Monitor Process This module monitors the status of the health monitor itself and alerts if the number of minutes since the last health event received by the Defense Center exceeds the Warning or Critical limits.

This module only runs on Defense Centers.

IPS Event Rate This module compares the number of intrusion events per second to the limits configured for this module and alerts if the limits are exceeded. If the IPS Event Rate is zero, the IPS process may be down or the 3D Sensor may not be sending events. Select Analysis & Reporting > Event Summary > Intrusion Event Statistics to check if events are being received from the sensor.

IPS Process This module determines if the IPS process (snort) has been restarting too often, which may indicate a problem with the process, and alerts when the number of restarts exceeds the limits configured for the module. The IPS process (also known as snort) is the packet decoder on a 3D Sensor that is licensed for the IPS component. If the IPS process is down or has been restarting, the IPS Event Rate results may be inaccurate.

The restart counter does not indicate the number of restarts. Instead, the module checks if any restarts occurred during the period between tests. Even if multiple restarts occur between tests, the module only increments the restart counter by one each time it checks. If any restarts occur, the module adds one to the restart count. The first time the module checks and no restarts have occurred since the last test, the module resets the counter to zero. The alert level also lowers by one level (for example, Critical is reduced to Warning or Warning is reduced to Normal). The second time the module checks and no restarts have occurred since the last test, the alert level resets to Normal.

If the module finds that the process is not running at all, it increments the restart counter by one, but sets the module status to Critical for that test, regardless of the limits set for the module. The status remains Critical until the module finds that the process is running. At that point, the module sets status according to the restart counter value and the configured limits for the module.

Link State Propagation This module determines when a link in a paired inline interface set fails and triggers the link state propagation mode.

MDC Event Service This module monitors the health of the internal eStreamer process used to transmit events to the Master Defense Center from the Defense Center.

Memory Usage This module compares memory usage on the appliance to the limits configured for the module and alerts when usage exceeds the levels configured for the module.

PEP Status This module monitors the application of PEP rules to interface sets on a 3D9900. If PEP rules cannot be applied to interfaces in an interface set, the module generates an alert.


Power Supply This module determines if power supplies on the sensor require replacement and alerts based on the power supply status. This module only runs on the Series 2 DC3000, MDC3000, 3Dx800, 3D9900, 3D3500, 3D4500, and 3D6500 appliances.

RNA Event Status This module indicates whether a specified period of time has passed since any RNA events have been detected by a sensor.

RNA Host License Limit This module determines if sufficient RNA host licenses remain and alerts based on the warning level configured for the module.

RNA Process This module determines if the RNA process (rna) is restarting too often, which may indicate a problem with the process, and alerts based on the number of restarts configured for the module.

The restart counter does not count actual restarts. The module checks if any restarts occurred during the period between tests. Even if multiple restarts occur between tests, the module only increments the restart counter by one each time it checks. If any restarts occur, the module adds one to the restart count. The first time the module checks and no restarts have occurred since the last test, the module resets the counter to zero. The alert level also lowers by one level (for example, Critical is reduced to Warning or Warning is reduced to Normal). The second time the module checks and no restarts have occurred since the last test, the alert level resets to Normal.

If the module finds that the process is not running at all, it increments the restart counter by one, but sets the module status to Critical for that test, regardless of the limits set for the module. The status remains Critical until the module finds that the process is running. At that point, the module sets status according to the restart counter value and the configured limits for the module.

Time Synchronization Status This module tracks the synchronization of a sensor clock that obtains time using NTP with the clock on the NTP server and alerts if the difference in the clocks is more than ten seconds.

Traffic Status This module determines if the sensor currently collects traffic and alerts based on the traffic status.
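The restart-counter rules stated above for the Data Correlator Process, eStreamer Process, IPS Process and RNA Process modules, modelled as an added Python example (this is not Sourcefire code). The Warning and Critical restart limits, their names, and the strict "exceeds" comparison are assumptions, and the observation sequence is constructed.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Health status levels reported by a module, ordered by severity."""
    NORMAL = 0
    WARNING = 1
    CRITICAL = 2


@dataclass
class RestartMonitor:
    """Model of a process-restart health module (Data Correlator, eStreamer,
    IPS or RNA Process) following the restart-counter rules in the guide.

    warning_limit and critical_limit are assumed configuration values. The
    guide says the module alerts when the restart count "exceeds" the
    configured limits, so a strict comparison is used (assumption).
    """
    warning_limit: int
    critical_limit: int
    restart_count: int = 0
    level: Level = Level.NORMAL
    quiet_checks: int = 0      # consecutive tests with no restart observed

    def _level_for_count(self) -> Level:
        """Status derived from the restart counter and the configured limits."""
        if self.restart_count > self.critical_limit:
            return Level.CRITICAL
        if self.restart_count > self.warning_limit:
            return Level.WARNING
        return Level.NORMAL

    def check(self, running: bool, restarted_since_last: bool) -> Level:
        """One scheduled test; returns the status reported for this test."""
        if not running:
            # Process not running at all: counts as one restart, but the
            # status is Critical regardless of the configured limits.
            self.restart_count += 1
            self.quiet_checks = 0
            self.level = Level.CRITICAL
        elif restarted_since_last:
            # Any restarts between tests count as a single increment,
            # whatever the actual number of restarts was. The status is
            # then taken from the counter and the limits (the guide states
            # this for recovery after a down period; assumed here to hold
            # for every test in which the process is running).
            self.restart_count += 1
            self.quiet_checks = 0
            self.level = self._level_for_count()
        else:
            self.quiet_checks += 1
            if self.quiet_checks == 1:
                # First quiet test: counter resets and level drops one step
                # (Critical -> Warning, Warning -> Normal).
                self.restart_count = 0
                self.level = Level(max(self.level - 1, Level.NORMAL))
            else:
                # Second consecutive quiet test: level returns to Normal.
                self.level = Level.NORMAL
        return self.level


def run_checks(monitor, observations):
    """Feed (running, restarted_since_last) observations, one per scheduled
    test, and return the status reported after each test."""
    return [monitor.check(running, restarted) for running, restarted in observations]


if __name__ == "__main__":
    # Constructed observation sequence for one SFDataCorrelator process:
    # four tests with restarts, two quiet tests, two tests with the process
    # down, then recovery followed by a quiet test.
    monitor = RestartMonitor(warning_limit=1, critical_limit=3)
    history = run_checks(monitor, [
        (True, True), (True, True), (True, True), (True, True),
        (True, False), (True, False),
        (False, False), (False, False),
        (True, True), (True, False),
    ])
    for test_no, level in enumerate(history, 1):
        print(f"test {test_no}: restart_count={monitor.restart_count} -> {level.name}")
```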


Understanding Health Monitoring Configuration

There are several steps to setting up health monitoring on your Sourcefire 3D System, as indicated in the following procedure:

1. Create health policies for your appliances.

You can set up specific policies for each kind of appliance you have in your Sourcefire 3D System, enabling only the appropriate tests for that appliance.

TIP! If you want to quickly enable health monitoring without customizing the monitoring behavior, you can apply one of the default policies provided for that purpose.

For more information on setting up health policies, see Configuring Health Policies on page 489.

2. Apply a health policy to each appliance where you want to track health status. For information on the default health policies available for immediate application, see Predefined Health Policies on page 490.

3. Optionally, configure health monitor alerts.

You can set up email, syslog, or SNMP alerts that trigger when the health status level reaches a particular severity level for specific health modules.

For more information on setting up health monitor alerts, see Configuring Health Monitor Alerts on page 539.

After you set up health monitoring on your system, you can view the health status at any time on the Health Monitor page or the Health Table Events View. For more information about viewing system health data, see the following topics:

• Using the Health Monitor on page 545

• Using Appliance Health Monitors on page 547

• Working with Health Events on page 555

Configuring Health Policies

A health policy contains configured health test criteria for several modules. You can control which health modules run against each of your appliances and configure the specific limits used in the tests run by each module. For more information on the health modules you can configure in a health policy, see Understanding Health Monitoring on page 483.

You can create one health policy that can be applied to every appliance in your system, customize each health policy to the specific appliance where you plan to apply it, or use the default health policies provided for you. You can also import a health policy exported from another Defense Center.


When you configure a health policy, you decide whether to enable each health module for that policy. You also select the criteria that control which health status each enabled module reports each time it assesses the health of a process.

For more information on the default health policy, which is applied to the Defense Center and Master Defense Center automatically, see Default Health Policy on page 493.

For more information, see the following topics:

• Predefined Health Policies on page 490

• Creating Health Policies on page 497

• Applying Health Policies on page 528

• Editing Health Policies on page 530

• Deleting Health Policies on page 533

Predefined Health Policies

The Defense Center health monitor includes several default health policies to make it easier for you to quickly implement health monitoring for your appliances. The Default Health Policy is automatically applied to the Defense Center. To also monitor sensor health, you can push health policies to 3D Sensors.

IMPORTANT! You cannot apply a health policy to RNA Software for Red Hat Linux or Crossbeam-based software sensors.

For more information, see the following topics:

• Default 3D Sensor Health Policy on page 491

• Default 3Dx800 Health Policy on page 491

• Suggested 3D9900 Health Policy on page 492

• Default Health Policy on page 493

• Default Intrusion Sensor Health Policy on page 495

• Default IPS (3Dx800 only) Health Policy on page 495

• Default RNA Sensor Health Policy on page 496


Default 3D Sensor Health Policy

Use the Default 3D Sensor Health Policy to monitor health on any 3D Sensor. Enabled health modules for this policy are listed in the Enabled Health Modules: 3D Sensor Health Policy table.

Enabled Health Modules: 3D Sensor Health Policy

Module | For more information, see...
Automatic Application Bypass Status | Configuring Automatic Application Bypass Monitoring on page 502
Data Correlator Process | Configuring Data Correlator Process Monitoring on page 506
Disk Usage | Configuring Disk Usage Monitoring on page 508
IPS Event Rate | Configuring IPS Event Rate Monitoring on page 515
IPS Process | Configuring IPS Process Monitoring on page 516
Link State Propagation | Configuring Link State Propagation Monitoring on page 518
Memory Usage | Configuring Memory Usage Monitoring on page 520
Power Supply | Configuring Power Supply Monitoring on page 522
RNA Process | Configuring RNA Process Monitoring on page 525
Traffic Status | Configuring Traffic Status Monitoring on page 527

Default 3Dx800 Health Policy

Use the Default 3Dx800 Health Policy to monitor health on 3Dx800 sensors. Enabled health modules for this policy are listed in the Enabled Health Modules: Default 3Dx800 Health Policy table. Note that the Hardware Alarm module should be used instead of the Power Supply module to monitor power supply health on the 3Dx800 sensor models.

Enabled Health Modules: Default 3Dx800 Health Policy

Module | For more information, see...
Automatic Application Bypass Status | Configuring Automatic Application Bypass Monitoring on page 502
CPU Temperature | Configuring CPU Temperature Monitoring on page 503
Disk Usage | Configuring Disk Usage Monitoring on page 508
Fan Alarm | Configuring Fan Monitoring on page 512
Hardware Alarms | Configuring Hardware Monitoring on page 513
IPS Event Rate | Configuring IPS Event Rate Monitoring on page 515
IPS Process | Configuring IPS Process Monitoring on page 516
Memory Usage | Configuring Memory Usage Monitoring on page 520
RNA Process | Configuring RNA Process Monitoring on page 525
Traffic Status | Configuring Traffic Status Monitoring on page 527

Suggested 3D9900 Health Policy

The Defense Center interface does not include a default health policy specifically for 3D9900 sensors. Sourcefire recommends that you start with the default 3D Sensor policy and enable the Hardware Alarms module. If the sensor will be running RNA, enable the RNA Process module as well.

Health modules that should be enabled when creating a policy for this type of sensor are listed in the Suggested Health Modules: 3D9900 Health Policy table. Note that the CPU Usage module cannot be enabled when monitoring 3D9900 sensor models. CPU usage for a 3D9900 may reach 100% during normal sensor operation, so the data provided by the module would generate misleading events.

Suggested Health Modules: 3D9900 Health Policy

Module | For more information, see...
Data Correlator Process | Configuring Data Correlator Process Monitoring on page 506
Disk Usage | Configuring Disk Usage Monitoring on page 508
Hardware Alarms | Configuring Hardware Monitoring on page 513
IPS Event Rate | Configuring IPS Event Rate Monitoring on page 515
IPS Process | Configuring IPS Process Monitoring on page 516
Link State Propagation | Configuring Link State Propagation Monitoring on page 518
Memory Usage | Configuring Memory Usage Monitoring on page 520
PEP Status | Configuring PEP Status Monitoring on page 521
Power Supply | Configuring Power Supply Monitoring on page 522
RNA Process | Configuring RNA Process Monitoring on page 525
Traffic Status | Configuring Traffic Status Monitoring on page 527

Default Health Policy

Use the Default Health Policy to monitor health on a Defense Center. Enabled health modules for this policy are listed in the Enabled Defense Center Health Modules - Default Health Policy table.

Enabled Defense Center Health Modules - Default Health Policy

Module | For more information, see...
Automatic Application Bypass Status | Configuring Automatic Application Bypass Monitoring on page 502
Appliance Heartbeat | Configuring Appliance Heartbeat Monitoring on page 501
Data Correlator Process | Configuring Data Correlator Process Monitoring on page 506
Disk Usage | Configuring Disk Usage Monitoring on page 508
Link State Propagation | Configuring Link State Propagation Monitoring on page 518
Memory Usage | Configuring Memory Usage Monitoring on page 520
Time Synchronization Status | Configuring Time Synchronization Monitoring on page 526
Power Supply | Configuring Power Supply Monitoring on page 522
RNA Host License Limit | Configuring RNA Host Usage Monitoring on page 524

Use the Default Health Policy to monitor health on a Master Defense Center. Enabled health modules for this policy are listed in the Enabled MDC Health Modules - Default Health Policy table.

Enabled MDC Health Modules - Default Health Policy

Module | For more information, see...
Data Correlator Process | Configuring Data Correlator Process Monitoring on page 506
Defense Center Status | Configuring Defense Center Status on page 507
Disk Usage | Configuring Disk Usage Monitoring on page 508
eStreamer Process | Configuring eStreamer Process Monitoring on page 509
Event Stream | Configuring Event Stream Monitoring on page 511
Memory Usage | Configuring Memory Usage Monitoring on page 520
RNA Host License Limit | Configuring RNA Host Usage Monitoring on page 524


Default Intrusion Sensor Health Policy

Use the Default IPS Health Policy to monitor health on legacy Intrusion Sensors that you have not upgraded to Version 4.9.1. Enabled health modules for this policy are listed in the Enabled Health Modules: Default Intrusion Sensor Health Policy table.

Enabled Health Modules: Default Intrusion Sensor Health Policy

Module | For more information, see...
Automatic Application Bypass Status | Configuring Automatic Application Bypass Monitoring on page 502
Data Correlator Process | Configuring Data Correlator Process Monitoring on page 506
Disk Usage | Configuring Disk Usage Monitoring on page 508
Health Monitor Process | Configuring Health Status Monitoring on page 514
IPS Event Rate | Configuring IPS Event Rate Monitoring on page 515
IPS Process | Configuring IPS Process Monitoring on page 516
Link State Propagation | Configuring Link State Propagation Monitoring on page 518
Memory Usage | Configuring Memory Usage Monitoring on page 520
Power Supply | Configuring Power Supply Monitoring on page 522
Traffic Status | Configuring Traffic Status Monitoring on page 527

Default IPS (3Dx800 only) Health Policy

Use the Default IPS (3Dx800 only) Health Policy to monitor IPS health on 3Dx800 sensors. Enabled health modules for this policy are listed in the Enabled Health Modules: Default IPS (3Dx800 only) Health Policy table. Note that the Hardware Alarm module should be used instead of the Power Supply module to monitor power supply health on the 3Dx800 sensor models.

Enabled Health Modules: Default IPS (3Dx800 only) Health Policy

Module | For more information, see...
Automatic Application Bypass Status | Configuring Automatic Application Bypass Monitoring on page 502
CPU Temperature | Configuring CPU Temperature Monitoring on page 503
Data Correlator Process | Configuring Data Correlator Process Monitoring on page 506
Disk Usage | Configuring Disk Usage Monitoring on page 508
Fan Alarm | Configuring Fan Monitoring on page 512
Hardware Alarms | Configuring Hardware Monitoring on page 513
IPS Event Rate | Configuring IPS Event Rate Monitoring on page 515
IPS Process | Configuring IPS Process Monitoring on page 516
Memory Usage | Configuring Memory Usage Monitoring on page 520
Traffic Status | Configuring Traffic Status Monitoring on page 527

Default RNA Sensor Health Policy

Use the Default RNA Sensor Health Policy to monitor health on legacy RNA Sensors that you have not upgraded to Version 4.9.1. Enabled health modules for this policy are listed in the Enabled Health Modules: Default RNA Sensor Health Policy table.

Enabled Health Modules: Default RNA Sensor Health Policy

Module | For more information, see...
Automatic Application Bypass Status | Configuring Automatic Application Bypass Monitoring on page 502
Data Correlator Process | Configuring Data Correlator Process Monitoring on page 506
Disk Usage | Configuring Disk Usage Monitoring on page 508
Link State Propagation | Configuring Link State Propagation Monitoring on page 518
Memory Usage | Configuring Memory Usage Monitoring on page 520
Power Supply | Configuring Power Supply Monitoring on page 522
RNA Host License Limit | Configuring RNA Host Usage Monitoring on page 524
RNA Process | Configuring RNA Process Monitoring on page 525
Traffic Status | Configuring Traffic Status Monitoring on page 527

Creating Health Policies

Requires: DC/MDC

If you want to customize a health policy to use with your appliances, you can create a new policy. The settings in the policy initially populate with the settings from the health policy you select as a basis for the new policy. You can enable or disable modules within the policy and change the alerting criteria for each module as needed.

TIP! Instead of creating a new policy, you can export a health policy from another Defense Center and then import it onto your Defense Center. You can then edit the imported policy to suit your needs before you apply it. For more information, see Importing and Exporting Objects on page 583.

To create a health policy:

Access: Maint/Admin

1. Select Operations > Monitoring > Health.

The Health Monitor page appears.

2. On the toolbar, click Health Policy.

The Health Policy page appears.

3. Click Create Policy to create a new policy.

The Create Health Policy page appears.

4. Select the existing policy that you want to use as the basis for the new policy from the Copy Policy drop-down list.

5. Enter a name for the policy.

6. Enter a description for the policy.


7. Select Save to save the policy information.

The Health Policy Configuration page appears, including a list of the modules.

8. Configure settings on each module you want to use to test the health status of your appliances, as described in the following sections:

• Configuring Policy Run Time Intervals on page 500

• Configuring Appliance Heartbeat Monitoring on page 501

• Configuring Automatic Application Bypass Monitoring on page 502

• Configuring CPU Temperature Monitoring on page 503

• Configuring CPU Usage Monitoring on page 504

• Configuring Card Reset Monitoring on page 505

• Configuring Data Correlator Process Monitoring on page 506

• Configuring Defense Center Status on page 507

• Configuring Disk Usage Monitoring on page 508

• Configuring eStreamer Process Monitoring on page 509

• Configuring Event Stream Monitoring on page 511

• Configuring Fan Monitoring on page 512


• Configuring Hardware Monitoring on page 513

• Configuring Health Status Monitoring on page 514

• Configuring IPS Event Rate Monitoring on page 515

• Configuring IPS Process Monitoring on page 516

• Configuring Link State Propagation Monitoring on page 518

• Configuring MDC Event Service Monitoring on page 519

• Configuring Memory Usage Monitoring on page 520

• Configuring PEP Status Monitoring on page 521

• Configuring Power Supply Monitoring on page 522

• Configuring RNA Event Status Monitoring on page 523

• Configuring RNA Host Usage Monitoring on page 524

• Configuring RNA Process Monitoring on page 525

• Configuring Time Synchronization Monitoring on page 526

• Configuring Traffic Status Monitoring on page 527

IMPORTANT! Make sure you enable each module that you want to run to test the health status on each Health Policy Configuration page as you configure the settings. Disabled modules do not produce health status feedback, even if the policy that contains the module has been applied to an appliance.

9. Click Save to save the policy.

You must apply the policy to each appliance for it to take effect. For more information on applying health policies, see Applying Health Policies on page 528.

Configuring Policy Run Time Intervals

Requires: DC/MDC

You can control how often health tests run by modifying the Policy Run Time Interval for the health policy. The maximum run time interval you can set is 99999 minutes.

WARNING! Do not set a run interval of less than five minutes.

To configure a policy run time interval:

Access: Maint/Admin

1. On the Health Policy Configuration page, select Policy Run Time Interval.

The Health Policy Configuration - Policy Run Time Interval page appears.


2. In the Run Interval (mins) field, enter the time in minutes that you want to elapse between automatic repetitions of the test.

3. You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.

• To return to the Health Policy page without saving any of your settings for this module, click Cancel.

• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate appliances if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring Appliance Heartbeat Monitoring

Requires: DC
Supported Platforms: Defense Center

The Defense Center receives heartbeats from its managed appliances once every two minutes or every 200 events, whichever comes first, as an indicator that the appliance is running and communicating properly with the Defense Center. Use the Appliance Heartbeat health status module to track whether the Defense Center receives heartbeats from managed appliances. If the Defense Center does not detect a heartbeat from an appliance, the status classification for this module changes to Critical. That status data feeds into the health monitor.

To configure Appliance Heartbeat health module settings:

Access: Maint/Admin

1. In the Health Policy Configuration page, select Appliance Heartbeat.

The Health Policy Configuration - Appliance Heartbeat page appears.

2. Select On for the Enabled option to enable use of the module for health status testing.


3. You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.

• To return to the Health Policy page without saving any of your settings for this module, click Cancel.

• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate appliances if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring Automatic Application Bypass Monitoring

Requires: DC/MDC
Supported Platforms: 3D Sensors except 3D9900

Use this module to detect when a detection engine is bypassed because it did not respond within the number of seconds configured as the bypass threshold. If a bypass occurs, this module generates an alert. That status data feeds into the health monitor.

For more information on automatic application bypass, see Automatic Application Bypass on page 212.

To configure automatic application bypass monitoring status:

Access: Maint/Admin

1. In the Health Policy Configuration page, select Automatic Application Bypass Status.

The Automatic Application Bypass Status page appears.

2. Select On for the Enabled option to enable use of the module for health status testing.


3. You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.

• To return to the Health Policy page without saving any of your settings for this module, click Cancel.

• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate 3D Sensor if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring CPU Temperature Monitoring

Requires: DC/MDC
Supported Platforms: 3Dx800

The temperature of the central processing unit (CPU) on your 3Dx800 sensor provides an important barometer for the health of your sensor. Overheating a CPU can damage the processing unit. Use the CPU Temperature health status module to set CPU temperature limits.

If the CPU temperature on the monitored sensor exceeds the Warning limit, the status classification for that module changes to Warning. If the CPU temperature on the monitored sensor exceeds the Critical limit, the status classification for that module changes to Critical. That status data feeds into the health monitor.

By default, the Critical limit is set to 52 degrees Celsius and the Warning limit is set to 50 degrees Celsius. The maximum temperature you can set for either limit is 100 degrees Celsius, and the Critical limit must be greater than the Warning limit.

WARNING! Sourcefire recommends that you do not set the Critical limit higher than 65 degrees Celsius and that you do not set the Warning limit higher than 55 degrees Celsius.

To configure CPU temperature health module settings:

Access: Maint/Admin

1. In the Health Policy Configuration page, select CPU Temperature.

The Health Policy Configuration - CPU Temperature page appears.


2. Select On for the Enabled option to enable use of the module for health status testing.

3. In the Critical Threshold Celsius field, enter the number of degrees, in Celsius, that should trigger a critical health status.

4. In the Warning Threshold Celsius field, enter the number of degrees, in Celsius, that should trigger a warning health status.

5. You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.

• To return to the Health Policy page without saving any of your settings for this module, click Cancel.

• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate sensors if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring CPU Usage Monitoring

Requires: DC/MDC
Supported Platforms: All except 3D9900

Excessive CPU usage can indicate that you need to upgrade your hardware or that there are processes that are not functioning correctly. Use the CPU Usage health status module to set CPU usage limits.

If the CPU usage on the monitored appliance exceeds the Warning limit, the status classification for that module changes to Warning. If the CPU usage on the monitored appliance exceeds the Critical limit, the status classification for that module changes to Critical. That status data feeds into the health monitor.

The maximum percentage you can set for either limit is 100 percent, and the Critical limit must be higher than the Warning limit.

Note that this module is not available for health policies applied to 3D9900 sensors.


To configure CPU Usage health module settings:

Access: Maint/Admin

1. On the Health Policy Configuration page, select CPU Usage.

The Health Policy Configuration - CPU Usage page appears.

2. Select On for the Enabled option to enable use of the module for health status testing.

3. In the Critical Threshold % field, enter the percentage of CPU usage that should trigger a critical health status.

4. In the Warning Threshold % field, enter the percentage of CPU usage that should trigger a warning health status.

5. You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.

• To return to the Health Policy page without saving any of your settings for this module, click Cancel.

• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate appliances if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring Card Reset Monitoring

Requires: DC/MDC
Supported Platforms: 3D500 - 3D6500 except 3Dx800

Use the card reset monitoring health status module to track when the network card restarts because of hardware failure. If a reset occurs, this module generates an alert. That status data feeds into the health monitor.

To configure card reset monitoring:

Access: Maint/Admin

1. In the Health Policy Configuration page, select Card Reset.

The Card Reset Monitoring page appears.


2. Select On for the Enabled option to enable use of the module for health status testing.

3. You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.

• To return to the Health Policy page without saving any of your settings for this module, click Cancel.

• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate Defense Center if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring Data Correlator Process Monitoring

Requires: DC/MDC
Supported Platforms: All

The Data Correlator, short for the system daemon SFDataCorrelator, manages data transmission. Use the Data Correlator Process health status module to set limits for the number of restarts that trigger a change in the health status.

The restart counter does not count individual restarts. At each test, the module checks whether any restarts occurred since the previous test; if one or more occurred, it increments the restart counter by one, so several restarts between two tests still add only one to the count. The first time the module checks and finds that no restarts have occurred since the last test, it resets the counter to zero and lowers the alert level by one step (for example, Critical is reduced to Warning, or Warning is reduced to Normal). The second consecutive time the module checks and finds no restarts since the last test, the alert level resets to Normal.

If the module finds that the process is not running at all, it increments the restart counter by one, but sets the module status to Critical for that test, regardless of the limits set for the module. The status remains Critical until the module finds that the process is running. At that point, the module sets status according to the restart counter value and the configured limits for the module.

If the module checks the Data Correlator process as many times as configured in the Warning Number of restarts limit, and each time one or more restarts have occurred, the status classification for that module changes to Warning. If the module checks the Data Correlator process as many times as configured in the Critical Number of restarts limit, and each time one or more restarts have occurred, the status classification for that module changes to Critical. That status data feeds into the health monitor.


The maximum number of restarts you can set for either limit is 100, and the Critical limit must be higher than the Warning limit.
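The counting scheme described above is easy to misread (the counter tracks consecutive tests that saw a restart, not restarts themselves, and a stopped process forces Critical irrespective of the limits), so the following Python simulates it. This is an added illustration, not code from the guide or from Sourcefire; the guide states that the eStreamer Process module uses the same restart-counter scheme. The class and function names and the observation sequences are constructed for this example, and the lower bound of 1 on each limit is an assumption the page does not state.

```python
"""Simulation of the restart-counter health module described above (Data
Correlator Process; the guide says the eStreamer Process module counts the
same way). Added illustration, not Sourcefire code."""

from dataclasses import dataclass
from typing import List, Tuple

NORMAL, WARNING, CRITICAL = "Normal", "Warning", "Critical"
MAX_RESTART_LIMIT = 100  # the guide's maximum for either limit


def limits_are_valid(warning: int, critical: int) -> bool:
    """Documented constraints: each limit at most 100, Critical above Warning.
    The lower bound of 1 is an assumption the page does not state."""
    return 0 < warning < critical <= MAX_RESTART_LIMIT


def _step_down(level: str) -> str:
    """Lower an alert level by one step: Critical -> Warning -> Normal."""
    return {CRITICAL: WARNING, WARNING: NORMAL, NORMAL: NORMAL}[level]


@dataclass
class ProcessRestartMonitor:
    warning_limit: int
    critical_limit: int
    counter: int = 0       # consecutive checks that saw at least one restart
    level: str = NORMAL    # status reported by the last check
    clean_checks: int = 0  # consecutive checks with the process up and no restart

    def __post_init__(self) -> None:
        if not limits_are_valid(self.warning_limit, self.critical_limit):
            raise ValueError(
                f"need 0 < Warning ({self.warning_limit}) < Critical "
                f"({self.critical_limit}) <= {MAX_RESTART_LIMIT}")

    def check(self, running: bool, restarted_since_last: bool) -> str:
        """Perform one test and return the status the module would report.

        restarted_since_last is True if one or more restarts happened since the
        previous test; how many is irrelevant, the counter grows by at most one.
        """
        if not running:
            # Process down: count it, but force Critical regardless of limits.
            self.counter += 1
            self.clean_checks = 0
            self.level = CRITICAL
        elif restarted_since_last:
            self.counter += 1
            self.clean_checks = 0
            self.level = self._level_from_counter()
        else:
            self.clean_checks += 1
            if self.clean_checks == 1:
                # First clean check: counter to zero, alert level down one step.
                self.counter = 0
                self.level = _step_down(self.level)
            else:
                # Second or later consecutive clean check: back to Normal.
                self.level = NORMAL
        return self.level

    def _level_from_counter(self) -> str:
        """Map the restart counter onto a status using the configured limits."""
        if self.counter >= self.critical_limit:
            return CRITICAL
        if self.counter >= self.warning_limit:
            return WARNING
        return NORMAL


def simulate(warning: int, critical: int,
             observations: List[Tuple[bool, bool]]) -> List[str]:
    """Run a fresh monitor over (running, restarted_since_last) observations
    and return the status reported after each check."""
    monitor = ProcessRestartMonitor(warning, critical)
    return [monitor.check(up, restarted) for up, restarted in observations]


if __name__ == "__main__":
    # Constructed sequence: three checks each seeing a restart, the process
    # found down, found up again after a restart, then two clean checks.
    sample = [(True, True), (True, True), (True, True),
              (False, False), (True, True), (True, False), (True, False)]
    for (up, restarted), status in zip(sample, simulate(2, 3, sample)):
        print(f"running={up!s:<5} restarted={restarted!s:<5} -> {status}")
```

With Warning at 2 and Critical at 3, the sample sequence reports Normal, Warning, Critical, Critical (process down), Critical, Warning (first clean check steps down one level) and finally Normal. A process found up again after a down check is treated here as having restarted, which is the (True, True) observation; the guide does not spell out the case where it is found up with no restart recorded.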

To configure Data Correlator Process health module settings:

Access: Maint/Admin

1. On the Health Policy Configuration page, select Data Correlator Process.

The Health Policy Configuration - Data Correlator Process page appears.

2. Select On for the Enabled option to enable use of the module for health status testing.

3. In the Critical Number of restarts field, enter the number of process restarts that should trigger a critical health status.

4. In the Warning Number of restarts field, enter the number of process restarts that should trigger a warning health status.

5. You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.

• To return to the Health Policy page without saving any of your settings for this module, click Cancel.

• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate appliances if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring Defense Center Status

Requires: MDC
Supported Platforms: Master Defense Center

Use the Defense Center Status health status module to monitor the status of a Defense Center or Defense Centers managed by the Master Defense Center where the health policy is applied. If a heartbeat is not obtained from the managed Defense Center or Defense Centers, this module generates an alert. That status data feeds into the health monitor.


To configure Defense Center Status:

Access: Maint/Admin

1. In the Health Policy Configuration page, select Defense Center Status.

The Defense Center Status page appears.

2. Select On for the Enabled option to enable use of the module for health status testing.

3. You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.

• To return to the Health Policy page without saving any of your settings for this module, click Cancel.

• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate Defense Center if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring Disk Usage Monitoring

Requires: DC/MDC
Supported Platforms: All

Without sufficient disk space, an appliance cannot run. The health monitor can identify low disk space conditions on your appliances before the space runs out. Use the Disk Usage health status module to set disk usage limits for the / and /volume partitions on the appliance.

IMPORTANT! Although the disk usage module lists the /boot partition as a monitored partition, the size of the partition is static so the module does not alert on the boot partition.

If the disk usage on the monitored appliance exceeds the Warning limit, the status classification for that module changes to Warning. If the disk usage on the monitored appliance exceeds the Critical limit, the status classification for that module changes to Critical. That status data feeds into the health monitor.

The maximum percentage you can set for either limit is 100 percent, and the Critical limit must be higher than the Warning limit.
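The CPU Temperature, CPU Usage and Disk Usage modules described above share one shape: a Warning and a Critical limit, Critical above Warning, neither above the module's maximum, and a status that moves to Warning or Critical when the measured value exceeds the corresponding limit. The following Python captures that shape, the CPU Temperature defaults and recommended ceilings stated on the page, and the Disk Usage detail that /boot is listed but never alerts. It is an added illustration, not code from the guide or from Sourcefire; the class and function names and the sample readings are constructed, and the roll-up of per-partition results to the worst status is an assumption.

```python
"""Threshold-style health modules (CPU Temperature, CPU Usage, Disk Usage)
as described above. Added illustration, not Sourcefire code."""

from dataclasses import dataclass
from typing import Dict

NORMAL, WARNING, CRITICAL = "Normal", "Warning", "Critical"

# Disk Usage: the guide says the limits apply to / and /volume, while /boot
# is listed as monitored but never alerts because its size is static.
ALERTING_PARTITIONS = ("/", "/volume")
LISTED_ONLY_PARTITIONS = ("/boot",)


@dataclass(frozen=True)
class ThresholdLimits:
    warning: float
    critical: float
    maximum: float = 100.0  # 100 percent, or 100 degrees Celsius for CPU Temperature

    def __post_init__(self) -> None:
        # The guide's constraints; the lower bound of 0 is an assumption.
        if not (0 <= self.warning < self.critical <= self.maximum):
            raise ValueError(
                f"need 0 <= Warning ({self.warning}) < Critical ({self.critical})"
                f" <= {self.maximum}")

    def classify(self, value: float) -> str:
        """'Exceeds' is read as strictly greater than the limit."""
        if value > self.critical:
            return CRITICAL
        if value > self.warning:
            return WARNING
        return NORMAL


# Defaults and recommended ceilings for CPU Temperature, as stated on the page.
CPU_TEMP_DEFAULTS = ThresholdLimits(warning=50, critical=52)
CPU_TEMP_RECOMMENDED_MAX = ThresholdLimits(warning=55, critical=65)


def cpu_temp_within_recommendation(limits: ThresholdLimits) -> bool:
    """True if neither limit exceeds Sourcefire's recommended ceilings."""
    return (limits.warning <= CPU_TEMP_RECOMMENDED_MAX.warning
            and limits.critical <= CPU_TEMP_RECOMMENDED_MAX.critical)


def evaluate_disk_usage(limits: ThresholdLimits,
                        usage_pct: Dict[str, float]) -> Dict[str, str]:
    """Classify each listed partition. /boot is always Normal; mounts the
    module does not list are ignored."""
    statuses = {}
    for mount, pct in usage_pct.items():
        if mount in LISTED_ONLY_PARTITIONS:
            statuses[mount] = NORMAL
        elif mount in ALERTING_PARTITIONS:
            statuses[mount] = limits.classify(pct)
    return statuses


def worst_status(statuses: Dict[str, str]) -> str:
    """Roll per-partition results up to one module status (worst wins).
    That the module reports the worst partition is an assumption."""
    rank = {NORMAL: 0, WARNING: 1, CRITICAL: 2}
    return max(statuses.values(), key=rank.__getitem__, default=NORMAL)


if __name__ == "__main__":
    # Constructed sample readings, not output from a real appliance.
    disk = ThresholdLimits(warning=80, critical=90)
    reading = {"/": 62.0, "/volume": 91.5, "/boot": 97.0}
    per_partition = evaluate_disk_usage(disk, reading)
    print(per_partition, "->", worst_status(per_partition))
    print("CPU temperature 53 C ->", CPU_TEMP_DEFAULTS.classify(53))
```

On the constructed reading, / is Normal, /volume is Critical and /boot stays Normal despite being 97% full, so the module status is Critical; a CPU temperature of 53 degrees under the default limits is Critical, while 51 degrees is only Warning.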


To configure Disk Usage health module settings:

Access: Maint/Admin 1. On the Health Policy Configuration page, select Disk Usage.

The Health Policy Configuration - Disk Usage page appears.

2. Select On for the Enabled option to enable use of the module for health status testing.

3. In the Critical Threshold % field, enter the percentage of disk usage that should trigger a critical health status.

4. In the Warning Threshold % field, enter the percentage of disk usage that should trigger a warning health status.

5. You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.

• To return to the Health Policy page without saving any of your settings for this module, click Cancel.

• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate appliances if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring eStreamer Process Monitoring

Requires: DC/MDC Supported Platforms: Defense Center

Use the eStreamer Process health status module to monitor the health of the eStreamer process on the Defense Center. eStreamer, short for the Sourcefire Event Streamer, allows you to stream Sourcefire 3D System intrusion and network discovery data from the Sourcefire Defense Center to an eStreamer client.

You can set limits for the number of restarts that trigger a change in the health status. The restart counter does not count individual restarts: at each test, the module checks whether any restarts occurred since the previous test and, if so, increments the counter by one, no matter how many restarts actually happened in that interval.

The first time the module checks and no restarts have occurred since the last test, the module resets the counter to zero and lowers the alert level by one step (for example, from Critical to Warning or from Warning to Normal). The second consecutive time the module checks and finds no restarts, the alert level returns to Normal.

If the module finds that the process is not running at all, it increments the restart counter by one, but sets the module status to Critical for that test, regardless of the limits set for the module. The status remains Critical until the module finds that the process is running. At that point, the module sets status according to the restart counter value and the configured limits for the module.

If the module checks the eStreamer process as many times as configured in the Warning Number of restarts limit, and each time one or more restarts have occurred, the status classification for that module changes to Warning. If the module checks the eStreamer process as many times as configured in the Critical Number of restarts limit, and each time one or more restarts have occurred, the status classification for that module changes to Critical. That status data feeds into the health monitor.

The maximum number of restarts you can set for either limit is 100, and the Critical limit must be higher than the Warning limit.

To configure eStreamer Process health module settings:

Access: Maint/Admin 1. On the Health Policy Configuration page, select eStreamer Process.

The Health Policy Configuration - eStreamer Process page appears.

2. Select On for the Enabled option to enable use of the module for health status testing.

3. In the Critical Number of restarts field, enter the number of process restarts that should trigger a critical health status.

4. In the Warning Number of restarts field, enter the number of process restarts that should trigger a warning health status.


5. You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.

• To return to the Health Policy page without saving any of your settings for this module, click Cancel.

• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate appliances if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring Event Stream Monitoring

Requires: DC/MDC Supported Platforms: Master Defense Center

Use the Event Stream Status module to monitor the health of the event stream process on a Defense Center by generating alerts when too many seconds elapse between events received by the Master Defense Center.

You can configure the elapsed duration between events, in seconds, that causes an alert to be generated. If the wait exceeds the number of seconds configured in the Warning Seconds since last event limit, the status classification for that module changes to Warning. If the wait exceeds the Critical Seconds since last event limit, the status classification for that module changes to Critical. That status data feeds into the health monitor.

The maximum number of seconds you can set for either limit is 600, and the Critical limit must be higher than the Warning limit. The minimum number of seconds is 300.

To configure Event Stream Status health module settings:

Access: Maint/Admin 1. In the Health Policy Configuration page, select Event Stream Status.

The Health Policy Configuration - Event Stream Status page appears.

2. Select On for the Enabled option to enable use of the module for health status testing.

3. In the Critical Seconds since last event field, enter the maximum number of seconds to wait between events, before triggering a critical health status.


4. In the Warning Seconds since last event field, enter the maximum number of seconds to wait between events, before triggering a warning health status.

5. You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.

• To return to the Health Policy page without saving any of your settings for this module, click Cancel.

• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the Master Defense Center for your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring Fan Monitoring

Requires: DC/MDC Supported Platforms: 3Dx800

Use the Fan Alarm health status module to warn of fan failure on a 3Dx800 sensor. If the Fan Alarm module finds a fan that has failed, the status classification for that module changes to Critical. That status data feeds into the health monitor.

To configure Fan Alarm health module settings:

Access: Maint/Admin 1. In the Health Policy Configuration page, select Fan Alarm.

The Health Policy Configuration - Fan Alarm monitor page appears.

2. Select On for the Enabled option to enable use of the module for health status testing.


3. You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.

• To return to the Health Policy page without saving any of your settings for this module, click Cancel.

• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate sensors if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring Hardware Monitoring

Requires: DC/MDC Supported Platforms: 3Dx800, 3D9900

Use the Hardware Alarm health status module to detect hardware failure on a 3Dx800 or 3D9900 sensor. If the Hardware Alarm module finds a hardware component that has failed, the status classification for that module changes to Critical. That status data feeds into the health monitor.

Note that the Hardware Alarm module can be used in addition to the Power Supply module to monitor power supply health on the 3Dx800 sensor models.

For more information on the hardware status conditions that can cause hardware alerts on 3D9900 sensors, see Interpreting Hardware Alert Details for 3D9900 Sensors on page 560.

To configure Hardware Alarm health module settings:

Access: Maint/Admin 1. In the Health Policy Configuration page, select Hardware Alarms.

The Health Policy Configuration - Hardware Alarm monitor page appears.

2. Select On for the Enabled option to enable use of the module for health status testing.


3. You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.

• To return to the Health Policy page without saving any of your settings for this module, click Cancel.

• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate sensors if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring Health Status Monitoring

Requires: DC/MDC Supported Platforms: Defense Center

Use the Health Monitor Process module to monitor the health of the health monitor on a Defense Center by generating alerts when too many minutes elapse between health events received from monitored appliances.

For example, if a Defense Center (myrtle.example.com) monitors a sensor (dogwood.example.com), you apply a health policy with the Health Monitor Process module enabled to myrtle.example.com. The Health Monitor Process module then reports events that indicate how many minutes have elapsed since the last event was received from dogwood.example.com.

You can configure the elapsed duration between events, in minutes, that causes an alert to be generated. If the wait exceeds the number of minutes configured in the Warning Minutes since last event limit, the status classification for that module changes to Warning. If the wait exceeds the Critical Minutes since last event limit, the status classification for that module changes to Critical. That status data feeds into the health monitor.

The maximum number of minutes you can set for either limit is 144, and the Critical limit must be higher than the Warning limit. The minimum number of minutes is 5.

To configure Health Monitor Process module settings:

Access: Maint/Admin 1. In the Health Policy Configuration page, select Health Monitor Process.

The Health Policy Configuration - Health Monitor Process page appears.

2. Select On for the Enabled option to enable use of the module for health status testing.

3. In the Critical Minutes since last event field, enter the maximum number of minutes to wait between events, before triggering a critical health status.


4. In the Warning Minutes since last event field, enter the maximum number of minutes to wait between events, before triggering a warning health status.

5. You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.

• To return to the Health Policy page without saving any of your settings for this module, click Cancel.

• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the Defense Center for your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring IPS Event Rate Monitoring

Requires: DC/MDC Supported Platforms: IPS

Use the IPS Event Rate health status module to set limits for the number of intrusion events per second that trigger a change in the health status. If the event rate for the IPS process on the monitored sensor exceeds the number of events per second configured in the Events per second (Warning) limit, the status classification for that module changes to Warning. If the event rate exceeds the number of events per second configured in the Events per second (Critical) limit, the status classification for that module changes to Critical. That status data feeds into the health monitor.

Typically, the event rate for a network segment averages 20 events per second. For a network segment with this average rate, Events per second (Critical) should be set to 50 and Events per second (Warning) should be set to 30. To determine limits for your system, find the Events/Sec value on the Statistics page for your sensor (Operations > Monitoring > Statistics), then calculate the limits using these formulas:

• Events per second (Critical) = Events/Sec * 2.5

• Events per second (Warning) = Events/Sec *1.5

The maximum number of events you can set for either limit is 999, and the Critical limit must be higher than the Warning limit.


To configure IPS Event Rate Monitor health module settings:

Access: Maint/Admin 1. In the Health Policy Configuration page, select IPS Event Rate.

The Health Policy Configuration - IPS Event Rate page appears.

2. Select On for the Enabled option to enable use of the module for health status testing.

3. In the Events per second (Critical) field, enter the number of events per second that should trigger a critical health status.

4. In the Events per second (Warning) field, enter the number of events per second that should trigger a warning health status.

5. You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.

• To return to the Health Policy page without saving any of your settings for this module, click Cancel.

• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate sensors if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring IPS Process Monitoring

Requires: DC/MDC Supported Platforms: IPS

The IPS process (also known as Snort) is the packet decoder on a 3D Sensor with the IPS component. Use the IPS Process health status module to monitor the health of the IPS process on a sensor. You can configure how many restarts trigger a change in the health status for the process.

The restart counter does not count individual restarts: at each test, the module checks whether any restarts occurred since the previous test and, if so, increments the counter by one, no matter how many restarts actually happened in that interval. The first time the module checks and no restarts have occurred since the last test, the module resets the counter to zero and lowers the alert level by one step (for example, from Critical to Warning or from Warning to Normal). The second consecutive time the module checks and finds no restarts, the alert level returns to Normal.

If the module finds that the process is not running at all, it increments the restart counter by one, but sets the module status to Critical for that test, regardless of the limits set for the module. The status remains Critical until the module finds that the process is running. At that point, the module sets status according to the restart counter value and the configured limits for the module.

If the module checks the IPS process as many times as configured in the Warning Number of restarts limit, and each time one or more restarts have occurred, the status classification for that module changes to Warning. If the module checks the IPS process as many times as configured in the Critical Number of restarts limit, and each time one or more restarts have occurred, the status classification for that module changes to Critical. That status data feeds into the health monitor.

The maximum number of restarts you can set for either limit is 100, and the Critical limit must be higher than the Warning limit.

To configure IPS Process Monitor health module settings:

Access: Maint/Admin 1. In the Health Policy Configuration page, select IPS Process.

The Health Policy Configuration - IPS Process page appears.

2. Select On for the Enabled option to enable use of the module for health status testing.

3. In the Critical Number of restarts field, enter the number of process restarts that should trigger a critical health status.

4. In the Warning Number of restarts field, enter the number of process restarts that should trigger a warning health status.


5. You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.

• To return to the Health Policy page without saving any of your settings for this module, click Cancel.

• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate sensors if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring Link State Propagation Monitoring

Requires: DC/MDC Supported Platforms: IPS

Use the Link State Propagation health status module to detect the interface link state propagation status on an inline interface pair. If a link state propagates to the paired interface, the status classification for that module changes to Critical and the state reads:

Module Link State Propagation: ethx_ethy is Triggered

where x and y are the paired interface numbers.

To configure Link State Propagation health module settings:

Access: Maint/Admin 1. On the Health Policy Configuration page, select Link State Propagation.

The Health Policy Configuration - Link State Propagation monitor page appears.

2. Select On for the Enabled option to enable use of the module for health status testing.


3. You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.

• To return to the Health Policy page without saving any of your settings for this module, click Cancel.

• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate sensors if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring MDC Event Service Monitoring

Requires: DC/MDC Supported Platforms: Defense Center

Use the MDC health status module to monitor the health of the internal eStreamer process on the Defense Center that is used to transmit events to the Master Defense Center.

You can set limits for the number of restarts that trigger a change in the health status. The restart counter does not count individual restarts: at each test, the module checks whether any restarts occurred since the previous test and, if so, increments the counter by one, no matter how many restarts actually happened in that interval. The first time the module checks and no restarts have occurred since the last test, the module resets the counter to zero and lowers the alert level by one step (for example, from Critical to Warning or from Warning to Normal). The second consecutive time the module checks and finds no restarts, the alert level returns to Normal.

If the module finds that the process is not running at all, it increments the restart counter by one, but sets the module status to Critical for that test, regardless of the limits set for the module. The status remains Critical until the module finds that the process is running. At that point, the module sets status according to the restart counter value and the configured limits for the module.

If the module checks the MDC event service as many times as configured in the Warning Number of restarts limit, and each time one or more restarts have occurred, the status classification for that module changes to Warning. If the module checks the MDC event service as many times as configured in the Critical Number of restarts limit, and each time one or more restarts have occurred, the status classification for that module changes to Critical. That status data feeds into the health monitor.

The maximum number of restarts you can set for either limit is 100, and the Critical limit must be higher than the Warning limit.
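The counter-and-level behaviour described above for the MDC Event Service module is the same state machine the guide describes for the eStreamer Process and IPS Process modules. The following Python is an added example, not Sourcefire code, that implements that description so you can reason about what a given Warning and Critical limit will do over a sequence of tests. The class and function names are the example's own, and the poll sequence at the bottom is constructed. One point the text leaves open is what happens when the process is found running again after having been absent: the example first sets the level from the counter and the limits, as the text says, and then applies the normal per-test rule for that poll.

```python
"""Added example: the restart-counter state machine shared by the eStreamer
Process, IPS Process and MDC Event Service health modules. Not product code."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

NORMAL, WARNING, CRITICAL = "Normal", "Warning", "Critical"
_LEVELS = [NORMAL, WARNING, CRITICAL]


def limits_are_valid(warning: int, critical: int) -> bool:
    """Each limit is at most 100 and Critical must be higher than Warning."""
    return 1 <= warning <= 100 and 1 <= critical <= 100 and critical > warning


@dataclass
class RestartMonitor:
    warning: int
    critical: int
    count: int = 0          # consecutive tests that saw at least one restart
    level: str = NORMAL     # current module status
    clean_checks: int = 0   # consecutive tests that saw no restart
    running: bool = True    # whether the last test found the process alive

    def __post_init__(self) -> None:
        if not limits_are_valid(self.warning, self.critical):
            raise ValueError("limits must be 1-100 with Critical > Warning")

    def _level_from_count(self) -> str:
        # Status follows the counter once it reaches a configured limit.
        if self.count >= self.critical:
            return CRITICAL
        if self.count >= self.warning:
            return WARNING
        return NORMAL

    def check(self, running: bool, restarted_since_last: bool) -> str:
        """One health test; returns the module status after the test."""
        if not running:
            # Process absent: the counter still goes up by one, but the status
            # is Critical regardless of the limits until it is seen running.
            self.count += 1
            self.clean_checks = 0
            self.running = False
            self.level = CRITICAL
            return self.level
        if not self.running:
            # Back again: status now follows the counter and the limits.
            self.running = True
            self.level = self._level_from_count()
        if restarted_since_last:
            # Any number of restarts between two tests counts as one.
            self.count += 1
            self.clean_checks = 0
            self.level = self._level_from_count()
        else:
            self.clean_checks += 1
            if self.clean_checks == 1:
                # First quiet test: counter to zero, alert level down one step.
                self.count = 0
                self.level = _LEVELS[max(0, _LEVELS.index(self.level) - 1)]
            else:
                # Second consecutive quiet test: back to Normal.
                self.level = NORMAL
        return self.level


def simulate(warning: int, critical: int,
             polls: Iterable[Tuple[bool, bool]]) -> List[str]:
    """Run a sequence of (running, restarted_since_last) observations."""
    monitor = RestartMonitor(warning, critical)
    return [monitor.check(running, restarted) for running, restarted in polls]


if __name__ == "__main__":
    # Constructed poll sequence: three tests in a row each saw a restart, two
    # quiet tests, then the process is found dead, restarted, and quiet again.
    polls = [(True, True), (True, True), (True, True),
             (True, False), (True, False),
             (False, False), (True, True), (True, False)]
    for index, status in enumerate(simulate(2, 3, polls), start=1):
        print(f"test {index}: {status}")
```

With Warning set to 2 and Critical to 3, the sequence shows the two features worth knowing before you tune the limits: the status climbs one step per test that saw a restart, and after a quiet test it falls only one step, so a Critical module needs two clean tests in a row to return to Normal.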


To configure MDC Event Service health module settings:

Access: Maint/Admin 1. On the Health Policy Configuration page, select MDC Event Service.

The Health Policy Configuration - MDC Event Service Process page appears.

2. Select On for the Enabled option to enable use of the module for health status testing.

3. In the Critical Number of restarts field, enter the number of process restarts that should trigger a critical health status.

4. In the Warning Number of restarts field, enter the number of process restarts that should trigger a warning health status.

5. You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.

• To return to the Health Policy page without saving any of your settings for this module, click Cancel.

• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate appliances if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring Memory Usage Monitoring

Requires: DC/MDC Supported Platforms: All

Use the Memory Usage health status module to set memory usage limits. The module computes free memory as free memory plus cached memory, so memory held only by the cache does not count toward the usage limits. If the memory usage on the monitored appliance exceeds the Warning limit, the status classification for that module changes to Warning. If the memory usage on the monitored appliance exceeds the Critical limit, the status classification for that module changes to Critical. That status data feeds into the health monitor.

The maximum percentage you can set for either limit is 100 percent, and the Critical limit must be higher than the Warning limit.


To configure Memory Usage health module settings:

Access: Maint/Admin 1. On the Health Policy Configuration page, select Memory Usage.

The Health Policy Configuration - Memory Usage page appears.

2. Select On for the Enabled option to enable use of the module for health status testing.

3. In the Critical Threshold % field, enter the percentage of memory usage that should trigger a critical health status.

4. In the Warning Threshold % field, enter the percentage of memory usage that should trigger a warning health status.

5. You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.

• To return to the Health Policy page without saving any of your settings for this module, click Cancel.

• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate appliances if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring PEP Status Monitoring

Requires: DC/MDC Supported Platforms: 3D9900

Use the PEP Status health status module to monitor the application of PEP rules to interface sets on a 3D9900. If PEP rules cannot be applied to interfaces in an interface set, this module generates an alert. That status data feeds into the health monitor.


To configure PEP Status health module settings:

Access: Maint/Admin 1. In the Health Policy Configuration page, select PEP Status.

The Health Policy Configuration - PEP Status monitor page appears.

2. Select On for the Enabled option to enable use of the module for health status testing.

3. You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.

• To return to the Health Policy page without saving any of your settings for this module, click Cancel.

• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate sensors if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring Power Supply Monitoring

Requires: DC/MDC Supported Platforms: Series 2 DC3000, MDC3000, 3D9900, 3Dx800, 3D3500, 3D4500, 3D6500

Use the Power Supply health status module to detect a power supply failure on a Series 2 DC3000 or MDC3000 Defense Center, or on a 3Dx800, 3D9900, 3D3500, 3D4500, or 3D6500 sensor. If the Power Supply module finds a power supply that has no power, the status classification for that module changes to No Power. If the module cannot detect the presence of the power supply, the status changes to Critical Error. That status data feeds into the health monitor. You can expand the Power Supply item on the Alert Detail list in the health monitor to see specific status items for each power supply.

Note that the Hardware Alarm module can be used in addition to the Power Supply module to monitor power supply health on the 3Dx800 sensor models.

To configure Power Supply health module settings:

Access: Maint/Admin 1. In the Health Policy Configuration page, select Power Supply.

The Health Policy Configuration - Power Supply monitor page appears.


2. Select On for the Enabled option to enable use of the module for health status testing.

3. You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.

• To return to the Health Policy page without saving any of your settings for this module, click Cancel.

• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate sensors if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring RNA Event Status Monitoring

Requires: DC/MDC Supported Platforms: Defense Center

Use the RNA Event Status module to monitor the health of the RNA process on a sensor from the Defense Center by generating alerts when too many seconds elapse between RNA events received by the Defense Center. You can configure the elapsed duration between events, in seconds, that causes an alert to be generated. If the wait exceeds the number of seconds configured in the Warning Seconds since last event limit, the status classification for that module changes to Warning. If the wait exceeds the Critical Seconds since last event limit, the status classification for that module changes to Critical. That status data feeds into the health monitor.

The maximum number of seconds you can set for either limit is 7200, and the Critical limit must be higher than the Warning limit. The minimum number of seconds is 3600.
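Every threshold module in this chapter applies the same two rules, that each limit lies inside a documented range and that Critical is higher than Warning, and the IPS Event Rate section gives a derivation (Events/Sec times 1.5 and 2.5, capped at 999) that can run into those rules on a busy segment. The following Python is an added example, not Sourcefire code, that collects the ranges stated for the Disk Usage, Memory Usage, eStreamer Process, IPS Process, MDC Event Service, IPS Event Rate, Event Stream Status, Health Monitor Process and RNA Event Status modules and carries the IPS Event Rate derivation through the cap. The guide states only a maximum for the percentage, restart and event-rate modules, so the lower bounds of 0 and 1 used for them are assumptions, as is rounding the derived limits up; the function names are the example's own.

```python
"""Added example: range and ordering checks for the health-module limits in
this chapter, plus the IPS Event Rate derivation from the Events/Sec statistic.
Not product code; lower bounds marked as assumed are this example's."""
import math
from typing import Dict, List, Tuple

# (minimum, maximum) accepted for both the Warning and the Critical limit.
# Maximums, and the minimums of the three "since last event" modules, are
# from the module descriptions; the other minimums are assumptions.
MODULE_BOUNDS: Dict[str, Tuple[int, int]] = {
    "Disk Usage": (0, 100),               # percent used (minimum assumed)
    "Memory Usage": (0, 100),             # percent used (minimum assumed)
    "eStreamer Process": (1, 100),        # tests that saw a restart (min assumed)
    "IPS Process": (1, 100),
    "MDC Event Service": (1, 100),
    "IPS Event Rate": (1, 999),           # events per second (minimum assumed)
    "Event Stream Status": (300, 600),    # seconds since last event
    "Health Monitor Process": (5, 144),   # minutes since last event
    "RNA Event Status": (3600, 7200),     # seconds since last event
}


def check_limits(module: str, warning: int, critical: int) -> List[str]:
    """Return the problems with a Warning/Critical pair; empty means acceptable."""
    lo, hi = MODULE_BOUNDS[module]
    problems = []
    for name, value in (("Warning", warning), ("Critical", critical)):
        if not lo <= value <= hi:
            problems.append(f"{module}: {name} limit {value} is outside {lo}-{hi}")
    if critical <= warning:
        problems.append(f"{module}: Critical limit must be higher than Warning limit")
    return problems


def ips_event_rate_limits(events_per_sec: float) -> Tuple[int, int]:
    """Derive (Warning, Critical) for IPS Event Rate from the observed Events/Sec.

    Warning = Events/Sec * 1.5 and Critical = Events/Sec * 2.5, as the guide
    recommends. Rounding up (assumed) keeps both limits above the observed
    average. A busy segment runs into the 999 cap; when the cap makes the two
    limits collide, Warning is pulled down so Critical stays the higher one.
    """
    if events_per_sec <= 0:
        raise ValueError("need a positive observed event rate")
    lo, hi = MODULE_BOUNDS["IPS Event Rate"]
    critical = min(hi, max(lo, math.ceil(events_per_sec * 2.5)))
    warning = min(hi, max(lo, math.ceil(events_per_sec * 1.5)))
    if warning >= critical:
        warning = critical - 1
    if warning < lo:
        raise ValueError("observed rate too low to derive two distinct limits")
    return warning, critical


if __name__ == "__main__":
    # Constructed inputs: the guide's 20 events/sec segment and two busier ones.
    for rate in (20, 500, 700):
        warning, critical = ips_event_rate_limits(rate)
        verdict = check_limits("IPS Event Rate", warning, critical) or ["ok"]
        print(f"{rate:>4} events/sec -> Warning {warning}, Critical {critical}: {verdict}")
    print(check_limits("Event Stream Status", 200, 400))
    print(check_limits("Disk Usage", 90, 80))
```

At 20 events per second the derivation reproduces the guide's 30 and 50. At 700 events per second both products exceed the cap, and without the collision handling you would end up with Warning and Critical both at 999, which the policy page rejects.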

Note that the RNA Health module was renamed to the RNA Event Status module in 4.9.1 and that the supported platforms changed from 3D Sensor to Defense Center in 4.9.1.

To configure RNA Event Status module settings:

Access: Maint/Admin

1. In the Health Policy Configuration page, select RNA Event Status.

The Health Policy Configuration - RNA Event Status page appears.


2. Select On for the Enabled option to enable use of the module for health status testing.

3. In the Critical Seconds since last event field, enter the maximum number of seconds to wait between events, before triggering a critical health status.

4. In the Warning Seconds since last event field, enter the maximum number of seconds to wait between events, before triggering a warning health status.

5. You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.

• To return to the Health Policy page without saving any of your settings for this module, click Cancel.

• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the Defense Center for your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring RNA Host Usage Monitoring

Requires: DC/MDC Supported Platforms: RNA

Use the RNA Host License Limit health status module to set RNA Host shortage limits. If the number of remaining RNA Hosts on the monitored sensor falls below the Warning Hosts limit, the status classification for that module changes to Warning. If the number of remaining RNA Hosts on the monitored sensor falls below the Critical Hosts limit, the status classification for that module changes to Critical. That status data feeds into the health monitor.

The maximum number of hosts you can set for either limit is 999, and the Critical limit must be higher than the Warning limit.

To configure RNA Host License Limit health module settings:

Access: Maint/Admin

1. In the Health Policy Configuration page, select RNA Host License Limit.

The Health Policy Configuration - RNA Host License Limit page appears.

2. Select On for the Enabled option to enable use of the module for health status testing.


3. In the Critical number Hosts field, enter the remaining number of available hosts that should trigger a critical health status.

4. In the Warning number Hosts field, enter the remaining number of available hosts that should trigger a warning health status.

5. You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.

• To return to the Health Policy page without saving any of your settings for this module, click Cancel.

• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate sensors if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring RNA Process Monitoring

Requires: DC/MDC Supported Platforms: RNA

Use the RNA Process health status module to set limits for the number of restarts that trigger a change in the health status.

The restart counter does not count actual restarts. Instead, at each test the module checks whether any restarts occurred since the previous test and, if so, increments the restart counter by one, regardless of how many restarts occurred in that period. The first time the module checks and no restarts have occurred since the last test, the module resets the counter to zero and lowers the alert level by one (for example, Critical is reduced to Warning or Warning is reduced to Normal). The second time the module checks and no restarts have occurred since the last test, the alert level resets to Normal.

If the module finds that the process is not running at all, it increments the restart counter by one, but sets the module status to Critical for that test, regardless of the limits set for the module. The status remains Critical until the module finds that the process is running. At that point, the module sets status according to the restart counter value and the configured limits for the module.

If the module checks the RNA process as many times as configured in the Warning Number of restarts limit, and each time one or more restarts have occurred, the status classification for that module changes to Warning. If the module checks the RNA process as many times as configured in the Critical Number of restarts limit, and each time one or more restarts have occurred, the status classification for that module changes to Critical. That status data feeds into the health monitor.


The maximum number of restarts you can set for either limit is 100, and the Critical limit must be higher than the Warning limit.
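The rules above form a small state machine; the following Python is an added model of it, not Sourcefire code and not taken from this guide. Each check records whether the process is running and whether any restart occurred since the previous check, increments the counter at most once per check, forces Critical while the process is down, and steps the level down one notch on a clean check. After an outage ends with a clean check, the model applies the same one-level step-down (an assumption made here; the text only says that status is then derived from the counter and the limits). The class and function names are invented.

```python
"""State machine for the RNA Process health module's restart counter.

Added example, not Sourcefire code. Rules modelled from the text: one
increment per check in which any restart occurred, Critical whenever the
process is not running, counter reset plus a one-level step-down on a
clean check. Applying the step-down after an outage is an assumption.
Class and function names are invented for this example.
"""
from typing import Iterable, List, Tuple

NORMAL, WARNING, CRITICAL = "Normal", "Warning", "Critical"
LEVELS = (NORMAL, WARNING, CRITICAL)   # ordered least to most severe
MAX_RESTART_LIMIT = 100                # upper bound for either limit


class RnaProcessMonitor:
    def __init__(self, warning_restarts: int, critical_restarts: int) -> None:
        if not 1 <= warning_restarts < critical_restarts <= MAX_RESTART_LIMIT:
            raise ValueError("need 1 <= Warning < Critical <= 100 restarts")
        self.warning_restarts = warning_restarts
        self.critical_restarts = critical_restarts
        self.restart_count = 0
        self.status = NORMAL

    def check(self, running: bool, restarted_since_last_check: bool) -> str:
        """Run one health test and return the module status after it."""
        if not running:
            # Counts as one restart, but status is Critical regardless of limits.
            self.restart_count += 1
            self.status = CRITICAL
        elif restarted_since_last_check:
            # Any number of restarts between tests adds exactly one.
            self.restart_count += 1
            self.status = self._status_from_count()
        else:
            # Clean check: counter back to zero and one level down, so a
            # second consecutive clean check always lands on Normal.
            self.restart_count = 0
            self.status = LEVELS[max(LEVELS.index(self.status) - 1, 0)]
        return self.status

    def _status_from_count(self) -> str:
        if self.restart_count >= self.critical_restarts:
            return CRITICAL
        if self.restart_count >= self.warning_restarts:
            return WARNING
        return NORMAL


def simulate(warning_restarts: int, critical_restarts: int,
             observations: Iterable[Tuple[bool, bool]]) -> List[str]:
    """Statuses reported for a sequence of (running, restarted) observations."""
    monitor = RnaProcessMonitor(warning_restarts, critical_restarts)
    return [monitor.check(running, restarted) for running, restarted in observations]


if __name__ == "__main__":
    # Constructed observation sequence: four checks with restarts, two clean
    # checks, a two-check outage, one restart after recovery, then a clean check.
    sample = ([(True, True)] * 4 + [(True, False)] * 2
              + [(False, False)] * 2 + [(True, True), (True, False)])
    for obs, status in zip(sample, simulate(2, 4, sample)):
        print(obs, "->", status)
```

Running the sample with Warning = 2 and Critical = 4 shows the two properties an operator cares about: a flapping process reaches Critical only after the configured number of consecutive restart-bearing checks, and recovery is gradual rather than an immediate jump back to Normal.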

To configure RNA Process health module settings:

Access: Maint/Admin

1. In the Health Policy Configuration page, select RNA Process.

The Health Policy Configuration - RNA Process page appears.

2. Select On for the Enabled option to enable use of the module for health status testing.

3. In the Critical Number of restarts field, enter the number of process restarts that should trigger a critical health status.

4. In the Warning Number of restarts field, enter the number of process restarts that should trigger a warning health status.

5. You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.

• To return to the Health Policy page without saving any of your settings for this module, click Cancel.

• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate sensors if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring Time Synchronization Monitoring

Requires: DC/MDC Supported Platforms: Defense Center

Use the Time Synchronization Status module to detect when the time on a managed sensor that uses NTP to obtain time from an NTP server differs by 10 seconds or more from the time on the server.


To configure time synchronization monitoring settings:

Access: Maint/Admin

1. In the Health Policy Configuration page, select Time Synchronization Status.

The Health Policy Configuration - Time Synchronization Status monitor page appears.

2. Select On for the Enabled option to enable use of the module for health status testing.

3. You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.

• To return to the Health Policy page without saving any of your settings for this module, click Cancel.

• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate sensors if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Configuring Traffic Status Monitoring

Requires: DC/MDC Supported Platforms: IPS, RNA

Use the Traffic Status health status module to detect whether a sensor receives traffic. If the Traffic Status module determines that a sensor does not receive traffic, the status classification for that module changes to Critical. That status data feeds into the health monitor.

WARNING! If you enable the Traffic Status module on a sensor where there are unused interfaces that are included in an interface set associated with a detection engine, the module interprets the idleness of the port as a traffic failure and alerts on traffic status. To prevent alerting on idle interfaces, remove those interfaces from all interface sets associated with detection engines. For more information on managing interface sets, see Editing an Interface Set on page 221.


To configure Traffic Status health module settings:

Access: Maint/Admin

1. In the Health Policy Configuration page, select Traffic Status.

The Health Policy Configuration - Traffic Status monitor page appears.

2. Select On for the Enabled option to enable use of the module for health status testing.

3. You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.

• To return to the Health Policy page without saving any of your settings for this module, click Cancel.

• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

You must apply the health policy to the appropriate sensors if you want your settings to take effect. See Applying Health Policies on page 528 for more information.

Applying Health Policies

Requires: DC/MDC

When you apply a health policy to an appliance, the health tests for all the modules you enabled in the policy automatically monitor the health of the processes and hardware on the appliance. Health tests then continue to run at the intervals you configured in the policy, collecting health data for the appliance and forwarding that data to the Defense Center.

If you enable a module in a health policy and then apply the policy to an appliance that does not require that health test, the health monitor reports the status for that health module as disabled.

If you apply a policy with all modules disabled to an appliance, it removes all applied health policies from the appliance so no health policy is applied.

When you apply a different policy to an appliance that already has a policy applied, expect some latency in the display of new data based on the newly applied tests.

IMPORTANT! Default health policies are not replicated between Defense Centers in a high availability pair. Each appliance uses the local default health policy configured for that appliance.


You cannot apply a health policy to RNA Software for Red Hat Linux.

To apply a health policy:

Access: Maint/Admin

1. Select Operations > Monitoring > Health.

The Health Monitor page appears.

2. Click Health Policy in the health monitor toolbar.

The Health Policy page appears.

3. Click Apply next to the policy you want to apply.

The Health Policy Apply page appears.

TIP! The status icon next to the Health Policy column ( ) indicates the current health status for the appliance. The status icon next to the System Policy column ( ) indicates the communication status between the Defense Center and the sensor. Note that you can remove the currently applied policy by clicking the remove icon ( ).

4. Check the appliances where you want to apply the health policy.

5. Click Apply to apply the policy to the selected appliances.

The Health Policy page appears, with a message indicating if the application of the policy was successful. Monitoring of the appliance starts as soon as the policy is successfully applied.


To unapply a health policy:

Access: Maint/Admin

1. Select Operations > Monitoring > Health.

The Health Monitor page appears.

2. Click Health Policy in the health monitor toolbar.

The Health Policy page appears.

3. Click Apply next to the policy you want to apply.

The Health Policy Apply page appears.

4. You have two options:

• Apply a health policy with all modules disabled.

• Click the x next to the health policy.

Under Health Policy, the status None appears.

Editing Health Policies

Requires: DC/MDC

You can modify a health policy by enabling or disabling modules or by changing module settings. If you modify a policy that is already applied to an appliance, the changes do not take effect until you reapply the policy.


Applicable health modules for various appliances are listed in the Health Modules Applicable to Appliances table.

Health Modules Applicable to Appliances

Module                                  Applicable Appliance
Appliance Heartbeat                     Defense Center
Automatic Application Bypass Status     3D Sensors, except 3D9900
CPU Temperature                         3Dx800 Only
CPU Usage                               All except 3D9900
Card Reset                              All
Data Correlator Process                 All
Defense Center Status                   Master Defense Center
Disk Usage                              All
eStreamer Process                       Defense Center
Event Stream Status                     Master Defense Center
Fan Alarm                               3Dx800
Hardware Alarms                         3Dx800 and 3D9900
Health Monitor Process                  Defense Center
IPS Event Rate                          3D Sensors with IPS
IPS Process                             3D Sensors with IPS
Link State Propagation                  3D Sensors with IPS
MDC Event Service                       Master Defense Center
Memory Usage                            All
PEP Status                              3D9900
Power Supply                            Series 2 DC3000, MDC3000, 3Dx800, 3D3500, 3D4500, and 3D6500
RNA Health                              Defense Center
RNA Host License Limit                  Defense Center
RNA Process                             3D Sensors with RNA
Time Synchronization Status             Defense Center
Traffic Status                          3D Sensors with IPS, 3D Sensors with RNA

To edit a health policy:

Access: Maint/Admin

1. Select Operations > Monitoring > Health.

The Health Monitor page appears.

2. Click Health Policy in the health monitor toolbar.

The Health Policy page appears.

3. Click Edit next to the policy you want to modify.

The Health Policy Configuration page appears, with the Policy Run Time Interval settings selected.

4. Modify settings as needed, as described in the following sections:

• Configuring Policy Run Time Intervals on page 500

• Configuring Appliance Heartbeat Monitoring on page 501

• Configuring Automatic Application Bypass Monitoring on page 502

• Configuring CPU Temperature Monitoring on page 503

• Configuring CPU Usage Monitoring on page 504

• Configuring Card Reset Monitoring on page 505

• Configuring Data Correlator Process Monitoring on page 506

• Configuring Defense Center Status on page 507

• Configuring Disk Usage Monitoring on page 508

• Configuring eStreamer Process Monitoring on page 509

• Configuring Event Stream Monitoring on page 511

• Configuring Fan Monitoring on page 512

• Configuring Hardware Monitoring on page 513

• Configuring Health Status Monitoring

• Configuring IPS Event Rate Monitoring on page 515

• Configuring IPS Process Monitoring on page 516

• Configuring Link State Propagation Monitoring on page 518

• Configuring MDC Event Service Monitoring on page 519

• Configuring Memory Usage Monitoring on page 520

• Configuring PEP Status Monitoring on page 521

• Configuring Power Supply Monitoring on page 522

• Configuring RNA Event Status Monitoring on page 523

• Configuring RNA Host Usage Monitoring on page 524

• Configuring RNA Process Monitoring on page 525

• Configuring Time Synchronization Monitoring on page 526

• Configuring Traffic Status Monitoring on page 527

5. You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit.

• To return to the Health Policy page without saving any of your settings for this module, click Cancel.

• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel, you discard all changes.

6. Reapply the policy to the appropriate appliances as described in Applying Health Policies on page 528.

Deleting Health Policies

Requires: DC/MDC

You can delete health policies that you no longer need. If you delete a policy that is still applied to an appliance, the policy settings remain in effect until you apply a different policy. In addition, if you delete a health policy that is applied to a sensor, any health monitoring alerts in effect for the sensor remain active until you deactivate the underlying associated alert. For more information on deactivating alerts, see Activating and Deactivating Alerts in the Analyst Guide.

TIP! To stop health monitoring for an appliance, create a health policy with all modules disabled and apply it to the appliance. For more information on creating health policies, see Creating Health Policies on page 497. For more information on applying health policies, see Applying Health Policies on page 528.

To delete a health policy:

Access: Maint/Admin

1. Select Operations > Monitoring > Health.

The Health Monitor page appears.

2. Click Health Policy in the health monitor toolbar.

The Health Policy page appears.

3. Click Delete next to the policy you want to delete.

A message appears, indicating if the deletion was successful.

Using the Health Monitor Blacklist

In the course of normal network maintenance, you disable appliances or make them temporarily unavailable. Because those outages are deliberate, you do not want the health status from those appliances to affect the summary health status on your Defense Center or Master Defense Center.

You can use the health monitor blacklist feature to disable health monitoring status reporting on an appliance, module, or detection engine. For example, if you know that a segment of your network will be unavailable, you can temporarily disable health monitoring for a 3D Sensor on that segment to prevent the health status on the Defense Center from displaying a warning or critical state because of the lapsed connection to the 3D Sensor.

When you disable health monitoring status, health events are still generated, but they have a disabled status and do not affect the health status for the health monitor. If you remove the appliance, module, or detection engine from the blacklist, the events that were generated during the blacklisting continue to show a status of disabled.

To temporarily disable health events from an appliance, go to the Blacklist configuration page and add the appliance to the blacklist. After the setting takes effect, the appliance is no longer included when the overall health status is calculated. The Health Monitor Appliance Status Summary lists the appliance as disabled.

At times it may be more practical to just blacklist an individual health monitoring module on an appliance or detection engine. For example, when you run out of RNA host licenses on an appliance, you can blacklist the RNA Host License Limit status messages until you install a new license with more hosts.

Make sure to remove all unused sensing interfaces from any interface sets in use by a detection engine so health monitoring alerts do not generate for those interfaces.

Note that on the main Health Monitor page you can distinguish between appliances that are blacklisted if you expand to view the list of appliances with a particular status by clicking the arrow in that status row. For more information on expanding that view, see Using the Health Monitor on page 545.

A blacklist icon ( ) and a notation are visible once you expand the view for a blacklisted or partially blacklisted appliance.

IMPORTANT! On a Defense Center, Health Monitor blacklist settings are system settings. Therefore if you blacklist a sensor, then delete it and later re-register it with the Defense Center, the blacklist settings remain persistent. The newly re-registered sensor remains blacklisted.
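To make the blacklist semantics described in this section concrete, the following Python is an added model; it is not Sourcefire code and does not come from this guide. Events from a blacklisted appliance, module, or detection engine are still generated but carry a disabled status and are left out of the summary status; an appliance with some modules blacklisted is reported as Part Blacklisted and one with every module blacklisted as All Modules Blacklisted, with the blacklisted/total detection-engine notation shown beside a module that has engines. Blacklist entries are keyed by appliance name, which is one simple way to get the persistence the IMPORTANT note describes for a sensor that is deleted and re-registered. All class, function and sample names here are invented, and the sample events are constructed.

```python
"""Blacklist-aware health summary.

Added example, not Sourcefire code. Models the behaviour described in the
guide: blacklisted events keep being generated with a 'disabled' status and
are excluded from the summary; appliances show Part Blacklisted or All
Modules Blacklisted; modules with detection engines show 'blacklisted/total'.
Names are invented and the sample events are constructed.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set, Tuple

SEVERITY = {"Normal": 0, "Warning": 1, "Critical": 2}
DISABLED = "disabled"


@dataclass(frozen=True)
class HealthEvent:
    appliance: str
    module: str
    status: str                      # Normal, Warning or Critical
    engine: Optional[str] = None     # detection engine, for modules that have one


@dataclass
class Blacklist:
    # Keyed by appliance name, so a re-registered appliance with the same
    # name is still matched (persistence the guide's IMPORTANT note describes).
    appliances: Set[str] = field(default_factory=set)
    modules: Set[Tuple[str, str]] = field(default_factory=set)        # (appliance, module)
    engines: Set[Tuple[str, str, str]] = field(default_factory=set)   # (appliance, module, engine)

    def covers(self, ev: HealthEvent) -> bool:
        """Whole appliance, one module, or one detection engine of a module."""
        return (ev.appliance in self.appliances
                or (ev.appliance, ev.module) in self.modules
                or (ev.engine is not None
                    and (ev.appliance, ev.module, ev.engine) in self.engines))


def effective_status(ev: HealthEvent, bl: Blacklist) -> str:
    """The event is still generated; blacklisting only changes its status."""
    return DISABLED if bl.covers(ev) else ev.status


def overall_status(events: Iterable[HealthEvent], bl: Blacklist) -> str:
    """Most severe non-disabled status, as the summary health status would show."""
    live = [s for s in (effective_status(e, bl) for e in events) if s != DISABLED]
    if not live:
        return DISABLED
    return max(live, key=SEVERITY.__getitem__)


def appliance_summary(events: Iterable[HealthEvent], bl: Blacklist, appliance: str) -> str:
    """Status line for one appliance in the expanded Appliance Status Summary."""
    if appliance in bl.appliances:
        return DISABLED
    statuses = [effective_status(e, bl) for e in events if e.appliance == appliance]
    if not statuses:
        return "no events"
    blacklisted = statuses.count(DISABLED)
    if blacklisted == len(statuses):
        return "All Modules Blacklisted"
    if blacklisted:
        return "Part Blacklisted"
    return max(statuses, key=SEVERITY.__getitem__)


def engine_notation(bl: Blacklist, appliance: str, module: str, engines: List[str]) -> str:
    """'blacklisted engines/total engines' shown after a module with detection engines."""
    if appliance in bl.appliances or (appliance, module) in bl.modules:
        blacklisted = len(engines)
    else:
        blacklisted = sum((appliance, module, eng) in bl.engines for eng in engines)
    return f"{blacklisted}/{len(engines)}"


# Constructed sample events (not real health data).
SAMPLE_EVENTS = [
    HealthEvent("sensor-a", "Traffic Status", "Critical", engine="rna-eng1"),
    HealthEvent("sensor-a", "Traffic Status", "Normal", engine="ips-eng1"),
    HealthEvent("sensor-a", "Disk Usage", "Warning"),
    HealthEvent("sensor-b", "CPU Usage", "Critical"),
]

if __name__ == "__main__":
    bl = Blacklist(engines={("sensor-a", "Traffic Status", "rna-eng1")})
    print("overall:", overall_status(SAMPLE_EVENTS, bl))
    print("sensor-a:", appliance_summary(SAMPLE_EVENTS, bl, "sensor-a"),
          engine_notation(bl, "sensor-a", "Traffic Status", ["rna-eng1", "ips-eng1"]))
```

The sample shows the operational point of the TIP later in this section: blacklisting the idle RNA detection engine removes only that engine's Traffic Status alert, while the sensor's Disk Usage warning and the other sensor's CPU alert still reach the summary.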

Blacklisting Health Policies or Appliances

Requires: DC/MDC

If you want to set health events to disabled for all appliances with a particular health policy, you can blacklist the policy. If you need to disable the results of a group of appliances’ health monitoring, you can blacklist the group of appliances. Once the blacklist settings take effect, the appliances report a disabled status in the Appliance Status Summary.

Note that if your Defense Center is in a high availability configuration, you can blacklist a managed sensor on one HA peer and not the other. You can also blacklist the HA peer to cause it to mark events generated by it and the sensors from which it receives health events as disabled.

TIP! You can blacklist 3D Sensors only from a Defense Center, not a Master Defense Center. You cannot blacklist intrusion agents.

To blacklist an entire health policy or group of appliances:

Access: Maint/Admin

1. Select Operations > Monitoring > Health.

The Health Monitor page appears.

2. On the toolbar, click Blacklist.

The Blacklist page appears.


3. Use the drop-down list on the right to sort the list by group, policy, or model. (On a Master Defense Center, sort the list by group, manager, policy or model. Groups on a Defense Center are 3D Sensors. Groups on a Master Defense Center are appliances.)

TIP! The status icon next to the Health Policy column ( ) indicates the current health status for the appliance. The status icon next to the System Policy column ( ) indicates the communication status between the Defense Center and the sensor. Note that you can remove the currently applied policy by clicking the remove icon ( ).

4. To blacklist all appliances in a group, model, or policy category, select the category then click Apply. (On a Master Defense Center, to blacklist all appliances associated with a manager, select the manager then click Apply.)

The page refreshes, now indicating the blacklisted state of the appliances.

Blacklisting an Appliance

If you need to set the events and health status for an individual appliance to disabled, you can blacklist the appliance. Once the blacklist settings take effect, the appliance shows as disabled in the Health Monitor Appliance Module Summary and health events for the appliance have a status of disabled.

To blacklist an individual appliance:

Access: Maint/Admin

1. Select Operations > Monitoring > Health.

The Health Monitor page appears.

2. On the toolbar, click Blacklist.

The Blacklist page appears.

3. Use the drop-down list on the right to sort the list by appliance group, model, or by policy. (On a Master Defense Center, sort the list by group, manager, policy or model.)


4. To blacklist an individual appliance, select and expand a category folder, select the box next to the appropriate appliance, then click Apply.

The page refreshes and indicates the blacklisted state of the appliances. To blacklist individual health policy modules, click Edit and see Blacklisting a Health Policy Module on page 537.

Blacklisting a Health Policy Module

Requires: DC/MDC

You can blacklist individual health policy modules on appliances. You may want to do this to prevent events from the module from changing the status for the appliance to warning or critical.

For some modules, you can blacklist that module for a specific detection engine. For example, if you know you are going to disable the RNA detection engine on a sensor and do not want traffic status alerts to change the status for the sensor, you can blacklist the Traffic Status module for that detection engine.

Note that modules that allow you to select a specific detection engine have an arrow next to the module. When any part of a module is blacklisted, the line for that module appears in boldface type in the Defense Center web interface. In addition, the interface indicates the following information in parentheses after each module with detection engines: number of blacklisted detection engines/maximum number of detection engines.

Defense Center Only

Specific health policy modules operate for a Defense Center. When blacklisting modules for Defense Centers, only include the following modules:

• Appliance Heartbeat

• CPU Usage

• Data Correlator Process

• Disk Usage

• eStreamer Process

• Health Monitor Process

• MDC Event Service

• Memory Usage

• Time Synchronization Status


• Power Supply

• RNA Host License Limit

Master Defense Center Only

Specific health policy modules operate for a Master Defense Center. When blacklisting modules for Master Defense Centers, only include the following modules:

• CPU Usage

• Data Correlator Process

• Defense Center Status

• Disk Usage

• Event Stream Status

• Memory Usage

• Power Supply

For details about applicable modules on all appliances, see the Health Modules Applicable to Appliances table on page 531.

TIP! Once the blacklist settings take effect, the appliance shows as Part Blacklisted or All Modules Blacklisted in the Blacklist page and in the Appliance Health Monitor Module Status Summary but only in expanded views on the main Appliance Status Summary page. Make sure that you keep track of individually blacklisted modules so you can reactivate them when you need them. You may miss necessary warning or critical messages if you accidentally leave a module disabled.

To blacklist an individual health policy module:

Access: Maint/Admin

1. Select Operations > Monitoring > Health.

The Health Monitor page appears.

2. On the toolbar, click Blacklist.

The Blacklist page appears.


3. Sort by Group, Policy, or Model, then click Edit to display the list of health policy modules.

The health policy modules appear.

4. You have two options:

• Select each module that you want to blacklist.

• Expand the detection engine list by clicking on the arrow next to modules with detection engine lists, then select each detection engine for which you want to blacklist the module.

5. Click Save.

Configuring Health Monitor Alerts

You can set up alerts to notify you through email, through SNMP, or through the system log when the status changes for the modules in a health policy. You can associate an existing alert with health event levels to cause that alert to trigger when health events of a particular level occur.


For example, if you are concerned that your appliances may run out of hard disk space, you can automatically send an email to a system administrator when the remaining disk space reaches the warning level. If the hard drive continues to fill, you can send a second email when the hard drive reaches the critical level.

For more information, see the following topics:

• Preparing to Create a Health Alert on page 540

• Creating Health Monitor Alerts on page 540

• Interpreting Health Monitor Alerts on page 542

• Editing Health Monitor Alerts on page 543

• Deleting Health Monitor Alerts on page 544

Preparing to Create a Health Alert

Requires: DC/MDC

If you want to create a health alert, you first need to create the underlying alert that you associate to the health alert. If you want to use email alerting, you also need to set up your email relay host in your system policy and re-apply that policy.

To prepare your system for alerting:

Access: Admin

1. If you plan to use email alerting:

• Select Operations > System Policy.

• Create a new policy or click Edit next to an existing one.

• In the policy, click Email Notification.

• Enter the name of the Mail Relay Host.

• Click Save Policy and Exit.

• Click Apply and apply the policy to the Defense Center where you plan to create the health alert.

2. Create email, SNMP, or syslog alerts you want to associate with health alerts:

• For more information on creating syslog alerts, see Creating Syslog Alerts in the Analyst Guide.

• For more information on creating email alerts, see Creating Email Alerts in the Analyst Guide.

• For more information on creating SNMP alerts, see Creating SNMP Alerts in the Analyst Guide.

Continue with Creating Health Monitor Alerts on page 540.

Creating Health Monitor Alerts

Requires: DC/MDC

When you create a health monitor alert, you create an association between a severity level, a health module, and an alert. You can use an existing alert or configure a new one specifically to report on system health. For more information on creating the alert, see Preparing to Create a Health Alert on page 540. When the severity level occurs for the selected module, the associated alert triggers.

Note that if you create or update a threshold in a way that duplicates an existing threshold, you are notified of the conflict. When duplicate thresholds exist, the health monitor uses the threshold that generates the fewest alerts and ignores the others. The timeout value for the threshold must be between 5 and 4,294,967,295 minutes.

To create health monitor alerts:

Access: Admin

1. Select Operations > Monitoring > Health.

The Health Monitor page appears.

2. Click Health Monitor Alerts in the health monitor toolbar.

The Health Monitor Alerts page appears.

3. Type a name for the health alert in the Health Alert Name field.

4. From the Severity list, select the severity level you want to use to trigger the alert.

5. From the Module list, select the modules for which you want the alert to apply.

TIP! To select multiple modules, press Shift + Ctrl and click the module names.


6. From the Alert list, select the alert which you want to trigger when the selected severity level is reached.

TIP! Click Alerts in the toolbar to open the Alerts page. For more information on creating alerts, see Creating Alerts in the Analyst Guide.

7. In the Threshold Timeout field, type the number of minutes that should elapse before each threshold period ends and the threshold count resets.

8. Click Save to save the health alert.

A message appears, indicating if the alert configuration was successfully saved. The Active Health Alerts list now includes the alert you created.

Interpreting Health Monitor Alerts

The alerts generated by the health monitor contain the following information:

• Severity, which indicates the severity level of the alert.

• Module, which specifies the health module whose test results triggered the alert.

• Description, which includes the health test results that triggered the alert.

For more information on health alert severity levels, see the Alert Severities table.

For more information on health modules, see Understanding Health Modules on page 485.

Alert Severities

Severity    Description
Critical    The health test results met the criteria to trigger a Critical alert status.
Warning     The health test results met the criteria to trigger a Warning alert status.
Normal      The health test results met the criteria to trigger a Normal alert status.
Error       The health test did not run.
Recovered   The health test results met the criteria to return to a normal alert status, following a Critical or Warning alert status.
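The association described above (a severity level and one or more modules mapped to an underlying email, SNMP, or syslog alert, with a threshold timeout) and the duplicate-threshold rule, modelled in Python as an added example; this is not Sourcefire code. The HealthEvent record, the HealthAlertEngine, and two simplifications are assumptions of the model: one notification is sent per rule, appliance, and module within each threshold period, and of two duplicate thresholds the one with the longer timeout is taken to be the one that generates the fewest alerts.

```python
# Added example: a model of health monitor alert evaluation. Not Sourcefire code;
# the HealthEvent format and the one-notification-per-threshold-period rule are
# assumptions of this model.
from dataclasses import dataclass
from datetime import datetime, timedelta

SEVERITIES = ("Critical", "Warning", "Normal", "Error", "Recovered")
MIN_TIMEOUT_MIN, MAX_TIMEOUT_MIN = 5, 4_294_967_295   # threshold timeout bounds from the guide


@dataclass(frozen=True)
class HealthAlertRule:
    name: str               # Health Alert Name
    severity: str           # severity that triggers the alert
    modules: frozenset      # selected health modules
    alert: str              # underlying email/SNMP/syslog alert to fire
    threshold_timeout: int  # minutes until the threshold period ends and the count resets

    def __post_init__(self):
        if self.severity not in SEVERITIES:
            raise ValueError(f"unknown severity {self.severity!r}")
        if not MIN_TIMEOUT_MIN <= self.threshold_timeout <= MAX_TIMEOUT_MIN:
            raise ValueError("threshold timeout must be between 5 and 4,294,967,295 minutes")

    def duplicates(self, other):
        """Two thresholds are duplicates when they map the same severity and modules to the same alert."""
        return (self.severity, self.modules, self.alert) == (other.severity, other.modules, other.alert)


@dataclass(frozen=True)
class HealthEvent:
    time: datetime
    sensor: str
    module: str
    severity: str
    description: str


class HealthAlertEngine:
    def __init__(self):
        self.rules = []
        self._window_start = {}   # (rule name, sensor, module) -> start of the current threshold period

    def add_rule(self, rule):
        """Add a rule. On a duplicate, keep the one that generates the fewest alerts
        (assumed here: the longer threshold timeout) and return a conflict notice."""
        for i, existing in enumerate(self.rules):
            if existing.duplicates(rule):
                keep = max(existing, rule, key=lambda r: r.threshold_timeout)
                self.rules[i] = keep
                return f"conflict: {rule.name} duplicates {existing.name}; using {keep.name}"
        self.rules.append(rule)
        return None

    def evaluate(self, event):
        """Return [(rule name, alert name)] for the notifications this event triggers."""
        fired = []
        for rule in self.rules:
            if rule.severity != event.severity or event.module not in rule.modules:
                continue
            key = (rule.name, event.sensor, event.module)
            start = self._window_start.get(key)
            if start is not None and event.time - start < timedelta(minutes=rule.threshold_timeout):
                continue   # still inside the threshold period: suppressed
            self._window_start[key] = event.time
            fired.append((rule.name, rule.alert))
        return fired


def demo():
    """Constructed sample: one sensor, a Disk Usage critical rule, a CPU Usage recovered rule,
    and a duplicate of the disk rule. Returns the conflict notice and the notifications sent
    as (minutes after t0, rule name, alert name)."""
    engine = HealthAlertEngine()
    engine.add_rule(HealthAlertRule("disk-critical", "Critical", frozenset({"Disk Usage"}), "ops-email", 30))
    engine.add_rule(HealthAlertRule("cpu-recovered", "Recovered", frozenset({"CPU Usage"}), "ops-syslog", 5))
    conflict = engine.add_rule(
        HealthAlertRule("disk-critical-dup", "Critical", frozenset({"Disk Usage"}), "ops-email", 10))
    t0 = datetime(2011, 3, 1, 9, 0)
    stream = [
        HealthEvent(t0, "sensor-1", "Disk Usage", "Critical", "Disk usage 96%"),
        HealthEvent(t0 + timedelta(minutes=10), "sensor-1", "Disk Usage", "Critical", "Disk usage 97%"),
        HealthEvent(t0 + timedelta(minutes=12), "sensor-1", "CPU Usage", "Warning", "CPU usage 85%"),
        HealthEvent(t0 + timedelta(minutes=20), "sensor-1", "CPU Usage", "Recovered", "CPU usage 40%"),
        HealthEvent(t0 + timedelta(minutes=35), "sensor-1", "Disk Usage", "Critical", "Disk usage 98%"),
    ]
    sent = [(int((ev.time - t0).total_seconds() // 60), rule, alert)
            for ev in stream for (rule, alert) in engine.evaluate(ev)]
    return conflict, sent


if __name__ == "__main__":
    notice, sent = demo()
    print(notice)
    for row in sent:
        print(row)
```

The second Disk Usage event, ten minutes into a 30-minute threshold period, is suppressed; the third, at 35 minutes, starts a new period and fires again. The CPU Warning event fires nothing because no rule maps Warning on CPU Usage to an alert, which is the usual cause of "the module went yellow but nobody was told".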


Editing Health Monitor Alerts

Requires: DC/MDC

You can edit existing health monitor alerts to change the severity level, health module, or alert associated with the health monitor alert.

To edit health monitor alerts:

Access: Admin

1. Select Operations > Monitoring > Health.

The Health Monitor page appears.

2. Click Health Monitor Alerts in the health monitor toolbar.

The Health Monitor Alerts page appears.

3. Select the alert you want to modify in the Active Health Alerts list.

4. Click Load to load the configured settings for the selected alert.

5. Modify settings as needed. For more information, see Creating Health Monitor Alerts on page 540.

6. Click Save to save the modified health alert.

A message appears, indicating if the alert configuration was successfully saved.


Deleting Health Monitor Alerts

Requires: DC/MDC

You can delete existing health monitor alerts.

IMPORTANT! Deleting a health monitor alert does not delete the associated alert. You must deactivate or delete the underlying alert to ensure that alerting does not continue. For more information on deactivating alerts, see Activating and Deactivating Alerts in the Analyst Guide. For more information on deleting alerts, see Deleting Alerts in the Analyst Guide.

To delete health monitor alerts:

Access: Admin

1. Select Operations > Monitoring > Health.

The Health Monitor page appears.

2. Click Health Monitor Alerts in the health monitor toolbar.

The Health Monitor Alerts page appears.

3. Select the alert you want to delete in the Active Health Alerts list.

4. Click Delete.

A message appears, indicating if the alert configuration was successfully deleted.

Chapter 16

Reviewing Health Status

You can obtain information about the health of your Sourcefire 3D System through the Health Monitor. Administrators can create and apply a health policy to an appliance. The Health Monitor then generates health events to indicate the current status of any aspects of appliance health that you chose to monitor. For more information on viewing the health status of your appliance, see the following topics:

• Using the Health Monitor on page 545

• Using Appliance Health Monitors on page 547

• Working with Health Events on page 555

Using the Health Monitor

Requires: DC/MDC

The Health Monitor page provides the compiled health status for all sensors managed by the Defense Center, plus the Defense Center. The Status table provides a count of the managed appliances for this Defense Center by overall health status. The pie chart supplies another view of the health status breakdown, indicating the percentage of appliances currently in each health status category.


To use the health monitor:

Access: Maint/Admin/Any Analyst except Restricted

1. Click Health Monitor on the toolbar.

The Health Monitor page appears.

2. Select the appropriate status in the Status column of the table, or the appropriate portion of the pie chart, to list the appliances with that status.

TIP! If the arrow in the row for a status level points down, the appliance list for that status shows in the lower table. If the arrow points right, the appliance list is hidden.

The following topics provide details on the tasks you can perform from the Health Monitor page:

• Interpreting Health Monitor Status on page 547

• Using Appliance Health Monitors on page 547

• Configuring Health Policies on page 489

• Configuring Health Monitor Alerts on page 539


Interpreting Health Monitor Status

Available status categories, by severity, include Error, Critical, Warning, Normal, Recovered, and Disabled, as described in the Health Status Indicator table.

Using Appliance Health Monitors

Requires: DC/MDC

The Appliance health monitor provides a detailed view of the health status of an appliance.

IMPORTANT! Your browser session will not be automatically timed out while you are viewing the Health Monitor page. A browser left open on this page therefore stays logged in indefinitely; close it or lock the workstation before leaving it unattended.

Health Status Indicator

Status Level   Status Color   Description
Error          White          Indicates that at least one health monitoring module has failed on the appliance and has not been successfully re-run since the failure occurred. Contact your technical support representative to obtain an update to the health monitoring module.
Critical       Red            Indicates that the critical limits have been exceeded for at least one health module on the appliance and the problem has not been corrected.
Warning        Yellow         Indicates that warning limits have been exceeded for at least one health module on the appliance and the problem has not been corrected.
Normal         Green          Indicates that all health modules on the appliance are running within the limits configured in the health policy applied to the appliance.
Recovered      Green          Indicates that all health modules on the appliance are running within the limits configured in the health policy applied to the appliance, including modules that were in a Critical or Warning state.
Disabled       Blue           Indicates that an appliance is disabled or blacklisted, that the appliance does not have a health policy applied to it, or that the appliance is currently unreachable.
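How per-module states roll up into the single status shown for an appliance, following this table together with the module-level Appliance Health Status Indicator table in the next section, as an added Python model that is not Sourcefire code. The precedence Error over Critical over Warning, the limit comparison in module_status, and the way Disabled modules are left out of the roll-up are assumptions of the model, not documented behaviour.

```python
# Added example: rolling module-level health states up into the appliance-level
# status of the Health Monitor page, following the two status indicator tables.
# Not Sourcefire code; the Error > Critical > Warning precedence, the limit
# comparison, and how Disabled modules are skipped are assumptions of this model.
from enum import IntEnum


class Status(IntEnum):
    DISABLED = 0    # blue: module/appliance disabled, blacklisted, no policy, or unreachable
    NORMAL = 1      # green: within the limits of the applied health policy
    RECOVERED = 2   # green: back within limits after Critical or Warning
    WARNING = 3     # yellow: warning limit exceeded and not corrected
    CRITICAL = 4    # red: critical limit exceeded and not corrected
    ERROR = 5       # white: the health test failed and has not run successfully since


COLOR = {Status.DISABLED: "blue", Status.NORMAL: "green", Status.RECOVERED: "green",
         Status.WARNING: "yellow", Status.CRITICAL: "red", Status.ERROR: "white"}


def module_status(test_ran, value, warning_limit, critical_limit, previous=Status.NORMAL):
    """Status of one module after a test run. Assumes a "higher is worse" metric
    (e.g. percent of disk or CPU used) with warning_limit <= critical_limit."""
    if not test_ran:
        return Status.ERROR
    if value >= critical_limit:
        return Status.CRITICAL
    if value >= warning_limit:
        return Status.WARNING
    if previous in (Status.CRITICAL, Status.WARNING):
        return Status.RECOVERED          # back within limits after a Critical or Warning state
    return Status.NORMAL


def appliance_status(modules, policy_applied=True, reachable=True, blacklisted=False):
    """Overall status for one appliance from its {module name: Status} map."""
    if not policy_applied or not reachable or blacklisted:
        return Status.DISABLED
    active = [s for s in modules.values() if s != Status.DISABLED]
    if not active:
        return Status.DISABLED
    worst = max(active)
    if worst >= Status.WARNING:          # an Error, Critical or Warning module decides the status
        return worst
    return Status.RECOVERED if Status.RECOVERED in active else Status.NORMAL


def summary(appliances):
    """Counts per status, as in the Status table on the Health Monitor page.
    appliances maps a name to the keyword arguments of appliance_status."""
    counts = {s: 0 for s in Status}
    for state in appliances.values():
        counts[appliance_status(**state)] += 1
    return counts


def demo():
    """Constructed sample: two policy runs on one sensor, then a three-sensor fleet summary."""
    # run 1: disk over the critical limit, CPU fine, the hardware test failed to run
    run1 = {
        "Disk Usage": module_status(True, 96, 80, 90),
        "CPU Usage": module_status(True, 40, 80, 90),
        "Hardware Alarms": module_status(False, 0, 1, 1),
    }
    # run 2: disk back under the limits, hardware test ran clean
    run2 = {
        "Disk Usage": module_status(True, 70, 80, 90, previous=run1["Disk Usage"]),
        "CPU Usage": module_status(True, 40, 80, 90, previous=run1["CPU Usage"]),
        "Hardware Alarms": module_status(True, 0, 1, 1, previous=run1["Hardware Alarms"]),
    }
    fleet = {
        "sensor-1": {"modules": run2},
        "sensor-2": {"modules": {"Disk Usage": Status.WARNING, "CPU Usage": Status.NORMAL}},
        "sensor-3": {"modules": {"Disk Usage": Status.NORMAL}, "reachable": False},
    }
    return appliance_status(run1), appliance_status(run2), summary(fleet)


if __name__ == "__main__":
    first, second, counts = demo()
    print(first.name, COLOR[first], "->", second.name, COLOR[second])
    print({s.name: n for s, n in counts.items() if n})
```

Note the asymmetry the tables imply and the model keeps: a Disabled appliance (unreachable, blacklisted, or without a policy) reports nothing at all, so it never turns red. A sensor that has silently dropped off the network sits in the blue Disabled count, which is worth watching as closely as the Critical one.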


To view the status summary for a specific appliance:

Access: Maint/Admin/Any Analyst except Restricted

1. Select Operations > Monitoring > Health.

The Health Monitor page appears.

2. To show the list of appliances with a particular status, click the arrow in that status row.

TIP! If the arrow in the row for a status level points down, the appliance list for that status shows in the lower table. If the arrow points right, the appliance list is hidden.

3. In the Appliance column of the appliance list, click the name of the appliance whose details you want to view.

The Health Monitor Appliance page appears.

4. Optionally, in the Module Status Summary graph, click the color for the event status category you want to view. The Alert Detail list toggles the display to show or hide events.

For more information, see the following sections:

• Interpreting Appliance Health Monitor Status on page 549

• Viewing Alerts by Status on page 549

• Running All Modules for an Appliance on page 550


• Running a Specific Health Module on page 551

• Generating Health Module Alert Graphs on page 553

• Generating Appliance Troubleshooting Files on page 554

Interpreting Appliance Health Monitor Status

Available status categories, by severity, include Error, Critical, Warning, Normal, Recovered, and Disabled, as described in the Appliance Health Status Indicator table that follows.

Appliance Health Status Indicator

Status Level   Status Color   Description
Error          White          Indicates that the health monitoring module has failed and has not been successfully re-run since the failure occurred. Contact your technical support representative to obtain an update to the health monitoring module.
Critical       Red            Indicates that the critical limits have been exceeded for the health module on the appliance and the problem has not been corrected.
Warning        Yellow         Indicates that warning limits have been exceeded for the health module on the appliance and the problem has not been corrected.
Normal         Green          Indicates that the monitored item is running within the limits configured in the health policy applied to the appliance.
Recovered      Green          Indicates that the health for the monitored item is back within the limits configured in the health policy applied to the appliance.
Disabled       Blue           Indicates that a module is disabled or blacklisted, that the appliance does not have a health policy applied to it, or that the appliance is currently unreachable.

Viewing Alerts by Status

Requires: DC/MDC

You can show or hide categories of alerts by status.


To show alerts by status:

Access: Maint/Admin/Any Analyst except Restricted

Click the status icon or the color segment in the pie chart that corresponds to the health status of the alerts you want to view. The alerts for that category appear in the Alert Detail list.

To hide alerts by status:

Access: Maint/Admin/Any Analyst except Restricted

Click the status icon or the color segment in the pie chart that corresponds to the health status of the alerts you want to hide. The alerts in the Alert Detail list for that category disappear.

Running All Modules for an Appliance

Requires: DC/MDC

Health module tests run automatically at the policy run time interval you configure when you create a health policy. However, you can also run all health module tests on demand to collect up-to-date health information for the appliance.

To run all health modules for the appliance:

Access: Maint/Admin/Any Analyst except Restricted

1. Select Operations > Monitoring > Health.

The Health Monitor page appears.

2. To expand the appliance list to show appliances with a particular status, click the arrow in that status row.

TIP! If the arrow in the row for a status level points down, the appliance list for that status shows in the lower table. If the arrow points right, the appliance list is hidden.


3. In the Appliance column of the appliance list, click the name of the appliance whose details you want to view.

The Health Monitor Appliance page appears.

4. Click Run All Modules.

The status bar indicates the progress of the tests, then the Health Monitor Appliance page refreshes.

IMPORTANT! When you manually run health modules, the first refresh that automatically occurs may not reflect the data from the manually-run tests. If the value has not changed for a module that you just ran manually, wait a few seconds, then refresh the page by clicking the sensor name. You can also wait for the page to refresh again automatically.

Running a Specific Health Module

Requires: DC/MDC

Health module tests run automatically at the policy run time interval you configure when you create a health policy. However, you can also run a health module test on demand to collect up-to-date health information for that module.


To run a specific health module:

Access: Maint/Admin/Any Analyst except Restricted

1. Select Operations > Monitoring > Health.

The Health Monitor page appears.

2. To expand the appliance list to show appliances with a particular status, click the arrow in that status row.

TIP! If the arrow in the row for a status level points down, the appliance list for that status shows in the lower table. If the arrow points right, the appliance list is hidden.

3. In the Appliance column of the appliance list, click the name of the appliance whose details you want to view.

The Health Monitor Appliance page appears.

4. In the Module Status Summary graph of the Health Monitor Appliance page, click the color for the health alert status category you want to view.

The Alert Detail list expands to list the health alerts for the selected appliance for that status category.

5. In the Alert Detail row for the module you want to run, click Run.

The status bar indicates the progress of the test, then the Health Monitor Appliance page refreshes.

IMPORTANT! When you manually run health modules, the first refresh that automatically occurs may not reflect the data from the manually-run tests. If the value has not changed for a module that you just manually ran, wait a few seconds, then refresh the page by clicking the sensor name. You can also wait for the page to refresh automatically again.


Generating Health Module Alert Graphs

Requires: DC/MDC

You can graph the results over a period of time of a particular health test for a specific appliance.

To generate a health module alert graph:

Access: Maint/Admin/Any Analyst except Restricted

1. Select Operations > Monitoring > Health.

The Health Monitor page appears.

2. To expand the appliance list to show appliances with a particular status, click the arrow in that status row.

TIP! If the arrow in the row for a status level points down, the appliance list for that status shows in the lower table. If the arrow points right, the appliance list is hidden.

3. In the Appliance column of the appliance list, click the name of the appliance whose details you want to view.

The Health Monitor Appliance page appears.

4. In the Module Status Summary graph of the Health Monitor Appliance page, click the color for the health alert status category you want to view.

The Alert Detail list expands to list the health alerts for the selected appliance for that status category.


5. In the Alert Detail row for the alert you want to graph, click Graph.

A graph appears, showing the status of the event over time. The Alert Detail section below the graph lists all health alerts for the selected appliance.

TIP! If no events appear, you may need to adjust the time range. See Setting Event Time Constraints in the Analyst Guide for more information.

Generating Appliance Troubleshooting Files

Requires: DC/MDC

In some cases, if you have a problem with your appliance, Sourcefire Support may ask you to generate troubleshooting files to help them diagnose the problem.

To generate appliance troubleshooting files:

Access: Maint/Admin/Any Analyst except Restricted

1. Select Operations > Monitoring > Health.

The Health Monitor page appears.

2. To expand the appliance list to show appliances with a particular status, click the arrow in that status row.

TIP! If the arrow in the row for a status level points down, the appliance list for that status shows in the lower table. If the arrow points right, the appliance list is hidden.


3. In the Appliance column of the appliance list, click the name of the appliance whose details you want to view.

The Health Monitor Appliance page appears.

4. Click Generate Troubleshooting Files and confirm that you want to generate the files.

The file generation task is added to the task status queue.

5. Select Operations > Monitoring > Task Status.

The Task Status page appears.

6. Click the folder for the file generation job entry to expand the entry.

7. Select Click to retrieve generated files.

A File Download dialog box appears.

8. Save the files to a location on your computer.

9. Send the generated files to technical support to assist in troubleshooting your system. Treat the files as sensitive until they are delivered: they can contain configuration and log data from the appliance, so transfer them only over a channel you trust and do not leave copies on shared systems.

Working with Health Events

The Defense Center provides fully customizable event views that allow you to quickly and easily analyze the health status events gathered by the health monitor. These event views allow you to search and view event data and to easily access other information that may be related to the events you are investigating.

Many functions that you can perform on the health event view pages are constant across all event view pages. See Understanding Health Event Views on page 556 for more information about these common procedures.

From the Operations > Monitoring > Health menu, you can view health events, and can search for specific events.


See the following sections for more information about viewing events:

• Understanding Health Event Views on page 556 describes the health event views and the modules that generate the events you see in them.

• Viewing Health Events on page 556 describes how to access and use the Event View page.

• Searching for Health Events on page 563 describes how to search for specific events using the Event Search page.

Understanding Health Event Views

The Defense Center health monitor logs health events, which you can see on the Health Event View page. If you understand what conditions each health module tests for, you can more effectively configure alerting for health events. For more information on the different types of health modules that generate health events, see Understanding Health Modules on page 485.

For more information about viewing and searching for health events, see the following sections:

• Viewing Health Events on page 556

• Understanding the Health Events Table on page 561

• Searching for Health Events on page 563

Viewing Health Events

You can view the appliance health data collected by your health monitor in several ways.

For more information, see the following topics:

• Viewing All Health Events on page 556

• Viewing Health Events by Module and Appliance on page 557

• Working with the Health Events Table View on page 559

• Searching for Health Events on page 563

Viewing All Health Events

Requires: DC/MDC

The Table View of Health Events page provides a list of all health events on the selected appliance. For a description of the health modules that generated the events that you may see on this page, see Understanding Health Modules on page 485.

When you access health events from the Health Monitor page on your Defense Center, you retrieve all health events for all managed appliances.


To view all health events on all managed appliances:

Access: Maint/Admin/Any Analyst except Restricted

1. Select Operations > Monitoring > Health.

The Health Monitor page appears.

2. In the toolbar, click Health Events.

The Events page appears, containing all health events.

If no events appear, you may need to adjust the time range. See Setting Event Time Constraints in the Analyst Guide for more information.

TIP! You can bookmark this view to allow you to return to the page in the health events workflow containing the Health Events table of events. The bookmarked view retrieves events within the time range you are currently viewing, but you can then modify the time range to update the table with more recent information if needed. For more information, see Setting Event Time Constraints in the Analyst Guide.

Viewing Health Events by Module and Appliance

Requires: DC/MDC

You can query for events generated by a specific health module on a specific appliance.

To view the health events for a specific module:

Access: Maint/Admin/Any Analyst except Restricted

1. Select Operations > Monitoring > Health.

The Health Monitor page appears.

2. To expand the appliance list to show appliances with a particular status, click the arrow in that status row.

TIP! If the arrow in the row for a status level points down, the appliance list for that status shows in the lower table. If the arrow points right, the appliance list is hidden.


3. In the Appliance column of the appliance list, click the name of the appliance whose details you want to view.

The Health Monitor Appliance page appears.

4. In the Module Status Summary graph of the Health Monitor Appliance page, click the color for the health alert status category you want to view.

The Alert Detail list expands to list the health alerts for the selected appliance for that status category.

5. In the Alert Detail row for the alert for which you want to view a list of events, click Events.

The Health Events page appears, containing query results for a query with the name of the appliance and the name of the selected health alert module as constraints.

If no events appear, you may need to adjust the time range. See Setting Event Time Constraints in the Analyst Guide for more information.

6. If you want to view all health events for the selected appliance, expand Search Constraints and click the Module Name constraint to remove it.


Working with the Health Events Table View

Requires: DC/MDC

The Health Event View Functions table describes each action you can perform from the Event View page.

Health Event View Functions

To...   You can...

• learn more about the contents of the columns that appear in the health event view: find more information in Understanding the Health Events Table on page 561.

• modify the time and date range for events listed in the health table view: find more information in Setting Event Time Constraints in the Analyst Guide. Note that events that were generated outside the appliance's configured time window (whether global or event-specific) may appear in an event view if you constrain the event view by time. This can occur even if you configured a sliding time window for the appliance.

• sort the events that appear, change what columns display in the table of events, or constrain the events that appear: find more information in Sorting Drill-down Workflow Pages in the Analyst Guide.

• delete health events: select the check box next to the events you want to delete and click Delete. To delete all the events in the current constrained view, click Delete All, then confirm that you want to delete all the events.

• navigate through event view pages: find more information in Navigating to Other Pages in the Workflow in the Analyst Guide.

• navigate to other event tables to view associated events: find more information in Navigating between Workflows in the Analyst Guide.

• bookmark the current page so that you can quickly return to it: click Bookmark This Page, provide a name for the bookmark, and click Save. See Using Bookmarks in the Analyst Guide for more information.

• navigate to the bookmark management page: select Analysis & Reporting > Bookmarks or, from any event view, click View Bookmarks. See Using Bookmarks in the Analyst Guide for more information.

• generate a report based on data in the table view: click Report Designer. See Generating Reports from Event Views on page 235 for more information.

• select another health events workflow: click Workflows or select from the Workflows drop-down list in the toolbar. See Selecting Workflows in the Analyst Guide for more information.

• view the details associated with a single health event: click the down arrow link on the left side of the event.

• view event details for multiple health events: select the check box next to the rows that correspond with the events you want to view details for, and then click View.

• view event details for all events in the view: click View All.

• view all events of a particular status: click the status icon in the Status column for an event with that status.

Interpreting Hardware Alert Details for 3D9900 Sensors

For 3D9900 sensor models, hardware alarms are generated in response to the conditions described in the Conditions Monitored for 3D9900 Sensors table. The triggering condition can be found in the message detail for the alert.

Conditions Monitored for 3D9900 Sensors

Condition Monitored   Causes of Yellow or Red Error Conditions

• NFE card presence: If NFE hardware is detected that is not valid for the appliance, health status for the Hardware Alarms module changes to red and the message details include a reference to the NFE card presence.

• NFE temperature: If NFE temperature exceeds 89 degrees Fahrenheit, health status for the Hardware Alarms module changes to yellow and the message details include a reference to the NFE temperature. If NFE temperature exceeds 99 degrees Fahrenheit, health status for the Hardware Alarms module changes to red and the message details include a reference to the NFE temperature.

• NFE Platform daemon: If the NFE Platform daemon goes down, health status for the Hardware Alarms module changes to red and the message details include a reference to the daemon.

• NFE Message daemon: If the NFE Message daemon goes down, health status for the Hardware Alarms module changes to red and the message details include a reference to the daemon.

• NFE TCAM daemon: If the NFE TCAM daemon goes down, health status for the Hardware Alarms module changes to red and the message details include a reference to the daemon.

• LBIM presence: If the Load-Balancing Interface Module (LBIM) switch assembly is not present or not communicating, health status for the Hardware Alarms module changes to red and the message details include a reference to the LBIM presence.

• Scmd daemon: If the Scmd daemon goes down, health status for the Hardware Alarms module changes to red and the message details include a reference to the daemon.

• Psls daemon: If the Psls daemon goes down, health status for the Hardware Alarms module changes to red and the message details include a reference to the daemon.

• Ftwo daemon: If the Ftwo daemon goes down, health status for the Hardware Alarms module changes to red and the message details include a reference to the daemon.

• Rulesd (host rules) daemon: If the Rulesd daemon goes down, health status for the Hardware Alarms module changes to yellow and the message details include a reference to the daemon.

• nfm_ipfragd (host frag) daemon: If the nfm_ipfragd daemon goes down, health status for the Hardware Alarms module changes to red and the message details include a reference to the daemon.

Understanding the Health Events Table

You can use the Defense Center's health monitor to determine the status of critical functionality within the Sourcefire 3D System. You create and apply health policies to your appliances, which monitor a variety of aspects, including hardware and software status. The Health Monitor modules you choose to enable in your health policy run various tests to determine appliance health status. When the health status meets criteria that you specify, a health event is generated. For more information on health monitoring, see Monitoring the System on page 463.

The fields in the health events table are described in the Health Event Fields table.

Health Event Fields

Field   Description

• Module Name: The name of the health module that generated the event. For a list of health modules, see the Health Modules table on page 485.

• Test Name: The name of the test. This is typically the same as the module name.

• Time: The timestamp for the health event.

• Description: The description of the health module that generated the event. For example, health events generated when a process was unable to execute are labeled Unable to Execute.

• Value: The value (number of units) of the result obtained by the health test that generated the event. For example, if the Defense Center generates a health event whenever a sensor it is monitoring is using 80 percent or more of its CPU resources, the value could be a number from 80 to 100.

• Units: The units descriptor for the result. You can use the asterisk (*) to create wildcard searches. For example, if the Defense Center generates a health event when a sensor it is monitoring is using 80 percent or more of its CPU resources, the units is a percentage sign (%).

• Status: The status (Critical, Warning, Normal, or Disabled) reported for the appliance; see the Health Status Indicator table for the meaning and color of each status.

• Sensor: The appliance where the health event was reported.

To display the table view of health events:

Access: Maint/Admin/Any Analyst except Restricted

1. Select Operations > Monitoring > Health.

The Health Monitor page appears.

2. On the toolbar, click Health Events.

The table view appears. For information on working with health events, see Working with Health Events on page 555.

TIP! If you are using a custom workflow that does not include the table view of health events, click Workflows. On the Select Workflow page, click Health Events.

Searching for Health Events

Requires: DC/MDC

You can use Event Search to search for specific network discovery events. You can create, save, and re-use event searches. When creating new searches or modifying default searches, there are a number of options you can configure. The Health Event Search Criteria table describes each search criterion you can specify.

Health Event Search Criteria

Search Field Description

Module Name Specify the name of the module which generated the health events you want to view. For example, to view events that measure CPU performance, type CPU. The search should retrieve applicable CPU Usage and CPU temperature events.

Value Specify the value (number of units) of the result obtained by the health test for the events you want to view. For example, if you specify a value of 15 and type CPU in the Units field, you retrieve events where the appliance CPU was running at 15% utilization at the time the test ran.

Description Specify the description of the events you want to view. For example, you could enter Unable to Execute to view any health events where a process was unable to execute. You can use an asterisk (*) in this field to create wildcard searches.

Units Specify the units descriptor for the result obtained by the health test for the events you want to view. You can use an asterisk (*) in this field to create wildcard searches. For example, if you type % in the Units field, you retrieve all events for the Disk Usage modules, because the Disk Usage module has a “%” label in the Units field (and no additional text). However, if you type *% in the Units field, you retrieve all events for any modules that contain text followed by a “%” sign in the Units field.

Status Specify the status for the health events that you want to view. Valid status levels are Critical, Warning, Normal, Error, and Disabled. For example, type Critical to retrieve all health events that indicate a critical status.

Appliance Specify the name of the appliance.

To run and save health event searches:

Access: Any Analyst except Restricted/Admin

1. Select Analysis & Reporting > Searches > Health Events.

The Search page appears.

2. Optionally, if you want to save the search, enter a name for the search in the Name field.

If you do not enter a name, one is created automatically when you save the search.

3. Enter your search criteria.

See Health Event Search Criteria on page 563 for more information about the values you can enter for search criteria.


4. Optionally, if you want to save the search so that other users can access it, disable the Save As Private check box. Otherwise, leave the check box selected to save the search as private.

TIP! If you want to save a search as a restriction for restricted data users, you must save it as a private search.

5. You have the following options:

• Click Search to execute the search.

Your search results appear in the default health events workflow, constrained by the current time range. To use a different workflow, including a custom workflow, use the Workflows menu on the toolbar. For information on specifying a different default workflow, see Configuring Event View Settings on page 27.

• Click Save if you are modifying an existing search and want to save your changes.

• Click Save as New Search to save the search criteria. The search is saved and associated with your user account (if you selected Save As Private), so that you can run it at a later time.

For more information about searching, see the following sections:

• Loading a Saved Search in the Analyst Guide

• Deleting a Saved Search in the Analyst Guide


Chapter 17 Auditing the System

You can audit activity on your system in two ways. The appliances that are a part of the Sourcefire 3D System generate an audit record for each user interaction with the web interface, and also record system status messages in the system log.

The following sections provide more information about the monitoring features that the system provides:

• Managing Audit Records on page 566 describes how to view and manage system audit information.

• Viewing the System Log on page 578 describes how to view the system log, which contains system status messages.

TIP! Defense Centers and 3D Sensors with IPS also provide full-featured reporting features that allow you to generate reports for almost any type of data accessible in an event view, including auditing data. For more information, see Working with Event Reports on page 232.

Managing Audit Records

Requires: DC/MDC or 3D Sensor

Defense Centers and 3D Sensors log read-only auditing information for user activity. Audit logs are presented in a standard event view that allows you to view, sort, and filter audit log messages based on any item in the audit view. You can easily delete and report on audit information.


The audit log stores a maximum of 100,000 entries. When the number of audit log entries exceeds 100,000, the appliance prunes the oldest records from the database to reduce the number to 100,000.

For more information, see the following sections:

• Viewing Audit Records on page 567

• Suppressing Audit Records on page 570

• Understanding the Audit Log Table on page 574

• Searching Audit Records on page 575

Viewing Audit Records

Requires: DC/MDC or 3D Sensor

You can use the appliance to view a table of audit records. Then, you can manipulate the view depending on the information you are looking for. The predefined workflow includes a single table view of events. You can also create a custom workflow that displays only the information that matches your specific needs. For information on creating a custom workflow, see Creating Custom Workflows in the Analyst Guide.

The Audit Log Actions table below describes some of the specific actions you can perform on an audit log workflow page.

Audit Log Actions

To... You can...

learn more about the contents of the columns in the table

find more information in Understanding the Audit Log Table on page 574.

modify the time range used when viewing audit records

find more information at Setting Event Time Constraints in the Analyst Guide.

Note that events that were generated outside the appliance's configured time window (whether global or event-specific) may appear in an event view if you constrain the event view by time. This can occur even if you configured a sliding time window for the appliance.

sort and constrain events on the current workflow page

find more information in Sorting Table View Pages and Changing Their Layout in the Analyst Guide.

navigate within the current workflow page

find more information in Navigating to Other Pages in the Workflow in the Analyst Guide.


navigate between pages in the current workflow, keeping the current constraints

click the appropriate page link at the top left of the workflow page. For more information, see Using Workflow Pages in the Analyst Guide.

drill down to the next page in the workflow

use one of the following methods:

• To drill down to the next workflow page constraining on a specific value, click a value within a row. Note that this only works on drill-down pages. Clicking a value within a row in a table view constrains the table view and does not drill down to the next page.

• To drill down to the next workflow page constraining on some events, select the check boxes next to the events you want to view on the next workflow page, then click View.

• To drill down to the next workflow page keeping the current constraints, click View All.

TIP! Table views always include “Table View” in the page name.

For more information, see Constraining Events in the Analyst Guide.

constrain on a specific value

click a value within a row.

If you click a value on a drill-down page, you move to the next page and constrain on the value.

Note that clicking a value within a row in a table view constrains the table view and does not drill down to the next page.

TIP! Table views always include “Table View” in the page name.

For more information, see Constraining Events in the Analyst Guide.

delete audit records

use one of the following methods:

• To delete some items, select the check boxes next to the events you want to delete, then click Delete.

• To delete all items in the current constrained view, click Delete All, then confirm you want to delete all the events.

temporarily use a different workflow

click Workflows. For more information, see Selecting Workflows in the Analyst Guide.

bookmark the current page so that you can quickly return to it

click Bookmark This Page. For more information, see Using Bookmarks in the Analyst Guide.

navigate to the bookmark management page

click View Bookmarks. For more information, see Using Bookmarks in the Analyst Guide.

generate a report based on the data in the current view

click Report Designer. For more information, see Generating Reports from Event Views on page 235.

To view audit records:

Access: Admin

Select Operations > Monitoring > Audit.

The first page of the default audit log workflow appears. To use a different workflow, including a custom workflow, use the Workflows menu on the toolbar. For information on specifying a different default workflow, see Configuring Event View Settings on page 27. If no events appear, you may need to adjust the time range. For more information, see Setting Event Time Constraints in the Analyst Guide.

TIP! If you are using a custom workflow that does not include the table view of audit events, from the Workflows menu on the toolbar, select Audit Log.

Working with Audit Events

Requires: Any

You can change the layout of the event view or constrain the events in the view by a field value.

When disabling columns, after you click the close icon in the column heading that you want to hide, in the pop-up window that appears, click Apply. When you disable a column, it is disabled for the duration of your session (unless you add it back later). Note that when you disable the first column, the count column is added.

To hide or show other columns, select or clear the appropriate check boxes before you click Apply. To add a disabled column back to the view, use the Expand arrow to expand the search constraints, then click the column name under Disabled Columns.

Clicking a value within a row in a table view constrains the table view and does not drill down to the next page.

TIP! Table views always include “Table View” in the page name.

For more information, see the following topics:

• Constraining Events in the Analyst Guide

• Using Compound Constraints in the Analyst Guide

• Sorting Drill-down Workflow Pages in the Analyst Guide

• Understanding the Audit Log Table on page 574

Suppressing Audit Records

Requires: Any

If your auditing policy does not require that you audit specific types of user interactions with the Sourcefire 3D System, you can prevent those interactions from generating audit records. For example, by default, each time a user views the online help, the Sourcefire 3D System generates an audit record. If you do not need to keep a record of these interactions, you can automatically suppress them.

To set up the suppression mechanism, you must have access to an appliance’s root user account, and you must be able to either access the appliance’s console or open a secure shell.

WARNING! Make sure that only authorized personnel have access to the appliance and to its root account.

To suppress audit records you must create one or more files in the /etc/sf directory in the following form:

AuditBlock.type

where type is address, message, subsystem, or user.

If you create an AuditBlock.type file for a specific type of audit message, but later decide that you no longer want to suppress them, you must delete the contents of the AuditBlock.type file but leave the file itself on the Sourcefire 3D System.

The contents for each audit block type must be in a specific format as described in the Audit Block Types table. Make sure you use the correct capitalization for the file names. Note also that the contents of the files are case sensitive.

Audit Block Types

Type Description

Address Create a file named AuditBlock.address and include, one per line, each IP address that you want to suppress from the audit log. You can use partial IP addresses provided that they map from the beginning of the address. For example, the partial address 10.1.1 matches addresses from 10.1.1.0 through 10.1.1.255.

Message Create a file named AuditBlock.message and include, one per line, the message substrings that you want to suppress.

Note that substrings are matched so that if you include backup in your file, all messages that include the word backup are suppressed.


Subsystem Create a file named AuditBlock.subsystem and include, one per line, each subsystem that you want to suppress. Note that substrings are not matched. You must use exact strings. See the Subsystem Names table for a list of subsystems that are audited.

User Create a file named AuditBlock.user and include, one per line, each user account that you want to suppress. You can use partial string matching provided that the partial string maps from the beginning of the user name. For example, the partial user name IPSAnalyst matches the user names IPSAnalyst1 and IPSAnalyst2.

When you add an AuditBlock file, an audit record with a subsystem of Audit and a message of Audit Filter type Changed is added to the audit events. For security reasons, this audit record cannot be suppressed.
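The matching rules in the Audit Block Types table, modelled as an added example. This is not code from the Sourcefire guide or from the appliance: it writes constructed AuditBlock.* files into a temporary directory instead of /etc/sf, runs constructed audit records through the four rules (address prefix, message substring, exact subsystem, user-name prefix), and keeps the "Audit Filter type Changed" record from the Audit subsystem unsuppressed. Two points are assumptions rather than statements from the guide: a partial address such as 10.1.1 is taken as whole leading octets, so it matches 10.1.1.7 but not 10.1.10.7, and the unsuppressible record is recognised by its "Audit Filter <type> Changed" message.

```shell
#!/bin/sh
# Added example, not from the Sourcefire guide: a POSIX sh model of the rules
# the AuditBlock.* files apply, run against constructed audit records. It
# writes the files into a temporary directory instead of /etc/sf, so it can
# be run on any host. Assumption not stated by the guide: a partial address
# such as 10.1.1 is taken as whole leading octets, so it matches 10.1.1.7
# but not 10.1.10.7.

AUDITBLOCK_DIR="${AUDITBLOCK_DIR:-$(mktemp -d)}"

# Constructed suppression files, one entry per line, named as in /etc/sf.
write_auditblock_files() {
    printf '10.1.1\n'     > "$AUDITBLOCK_DIR/AuditBlock.address"    # prefix match
    printf 'backup\n'     > "$AUDITBLOCK_DIR/AuditBlock.message"    # substring match
    printf 'Help\n'       > "$AUDITBLOCK_DIR/AuditBlock.subsystem"  # exact match
    printf 'IPSAnalyst\n' > "$AUDITBLOCK_DIR/AuditBlock.user"       # prefix match
}

# To stop suppressing a type, the guide says to empty the file, not delete it.
clear_auditblock_file() {   # usage: clear_auditblock_file address|message|subsystem|user
    : > "$AUDITBLOCK_DIR/AuditBlock.$1"
}

# Matchers, called as MATCHER ENTRY VALUE. Comparisons are case sensitive,
# as the guide notes for the file contents.
match_address()   { case "$2" in "$1"|"$1".*) return 0 ;; esac; return 1; }
match_message()   { case "$2" in *"$1"*)      return 0 ;; esac; return 1; }
match_subsystem() { [ "$2" = "$1" ]; }
match_user()      { case "$2" in "$1"*)       return 0 ;; esac; return 1; }

# any_entry_matches TYPE MATCHER VALUE: 0 if any non-empty line of
# AuditBlock.TYPE matches VALUE. The loop reads from a redirection rather
# than a pipe, so it runs in the current shell and "return" works inside it.
any_entry_matches() {
    f="$AUDITBLOCK_DIR/AuditBlock.$1"
    [ -s "$f" ] || return 1            # a missing or emptied file blocks nothing
    while IFS= read -r entry || [ -n "$entry" ]; do
        [ -n "$entry" ] || continue
        if "$2" "$entry" "$3"; then return 0; fi
    done < "$f"
    return 1
}

# is_suppressed USER SUBSYSTEM MESSAGE SOURCE_IP: 0 if the record would be
# dropped from the audit log, 1 if it would be written.
is_suppressed() {
    user=$1; subsystem=$2; message=$3; addr=$4
    # The record the appliance writes when a filter file changes
    # ("Audit Filter <type> Changed", subsystem Audit) is never suppressed.
    if [ "$subsystem" = "Audit" ]; then
        case "$message" in "Audit Filter "*" Changed") return 1 ;; esac
    fi
    if any_entry_matches address   match_address   "$addr";      then return 0; fi
    if any_entry_matches message   match_message   "$message";   then return 0; fi
    if any_entry_matches subsystem match_subsystem "$subsystem"; then return 0; fi
    if any_entry_matches user      match_user      "$user";      then return 0; fi
    return 1
}

# Print a verdict for a few constructed records (run the script with --demo).
demo() {
    write_auditblock_files
    for rec in "IPSAnalyst2|Help|Page View|172.16.1.37" \
               "jsmith|Admin|Restore from backup|172.16.1.37" \
               "jsmith|Admin|Save|10.1.1.200" \
               "jsmith|Admin|Save|10.1.10.200" \
               "admin|Audit|Audit Filter address Changed|10.1.1.5"; do
        IFS='|' read -r u s m a <<EOF
$rec
EOF
        if is_suppressed "$u" "$s" "$m" "$a"; then v=suppressed; else v=logged; fi
        printf '%-12s %-6s %-30s %-13s %s\n' "$u" "$s" "$m" "$a" "$v"
    done
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run the script with --demo to see the verdict for each constructed record. The record from 10.1.10.200 is logged because the partial address is applied octet by octet, and the Audit Filter address Changed record is logged even though its source address matches the address block. Calling clear_auditblock_file user shows the guide's rule for switching a block type off again: the emptied file matches nothing while the other three files keep working.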


Subsystem Names

Name Includes user interactions with...

Admin Administrative features such as system and access configuration, time synchronization, back up and restore, sensor management, user account management, and scheduling

Alerting Alerting functions such as email, SNMP, and syslog alerting

Audit Log Audit event views

Audit Log Search Audit event searches

Configuration Email alerting

COOP Continuity of operations feature

Date Date and time range for event views

Default Subsystem Options that do not have assigned subsystems

Detection & Prevention Policy Menu options for intrusion policies

Error System-level errors


eStreamer eStreamer configuration

EULA Reviewing the end user license agreement

Events RNA and intrusion event views

Events Clipboard Intrusion event clipboard

Events Reviewed Reviewed intrusion events

Events Search Any event search

Failed to install SEU seu_id Installing SEUs

Header Initial presentation of the user interface after a user logs in

Health Health monitoring

Health Events Health monitoring event views

Help Online help

High Availability High availability feature

IDS Impact Flag Impact flag configuration

IDS Policy Intrusion policies

IDSPolicy > policy_name > Appliance > det_engine_name Applying intrusion policies

IDSRule sid:sig_id rev:rev_num Intrusion rules by SID

Incidents Intrusion incidents

Insert Policy Apply Job Applying policies

Install Installing updates

Intrusion Events Intrusion events


Login Web interface login and logout functions

Menu Any menu option

Object export > obj_type > obj_name Importing objects of a specific type and name

Preferences User preferences such as the time zone for a user account and individual event preferences

Policy Any policy, including intrusion and OPSEC policies

Register Registering sensors on a Defense Center

RemoteStorageDevice Configuring remote storage devices

Reports Report listing and report designer features

Rules Intrusion rules including the rule editor and the rule importation process

SEU Import Log Viewing the SEU import log

SEU Install Installing SEUs

Status Syslog, as well as host and performance statistics

System Various system-wide settings

System Policy > policy_name > Appliance > appliance_name Applying system policies

Task Queue Viewing the task queue

Users Creating and modifying user accounts

Understanding the Audit Log Table

Requires: DC/MDC or 3D Sensor

Each appliance generates an audit event for each user interaction with the web interface. Each event includes a time stamp, the user name of the user whose action generated the event, a source IP, and text describing the event. The fields in the audit log table are described in the Audit Log Fields table.

Audit Log Fields

Field Description

Time Time and date that the appliance generated the audit record

User User name of the user that triggered the audit event

Subsystem Menu path the user followed to generate the audit record. For example, Operations > Monitoring > Audit is the menu path to view the audit log.

Message Action the user performed. For example, “Page View” signifies that the user simply viewed the page indicated in the Subsystem, while “Save” means that the user clicked the Save button on the page.

Source IP IP address of the host used by the user

Count The number of events that match the information that appears in each row. Note that the Count field appears only after you apply a constraint that creates two or more identical rows.

Searching Audit Records

Requires: DC/MDC or 3D Sensor

You can search audit records to find information specific to a user, a specific subsystem, or an audit record message.

You may want to create searches customized for your network environment, then save them to re-use later. The search criteria you can use are described in the Audit Record Search Criteria table. Note that audit searches are not case-sensitive. For example, searching for Analyst01 or analyst01 yields the same results.

For more information on searching, including how to load and delete saved searches, see Searching for Events in the Analyst Guide.

Audit Record Search Criteria

Search Field Description Example

User Enter the user name of the user who triggered the audit events you want to see. You can use an asterisk (*) as a wildcard character in this field.

jsmith returns all audit records involving the user jsmith.

Subsystem Enter the full menu path a user would follow to generate the audit records you want to see. You can use an asterisk (*) as a wildcard character in this field.

Operations > Monitoring > Audit and *Audit both return audit records that involve using the audit log.

*Audit* returns all of the above records, plus records that involve searching for audit records.

Message The action the user performed or the button the user clicked on the page. You can use an asterisk (*) as a wildcard character in this field.

Apply returns audit records where the user applied an intrusion policy.

Save Rule returns audit records where the user saved a compliance rule.

Page View returns audit records where the user viewed the page.

Time Specify the date and time the audit record was generated. See Specifying Time Constraints in Searches in the Analyst Guide for the syntax for entering time.

> 2006-01-15 13:30:00 returns all audit records generated after January 15, 2006 at 1:30pm.

Source IP Enter the IP address of the host that you want to view audit records for.

IMPORTANT! You must type a specific IP address. You cannot use IP ranges when searching audit logs.

172.16.1.37 returns all audit records generated by a user from the 172.16.1.37 IP address.


To search for audit records:

Access: Admin 1. Select Analysis & Reporting > Searches > Audit Log.

The Audit Log search page appears.

TIP! To search the database for a different kind of event, select it from the Table list.

2. Optionally, if you want to save the search, enter a name for the search in the Name field.

If you do not enter a name, the web interface automatically creates one when you save it.

3. Enter your search criteria in the appropriate fields, as described in the Audit Record Search Criteria table. If you enter multiple criteria, the appliance returns only the records that match all the criteria.

4. If you want to save the search so that other users can access it, clear the Save As Private check box. Otherwise, leave the check box selected to save the search as private.

TIP! If you want to save a search as a restriction for restricted data users, you must save it as a private search.

5. You have the following options:

• Click Search to start the search.

Your search results appear in the default audit log workflow, constrained by the current time range. To use a different workflow, including a custom workflow, use the Workflows menu on the toolbar. For information on specifying a different default workflow, see Configuring Event View Settings on page 27.


• Click Save if you are modifying an existing search and want to save your changes.

• Click Save as New Search to save the search criteria. The search is saved (and associated with your user account if you selected Save As Private), so that you can run it at a later time.

Viewing the System Log

Requires: DC/MDC or 3D Sensor

The System Log (syslog) page provides you with system log information for the appliance. The system log displays each message generated by the system. The following items are listed in order:

• the date that the message was generated

• the time that the message was generated

• the host that generated the message

• the message itself

IMPORTANT! System log information is local. For example, you cannot use the Defense Center to view system status messages in the system logs on your managed sensors.

You can view system log messages for specific components by using the filter feature. For more information, see Filtering System Log Messages on page 579.

If you want to use a 3D3800 sensor in compliance with ICSA requirements, you can also configure system logging using a four-digit year format. For more information, see Using Four-Digit Year Formats on the 3D3800 on page 581.


To view the syslog:

Access: Maint/Admin Select Operations > Monitoring > Syslog.

The System Log page appears. The Defense Center version of the page is shown below.

TIP! On the 3D9900, the Load Balancing Interface Module (LBIM) forwards messages to the sensor's syslog. You can find these messages by filtering on lbim.

Filtering System Log Messages

Requires: DC/MDC or 3D Sensor

You can view system log messages for specific components by using the filter feature. Filtering allows you to search for specific messages based on content.

The filter functionality uses the UNIX file search utility Grep, and as such, you can use most syntax accepted by Grep. This includes using Grep-compatible regular expressions for pattern matching. You can use a single word as a filter, or you can use Grep-supported regular expressions to search for content.

WARNING! The System Log page does not allow the use of pipe characters for OR expressions. For example, if you use [word_1|word_2], you will receive an invalid filter error.


The System Log Filter Syntax table shows the regular expression syntax you can use in System Log filters:

System Log Filter Syntax

Syntax Component Description Example

. Matches any character or white space. Admi. matches Admin, AdmiN, Admi1, and Admi&

[[:alpha:]] Matches any alphabetic character. [[:alpha:]]dmin matches Admin, bdmin, Cdmin, and so on.

[[:upper:]] Matches any uppercase alphabetic character. [[:upper:]]dmin matches Admin, Bdmin, Cdmin, and so on.

[[:lower:]] Matches any lowercase alphabetic character. [[:lower:]]dmin matches admin, bdmin, cdmin, and so on.

[[:digit:]] Matches any numeric character. [[:digit:]]dmin matches 0dmin, 1dmin, 2dmin, and so on.

[[:alnum:]] Matches any alphanumeric character. [[:alnum:]]dmin matches 1dmin, admin, 2dmin, bdmin, and so on.

[[:space:]] Matches any white space, including tabs. Feb[[:space:]]29 matches logs from February 29th.

* Matches one or more instances of the pattern it follows. ab* matches ab, abb, abbb, abbbb, and so on. [ab]* matches ab, abab, ababab, and so on.

? Matches zero or one instances. ab? matches a or ab.

\ Allows you to search for a character typically interpreted as regular expression syntax. alert\? matches alert?.


The System Log Filter Examples table shows some example filters you can use on the System Log page.

To search for specific message content in the system log:

Access: Maint/Admin 1. On the System Log page, enter a word or query in the Filter field.

See the System Log Filter Syntax table on page 580 and the System Log Filter Examples table on page 581 for more information about the filter syntax you can use.

Only Grep-compatible search syntax is supported. For example, you could search for all NTP-related system log messages by using ntp as a filter, or search for all messages generated in November by using Nov as a filter. You could view messages from November 27th by using Nov[[:space:]]*27 or Nov.*27, but you could not use Nov 27 or Nov*27 to view these messages.

2. Optionally, to make your search case-sensitive, check Case-sensitive. (By default, filters are not case-sensitive.)

3. Optionally, check Exclusion to search for all system log messages that do not meet the criteria you entered.

4. Click Go.

The messages that match the filter appear.
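The filter behaviour described in this section, reproduced as an added example with grep -E on constructed syslog lines. This is not code from the Sourcefire guide or the appliance; it is a small wrapper that applies the same POSIX regular expression syntax the System Log Filter Syntax table lists, maps the Case-sensitive and Exclusion check boxes to grep -i and grep -v, and rejects a filter containing a pipe character, as the page says the System Log page does. The sample log lines are made up, and rejecting a filter that contains a space (the reason Nov 27 cannot be used) is this example's assumption about why the page advises Nov[[:space:]]*27 instead.

```shell
#!/bin/sh
# Added example, not from the Sourcefire guide: reproduces the System Log
# filter behaviour with grep -E (POSIX extended regular expressions, the
# syntax the page's table describes) against constructed syslog lines.
# Case-sensitive maps to omitting grep -i, Exclusion to grep -v. Patterns
# with a pipe are rejected, as on the System Log page; rejecting a pattern
# that contains a space is an assumption about why Nov 27 cannot be used.

SAMPLE_SYSLOG='Nov 27 10:02:11 dc01 ntpd[1234]: synchronized to 10.1.1.1, stratum 2
Nov 27 10:05:42 dc01 sshd[2345]: Accepted publickey for admin from 172.16.1.37
Nov  5 08:15:00 dc01 AUTH DEBUG: pam_unix session opened for user Admin
Nov  5 08:15:01 dc01 sfmgr: applied intrusion policy Default
Dec 01 23:59:59 dc01 lbim: link state change on port 3
Feb 29 00:00:01 dc01 cron: job alert? finished'

# syslog_filter PATTERN [CASE_SENSITIVE] [EXCLUSION]
# Prints the matching lines. CASE_SENSITIVE=1 mimics the Case-sensitive check
# box (off by default, so grep -i is used); EXCLUSION=1 mimics Exclusion (-v).
# Returns 2 for a filter the page describes as invalid.
syslog_filter() {
    pattern=$1; case_sensitive=${2:-0}; exclusion=${3:-0}
    case "$pattern" in
        *'|'*) echo "invalid filter: pipe characters are not allowed" >&2; return 2 ;;
        *' '*) echo "invalid filter: use [[:space:]] instead of a space" >&2; return 2 ;;
    esac
    set -- -E                                   # ., *, ?, \? and [[:class:]] as in the table
    [ "$case_sensitive" = 1 ] || set -- "$@" -i
    [ "$exclusion" = 1 ] && set -- "$@" -v
    printf '%s\n' "$SAMPLE_SYSLOG" | grep "$@" -e "$pattern"
}

# syslog_match_count PATTERN [CASE_SENSITIVE] [EXCLUSION]: number of matching lines.
syslog_match_count() {
    syslog_filter "$@" 2>/dev/null | grep -c ''
}

# Apply the filters from the page's examples and show how many lines each hits
# (run the script with --demo).
demo() {
    for p in ntp Nov 'Nov[[:space:]]*27' 'Nov.*27' 'Nov*27' 'Nov[[:space:]]*5' \
             'Nov[[:space:]]*5.*AUTH.*DEBUG' 'Feb[[:space:]]29' Admin 'alert\?' lbim; do
        printf '%-32s %s\n' "$p" "$(syslog_match_count "$p")"
    done
    printf '%-32s %s\n' 'Admin (case-sensitive)' "$(syslog_match_count Admin 1)"
    printf '%-32s %s\n' 'Nov (exclusion)'        "$(syslog_match_count Nov 0 1)"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Running the script with --demo shows why the page steers you to Nov[[:space:]]*27 or Nov.*27: Nov*27 matches nothing, because in this syntax the star applies to the v, not to a space. It also shows the effect of the Case-sensitive box (Admin hits two lines by default, one with the box checked) and of Exclusion (Nov with Exclusion returns only the December and February lines).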

System Log Filter Examples

To search for all log entries that... Use...

Are generated on November 5 Nov[[:space:]]*5

Contain the user name “Admin” Admin

Contain authorization debugging information on November 5 Nov[[:space:]]*5.*AUTH.*DEBUG

Using Four-Digit Year Formats on the 3D3800

Requires: 3D3800

If needed, you can update the syslog configuration on a 3D3800 to use a four-digit year format for syslog events. The ICSA-certified security implementation for the appliance requires the four-digit year format.

To update the logging method to use the four-digit year format:

Access: root

1. Open the rc.config file in a file editor.

2. Change the value for the SYSLOGD_REPLACE_TIMESTAMPS option to yes.

3. Save changes to the file and exit the editor.

4. Run SuSEconfig. For example, type: # ./sbin/SuSEconfig

5. Restart the syslogd process. For example, type: # /sbin/syslogd restart


Appendix A Importing and Exporting Objects

You can use the Import/Export feature to copy several types of objects, including policies, from one appliance to another appliance of the same type. Object import and export is not intended as a backup tool, but can be used to simplify the process of adding new appliances to your Sourcefire 3D System.

You can import and export the objects listed in the following table.

Objects with Import and Export Capability

Object Requires

Custom Tables DC/MDC

Custom Workflows Any

Dashboards Any

Health Policies DC/MDC

Intrusion Policies IPS or DC/MDC + IPS

PEP Policies DC/MDC + IPS

RNA Detection Policies DC

System Policies Any

User-Defined RNA Detectors DC


Note that to import an exported object, both appliances must be running the same version of the Sourcefire 3D System. To import an exported intrusion policy, the SEU versions on both appliances must also match.

For more information, see the following sections:

• Exporting Objects on page 584

• Importing Objects on page 593

Exporting Objects

Requires: IPS or DC/MDC

You can export a single object, or you can export several objects at once.

When you export an object, the appliance also exports revision information for that object. The Sourcefire 3D System uses that information to determine whether you can import that object onto another appliance; you cannot import an object revision that already exists on an appliance.

In addition, when you export an object, the appliance also exports system objects that the object depends on, such as authentication objects. For example, if you set up authentication to an LDAP server on your Defense Center, and then export a Defense Center system policy with authentication enabled, the authentication object is exported as well.

Note that depending on the number of objects being exported and the number of objects those objects reference, the export process may take several minutes.

For more information, see the following sections:

• Exporting a Custom Table on page 584

• Exporting a Custom Workflow on page 585

• Exporting a Dashboard on page 585

• Exporting a Health Policy on page 586

• Exporting an Intrusion Policy on page 586

• Exporting a PEP Policy on page 588

• Exporting an RNA Detection Policy on page 588

• Exporting a System Policy on page 588

• Exporting a User-Defined RNA Detector on page 589

• Exporting Multiple Objects on page 590

Exporting a Custom Table

Requires: DC + RNA

A custom table is a table you can construct that combines fields from two or more of the predefined tables delivered with the Sourcefire 3D System.


To export a custom table:

Access: Any RNA/Admin

1. Make sure that the Defense Center where you are exporting the custom table and the Defense Center where you plan to import the custom table are running the same version of the Sourcefire 3D System.

If the versions of the Sourcefire 3D System do not match, the import will fail.

2. Select Analysis & Reporting > Custom Tables.

The Custom Tables page appears.

3. Click Export next to the custom table you want to export.

4. Follow your web browser’s prompts to save the exported package to your computer.

Exporting a Custom Workflow

Requires: IPS or DC/MDC

A custom workflow is a workflow that you create to meet the unique needs of your organization. On the Defense Center, you can export custom workflows that you create as well as the predefined custom workflows delivered with the appliance.

Note that if an appliance does not allow you to view the table on which an exported custom workflow is based, you can import the workflow but will not be able to view it. For example, you cannot access a custom workflow based on RNA hosts that you created on the Defense Center and then imported onto a 3D Sensor or Master Defense Center.

To export a custom workflow:

Access: Any Analyst/Admin

1. Make sure that the appliance where you are exporting the custom workflow and the appliance where you plan to import the custom workflow are running the same version of the Sourcefire 3D System.

If the versions of the Sourcefire 3D System do not match, the import will fail.

2. Select Analysis & Reporting > Custom Workflows.

The Custom Workflows page appears.

3. Click Export next to the custom workflow you want to export.

4. Follow your web browser’s prompts to save the exported package to your computer.

Exporting a Dashboard

Requires: Any

A dashboard is a customizable tabbed view that provides you with an at-a-glance display of your current system status. Dashboards use various widgets to present data about the events collected and generated by the Sourcefire 3D System, as well as information about the status and overall health of the appliances in your deployment.


Note that the dashboard widgets that you can view depend on the type of appliance you are using and on your user role. For example, a dashboard created on the Defense Center and imported onto a 3D Sensor or Master Defense Center may display some invalid, disabled widgets. For more information, see Understanding Widget Availability on page 61.

To export a dashboard:

Access: Any

1. Select Analysis & Reporting > Event Summary > Dashboards.

If you have a default dashboard defined, it appears; continue with the next step.

If you do not have a default dashboard defined, the Dashboard List page appears; skip to step 3.

2. On the toolbar, click Dashboards.

The Dashboard List page appears.

3. Click Export next to the dashboard you want to export.

4. Follow your web browser’s prompts to save the exported package to your computer.

Exporting a Health Policy

Requires: DC/MDC

A health policy comprises the criteria used when checking the health of appliances in your deployment, that is, whether your Sourcefire hardware and software are working correctly.

To export a health policy:

Access: Maint/Admin

1. Select Operations > Monitoring > Health.

The Health Monitor page appears.

2. On the toolbar, click Health Policy.

The Health Policy page appears.

3. Click Export next to the policy you want to export.

4. Follow your web browser’s prompts to save the exported package to your computer.

Exporting an Intrusion Policy

Requires: IPS or DC/MDC

Intrusion policies include a variety of components that you can configure to inspect your network traffic for intrusions and policy violations. These components include preprocessors; intrusion rules that inspect the protocol header values, payload content, and certain packet size characteristics; adaptive profile configurations; RNA recommended rules configurations; and tools that allow you to control how often events are logged and displayed.


Exporting an intrusion policy exports all settings for the policy. For example, if you choose to set a rule to generate events, or if you set SNMP alerting for a rule, or if you turn on the SMTP preprocessor in a policy, those settings remain in place in the exported policy. Custom rules, custom rule classifications, and user-defined variables are also exported with the policy.

Note that if you export an intrusion policy that uses a layer that is shared by a second intrusion policy, that shared layer is copied into the policy you are exporting and the sharing relationship is broken. When you import the intrusion policy on another appliance, you can edit the imported policy to suit your needs, including deleting, adding, and sharing layers.

Also note the following if you export an intrusion policy from a Defense Center, and then import the policy onto a 3D Sensor:

• The Adaptive Profiles feature is ignored if it is enabled in the policy; you cannot configure or use adaptive profiles in an intrusion policy that you apply from a sensor. For more information, see Using Adaptive Profiles in the Analyst Guide.

• Any RNA-recommended rule states in the policy are used on the sensor by importing the built-in RNA Recommended Rules layer as a user layer located immediately above the base layer. Although you cannot configure RNA Recommended Rules on a sensor, you can use the imported RNA Recommended Rules layer as you would any other user layer. For more information, see Managing RNA Rule State Recommendations in the Analyst Guide and Working With Layers in the Analyst Guide.

IMPORTANT! You cannot use the Import/Export feature to update rules created by Sourcefire’s Vulnerability Research Team (VRT). To update rules, download and apply the latest SEU version; see Importing SEUs and Rule Files in the Analyst Guide.

To export an intrusion policy:

Access: P&R Admin/Admin

1. Make sure that the appliance where you are exporting the intrusion policy and the appliance where you plan to import the policy are running the same version of the Sourcefire 3D System, as well as the same version of the SEU.

If the versions of the Sourcefire 3D System and the SEU do not match, the import will fail.

2. Select Policy & Response > IPS > Intrusion Policy.

The Intrusion Policy page appears.

3. Click Export next to the intrusion policy you want to export.

Depending on the number of rules referenced by the policy you are exporting, the export process may take several minutes.

4. Follow your web browser’s prompts to save the exported package to your computer.


Exporting a PEP Policy

Requires: DC/MDC + IPS

PEP policies allow you to configure 3D9900 sensors to block, analyze, or pass traffic directly through the sensor with no further inspection by taking advantage of the hardware capabilities on those sensors.

To export a PEP Policy:

Access: P&R Admin/Admin

1. Make sure that the appliance where you are exporting the PEP policy and the appliance where you plan to import the PEP policy are running the same version of the Sourcefire 3D System.

If the versions of the Sourcefire 3D System do not match, the import will fail.

2. Select Policy & Response > PEP > Policy Management.

The PEP Policy Management page appears.

3. Click Export next to the policy you want to export.

4. Follow your web browser’s prompts to save the exported package to your computer.

Exporting an RNA Detection Policy

Requires: DC + RNA

RNA detection policies control how RNA events and flow data are collected, which network segments are monitored by a 3D Sensor with RNA and which are monitored with NetFlow-enabled devices, and whether traffic that travels from or to specific ports is excluded from monitoring.

To export an RNA detection policy:

Access: P&R Admin/Admin

1. Make sure that the Defense Center where you are exporting the detection policy and the Defense Center where you plan to import the detection policy are running the same version of the Sourcefire 3D System.

If the versions of the Sourcefire 3D System do not match, the import will fail.

2. Select Policy & Response > RNA > Detection Policy.

The Detection Policy page appears.

3. Click Export next to the policy you want to export.

4. Follow your web browser’s prompts to save the exported package to your computer.

Exporting a System Policy

Requires: Any

A system policy controls the aspects of an appliance that are likely to be similar for other Sourcefire 3D System appliances in your deployment, including database event limits, time settings, login banners, and so on.

Note that when you export a system policy from a Defense Center where external authentication is enabled, the Defense Center also exports the authentication objects on which the system policy depends. That is, if you set up authentication to an LDAP server on your Defense Center, and then export a Defense Center system policy with authentication enabled, the authentication object is exported as well.

Also note that system policies on Defense Centers contain database settings that do not apply to 3D Sensors. If you export a system policy from a 3D Sensor and then import it onto a Defense Center, the database limits that you could not configure on the sensor are set to the default values on the Defense Center.

To export a system policy:

Access: Admin

1. Make sure that the appliance where you are exporting the system policy and the appliance where you plan to import the system policy are running the same version of the Sourcefire 3D System.

If the versions of the Sourcefire 3D System do not match, the import will fail.

2. Select Operations > System Policy.

The System Policy page appears.

3. Click Export next to the system policy you want to export.

4. Follow your web browser’s prompts to save the exported package to your computer.

Exporting a User-Defined RNA Detector

Requires: DC + RNA

User-defined RNA detectors provide RNA with the information needed to identify non-standard services, including the port used by service traffic, a pattern within the traffic, or both the port and the pattern.

You can export user-defined RNA detectors and Sourcefire-provided detectors that you added to the Sourcefire 3D System using the Import/Export feature. However, you cannot export internal detectors or Sourcefire-provided detectors added via VDB update.

To export a user-defined RNA detector:

Access: P&R Admin/Admin

1. Make sure that the Defense Center where you are exporting the detector and the Defense Center where you plan to import the detector are running the same version of the Sourcefire 3D System.

If the versions of the Sourcefire 3D System do not match, the import will fail.

2. Select Policy & Response > RNA > RNA Detectors.

The RNA Detectors page appears.


3. Select the check box next to the detector you want to export and click Export.

Depending on how many detectors you have, the detector you want to export may not be on the first page. You can find it by paging through the detector list, or applying one or more filters. For more information, see Working with RNA Detectors in the Analyst Guide.

TIP! To export multiple detectors at once, select the check boxes next to the appropriate detectors, then click Export. You can also select all detectors in the current filtered view by selecting the check box at the top of the page.

4. Follow your web browser’s prompts to save the exported package to your computer.

Exporting Multiple Objects

Requires: IPS or DC/MDC

You can export several different objects at once (in a single package) using the Import/Export feature. When you later import the package onto another appliance, you choose which objects in the package to import.

The following table lists the objects that you can export from the various Sourcefire appliance types.

Objects with Import and Export Capability

Object                        Requires
Custom Tables                 DC/MDC
Custom Workflows              Any
Dashboards                    Any
Health Policies               DC/MDC
Intrusion Policies            IPS or DC/MDC + IPS
PEP Policies                  DC/MDC + IPS
RNA Detection Policies        DC
System Policies               Any
User-Defined RNA Detectors    DC


Depending on the type of object you are exporting, you should keep the following points in mind:

• You must make sure that the appliance you are using to export an object is running the same version of the Sourcefire 3D System as the appliance you plan to use to import the exported object. For intrusion policies, the SEU versions on both appliances must also match. If the versions do not match, the import will fail.

• If you cannot view the table on which a custom workflow is based on your appliance, you can import the workflow but will not be able to view it.

• The dashboard widgets that you can view depend on the type of appliance you are using and on your user role. For example, a dashboard created on the Defense Center and imported onto a 3D Sensor or Master Defense Center may display some invalid, disabled widgets.

• If you export an intrusion policy that uses a layer that is shared by a second intrusion policy, that shared layer is copied into the policy you are exporting and the sharing relationship is broken.

In addition, because RNA Recommended Rules and Adaptive Profiles are not supported on 3D Sensors, there are additional consequences if you export an intrusion policy from a Defense Center and then import the policy onto a 3D Sensor. For more information, see Exporting an Intrusion Policy on page 586.

IMPORTANT! You cannot use the Import/Export feature to update rules created by Sourcefire’s Vulnerability Research Team (VRT). To update rules, download and apply the latest SEU version; see Importing SEUs and Rule Files in the Analyst Guide.

• When you export a system policy from a Defense Center where external authentication is enabled, the Defense Center also exports the authentication objects on which the system policy depends.

Also note that if you export a system policy from a 3D Sensor and then import it onto a Defense Center, the database limits that you could not configure on the sensor are set to the default values on the Defense Center.

• You can export user-defined RNA detectors and Sourcefire-provided detectors that you added to the Sourcefire 3D System using the Import/Export feature. However, you cannot export internal detectors or Sourcefire-provided detectors added via VDB update.

For detailed information on exporting specific objects, see the following sections:

• Exporting a Custom Table on page 584

• Exporting a Custom Workflow on page 585


• Exporting a Dashboard on page 585

• Exporting a Health Policy on page 586

• Exporting an Intrusion Policy on page 586

• Exporting a PEP Policy on page 588

• Exporting an RNA Detection Policy on page 588

• Exporting a System Policy on page 588

• Exporting a User-Defined RNA Detector on page 589

Depending on the number of objects being exported and the number of objects those objects reference, the export process may take several minutes.

To export multiple objects:

Access: Admin

1. Make sure that the appliance where you are exporting the objects and the appliance where you plan to import the objects are running the same version of the Sourcefire 3D System. For intrusion policies, you must also make sure that the SEU version matches.

If the versions of the Sourcefire 3D System (and, for intrusion policies, the SEU version) do not match, the import will fail.

2. Select Operations > Tools > Import/Export.

The Import/Export page appears, including a list of the objects on the appliance.

TIP! You can click the collapse icon next to an object type to collapse the list of objects. Click the expand folder icon next to an object type to reveal objects.

The Defense Center version of the page is shown below with some object types collapsed.

3. Select the check boxes next to the objects you want to export and click Export.


4. Follow your web browser’s prompts to save the exported package to your computer.

Importing Objects

Requires: Any

After you export an object from another appliance, you can import it onto a different appliance as long as that appliance supports it. Note, however, that some imported objects may not be useful depending on the type of appliance you are using and on your user role. The following table lists the objects that you can import on the various Sourcefire appliance types.

Objects with Import and Export Capability

Object                        Requires
Custom Tables                 DC/MDC
Custom Workflows              Any
Dashboards                    Any
Health Policies               DC/MDC
Intrusion Policies            IPS or DC/MDC + IPS
PEP Policies                  DC/MDC + IPS
RNA Detection Policies        DC
System Policies               Any
User-Defined RNA Detectors    DC

Depending on the type of object you are importing, you should keep the following points in mind:

• You must make sure that the appliance where you are importing an object is running the same version of the Sourcefire 3D System as the appliance you used to export the object. For intrusion policies, the SEU versions on both appliances must also match. If the versions do not match, the import will fail.

• If your appliance does not allow you to view the table on which a custom workflow is based, you can import the workflow but will not be able to view it.


• The dashboard widgets that you can view depend on the type of appliance you are using and on your user role. For example, a dashboard created on the Defense Center and imported onto a 3D Sensor or Master Defense Center may display some invalid, disabled widgets.

• If you import an intrusion policy that used a shared layer from a second intrusion policy, the export process breaks the sharing relationship and the previously shared layer is copied into the package. In other words, imported intrusion policies do not contain shared layers.

In addition, because RNA Recommended Rules and Adaptive Profiles are not supported on 3D Sensors, there are additional consequences if you export an intrusion policy from a Defense Center and then import the policy onto a 3D Sensor. For more information, see Exporting an Intrusion Policy on page 586.

IMPORTANT! You cannot use the Import/Export feature to update rules created by Sourcefire’s Vulnerability Research Team (VRT). To update rules, download and apply the latest SEU version; see Importing SEUs and Rule Files in the Analyst Guide.

• When you import a system policy that was exported from a Defense Center where external authentication is enabled, you also import the authentication objects on which the system policy depends.

Also note that for a system policy exported from a 3D Sensor and then imported onto a Defense Center, the database limits that you could not configure on the sensor are set to the default values on the Defense Center.

Because you can export several different objects in a single package, when you import the package you must choose which objects in the package to import. You can only import objects that are supported on the destination appliance.

When you attempt to import an object, your appliance determines whether that object already exists on the appliance. If a conflict exists, you can keep the existing object, replace the existing object with a new object, keep the newest object, or import the object as a new object. If you import an object and then later make a modification to the object on the destination system, and then re-import the object, you must choose which version of the object to keep.

WARNING! If you import default policies or rules to an appliance, you cannot delete them.

Depending on the number of objects being imported and the number of objects those objects reference, the import process may take several minutes.


For information on using imported objects, see the following sections:

• Using Custom Tables in the Analyst Guide

• Using Custom Workflows in the Analyst Guide

• Working with Dashboards on page 89

• Applying Health Policies on page 528

• Applying an Intrusion Policy in the Analyst Guide

• Applying PEP Policies in the Analyst Guide

• Applying an RNA Detection Policy in the Analyst Guide

• Applying a System Policy on page 324

• Activating and Deactivating RNA Detectors in the Analyst Guide

To import one or more objects:

Access: Admin

1. Make sure that the appliance where you are exporting the objects and the appliance where you plan to import the objects are running the same version of the Sourcefire 3D System. For intrusion policies, you must also make sure that the SEU version matches.

If the versions of the Sourcefire 3D System (and, for intrusion policies, the SEU version) do not match, the import will fail.

2. Export the objects you want to import; see Exporting Objects on page 584.


3. On the appliance where you want to import the objects, select Operations > Tools > Import/Export.

The Import/Export page appears.

TIP! You can click the collapse icon next to an object type to collapse the list of objects. Click the expand folder icon next to an object type to reveal objects.

The Defense Center version of the page is shown below with some object types collapsed.

4. Click Upload Package.

The Upload Package page appears.

5. You have two options:

• Type the path to the package you want to upload.

• Click Browse to browse to locate the package.


6. Click Upload.

The result of the upload depends on the contents of the package:

• If the object and rule versions in the package exactly match versions that already exist on your appliance, a message appears indicating that the versions already exist. The appliance already has the most recent objects, so you do not need to import them.

• If there is a Sourcefire 3D System or SEU version mismatch between your appliance and the appliance where the package was exported, a message appears, indicating that you cannot import the package. Update the Sourcefire 3D System or the SEU version and attempt the process again.

• If the package contains any object or rule versions that do not exist on your appliance, the Package Import page appears. Continue with the next step.

7. Select the objects you want to import and click Import.

The import process occurs, with the following results:

• If the objects you import do not have previous revisions on your appliance, the import completes automatically and a success message appears. Skip the rest of the procedure.

• If the objects you import do have previous revisions on your appliance, the Import Resolution page appears. Continue with step 8.

8. Expand each object and select the appropriate option:

• To keep the object on your appliance, select Keep existing.

• To replace the object on your appliance with the imported object, select Replace existing.

• To keep the newest object, select Keep existing if newer.

• To save the imported object as a new object, select Import as new, and, optionally, edit the object name.

9. Click Import.

The objects are imported.

Appendix B: Purging the RNA and RUA Databases

Requires: DC + RNA or DC + RUA

You can use the RNA/RUA Event Purge page to purge files from the RNA and RUA databases. Note that if you purge database items from the RNA or RUA database, the RNA or RUA process is restarted.

WARNING! Purging a database removes the data you specify from the Defense Center. After the data is deleted, it cannot be recovered.

To purge the RNA database:

Access: RNA/Admin 1. Select Operations > Configuration > RNA/RUA Event Purge.

The RNA/RUA Event Purge page appears.

2. Under RNA Database, perform any or all of the following:

• Select RNA Events to remove all network discovery events from the RNA database.

• Select Hosts to remove all hosts from the RNA database.

• Select Flow Stats to remove all flow data from the RNA database.

• Select Flow Summary to remove all flow summary data from the RNA database.

3. Click Save & Restart RNA.

The items are purged and RNA is restarted.


To purge the RUA database:

Access: RNA/Admin 1. Select Operations > Configuration > RNA/RUA Event Purge.

The RNA/RUA Event Purge page appears.

2. Under RUA database, perform any or all of the following:

• Select RUA Events to remove all RUA events from the RUA events database.

• Select Users to remove all users from the RUA history database.

3. Click Save & Restart RUA.

The items are purged and RUA is restarted.

Appendix C: Viewing the Status of Long-Running Tasks

When you perform long-running tasks, such as applying a policy, pushing updates, installing software, and so on, the status of these tasks is reported in the task queue. The task queue provides information about complex tasks and reports when they are complete.

For more information, see the following sections:

• Viewing the Task Queue on page 600

• Managing the Task Queue on page 602

Viewing the Task Queue

Requires: Any

When you perform long-running tasks, such as applying a policy, pushing updates, installing software, and so on, the status of these tasks is reported in the task queue. The task queue provides information about complex tasks and reports when they are complete.


You view the task queue on the Task Status page, which automatically refreshes every 10 seconds. You can always see the status of tasks that you initiated; if your account has Administrator access, you can also see the status of every task regardless of who initiated it.

The Job Summary section displays the state of the tasks listed on the page, as described in the following table.

The Jobs section provides information about each task, including a brief description, when the task was launched, the current status of the task, and when the status last changed. Tasks of the same type appear together.

Task Queue Task Types

Task Type    Description
Running      The number of tasks currently in progress.
Waiting      The number of tasks waiting for an in-progress task to complete before running.
Completed    The number of tasks that completed, regardless of whether they succeeded.
Retrying     The number of tasks that are automatically retrying. Note that not all tasks are permitted to try again.
Failed       The number of tasks that did not complete successfully.


To view the task queue:

Access: Maint/P&R Admin/Admin

You have two options:

• If you manually launched the task, click the Task Status link in the notification box that appeared when you launched the task.

The Task Status page appears in a pop-up window.

• If you scheduled a task, or if a task was launched from a page you are not viewing, select Operations > Monitoring > Task Status.

The Task Status page appears.

For information on the actions you can perform on the Task Status page, see the next section, Managing the Task Queue.

Managing the Task Queue

Requires: Any

If you have Administrator, Maintenance, or Policy & Response Administrator access, there are several actions you can perform while viewing the task queue (see Viewing the Task Queue on page 600).

Task Queue Actions

To...                                             You can...
remove all completed tasks from the task queue    click Remove Complete Jobs.
remove all failed tasks from the task queue       click Remove Failed Jobs.
remove a single task from the task queue          click Delete next to the task you want to delete.
                                                  Note that you cannot delete a running task. If you
                                                  need to delete a running task (for example, if a task
                                                  repeatedly fails), contact Sourcefire Support.
collapse the view of tasks of the same type       click the collapse icon next to the task type for the
                                                  tasks you want to hide.
expand the view of tasks of the same type         click the expand folder icon next to the task type
                                                  for which you want to view individual tasks.


Glossary

3D Sensor An appliance-based sensor that, as part of the Sourcefire 3D System, can run the IPS component, the RNA component, the RUA component, or combinations of the components.

active detection The addition, to the network map, of data collected by active sources, such as host operating system and service information.

adaptive profile An intrusion policy profile that uses information from RNA host profiles to determine the operating system for the target host of a packet. Profiles within an intrusion policy then automatically adapt to cause the preprocessors to defragment IP packets and reassemble streams in the same way as the operating system on the target host and to cause Snort to analyze the data in the same format as that used by the destination host.

Administrator A type of user role that conveys rights to all Sourcefire 3D System functionality. Administrators can set up an appliance’s network configuration, manage user accounts, and configure system policies and system settings. Users with the Administrator role also have the access rights provided to the Intrusion Event Analyst, RNA Event Analyst, Policy & Response Administrator, and Maintenance User roles.

advanced feature setting An IPS component feature such as a layer, preprocessor, global rule thresholding, VLAN or subnetwork policy configuration, and so on that you enable, disable, or configure on web interface pages accessed by some means other than directly from the Policy Information page where basic feature settings are accessed.


advanced intrusion policy An intrusion policy with custom user layers, modified advanced feature settings, or both.

alert A message that notifies you when an intrusion event, health event, host input event, RNA event, RUA event, white list event, or compliance event is generated. You can send alerts to an external syslog server, a specific email address, or an SNMP trap server. See email alerting, SNMP alerting, and syslog alerting.

alert rule An intrusion rule that, when triggered, generates an intrusion event and logs the details of the packet that triggered the rule. Compare with pass rule and drop rule.

anomaly detection The detection of anomalous conditions in traffic rate or traffic content that indicate an attack.

audit log A record of user interactions with the web interface. The audit log comprises audit events.

audit event An event that describes a specific user interaction with the web interface. Each audit event contains a time stamp, the user name of the user whose action generated the event, a source IP address, and text describing the event. You can view audit events in the audit log.

banner The first 256 bytes of the first packet detected by a service. A banner is collected only once, the first time a service is detected by RNA. Banners provide additional context to the information gathered by RNA.

base policy A selectable set of configurations that can be any one of the default intrusion policies provided by Sourcefire or a custom user layer.

base policy layer A built-in layer in an intrusion policy comprised of all of the default basic feature settings and advanced feature settings for the IPS component. The default settings in the base policy layer are determined by the base policy selected for the intrusion policy.

basic feature setting An IPS component feature in a basic intrusion policy that you can access directly from the Intrusion Policy information page. Basic features include the policy name, description and protection mode, and management of detection engines, variables, rules, and RNA recommended rules.

basic intrusion policy An intrusion policy with no custom user layers and no modified advanced feature settings. Although layers are transparent to the user in a basic intrusion policy, a basic intrusion policy includes the read-only base policy layer, a modifiable system-defined user layer that is initially named My Changes and, optionally, a read-only RNA Recommendations layer immediately above the base policy. In addition to default basic feature settings, a basic intrusion policy also includes default advanced feature settings.


bit mask The notation used to identify which bits in an IP address correspond to the network address and subnet portions of the address.

bookmark A saved link to a specific location and time in an event analysis. Bookmarks retain information about the workflow you are using, the part of the workflow you are viewing, the page number within the workflow you are viewing, the time range you selected, and any columns you disabled as well as any constraints you imposed. The bookmarks you create are available to all users with unrestricted analyst access.

bridge A network device that forwards traffic between network segments. RNA identifies bridges as network devices that communicate using Cisco Discovery Protocol (CDP) or Spanning Tree Protocol (STP). RNA may identify switches as bridges.

built-in layer A read-only layer in an intrusion policy. An intrusion policy always includes a built-in base policy layer and, optionally, can include a built-in RNA Recommendations layer.

Classless Inter-Domain Routing (CIDR) notation A notation that defines IP address ranges by combining an IP address with a bit mask that signifies the subnet mask used to define the number of IP addresses in the specified range. For example, if you want to define the network described by 192.168.1.x with a subnet mask of 255.255.255.0, use 192.168.1.1/24, where 24 signifies the number of bits in the subnet mask.

client application An application that runs on one host and relies on another host (a server) to perform some operation. For example, email clients are client applications that allow you to send and receive email. When RNA detects that a user on a host is using a specific client application to access another host, it reports that information in the host profile and network map, including the name and version (if available) of the client application.

client application event Information that describes client application activity on monitored hosts. For each detected client application, RNA logs the IP address that used the application and when the application was last used, as well as the application name, version, and the number of times its use was detected.

clipboard A holding area where you can copy up to 25,000 intrusion events that you can later add to incidents. The contents of the clipboard are sorted by the date and time that the events were generated.

clustering A feature that allows you to increase the amount of traffic inspected on a network segment by connecting two fiber-based 3D9900 sensors in a clustered pair. When you establish a clustered pair configuration, you combine the 3D9900 sensors' resources into a single, shared configuration.


complex condition A complex way of qualifying compliance rules, flow trackers, host profile qualifications, and traffic profiles. A complex condition comprises at least two simple conditions, linked to each other with an AND or an OR operator.

complex constraint A constraint set in an event view or event search that constrains an event query using all the criteria from a specific event.

compliance event An event generated by the Defense Center when a compliance rule triggers. You can search, view, and delete compliance events and can configure the number of compliance events saved in the database. Note that white list events, generated by white list violations, are a special kind of compliance event.

compliance policy Describes the network activity that constitutes a security policy violation, using compliance rules and compliance white lists. You can specify responses to each rule or white list within a policy.

compliance rule Along with compliance white lists, one of the ways you can specify criteria that network traffic must meet in order to violate a compliance policy. You can use the Defense Center to configure compliance rules to trigger (and generate a compliance event) when a specific intrusion event, RNA event, or flow event occurs, or when your network traffic deviates from your normal network traffic pattern as characterized in a traffic profile. You can constrain compliance rules with host profile qualifications, flow trackers, snooze periods, and inactive periods. You can also configure the Defense Center to launch a response, such as an alert or remediation, when a compliance rule triggers.

compliance white list Along with compliance rules, one of the ways you can specify criteria that network traffic must meet in order to violate a compliance policy. You can use the Defense Center to configure compliance white lists to specify which operating systems, services, client applications, and protocols are allowed to run on the hosts in a specific subnet. You can also configure the Defense Center to launch a response, such as an alert or remediation, when a white list is violated. Note that a compliance white list is not associated with the white list of IP addresses that you can configure in certain remediations.

compliance white list event See white list event.

compliance white list violation See white list violation.

current identity The operating system or service identity that RNA finds most likely to be correct, which is used to assign host vulnerability, to assess impact of an attack, to evaluate compliance rules written against operating system identifications, host profile qualifications, and compliance white lists, to display in the Hosts and Services table views in workflows and in the host profile, and to calculate the operating system and service statistics on the RNA Statistics page.


custom fingerprint See fingerprint.

custom table A table you can construct that combines fields from two or more of the predefined tables delivered with the Sourcefire 3D System. For example, you could combine the host criticality information from the host attributes table with information from the flow data table to examine flow data in a new context. Custom tables include Sourcefire-defined custom tables, which are custom tables delivered with the Defense Center.

custom workflow A workflow that you create to meet the unique needs of your organization. Compare with predefined workflow and, on the Defense Center, saved custom workflow.

dashboard A display that provides tabs of at-a-glance information about many aspects of the performance on your Sourcefire 3D System. You can configure as many dashboards as you need and decide which dashboard widgets appear on each tab to fit your system monitoring needs. The dashboard appears as the default home page for all user roles except the restricted event analyst roles.

dashboard widget A dashboard widget provides status or performance information about a specific aspect of your Sourcefire 3D System. You can select which widgets to add to your dashboard.

data correlator A program that generates events and creates the network map on the Defense Center, using the data collected by RNA.

decoder A component of IPS that places sniffed packets into a format that can be understood by a preprocessor.

Defense Center A central management point that allows you to manage sensors and automatically aggregate the events they generate. You can also push policies created on the Defense Center and software updates to managed sensors. If you manage 3D Sensors with IPS and RNA with a Defense Center, the Defense Center correlates intrusion events with host vulnerabilities and assigns impact flags to the intrusion events. Impact correlation lets you focus on attacks most likely to affect high-priority hosts. The Defense Center also correlates intrusion information with user identity data from the RUA database.

defragmentation policy Describes how the IP defragmentation preprocessor (a component of IPS) should reassemble fragmented IP packets, based on the target host’s operating system. Note that adaptive profiles use adaptive defragmentation policies.

derived fingerprint An operating system fingerprint created by RNA from all passively collected fingerprints for a host by applying a formula which calculates the most likely identity using the confidence value of each collected fingerprint and the amount of corroborating fingerprint data between identities.


detection engine The mechanism that is responsible for analyzing the traffic on the network segment where a sensor is connected. A detection engine has two main components: an interface set and a detection resource. RNA uses RNA detection engines, IPS uses IPS detection engines, and RUA uses RUA detection engines.

detection policy See RNA detection policy.

detection resource A portion of a sensor's computing resources used as part of a detection engine.

DNS cache Temporary storage of previously resolved IP addresses. Configuring DNS caching allows you to resolve those IP addresses without performing additional lookups. This can reduce the amount of traffic on your network and speed the display of event pages.

drill-down page An intermediate workflow page used to constrain event views. Generally, a drill-down page presents constraints that you can select to advance to a more narrowly constrained page or a table view.

drop event An intrusion event generated when a drop rule triggers. Drop events are marked with black inline result flags on RNA compliance event views and IPS intrusion event views.

drop rule An intrusion rule whose rule state is set to Drop and Generate Events. When a malicious packet triggers the rule, IPS drops the packet and generates an intrusion event (specifically, a drop event). You can only use a drop rule within an inline intrusion policy that is applied to detection engines that are deployed inline. Compare with alert rule and pass rule.

dynamic rule state A rule state that is set for a specified period of time in response to a detected rate anomaly in traffic matching the rule.

email alerting The transmission of an alert as an email message.

eStreamer See Event Streamer.

event Information that is stored as an event. An event contains multiple fields that describe the activity that caused the event to be generated. IPS generates intrusion events, which also include drop events and preprocessor events. RNA generates network discovery events and flow events, as well as events that provide general information about your network topology: client application events, host events, host attributes, and service events. A vulnerability is also considered an RNA event. You can use the policy and response feature to configure your Defense Center to generate compliance events and white list events, as well as remediation status events. RUA generates RUA events when it detects user logins or user additions or deletions. In addition, every appliance generates records of user activity called audit events. The health monitor on the Defense Center also generates health events.


event analyst An event analyst examines event data collected by the Sourcefire 3D System. The Intrusion Event Analyst, RNA Event Analyst, and Restricted Event Analyst roles, or their read-only counterparts, can be assigned to a user to provide access to event analysis functionality.

Event Streamer Also known as eStreamer, a component of the Sourcefire 3D System that allows you to stream event data from a Defense Center or 3D Sensor to external client applications.

event suppression A feature that allows you to suppress intrusion events when a specific IP address or range of IP addresses triggers a rule. Event suppression is useful for eliminating false positives. For example, if you have a mail server that transmits packets that look like a specific exploit, you can suppress events for the rules that are triggered by your mail server, so that you only see the events for legitimate attacks.

event thresholding A feature that allows you to limit the number of times the system logs and displays an intrusion event, based on how many times the event is generated within a specified time period. Use event thresholding if you are overwhelmed with a large number of identical events.

event view A workflow view containing a set of events. You can constrain the events included in an event view using an event search or using simple constraints or complex constraints.

export A method that you can use to transfer various configurations from appliance to appliance. You can export intrusion policies, RNA detection policies, system policies, health policies, dashboards, custom workflows and tables, and some RNA detectors. After you export a configuration from one appliance, you can import it onto another appliance of the same type.

external authentication A method (such as LDAP authentication or RADIUS authentication) that uses externally stored user credentials to authenticate user names and passwords when users log into Sourcefire 3D System appliances. Compare with internal authentication.

fail-open card A network interface card that allows network traffic to pass through a 3D Sensor that uses IPS detection engines that are deployed inline, even if the appliance itself fails or loses power.

feature license A license you can add to an appliance that enables additional features, including NetFlow, Intrusion Agents, Sourcefire 3D Sensor Software for X-Series, Sourcefire Virtual 3D Sensors, and the ability to monitor a number of hosts with RNA or users with RUA.

fingerprint An established definition that RNA compares against specific packet header values and other unique data from network traffic to identify a host's operating system. If RNA misidentifies or cannot identify a host's operating system, you can create a custom fingerprint that identifies the host.

flow data See flow event.

flow event An event generated when RNA detects that a connection between a monitored host and any other host is terminated. Flow events include information about the collected traffic, including the first packet of the transaction, the last packet of the transaction, the source IP address and port, the destination IP address and port, the number of packets and bytes sent and received by the monitored host, and the client application and URL involved in the transaction, if applicable.

flow summary Flow data aggregated over a five-minute interval. You can choose to store flow data only as flow summaries to save disk space.

flow tracker One or more conditions that constrain a compliance rule so that after the rule’s initial criteria are met, RNA begins tracking certain flows. The rule then triggers only if the tracked flows meet additional criteria.

gateway A device that acts as an entrance to and controls traffic within your organization’s network. When you set up your 3D Sensor or Defense Center, you must specify the IP address of the gateway device for your network.

GID (generator ID) A number that indicates which component of the Sourcefire 3D System generated an intrusion event. GIDs help you analyze events more effectively by categorizing the type of event in the same way a rule’s SID offers context for the packets that trigger rules.

health alert An alert generated by the Defense Center or Master Defense Center when a specific health event occurs.

health event An event that is generated when one of the appliances in your deployment meets (or fails to meet) performance criteria specified in a health module. Health events indicate which module triggered the event and when the event was triggered.

health monitor A feature that continuously monitors the performance of the appliances in your deployment. The health monitor uses health modules to test various performance aspects of the appliances. You configure the health monitor using a health policy.

health monitor blacklist A blacklist that temporarily disables aspects of health monitoring to prevent the Defense Center from generating unnecessary health events. You can disable monitoring for a group of appliances, a single appliance, or a specific health module.

health module A test of a particular performance aspect of one of the appliances in your deployment. For example, you can monitor CPU usage or available disk space. You can configure health modules to generate health events and health alerts when the performance aspects they monitor reach a certain level.


health policy The criteria used when checking the health of an appliance in your deployment. Health policies use health modules to indicate whether your Sourcefire 3D System hardware and software are working correctly. The Defense Center and Master Defense Center are delivered with default health policies; you can modify them or create your own.

high availability A feature that allows you to designate redundant Defense Centers to manage groups of sensors. Event data streams from managed sensors to both Defense Centers and certain configuration elements are maintained on both Defense Centers. If your primary Defense Center fails, you can monitor your network without interruption using the secondary Defense Center.

hop The trip a packet takes from one router or intermediate point to another in the network. RNA detects the number of network hops that exist between the sensors and the hosts they monitor, which provides you with information about the physical location of the hosts on your network.

host A device that is connected to a network and has a unique IP address. To RNA, a host is any identified host that is not categorized as a bridge, router, NAT device, or load balancer.

host attribute A tool you can use to provide information about hosts detected by RNA and to classify them in ways that are important to your network environment. For example, you could create a host attribute that designates the physical location of each host on your network. You can use and configure the two predefined host attributes, host criticality and notes, as well as create your own host attributes. In addition, when you create a compliance white list, RNA automatically creates a host attribute that indicates the compliance of the host. You can use host attributes in compliance rules and compliance white lists, and you can search for hosts with specific host attribute values. You also can generate reports based on host attributes.

host criticality A host attribute that indicates the business criticality (importance) of any given host detected by RNA. You can use host criticality values when searching for hosts or when creating compliance rules and compliance white lists.

host event An event indicating that RNA has detected a host. RNA collects information about the hosts on monitored network segments. The information that RNA collects comprises that host’s host profile.

host import input data Host input data imported using a command line utility or the host input API.

host input A feature that allows you to import host data from third-party applications to augment the information in the RNA network map using scripts or command-line files. You can also use the host input feature through the web interface to modify operating system or service identities or to delete services, protocols, host attributes, or client applications.


host input event An event that is created when a change is made to your network map using the host input feature.

host profile Collected information about a specific host detected by RNA. This includes general host information, such as its name and operating system, as well as its user history, host attributes, the protocols it uses, the services it is running, VLAN information, client applications running on the host, applicable white list violations, detected vulnerabilities, and any scan results for that host.

host profile qualification A constraint placed on a traffic profile or compliance rule. A host profile qualification within a compliance rule specifies that the Defense Center should generate a compliance event only if the host involved meets certain criteria. A host profile qualification within a traffic profile limits the hosts that are profiled.

host statistics Information you can obtain about an appliance, including uptime, system memory usage, load average, disk usage, a summary of system processes, and, on the Defense Center, information about data correlator processes.

host view The final page in workflows based on RNA events (with the exception of workflows based on vulnerabilities, which use the vulnerability detail page). The host view displays the host profiles of the hosts involved in the events you are viewing.

HTTP Inspection A preprocessor that decodes and normalizes URI data sent to and received from web servers on your network, detects and generates events against possible URI-encoding attacks, and makes the normalized data available for additional rule processing. This is important because HTTP traffic can be encoded in a variety of formats, making it difficult for IPS to inspect packets accurately.

identity conflict A conflict event that occurs when RNA reports a new passive identity that conflicts with the current active identity and previously-reported passive identities.

impact The qualification of each intrusion event on a Defense Center based on whether RNA deployed on the same segment detected a vulnerable service or open port on the target of the attack. If the targeted host is not vulnerable, the impact of the attack is low. However, if the targeted host is vulnerable, then the impact is high and you should act to mitigate the effects of the attack.

impact flag For intrusion events, an indicator of the correlation between intrusion data, RNA network discovery events, and vulnerability information. A red impact flag means that the host is vulnerable to the attack represented by the intrusion event, orange means it is potentially vulnerable, and so on. Intrusion events detected on network segments not monitored by RNA have gray impact flags; this indicates that the Defense Center cannot determine the events’ impact.

import A method that you can use to transfer various configurations from appliance to appliance. You can import intrusion policies, RNA detection policies, system policies, health policies, dashboards, custom workflows and tables, and RNA detectors that you previously exported from another appliance of the same type.

inactive period An interval during which a compliance rule does not trigger. You can configure an inactive period to occur daily, weekly, or monthly and to begin at a specified time and last a specified number of minutes. For example, you might perform a nightly Nessus scan on your internal network to look for vulnerabilities. In that case, you could set a daily inactive period on the affected compliance rules for the time and duration of your scan so those rules do not trigger erroneously. See also snooze period.

incident One or more intrusion events that you suspect are involved in a possible violation of your security policy. The Sourcefire 3D System provides incident-handling features that you can use to collect and process information that is relevant to your investigation of the incident.

inline A type of interface set that allows you to deploy a 3D Sensor inline on a network. In this configuration, the IPS component can affect the traffic flow on the monitored network, including dropping malicious packets.

inline intrusion policy An intrusion policy that you apply to an IPS detection engine configured with an inline or inline with fail open interface set. Inline intrusion policies can contain intrusion rules that not only generate intrusion events based on network traffic content, but that also can drop malicious packets and replace their content with benign alternatives. You designate an intrusion policy as inline by setting the protection mode to inline. Compare with passive intrusion policy.

inline with fail open A type of interface set that allows you to use a compatible fail-open card that allows network traffic to continue flowing if the appliance fails for any reason.

interface set One or more sensing interfaces on a 3D Sensor that you can use to monitor network segments for one or more detection engines. You can use passive, inline, or inline with fail open interface sets.

internal authentication An authentication method that stores user credentials in a local database. When a user logs into the appliance, the user name and password are checked against the information in the database. Compare with external authentication.

intrusion A security breach, attack, or exploit that occurs on your network.

Intrusion Agent Software that can be installed on certain Red Hat Linux, FreeBSD or Sun Solaris servers to transmit intrusion events generated by Snort to the Defense Center. You can use the Defense Center to aggregate event information from Intrusion Agents with data from 3D Sensors with IPS.

intrusion event A record of the network traffic that violated an intrusion policy. Intrusion event data includes the date, time, and the type of exploit, as well as other contextual information about the source of the attack and its target.


intrusion policy Either a passive intrusion policy or an inline intrusion policy. Intrusion policies include a variety of components that you can configure to inspect your network traffic for intrusions and policy violations. These components include preprocessors; intrusion rules that inspect the protocol header values, payload content, and certain packet size characteristics; adaptive profile configuration; RNA recommended rules configuration; and tools that allow you to control how often events are logged and displayed.

intrusion rule A set of keywords and arguments that, when applied to captured network traffic, identify potential intrusions, policy violations, and security breaches. IPS compares packets against the conditions specified in each rule and, if the packet data matches all the conditions specified in the rule, the rule triggers and generates an intrusion event. Intrusion rules include alert rules, drop rules, and pass rules.

IP address A 32-bit (IPv4) or 128-bit (IPv6) number, usually represented in dot notation (for example, 192.168.34.166), that identifies the host that sends or receives packets on the Internet or on the local network.

IPS A component of the Sourcefire 3D System, separately licensable on 3D Sensors, that provides intrusion detection and prevention capabilities. If you configure a 3D Sensor with IPS with an inline or inline with fail open interface set and use an inline intrusion policy, you can alert on and drop malicious traffic. If instead you use the IPS component with a passive interface set and a passive intrusion policy, then the IPS component can only alert on malicious traffic and cannot affect the network traffic flow.

Intrusion Event Analyst

A user role that provides access to IPS analysis features, including intrusion event views, incidents, and reports. Intrusion Event Analysts see the main toolbar and IPS analysis-related options on the Analysis & Reporting and Operations menus. The Intrusion Event Analyst (Read Only) role provides read-only access to the same set of functions.

layer A complete set of option settings for all IPS features. In a basic intrusion policy, all layer interactions are transparent to the user. You can add custom user layers to the built-in layer or layers in your policy to create a more advanced intrusion policy. In either a basic intrusion policy or an advanced intrusion policy, the setting in a higher layer for an intrusion policy feature or feature option overrides a setting for the same feature or option in a lower layer.

LDAP authentication A form of external authentication that verifies user credentials by comparing them to a Lightweight Directory Access Protocol (LDAP) directory stored on an LDAP directory server.

link state propagation mode

An option you can enable for an inline interface set. With this option enabled, when one of the interfaces goes down the other interface in the set is automatically brought down within a few seconds. For copper fail-open NIMs, when the first interface comes back up the second interface comes up automatically. Link state propagation mode is also available for fiber interface cards, but that recovery is not automatic. To restore fiber interfaces you must reset the NIM. Crossbeam-based software sensors and 3D9800 sensors do not support this feature.

load balancer A network device that distributes network traffic to optimize performance and resource use. RNA identifies network devices as load balancers if the TTL value changes from the client side, or if the TTL value changes more frequently than a typical boot time. RNA distinguishes between load balancers and NAT devices depending on what side the analyzed traffic is coming from: server (load balancer) or client (NAT device).

MAC address Media Access Control address. A MAC address is a NIC’s (network interface card’s) unique hardware address. RNA detects the MAC addresses and hardware vendors of the NICs for the hosts and network devices on your network.

managed sensor A 3D Sensor, Intrusion Agent, or software sensor configured and managed by a Defense Center.

management interface

The network interface that you use to administer the Defense Center or 3D Sensor. In most installations, the management interface is connected to an internal, protected network. Compare with sensing interface.

Maintenance User A user role that provides access to monitoring and maintenance features. Maintenance users see the main toolbar and maintenance-related options on the Operations top-level menu.

Master Defense Center

A special-purpose appliance that is capable of aggregating intrusion events and compliance events from up to ten other Defense Centers. A Master Defense Center is also able to collect health status from its managed Defense Centers.

NAT device A network device that performs network address translation (NAT), most commonly to share a single internet connection among multiple hosts on a private network. RNA identifies network devices as NAT devices if the TTL value changes from the client side, or if the TTL value changes more frequently than a typical boot time. RNA distinguishes between load balancers and NAT devices depending on what side the analyzed traffic is coming from: server (load balancer) or client (NAT device).

Nessus An open source vulnerability scanner developed through the Nessus Project (http://www.nessus.org/) that uses Nessus plugins to test for vulnerabilities on the hosts that it scans.

Nessus plugin A Nessus script written in the Nessus Attack Scripting Language (NASL) that tests for a specific vulnerability on your system. Over 9000 Nessus plugins exist.


Nessus plugin family A group of Nessus plugins of a particular type. The Sourcefire 3D System integration with Nessus allows you to select the plugins used to scan by enabling or disabling plugin families.

Nessus scan A network scan for vulnerabilities that emulates the actions of an attacker. Nessus scans use plugin families (see Nessus plugin family) to test for specific vulnerabilities on your network. You can manually run Nessus scans, or you can schedule periodic scans. Within a compliance policy, you can configure a Nessus scan as a response (or remediation) to a compliance event or white list event.

NetFlow An open but proprietary network protocol for collecting IP traffic information, developed by Cisco Systems to run on Cisco IOS-enabled equipment. You can use the information collected by NetFlow-enabled devices to supplement the data collected by RNA and to monitor networks not covered by 3D Sensors with RNA.

network device In the Sourcefire 3D System, a bridge, router, NAT device, or load balancer.

network discovery event

A kind of RNA event that communicates the details of changes to the hosts on your monitored network. New events are generated for newly discovered network features, and change events are generated for any change in previously identified network assets. Settings in the system policy determine the types of network discovery events that are stored in the RNA database.

network map A detailed representation of your network generated by RNA. The network map allows you to view your network topology in terms of the hosts and network devices running on your network as well as their associated host attributes, services, and vulnerabilities.

Nmap An open source active scanner that you can use to detect operating systems and services running on a host. Running an Nmap scan adds the information detected to your network map.

Nmap scan A scan of a designated host or hosts to detect operating systems and services.

NTP Network Time Protocol. NTP uses Coordinated Universal Time (UTC time) to synchronize the computer clocks in a network. You can synchronize the Defense Center’s time with an NTP server. You can also configure a Defense Center as an NTP server so that managed sensors can synchronize time with it.

object, for import or export

A policy or rule that is created on an appliance and can be exported from that appliance and imported by another appliance. Depending on the type of appliance and the components you are licensed to use, you can import and export some RNA detectors, custom table views, custom workflows, dashboards, system policies, intrusion policies, custom intrusion rules and rule classifications, RNA detection policies, and health policies.


operating system identity

The operating system vendor and version details for an operating system on a host.

packet A unit of data routed between a source and a destination on a network. When data travels from one place to another on a network, the file is divided into chunks of an efficient size, called packets, for routing. The packets that comprise a single file may travel different routes through the network, but can be reassembled into the original file at the receiving end. If you are licensed for the IPS component, you can view the portion of a packet that was captured as part of an intrusion event.

packet decoder rule A rule associated with a detection option of the packet decoder included in the IPS component of the Sourcefire 3D System. You must enable packet decoder rules if you want them to generate events. Packet decoder rules have a GID (generator ID) of 116.

packet view A type of workflow page that provides detailed information about the packet that triggered an intrusion rule or the preprocessor that generated an intrusion event. The packet view is the final page in workflows based on intrusion events.

pass rule An intrusion rule that, when triggered, does not generate an intrusion event and does not log the details of the packet that triggered the rule. Pass rules allow you to prevent packets that meet specific criteria from generating an event in specific situations, as an alternative to disabling the intrusion rule. Compare with alert rule and drop rule.

passive A type of interface set that allows you to deploy a 3D Sensor passively on a network. In this configuration, the IPS component cannot affect the traffic flow, and should be used with a passive intrusion policy.

passive detection The detection of host operating system and service information through analysis of traffic passively collected by RNA.

passive intrusion policy

An intrusion policy applied to an IPS detection engine configured with a passive interface set. You can also apply a passive intrusion policy to an IPS detection engine that uses an inline or inline with fail open interface set. You designate an intrusion policy as passive by setting the protection mode to passive. Compare with inline intrusion policy.

payload In an event, the content of HTTP traffic detected by RNA, if available. Payload information consists of a payload type, which represents the general content type (for example, audio or video), and a payload, which represents the specific type of content (for example, WMV or QuickTime).

PCRE Perl-compatible regular expression. You can search packet payloads for content using PCREs. This is useful if you want to search for content that could be displayed in a variety of ways; the content may have different attributes that you want to account for in your attempt to locate it within a packet’s payload.


PEP A technology based on the hardware capabilities of 3D9900 interface sets that allows you to use a PEP policy for advanced traffic management.

PEP policy The criteria used when determining if a PEP-capable interface set should block, analyze, or send traffic directly through the sensor with no further inspection.

policy A mechanism for applying settings to an appliance or detection engine. See intrusion policy, passive intrusion policy, inline intrusion policy, defragmentation policy, compliance policy, RNA detection policy, health policy, PEP policy, system policy, and security policy.

policy and response A feature you can use to build a compliance policy that responds in real-time to threats on your network. In addition, the remediation component of policy and response provides a flexible API that allows you to create and upload your own custom remediation modules to respond to policy violations.

Policy & Response Administrator

A user role that provides access to rules and policy configuration. Policy & Response Administrators have access to the main toolbar and rule and policy-related options on the Policy & Response and Operations menus.

policy violation A security breach, attack, exploit, or other misuse of your network as detected by a compliance policy.

port The endpoint of a logical connection on a TCP or UDP network. Each port on a host has a number, which identifies the type of port. Many services have default ports; for example, HTTP traffic typically uses port 80. TCP and UDP use port numbers to separate data transmissions on the same network interface on the same host. With IPS, when you tune your intrusion policy, you can define, in both variables and rules, specific port numbers, such as ports susceptible to shell code exploits, HTTP (or web server) ports, and database server ports. This lets you specify the level of granularity of inspection so that rules execute against ports appropriate to your network needs.

portscan A form of network reconnaissance that is often used by attackers as a prelude to an attack. In a portscan, an attacker sends specially crafted packets to a targeted host. By examining the packets that the host responds with, the attacker can often determine which ports are open on the host and, either directly or by inference, which services are running on these ports.

predefined table A database table delivered with the Sourcefire 3D System. You can use the web interface to view the event information in the predefined tables. Predefined tables cannot be modified. Compare with custom table.

predefined workflow A workflow delivered with the Sourcefire 3D System. You cannot modify predefined workflows. Compare with custom workflow and saved custom workflow.


preprocessor A feature of IPS that normalizes traffic and helps identify network layer and transport layer protocol anomalies by identifying inappropriate header options, defragmenting IP datagrams, providing TCP stateful inspection and stream reassembly, and validating checksums. Preprocessors can also render specific types of packet data in a format that the detection engine can analyze; these preprocessors are called data normalization preprocessors, or application-layer protocol preprocessors. Normalizing application-layer protocol encoding allows the detection engine to effectively apply the same content-related rules to packets whose data is represented differently and obtain meaningful results. Preprocessors generate preprocessor events whenever packets trigger preprocessor options that you configure.

preprocessor event A type of intrusion event that is generated when a packet triggers specified preprocessor options. Preprocessor events can help you detect anomalous protocol exploits.

preprocessor rule A rule associated with a detection option of one of the preprocessors or with the portscan flow detector included in the IPS component of the Sourcefire 3D System. You must enable preprocessor rules if you want them to generate events. Preprocessor rules have a preprocessor-specific GID (generator ID).

private search A named set of search terms that is tied to your user account. Only you and users with Administrator access can use your private searches.

protection mode An intrusion policy setting that determines how IPS handles rule states set to Drop and Generate Events in an inline deployment. When you apply an inline intrusion policy to a detection engine on a 3D Sensor with an inline interface set, IPS drops packets that trigger enabled preprocessor rules, packet decoder rules, or intrusion rules that are set to Drop and Generate Events and generates events for the triggered rules.

protected network Your organization’s internal network that is protected from users of other networks by a device such as a firewall. Many of the intrusion rules delivered with the Sourcefire 3D System use variables to define the protected network and the unprotected (or outside) network.

RADIUS authentication

Remote Authentication Dial In User Service. RADIUS is an authentication protocol used to authenticate, authorize, and account for user access to network resources. You can create an external authentication object to allow Sourcefire 3D System users to authenticate through a RADIUS server.

rate filtering A form of anomaly detection that sets a new rule state for a rule based on the rate of matching traffic.

remediation An action that mitigates potential attacks on your system. You can configure remediations and, within a compliance policy, associate them with compliance rules and compliance white lists so that when they trigger, the Defense Center launches the remediation. This not only can automatically mitigate attacks when you are not immediately available to address them, but also can ensure that your system remains compliant with your organization’s security policy. The Defense Center ships with predefined remediation modules: three that are designed for particular firewalls and routers, one that lets you perform Nessus scans, one that lets you perform Nmap scans, and one that lets you set host attributes. You also can use a flexible API to create custom remediations.

remediation status event

An event generated when a remediation is launched.

replace rule When using an inline IPS detection engine, you use the replace keyword in a custom standard text rule to replace a specific string with exactly the same number of characters. This allows you to replace the content of malicious packets with benign alternatives. Only the first instance of the content found by the rule is replaced. The sensor automatically updates the packet checksum so that the destination host can receive the packet without error.
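The mechanism this entry describes, as an added illustration rather than Sourcefire or Snort code: the first match of a rule's content is swapped for a same-length benign string and the TCP checksum is recomputed so the receiving host still accepts the packet. The IP addresses, ports and payloads are constructed sample values.

```python
"""Added illustration (not Sourcefire or Snort code) of the 'replace rule'
mechanism: an inline sensor swaps the FIRST match of a rule's content for a
benign string of exactly the same length, then fixes the TCP checksum so the
destination host accepts the altered packet. Addresses, ports and payloads
below are constructed sample values."""
import struct

# Constructed sample endpoints used in the IPv4 pseudo-header.
SRC_IP = bytes([10, 0, 0, 1])
DST_IP = bytes([10, 0, 0, 2])
TCP_HDR_LEN = 20  # the constructed segments carry no TCP options


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the TCP segment with its
    checksum field (bytes 16-17) zeroed, exactly as a receiving host computes it."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return ones_complement_sum(pseudo + zeroed)


def set_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bytes:
    """Return the segment with a freshly computed checksum written in."""
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def build_tcp_segment(payload: bytes, src_ip: bytes, dst_ip: bytes,
                      sport: int = 40000, dport: int = 80) -> bytes:
    """Minimal PSH/ACK segment without options carrying the given payload."""
    header = struct.pack("!HHIIBBHHH",
                         sport, dport,
                         1, 1,                      # seq, ack (constructed)
                         (TCP_HDR_LEN // 4) << 4,   # data offset in 32-bit words
                         0x18,                      # flags: PSH, ACK
                         65535, 0, 0)               # window, checksum, urgent ptr
    return set_checksum(src_ip, dst_ip, header + payload)


def checksum_valid(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """True if the stored TCP checksum matches a recomputation."""
    stored = struct.unpack("!H", segment[16:18])[0]
    return tcp_checksum(src_ip, dst_ip, segment) == stored


def apply_replace(src_ip: bytes, dst_ip: bytes, segment: bytes,
                  content: bytes, replacement: bytes):
    """Emulate the replace keyword on one segment; returns (segment, replaced).

    Only the first occurrence of `content` in the payload is rewritten, the
    replacement must have the same number of bytes so the packet size and
    sequence numbers stay valid, and the TCP checksum is recomputed so the
    receiver does not discard the altered packet.
    """
    if len(content) != len(replacement):
        raise ValueError("replace requires exactly the same number of bytes")
    hdr_len = (segment[12] >> 4) * 4
    payload = segment[hdr_len:]
    idx = payload.find(content)
    if idx < 0:
        return segment, False
    new_payload = payload[:idx] + replacement + payload[idx + len(content):]
    return set_checksum(src_ip, dst_ip, segment[:hdr_len] + new_payload), True


if __name__ == "__main__":
    original = build_tcp_segment(b"say badword then badword", SRC_IP, DST_IP)
    altered, hit = apply_replace(SRC_IP, DST_IP, original, b"badword", b"*******")
    print(hit, altered[TCP_HDR_LEN:], checksum_valid(SRC_IP, DST_IP, altered))
```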

report profile A template for an event report. You can create and save custom report profiles. You can then manually run reports based on the profiles, or schedule the Sourcefire 3D System to generate reports automatically. You can use report profiles to add your company logo to reports, define the set of events that appear, specify the amount of detail, and specify the report’s output file format.

response A reaction to a compliance policy violation—either an alert or a remediation.

Restricted Event Analyst

A user role that can provide access to the same features as the Intrusion Event Analyst or RNA Event Analyst roles. You can restrict access by allowing access only to those events that match specified search criteria, or you can turn off access for an entire category of events. Restricted Event Analyst users see only the main toolbar and analysis-related options on the Analysis & Reporting and Operations menus. The Restricted Event Analyst (Read Only) role provides read-only access to the same set of functions.

RNA A component of the Sourcefire 3D System that is installed by default on the 3D Sensor and that passively analyzes your network traffic to provide you with a complete, persistent view of your network. RNA identifies new and changed hosts on your network as well as tracks the sessions involving monitored hosts. For each detected host, RNA discovers the services and client applications that the host uses as well as vulnerabilities to which the host is susceptible. Note that you must add a feature license in the form of an RNA host license on the Defense Center that manages the sensor before you can view RNA data.

RNA detection policy A policy that you apply to RNA detection engines that specifies the kinds of data RNA collects, as well as the network segments each RNA detection engine or NetFlow-enabled device monitors.

RNA detector An RNA detector provides RNA with the information needed to identify non-standard services, including the port used by service traffic, a pattern within the traffic, or both the port and the pattern. The Sourcefire 3D System is delivered with many internal RNA detectors, or you can create your own. In addition, Sourcefire may deliver additional RNA detectors that you can add to the Sourcefire 3D System via vulnerability database updates or via the Import/Export feature.

RNA event An event generated by RNA. RNA events include network discovery events, which communicate the details of changes to the hosts on your monitored network, and flow events, which are records of sessions involving monitored hosts. RNA events also include client application events, host events, host attributes, and service events, which provide general information about your network topology. A vulnerability is also considered an RNA event.

RNA Event Analyst A user role that provides access to RNA analysis features, including event views, network maps, host profiles, services, vulnerabilities, client applications, and reports. RNA Event Analysts see the main toolbar and RNA analysis-related options on the Analysis & Reporting and Operations menus. The RNA Analyst (Read Only) role provides read-only access to the same set of functions.

RNA Recommendations layer

A built-in layer in an intrusion policy that exists when you choose to allow IPS to modify the rule states of shared object rules and standard text rules to the states recommended by the RNA recommended rules feature. You cannot manually modify or remove this layer. IPS removes the layer when you stop using recommendations for a policy and restores it when you use them again.

RNA recommended rules

A feature that recommends which rules should be enabled or disabled in your intrusion policy, based on information from your RNA network map. You can choose to allow the system to modify rule states based on recommendations, in which case the system adds a read-only RNA Recommendations layer.

router A network device, located at a gateway, that forwards packets between networks. RNA identifies network devices as routers if they are detected communicating using CDP or if they meet other qualifying criteria. For example, if multiple hosts appear to be using the same MAC address, that MAC address is often identified as the router to which the multiple hosts are connected.

RUA Real-time User Awareness, also called RUA, allows your organization to correlate threat, endpoint, and network intelligence with user identity information.

RUA Agent An RUA Agent is an agent you install on a Microsoft Active Directory server to monitor users as they log into the network or when they authenticate against Active Directory credentials for any other reason.

RUA event An event generated by RUA in response to a detected user login or the addition or deletion of a user from the RUA database. RUA events are stored in the RUA database.

RUA user A user detected by RUA whose user identity data is stored in the RUA database.


rule A construct that provides criteria against which network traffic is examined. Rules can detect a variety of intrusions, attacks, exploits, and suspicious traffic. See compliance rule, intrusion rule, alert rule, pass rule, and drop rule.

rule state Whether an intrusion rule is enabled, disabled, or set to Drop within an intrusion policy. If you enable a rule, it is used to evaluate your network traffic; if you disable a rule, it is not used. A drop rule drops any packets that trigger the rule; note that you can set the Drop rule state only in an inline intrusion policy.

saved custom workflow

A custom workflow that is based on a custom table and delivered with the Defense Center. Unlike predefined workflows, you can modify saved custom workflows.

scheduled task An administrative task that you can schedule to run once or at recurring intervals. Depending on the appliance where you are creating the task, you can schedule tasks to run backups, apply an intrusion policy, generate reports, download and install SEUs, manage RNA recommended rules, run Nmap scans, run Nessus scans and synchronize Nessus plugins, download and install software and vulnerability database updates, and push downloaded updates to managed sensors.

security policy An organization's guidelines for protecting its network. For example, your security policy might forbid the use of wireless access points. A security policy may also include an acceptable use policy (AUP), which provides employees with guidelines of how they may use their organization’s systems. For example, your AUP might forbid the use of instant messaging client applications.

sensing interface A network interface on a sensor that you use to monitor a network segment. You can connect sensing interfaces to your network in various ways. How you plan to deploy your detection engines (passively or inline) affects how you connect them to your network. Compare with management interface.

sensitive data A preprocessor that detects sensitive data such as credit card numbers and Social Security numbers in ASCII text. This can be particularly useful for detecting accidental data leaks that can occur, for example, when an employee emails themselves a list of credit card numbers to work with at home.

sensor group On the Defense Center, a logical group that can contain one or more managed sensors so you can more readily manage them. For example, you can easily apply a system policy to, or install updates on, multiple sensors at once.

Series 1 appliance The first series of Sourcefire appliance models, including the following models: 3D500 PW, 3D1000 NH, 3D2000 NH, 3D2100 NH, 3D3000 JR, DC1000 JR, DC3000 JR, and the 3Dx800 sensor models.

Series 2 appliance The second series of Sourcefire appliance models, including the following models: 3D500 PB, 3D1000 PB, 3D2000 PB, 3D2100 FR, 3D2500 FR, 3D3500 FR, 3D4500 FR, DC1000 AL, DC3000 AL, and MDC3000 AL. All appliances currently shipping from Sourcefire, with the exception of the 3Dx800 models, are Series 2 appliances.

service Work performed by a server. NTP, SSH, HTTP, and AIM are examples of services.

service event An event indicating that RNA has detected a service running on a specific host. RNA collects information about all services run by hosts on monitored network segments. The information that RNA collects includes the name of the service, the protocol used by the service, the IP address of the host running a service, and the port on which the service is running.

service identity The service type, vendor, and version details for a service on a host.

SEU (Security Enhancement Update)

An as-needed product update that contains new and updated standard text rules and shared object rules. In addition, SEUs can provide your Defense Centers and 3D Sensors with an updated version of Snort, as well as features such as new preprocessors and decoders.

shared object rule An intrusion rule delivered as a binary module compiled from C source code. You can use shared object rules to detect attacks in ways that standard text rules cannot. You cannot modify the rule keywords and arguments in a shared object rule; you are limited to either modifying variables used in the rule, or modifying aspects such as the source and destination ports and IP addresses and saving a new instance of the rule as a custom shared object rule. Shared object rules have a GID (generator ID) of 3.

SID A unique identifying number assigned to each intrusion rule. When you create a new rule or modify an existing standard text rule, it is given a SID (Signature ID, also called Snort ID) of 1,000,000 or greater. The SIDs for shared object rules and standard text rules delivered with the Sourcefire 3D System are lower than 1,000,000. Also, preprocessors and decoders use SIDs to identify the different types of packets they detect.

simple condition A single constraint placed on a compliance rule, flow tracker, host profile qualification, or traffic profile. You can link simple conditions with other simple or complex conditions using AND or OR operators.

simple constraint A simple constraint sets a single constraint on the events retrieved in an event view or event search.

SNMP alerting The transmission of an alert as an SNMP trap. Each event SNMP trap contains information identifying the server's name, the sensor’s IP address, and the event data.

SNMP trap A message sent by a network device on UDP port 162 using the Simple Network Management Protocol (SNMP) when errors or specific events occur on the network. See also SNMP alerting.


snooze period An interval specified in seconds, minutes, or hours after a compliance rule triggers during which the Defense Center stops firing that rule, even if the rule is violated again during the interval. When the snooze period has elapsed, the rule can trigger again (and start a new snooze period). See also inactive period.

Snort An open-source intrusion detection system that performs real-time traffic analysis and packet logging on IP networks. Snort can perform protocol analysis, content searching and matching, and can detect a variety of attacks and probes. Snort uses a flexible rules language to describe network traffic that it should collect or pass. The IPS detection engines use Snort to test packets against decoders, preprocessors, and intrusion rules.

Sourcefire-defined custom table

A table that is delivered with the Defense Center that contains fields from two or more predefined tables.

standard text rule An intrusion rule created based on the identifiers, keywords and arguments available in the rule editor. You can create your own custom standard text rules and modify existing standard text rules provided by Sourcefire. A standard text rule has a GID (generator ID) of 1.

stateful inspection A preprocessor that makes sure that only packets that are part of a TCP session established with a legitimate three-way handshake between a client and server can generate intrusion events. This allows analysts to focus on these events rather than the volume of events caused by denial of service (DoS) attacks like stick or snot.
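The behaviour this entry describes, as an added illustration that is not Sourcefire or Snort code: payload is handed to content matching only for flows whose three-way handshake the sensor observed, so packets that merely look like session data but belong to no established session, the pattern produced by IDS-flooding tools, generate no event. The hosts, ports and payloads are constructed sample values.

```python
"""Added illustration (not Sourcefire or Snort code) of stateful inspection:
a flow tracker that advances NEW -> SYN_SEEN -> SYNACK_SEEN -> ESTABLISHED and
inspects payload only once the handshake has completed. Hosts, ports and
payloads below are constructed sample values."""
from dataclasses import dataclass

# TCP flag bits
SYN = 0x02
ACK = 0x10
PSH = 0x08


@dataclass
class Flow:
    """Handshake progress for one bidirectional 4-tuple."""
    state: str = "NEW"      # NEW -> SYN_SEEN -> SYNACK_SEEN -> ESTABLISHED
    client: tuple = None    # (ip, port) of the side that sent the SYN


class StatefulInspector:
    def __init__(self, rule_content: bytes):
        self.rule_content = rule_content  # content a simple alert rule looks for
        self.flows: dict = {}
        self.events: list = []            # (src, dst) pairs that produced an event
        self.out_of_session = 0           # payload packets refused inspection

    @staticmethod
    def _key(src, sport, dst, dport):
        # Same key for both directions of the conversation.
        return tuple(sorted([(src, sport), (dst, dport)]))

    def process(self, src, sport, dst, dport, flags, payload=b"") -> str:
        """Advance handshake state, then inspect payload only if ESTABLISHED.

        Returns "HANDSHAKE", "INSPECTED" or "NOT_IN_SESSION".
        """
        flow = self.flows.setdefault(self._key(src, sport, dst, dport), Flow())
        if flags & SYN and not flags & ACK:
            flow.state, flow.client = "SYN_SEEN", (src, sport)
        elif flags & SYN and flags & ACK and flow.state == "SYN_SEEN":
            flow.state = "SYNACK_SEEN"
        elif (flags & ACK and flow.state == "SYNACK_SEEN"
              and (src, sport) == flow.client):
            flow.state = "ESTABLISHED"
        if not payload:
            return "HANDSHAKE"
        if flow.state != "ESTABLISHED":
            # Data with no observed handshake: the flood pattern of stick/snot.
            self.out_of_session += 1
            return "NOT_IN_SESSION"
        if self.rule_content in payload:
            self.events.append((src, dst))
        return "INSPECTED"


def demo():
    """Legitimate handshake plus data, then 100 forged PSH/ACK packets that
    carry matching content but belong to no session."""
    insp = StatefulInspector(b"badword")
    client, server = "10.0.0.5", "10.0.0.80"
    insp.process(client, 50000, server, 80, SYN)
    insp.process(server, 80, client, 50000, SYN | ACK)
    insp.process(client, 50000, server, 80, ACK)
    real = insp.process(client, 50000, server, 80, PSH | ACK, b"hello badword")
    flood = [insp.process("10.0.0.9", 1000 + i, server, 80, PSH | ACK, b"badword")
             for i in range(100)]
    return insp, real, flood


if __name__ == "__main__":
    inspector, real_result, flood_results = demo()
    print(real_result, len(inspector.events), inspector.out_of_session)
```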

stream reassembly A preprocessor that IPS uses to collect and reassemble all of the packets that are part of a TCP session’s server-to-client or client-to-server communication stream. Stream reassembly allows the detection engine to inspect the stream as a single entity rather than only the individual packets, which allows the detection engine to identify stream-based attacks.

subnet detection A feature that allows RNA to automatically determine the closest subnets to each RNA detection engine and then make recommendations about which detection engines should be the reporting detection engines for specific subnets.

subnet mask A bit mask used to identify which bits in an IP address correspond to the network address, and which correspond to the subnet portion of the address.

suppression See event suppression.

switch A multiport bridge.

syslog A logging system, also called the system log, used by many operating systems. You can configure the Defense Center or 3D Sensor to perform syslog alerting.

syslog alerting The transmission of an alert as a message to an external syslog server. All syslog messages include both a facility and a priority level. The facility indicates the subsystem (for example, FTP, NTP, or MAIL) that created the message and the priority defines the importance of the message.
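The facility and priority encoding just described, as an added example. This is not code from the Sourcefire guide; it implements the standard syslog PRI header from RFC 3164 and RFC 5424 (PRI = facility × 8 + severity, with the facility and severity names those RFCs define), and the sample messages are constructed for the example.

```python
"""Decode syslog facility and priority, as an added example.

Not code from the Sourcefire guide. It implements the standard syslog PRI
encoding (RFC 3164 / RFC 5424): the message starts with "<PRI>" where
PRI = facility * 8 + severity, facility 0-23 names the originating subsystem
and severity 0 (emergency) to 7 (debug) gives the importance. The sample
messages below are constructed.
"""
import re

FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(pri):
    """Split a numeric PRI into (facility, severity) names."""
    if not 0 <= pri <= 191:            # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def encode_pri(facility, severity):
    """Inverse of decode_pri, e.g. for building a test message."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def parse_syslog(line):
    """Return facility, severity and the text after the PRI header."""
    m = _PRI_RE.match(line)
    if m is None:
        raise ValueError("missing <PRI> header")
    digits = m.group(1)
    if digits != str(int(digits)):     # "<01>" is not a valid PRI: no leading zeros
        raise ValueError("malformed PRI: %r" % digits)
    facility, severity = decode_pri(int(digits))
    return {"facility": facility, "severity": severity, "body": m.group(2)}


def at_least(lines, min_severity):
    """Keep messages whose severity is min_severity or more urgent (lower number)."""
    limit = SEVERITIES.index(min_severity)
    kept = []
    for line in lines:
        rec = parse_syslog(line)
        if SEVERITIES.index(rec["severity"]) <= limit:
            kept.append(rec)
    return kept


# Constructed sample messages (not real sensor output).
SAMPLE = [
    "<13>Jan  1 12:00:00 sensor1 snort[1234]: example alert at user.notice",
    "<83>Jan  1 12:00:01 sensor1 sshd[99]: example failure at authpriv.err",
    "<36>Jan  1 12:00:02 sensor1 login: example warning at auth.warning",
]
```

When a collector filters on priority, remember that the numeric severity is inverted: 0 is the most urgent, so "warning or worse" means severity 4 or lower, as `at_least` implements.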

system policy Settings that are likely to be similar for multiple appliances in a deployment, such as access configuration, authentication profiles, database limits, DNS cache settings, the mail relay host, a notification address for database prune messages, language selection (English or Japanese), login banner, RNA settings, and time synchronization settings. You can configure a system policy on a Defense Center and then apply the policy to the Defense Center and its managed sensors.

system settings Settings that are specific to a single appliance, such as appliance name, IP address, time settings, licensing, and remote management settings. You can also use the system settings pages to shut down or reboot an appliance and to restart its software.

table view A type of workflow page that displays event information. Table views include a column for each of the fields in the database. For example, the table view of intrusion events includes columns such as Time, Priority, Impact Flag, Source IP, and Destination IP. As another example, the table view of RNA network discovery events includes such columns as Time, Event, IP Address, MAC Address, and so on. Generally, you use drill-down pages to constrain the events you want to investigate before moving to the table view that shows you the details about the events you are interested in. The table view is the next to last page in predefined workflows; advancing from the table view leads to the packet view (for workflows based on intrusion events), the host view (for workflows based on RNA events), the vulnerability detail page (for workflows based on vulnerabilities), or the user identity view (for workflows based on RUA events).

tap mode A setting for an inline interface set on a 3D3800, 3D5800, 3D9800, or 3D9900 sensor where a copy of each packet is sent to the sensor and the network traffic flow is undisturbed instead of the packet flow passing through the sensor. Because you are working with copies of packets rather than the packets themselves, you cannot use drop rules or replace rules as you can with a sensor that is deployed in the packet stream.

task queue A queue of jobs that the Defense Center or 3D Sensor needs to perform. When you apply a policy, push updates, install software, and perform other long-running jobs, the jobs are queued and their status reported on the Task Status page. The Task Status page provides a detailed list of jobs and refreshes every ten seconds to update their status.

three-way handshake The process two hosts use to establish a TCP connection. The originating host sends a SYN (synchronize) packet to the destination host; the destination replies with its own SYN combined with an ACK (acknowledgement) of the originator's SYN; the originator then returns an ACK that acknowledges the destination's SYN/ACK. With IPS, you can configure intrusion rules to evaluate data only in established TCP sessions (those in which a three-way handshake has occurred) or in all traffic, including orphaned packets.
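The behaviour described under stateful inspection, stream reassembly and the handshake entry above, modelled in one added example. This is not code from the Sourcefire guide or from Snort; it is a minimal tracker that only hands packets from a completed handshake to a content match, and that reorders each direction's segments by sequence number so a signature split across two segments is still found. The Packet record, the SessionTracker class, the addresses, the packets and the signature are all this example's own constructions.

```python
"""Stateful inspection plus stream reassembly, as an added example.

Not code from the Sourcefire guide or from Snort: a minimal model of what the
stateful inspection and stream reassembly preprocessors do before a content rule
runs. Only packets belonging to a session that completed the three-way handshake
are inspected, and each direction's segments are put back in sequence order so a
signature split across segments is still found. Packets, addresses and the
signature are constructed for the example.
"""
from collections import namedtuple

# Constructed packet record; flags holds TCP flag letters, e.g. "S", "SA", "A", "PA".
Packet = namedtuple("Packet", "src dst flags seq payload")


class SessionTracker:
    """Tracks handshake state per (client, server) pair and buffers payloads."""

    def __init__(self):
        self.state = {}    # (client, server) -> SYN_SENT | SYN_RECEIVED | ESTABLISHED
        self.streams = {}  # (client, server) -> {"c2s"|"s2c": {seq: payload}}

    def feed(self, pkt):
        """Update state; return the session key if pkt is part of an established session, else None."""
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        flags = set(pkt.flags)
        if flags == {"S"}:                      # client SYN opens a tentative session
            self.state[fwd] = "SYN_SENT"
            return None
        if flags == {"S", "A"}:                 # server SYN/ACK must answer a seen SYN
            if self.state.get(rev) == "SYN_SENT":
                self.state[rev] = "SYN_RECEIVED"
            return None
        if "A" not in flags:
            return None
        if self.state.get(fwd) == "SYN_RECEIVED":   # client's final ACK completes the handshake
            self.state[fwd] = "ESTABLISHED"
        if self.state.get(fwd) == "ESTABLISHED":
            key, direction = fwd, "c2s"
        elif self.state.get(rev) == "ESTABLISHED":
            key, direction = rev, "s2c"
        else:
            return None                          # orphaned packet: no handshake seen (stick/snot-style noise)
        if pkt.payload:
            self.streams.setdefault(key, {}).setdefault(direction, {})[pkt.seq] = pkt.payload
        return key

    def reassemble(self, key, direction):
        """Join buffered segments in sequence order (no overlap or gap handling here)."""
        segs = self.streams.get(key, {}).get(direction, {})
        return b"".join(segs[seq] for seq in sorted(segs))


def inspect(packets, signature):
    """Compare a packet-by-packet match with a match on the reassembled client-to-server stream."""
    tracker = SessionTracker()
    inspected = 0
    per_packet_hits = 0
    for pkt in packets:
        key = tracker.feed(pkt)
        if key is None:
            continue                   # stateful inspection: never reaches the rule
        inspected += 1
        if signature in pkt.payload:
            per_packet_hits += 1
    stream_hits = sorted(k for k in tracker.streams if signature in tracker.reassemble(k, "c2s"))
    return {"inspected": inspected, "per_packet_hits": per_packet_hits, "stream_hits": stream_hits}


SIGNATURE = b"/etc/passwd"
SAMPLE_PACKETS = [
    # Orphan: matches the signature but never completed a handshake, so it is not inspected.
    Packet("192.0.2.9", "10.0.0.80", "PA", 5000, b"GET /etc/passwd HTTP/1.0\r\n"),
    # Legitimate session, with the request split across two out-of-order segments.
    Packet("10.0.0.5", "10.0.0.80", "S", 100, b""),
    Packet("10.0.0.80", "10.0.0.5", "SA", 9000, b""),
    Packet("10.0.0.5", "10.0.0.80", "A", 101, b""),
    Packet("10.0.0.5", "10.0.0.80", "PA", 118, b"sswd HTTP/1.0\r\n"),
    Packet("10.0.0.5", "10.0.0.80", "PA", 101, b"GET /../../etc/pa"),
]

if __name__ == "__main__":
    print(inspect(SAMPLE_PACKETS, SIGNATURE))
```

Run stand-alone, the orphan packet produces no event even though its payload contains the signature, the per-packet match over the real session finds nothing, and only the reassembled client-to-server stream matches. A real preprocessor also has to handle overlapping and retransmitted segments, which this model omits.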

thresholding See event thresholding.

traffic profile A profile of the traffic on your network, based on flow data collected by RNA over a time span that you specify. You can create profiles using all the traffic on a monitored network segment, or you can create more targeted profiles using criteria based on the data in flow events. Then, you can use the policy and response feature to detect abnormal network traffic by evaluating new traffic against an existing profile.

transparent inline mode A setting for inline interface sets that causes the 3D Sensor to forward packets regardless of whether they contain MAC addresses that are valid for the monitored network.

unidentified host A host whose operating system cannot be identified because RNA has not yet gathered enough information about the host. Compare with unknown host.

unknown host A host whose traffic has been analyzed by RNA, but whose operating system does not match any known fingerprints. Compare with unidentified host.

Unified file A binary file format that the Sourcefire 3D System uses to log event data.

user identity view The user identity view provides details on RUA users and a host history with a graphic representation of the last twenty-four hours of the user’s activity.

user input data Host input data added through the Sourcefire 3D System user interface by setting or modifying an identity.

user layer A layer in an intrusion policy where you can modify the basic feature settings and advanced feature settings in the policy.

UTC time Coordinated Universal Time. Often equated with Greenwich Mean Time (GMT), UTC is the standard time reference common to every place in the world. The Sourcefire 3D System uses UTC, although you can display local time using the Time Zone feature.

variable A representation of a value that is commonly used in intrusion rules. The Sourcefire 3D System uses pre-configured variables to define networks and port numbers. Rather than hard-coding these values in multiple rules, you change the variable's value once to tailor the rules that reference it to your network environment. You can set a variable's value within an intrusion policy or for a specific IPS detection engine.

VLAN A virtual local area network. VLANs map hosts not by geographic location, but by some other criterion (such as by department or primary use). This is useful if you want to separate hosts into small, logical network segments. A host’s host profile shows any VLAN information associated with the host. VLAN information is included in intrusion events (as the innermost VLAN tag in the packet that triggered the event). You can filter intrusion policies by VLAN, or target compliance white lists by VLAN.
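How the innermost tag is located in a tagged frame, as an added example. This is not code from the Sourcefire guide; it walks the standard 802.1Q/802.1ad tag stack (TPID followed by a TCI whose low 12 bits are the VLAN ID) and the sample frames and MAC addresses are constructed.

```python
"""Find the innermost VLAN tag in an Ethernet frame, as an added example.

Not code from the Sourcefire guide. It walks the standard tag stack: after the
6-byte destination and 6-byte source MAC, each 4-byte VLAN tag is a 2-byte TPID
(0x8100 for 802.1Q, 0x88A8 for 802.1ad QinQ, 0x9100 as a legacy QinQ value)
followed by a 2-byte TCI whose low 12 bits are the VLAN ID; the first non-tag
EtherType ends the stack. Sample frames are constructed.
"""
import struct

VLAN_TPIDS = (0x8100, 0x88A8, 0x9100)


def parse_vlan_tags(frame):
    """Return (vlan_ids outer-to-inner, payload EtherType, payload offset)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12                      # skip destination and source MAC
    vids = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated EtherType")
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype not in VLAN_TPIDS:
            return vids, ethertype, offset + 2
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        vids.append(tci & 0x0FFF)    # drop the 3-bit PCP and 1-bit DEI
        offset += 4


def innermost_vid(frame):
    """The VLAN ID an intrusion event would record, or None for an untagged frame."""
    vids, _, _ = parse_vlan_tags(frame)
    return vids[-1] if vids else None


def build_frame(vids, ethertype, payload):
    """Construct a frame carrying the given VLAN IDs (outer first); 802.1ad TPID on the outer tag of a stack."""
    frame = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    for i, vid in enumerate(vids):
        tpid = 0x88A8 if (i == 0 and len(vids) > 1) else 0x8100
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


# Constructed sample frames: a QinQ frame (outer 100, inner 200) and an untagged one.
IPV4_STUB = bytes([0x45]) + bytes(19)
QINQ_FRAME = build_frame([100, 200], 0x0800, IPV4_STUB)
UNTAGGED_FRAME = build_frame([], 0x0800, IPV4_STUB)
```

The length checks matter: a truncated tag stack must raise rather than read past the frame, and the PCP/DEI bits must be masked off or a frame with a non-zero priority would report a VLAN ID above 4095.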

vulnerability A description of a specific compromise to which a host is susceptible. The Defense Center provides information on the vulnerabilities to which each of your hosts is vulnerable in the hosts’ host profiles. In addition, you can use the vulnerabilities network map to obtain an overall view of the vulnerabilities that RNA has detected on your entire monitored network. If you deem that a host or hosts is no longer vulnerable to a specific compromise, you can deactivate, or mark as invalid, a specific vulnerability.

vulnerability database A database of known vulnerabilities to which hosts may be susceptible. The database includes such details as the vulnerability title and identification number, a technical description, whether any exploits are known to take advantage of the vulnerability, known solutions, and so on. RNA correlates the operating system and services detected on each host with the vulnerability database to help you determine whether a particular host increases your risk of network compromise.

vulnerability detail page A page in a workflow that provides information about a specific vulnerability, including technical details and known solutions. The vulnerability detail page is the final page in workflows based on vulnerabilities.

white list Either a compliance white list or a list of IP addresses that you can configure within a remediation to exempt the IP addresses from some kind of action. For example, you could configure a firewall-based remediation to block all hosts that trigger a specific compliance rule, with the exception of hosts specified in a white list.

white list event An event generated when RNA detects that a valid target host has become non-compliant with a compliance white list. For example, you can configure the Defense Center to generate a white list event when RNA detects a new non-compliant service running on a target host. Note that a white list event is a special kind of compliance event.

white list violation An event generated when RNA determines that a host is out of compliance with a compliance white list. The Sourcefire 3D System includes workflows that allow you to view each of the individual white list violations, as well as the number of violations per host.

whois A mechanism for finding contact and registration information for IP addresses. If your Defense Center or 3D Sensor is connected to the Internet, you can use the web interface to look up information about an IP address using the whois feature, which uses ARIN's (American Registry for Internet Numbers) WHOIS service.

widget See dashboard widget.


workflow A series of pages you can use to view and evaluate events by moving from a broad view of event data to a more focused view that contains only the events of interest to you. Workflows can include three types of pages, each of which performs a unique function: drill-down pages, table views, and a final page (which could be, depending upon the type of analysis you are performing, a packet view, host view, vulnerability detail page, or user identity view). IPS provides two categories of workflows: predefined workflows and custom workflows. The Defense Center provides three categories of workflows: predefined workflows, custom workflows, and saved custom workflows.


Index

Numerics

3D Sensors 15, 16
  adding to a Defense Center 117
  deleting 121
  deleting 3Dx800s 127
  disabling communications 138
  health policy 491
  host name 137, 146
  management concepts 100
  managing 99, 113
  managing 3Dx800s 125
  resetting communications 128
  resetting management 122
  restarting 137
  sensor attributes 133
  sensor information 135
  Sensors page 115
  stopping 137
  time sync 139
  unregistering 153
  updating 405, 406
3D9900s
  clustering 227
  hardware alert details 560
3Dx800s
  health policy 491, 495
  managing 107, 125, 127
  resetting communications 128

A

access list 325
access requirements conventions 39
accessing the appliance 21, 23
Active Directory 282
adding sensors to a Defense Center 117
Admin access 305
appliance groups 179
  creating 180
  deleting 181
  editing 180
appliance heartbeat monitoring 485, 501
appliance information 135, 362
appliance status widget 67
Application 212
asynchronous routing and interface sets 216
audit log
  time window 29
audit log settings 327
auditing
  audit records 566
  field descriptions 575
  introduction 566
  searching 575
  understanding 574
  viewing 567
authentication objects 269
  creating 269


  deleting 298
  editing 286
  LDAP 269, 270
  RADIUS 287
authentication profiles 329
Auto MDI/MDIX 382
Automatic Application Bypass 212
automatic application bypass monitoring 502

B

backup and restore 413
  remote backups 419
  scheduling backups 428
backup files
  creating 414
  location 418
  restoring 421
backup profiles 418
blacklists
  health monitoring 534, 537
  Master Defense Center 184
  system settings 362, 391
browser requirements 21
bypass mode for fail open fiber interfaces 225, 226

C

card reset monitoring 505
CIDR notation 41
client application timeout (RNA settings) 343
client requirements 21
clustering 3D9900s 227
communications channel 113, 383
compliance events
  aggregating 158
  dashboard widgets 67
context menus 36
conventions
  access requirements 39
  platform requirements 38
correlator process 473
CPU temperature monitoring 485, 503
CPU usage monitoring 485, 504
Crossbeam-based sensors 20, 110
CSV reports 259
current sessions widget 69
current time 87
custom
  login banner 341
  report footers 259
custom analysis widget
  configuring 72
  enabling 331
  understanding 69

D

dashboards 59, 89
  adding widgets 95
  custom dashboards 89
  default dashboard 35, 59
  deleting 97
  home page 60
  modifying 93
  properties 93
  settings 331
  tabs 94, 95
  viewing 91
  widgets 60, 64
data correlator process monitoring 485, 506
database
  limits 332
  purging 598
DC500 limitations 18
default detection engines 191
Defense Center 99
  adding sensors 117
  deleting sensors 121
  disabling communications 138
  health status 486, 507
  managing 3D Sensors 113
  managing with a Master Defense Center 156
  resetting management 122
  restarting managed sensors 137
  time sync 139
  updating 402
Defense Center groups 179
  creating 180
  deleting 181
  editing 180
  managing 179
Defense Center, introduction 17
detection engine groups 197
  creating 197
  deleting 199


detection engines
  and IPS 189
  assign variable values 200
  creating 193
  creating variables 202
  default 191
  definition 186
  deleting 197
  deleting variables 203
  detection engine groups 197
  detection engine types 194
  editing 194
  interface set types 187
  introduction 185
  managing 193
  resetting variables 203
  understanding 186
  variables 199
DHCP 378
disabling
  communications between appliances 138
  high availability 153
disk usage monitoring 486, 508
disk usage widget 80
DNS
  configuring the cache 337
  primary server 378
  secondary server 378
  tertiary server 378
documentation
  conventions 38
  resources 37
domain name 378
drop new hosts (RNA settings) 343

E

email notification 338
email relay host 338
Enabling Fail-Safe 213
eStreamer 20
  process monitoring 486, 509
event aggregation 157
  compliance events 158
  intrusion events 158
  limitations 159
event database limits 332
event logging (RNA settings) 345
event preferences 27
event stream monitoring 511
event stream process monitoring 486
events
  reports 235
  restoring events from backup files 424
  time window 29
expanding time window 29
exporting
  custom tables 584
  custom workflows 585
  dashboards 585
  health policies 586
  introduction 583
  intrusion policies 586
  multiple objects 590
  policies 584
  RNA detection policies 588
  RNA detectors 589
  system policies 588
external authentication 269, 287

F

failed logins 304
fan monitoring 486, 512
feature licenses
  adding 370
  viewing 372
filter configuration 176
first boot instructions 44
Frames 212

G

global policy management 161
graphs
  health monitoring 553
  performance statistics 476
groups
  appliance groups 179
  Defense Center groups 179
  detection engines 197
  sensor groups 131


H

hardware alerts for 3Dx900s 560
hardware monitoring 486, 513
health alerts 539, 540
  creating 540
  deleting 544
  editing 543
  understanding 542
health events 555
  field descriptions 562
  searching 563
  table view 561
  understanding 556
  viewing 556
health modules 485
  blacklisting 537
  running all modules 550
  running specific modules 551
health monitor
  blacklist 362, 534, 537
health monitor process monitoring 487
health monitoring
  alerts 539
  appliance monitoring 547
  blacklists 391
  configuring 489
  creating alerts 540
  default health policy 493
  deleting alerts 544
  editing alerts 543
  events 555
  graphs 553
  health modules 485
  health monitor 545
  health policies 484
  introduction 482
  link state propagation 518
  power supplies 522
  running health modules 550, 551
  status icons 549
  status indicators 547
  time window 29
  troubleshooting 554
  understanding 483
  understanding alerts 542
health policies 484
  applying 528
  configuring 489
  creating 497
  defaults 490
  deleting 533
  editing 530
  exporting 586
health status monitoring 514
high availability 112, 145, 146, 148
  configuration guidelines 149
  disabling 153
  health monitoring blacklist 535
  monitoring 152
  pausing communications 154
  restarting communications 154
  setting up 150
  shared configurations 146
  shared policies 147
  understanding 148
home page 35
  dashboards 60
host statistics 464
host timeout, RNA settings 342
hostname 378
HTML reports 259

I

ICSA-compliant syslog formats 581
importing
  introduction 583
  policies 593
initial setup 43
  admin user tasks 53
  Defense Centers 47
  IPS analyst user tasks 57
  maintenance user tasks 54
  Policy and Response Admin user tasks 55
  RNA analyst user tasks 56
interface sets 207
  asynchronous routing 216
  creating 213
  definition 187
  deleting 223
  editing 221
  forcing into bypass mode 226
  interface status widget 68
  interface traffic widget 81
  introduction 185
  link state propagation mode 211
  multiple inline interface sets 216
  tap mode 210
  transparent inline mode 209
  types 187, 209
interface status widget 68
interface traffic widget 81


introduction 14
intrusion agents 19, 106
  licenses 370
intrusion events
  aggregating 158
  widget 81
intrusion policies
  exporting 586
  preferences 339
  scheduling policy applications 446
  system policy preferences 336
IPS
  introduction 16
IPS analyst access 306
IPS event rate monitoring 487, 511, 515
IPS process monitoring 487, 516

J

jumbo frames 212

L

language 340
last successful login 25
LDAP 266, 269, 280
  Active Directory server 282
  attribute mapping 274
  authentication profiles 329
  authentication server 270
  examples 281
  group access settings 275
  logging in 23
  managing user accounts 302
  OpenLDAP directory server 281
  settings 271
  shell access 278
  Sun directory server 284
licenses
  adding 370
  feature licenses 370
  managing 364
  NetFlow 373, 376
  product licensing widget 84
  requesting 370
  RNA hosts 373, 374
  RUA users 374, 375
  verifying 368
  viewing 372
link mode, editing 380
link state propagation 211
  monitoring 518
link state propagation monitoring 487
local time 87
local vs. remote policies 102
logging into the appliance 21
  using LDAP 23
logging out of the appliance 24
login banner 341

M

mail relay host 338
Maintenance access 305
management interface 378
management virtual network 383
managing
  3D Sensors 99
  3Dx800s 107, 125, 127
  Defense Centers 156
  managed sensor system settings 133
  sensors 100, 113
  time settings 139
Master Defense Center 156
  adding a Defense Center 165, 168
  appliance groups 179
  deleting a Defense Center 171
  editing settings for the Defense Center 175
  event aggregation 157
  filter configuration 176
  global policy management 161
  health policies 162
  intrusion policies 161
  managing Defense Centers 156
  policy limitations 163
  RNA detection policies 162
  system policies 162
  system settings 181
  updating 402
MDC event service monitoring 487, 519
memory usage monitoring 487, 520
multiple inline interface sets 216


N

NAT, working in NAT environments 112
Nessus scans
  scheduling plugin synchronization 452
  scheduling scans 450
NetFlow
  adding devices 392
  licenses 370, 373, 376
  system settings options 362
network address translation, see NAT
network compliance widget 82
network gateway 378
network interfaces 380
network settings
  configuring 377
  using DHCP 378
  using static 379
Nmap scans, scheduling 454

O

OpenLDAP 274, 281

P

password settings 303
passwords
  changing 311
  failed logins 304
  force reset 304
  password options 304
  strength check options 304
passwords, changing 25
PDF reports 259
peer manager 151
PEP status monitoring 487
performance statistics 476, 478
platform requirements conventions 38
plugins, scheduling plugin synchronization 452
Policy & Response Admin access 306
power supply monitoring 488, 522
preferences 25
  changing passwords 25
  event preferences 27
  home page 35
  intrusion policies 339
  time zone 34
  widgets 64
primary Defense Center 148, 149, 150
product licensing widget 84
product updates widget 85
prohibit packet transfer to the Defense Center 135
purging the RNA/RUA databases 598

R

RADIUS 287
  connection settings 288
  creating authentication objects 287
  custom attributes 293
  editing authentication objects 298
  examples 295
  shell access 292
  testing authentication 294
  user roles 290
read only access 305, 306
refresh interval 29
registration ID 151
registration key 112, 151, 166, 169
remote backups 419
remote management 383, 386
remote reports 240
remote storage 393
  local storage 393
  NFS 394
  SMB 396
  SSH 395
  system settings options 362
remote storage, reports 239
remote vs. local policies 102
report designer 246
report profiles
  creating 246
  deleting 263
  introduction 241
  predefined 242
  using 260
  viewing generated reports 238
reports
  creating report profiles 246
  deleting 239
  deleting report profiles 263
  downloading 238
  footers 259
  from event views 235


  introduction 232
  predefined profiles 242
  remote reports 240
  remote storage 239
  report profiles 241
  scheduling reports 448
  using a report profile 260
  viewing generated reports 238
requesting feature licenses 370
Requires conventions 38
resetting management 122
restarting the appliance 382
restoring from backup files 421
Restricted event analyst access 306, 307
right-click menus 36
RNA 15
  introduction 15
  performance statistics 478, 479, 481
  purging the database 598
  RNA settings in system policies 342
  subnet detection (system policy) 349
  summary reports 257
rna (executable name) 475
RNA analyst access 305
RNA detection policies
  exporting 588
  system policy preferences 336
RNA detectors
  exporting 589
RNA events, purging the database 598
RNA for Red Hat Linux 20, 109
RNA health monitoring 488, 523
RNA host usage monitoring 488, 524
RNA process monitoring 488, 525
RNA recommended rules
  scheduling 456
RNA settings 347
RNA subnet detection settings 349
RSS feed widget 86
RUA
  licenses 370, 374, 375
  purging RUA events 598
  system policy settings 352
rule classifications
  exporting 587

S

scheduling tasks
  backups 428
  deleting 461
  editing 461
  introduction 425
  intrusion policy applications 446
  Nessus scans 450
  Nmap scans 454
  recurring tasks 426
  reports 448
  RNA recommended rules 456
  SEU imports 444
  software downloads 431
  software installs 435
  software pushes 433
  software updates 430
  synchronizing Nessus plugins 452
  using the calendar 459
  using the task list 460
  VDB downloads 438
  VDB installs 442
  VDB pushes 440
  VDB updates 437
  viewing 458
searching
  audit records 575
  CIDR notation 41
  health events 563
secondary Defense Center 148, 149, 150
SecurID 22, 23, 24
sensor groups
  creating 131
  deleting 133
  editing 132
  managing 131
sensor list 115
service timeout (RNA settings) 342
serving time to managed sensors 357
session logouts 22
sessions, current sessions widget 69
setup instructions 43, 44
SEUs, scheduling imports 444
shell access 278, 292
shutting down the appliance 382
sliding time window 29
software sensors 105
software updates 398
  installing 400
  scheduling downloads 431
  scheduling installs 435
  scheduling pushes 433
  scheduling updates 430
static time window 29
statistics
  performance 476, 478


statistics refresh interval 29
status, tasks 600
store events only on Defense Center 135
subnet detection, system policy settings 349
Sun directory server 284
syslog
  filter examples 581
  filter syntax 579
  four-digit years 581
  viewing 578
system daemons 471
system load widget 87
system management
  backup and restore 413
  IPS performance statistics 476
  RNA performance statistics 478
  software updates 398
  system policies 320
  system settings 360
  uninstalling software updates 409
  VDB updates 398
system monitoring
  disk usage 468
  host statistics 464
  introduction 463
  system processes 468
  system status 468
system monitoring, system load widget 87
system policies 320
  access list 325
  applying 324
  audit log 327
  authentication profiles 329
  creating 321
  custom login banner 341
  dashboard settings 331
  database limits 332
  deleting 325
  detection policy preferences 336
  DNS cache 337
  editing 323
  exporting 588
  language 340
  mail relay host 338
  multiple fingerprint settings 345
  RNA data storage 342
  RNA settings 342, 347
  RUA settings 352
  service vulnerability mapping 358
  subnet detection settings 349
  time sync 354
  vulnerability impact assessment settings 345
system processes
  understanding 471
  viewing 468
system settings 360
  appliance information 362
  introduction 360
  licenses 364
  managing with a Defense Center 133
  Master Defense Center 181
  NetFlow-enabled devices 392
  network settings 377
  remote management 383, 386
  remote storage 393
  restarting the appliance 382
  shutting down the appliance 382
  time sync 389
system time widget 87
system utilities and executables 473

T

tap mode 210
task queue 600
  managing 602
  viewing 600
testing authentication 280
time sync 354, 357
  Master Defense Center 183
  serving time 357
  setting manually 389
  setting time on a managed sensor 139
time sync, system time widget 87
time synchronization monitoring 488, 526
time window 29
  default setting 29
time zone 34
timeout
  DNS cache option 337
  session logout 24
  session logouts 22
traffic status monitoring 488, 527
transparent inline mode 209
troubleshooting files 554

U

unauthorized activity 23


uninstalling software updates 409
unique NAT ID 112, 386
updating
  managed 3D Sensors 405
  unmanaged 3D Sensors 406
updating the software 400
  product updates widget 85
user accounts
  access types 304
  account management 264
  creating 300
  deleting 312
  editing 306
  externally authenticated user accounts 302
  LDAP users 302
  managing 299
  menu access per access type 312
  password options 304
  password settings 303
  privileges 267
  shell access 278, 292
  user authentication 264
  viewing 299
user authentication 264
  external authentication 266
  internal authentication 266
user preferences 25
  changing event preferences 27
  changing passwords 25
  home page 35
  time zone 34
user roles 304

V

variables
  and detection engines 199
  assigning values for detection engines 200
  creating in detection engines 202
VDB updates 410
  scheduling downloads 438
  scheduling installs 442
  scheduling pushes 440
  scheduling updates 437
vulnerability database
  updating 398
vulnerability lookup (RNA settings) 345
vulnerability mapping for services 358

W

web browser requirements 21
what’s next? 52
white lists
  network compliance widget 82
  white list events widget 88
widgets 60
  adding to a dashboard 95
  appliance status 67
  availability 61
  compliance events 67
  current sessions 69
  custom analysis 69
  deleting 97
  disk usage 80
  interface status 68
  interface traffic widget 81
  intrusion events 81
  minimizing and maximizing 97
  moving 97
  network compliance 82
  predefined 61, 65
  preferences 64
  product licensing 84
  product updates 85
  RSS feeds 86
  system load 87
  system time 87
  white list events 88
workflows, default workflows 32