QAHandbookSourcefire.docx

QAHandbookSourcefire.docx

《QAHandbookSourcefire.docx》由会员分享，可在线阅读，更多相关《QAHandbookSourcefire.docx（9页珍藏版）》请在冰豆网上搜索。

QAHandbookSourcefire

Sourcefire3DSensorSoftware

Handbook

Version:

V1.0

Contents

1.Introduction1

2.Component1

3.Prerequisite2

4.Basictopologyandconfiguration3

4.1IDSInternalTAP3

4.2IDSExternalTAP4

5.DefenseCenterOperations5

6.Teststeps9

7.DebugmethodsandKnownissues9

1.Introduction

TheSourcefire3DSystemprovidesyouwithreal-timenetworkintelligenceforreal-timenetworkdefense.Ithasthetoolsyouneedto:

discoverthechangingassetsandvulnerabilitiesonyournetwork,determinethetypesofattacksagainstyournetworkandtheimpacttheyhavetoyourbusinessprocesses,anddefendyournetworkinrealtime.

TIPS:

1.1Wherecanwegetthesourcefiresoftware?

Locatethedirectorytothe/software/cbsnas2/SourceFire/4.10.0/,youcandownloadthesoftwarewhichyouwanttoinstalltotheXOSandinstallit.

1.2AbouttheDefenseCenterupgrading

ThenewestDefenseCenterversionis4.10.2.2,youcandownloadandinstallthenewestpatchfrom/software/cbsnas2/SourceFire/4.10.2.2,pleaseseethe“5DefenseCenter-->Bynavigation:

Operations→Update:

”

1.3TheDefenseCenter’sIPaddressis192.168.213.231,thepasswordissameastheusernameadmin

1.4InordertoinstalltheSourcefire,theharddiskismustrequired.

1.5Knownissue:

thepolicyforthenetwork/vlan,therelevantebasicpolicy（InitialInlinePolicy/InitialPassivePolicy）needstobeinstalledfirstly,afterthat,theuser’spolicyshouldbeinstalled.

2.Component

SourcefireIPS,theintrusiondetectionandpreventioncomponent

SourcefireRNA,theReal-timeNetworkAwarenesscomponent

SourcefireRUA,theReal-timeUserAwarenesscomponent

SourcefireDefenseCenter

TIP!

Sourcefire3DSensorSoftwareforX-SeriesPlatformcanrunIPSandRNAbutnotRUA.

3.Prerequisite

TheX-SeriesPlatformisinstalledandconfigured

TheX-SeriesPlatformisrunningXOSversion9.0orlatereachCPMhasamininumof4GBofRAMeachAPMhasamininumof2GBofRAMandalocalharddiskxslinux_v5vap-groupavailableandaccessibleDefenseCenter（192.168.213.231）correctcbipackage.

4.Basictopologyandconfiguration

IPSmode

circuitbr

device-namebr

vap-groupsf

circuitins

device-nameins

vap-groupsf

promiscuous-modeavtive

circuitouts

device-nameouts

vap-groupsf

promiscuous-modeactive

bridge-modebrtransparent

circuitins

circuitouts

interfacegigabitethernet1/1

logical-allins

circuitins

interfacegigabitethernet1/2

logical-allouts

circuitouts

4.1IDSInternalTAP

circuitins

device-nameins

vap-groupfw

ip-forwarding

ip16.0.0.100/24

vap-groupsf

promiscuous-mode

circuitouts

device-nameouts

vap-groupfw

ip-forwarding

ip17.0.0.100/24

interfacegigabitethernet1/1

logicalins

circuitins

interfacegigabitethernet1/2

logicalouts

circuitouts

4.2IDSExternalTAP

TheconfigurationsaboutXOS:

circuitmonitor

device-namemonitor

vap-groupsf

promiscuous-mode

interfacegigabitethernet1/1

logical-allmonitor

circuitmonitor

TheconfigurationsCiscoSwitch:

monitorsession1sourceinterfacegi0/1

monitorsession1destinationinterfaceGi0/7encapsulationdot1qingressdot1qvlan2407<---有VLAN的配置方法

monitorsession1destinationinterfaceGi0/7ingressdot1qvlan1<---没有VLAN的配置方法

5.DefenseCenterOperations

DCaccess

Sensorcreation

Bynavigation:

Operations→Sensors:

Interface-Setcreation

Bynavigation:

Operations→InterfaceSets:

DetectionEnginecreation

Bynavigation:

Operations→DetectionEngines:

Sensorupdate

Bynavigation:

Operations→Update:

Rulescreation/modification

Bynavigation:

Policy&Response→IPS→InstrusionPolicy:

Policycreation/push

Logs

Bynavigation:

Analysis&Reporting→IPS→InstrusionEvents:

6.Teststeps

InstallXOS

Setbasicconfiguration（vap-group,mgmt,iproute,bridgeorTAP）

CopytheSFinstallationcbipackageto/crossbeam/apps/archive

InstallSFbyCLIcommand“application….”eachparameterandreloadvap-group

WebaccesstoDC

CreatesensorperVAP

CreateInterface-SetperVAP

CreateDetectionEngine

Updatesensorfrom4.10.0torequiredversion（4.10.22）

Createspecficrules

Createpolicyandaddrules

Sendtrafficandverify

7.DebugmethodsandKnownissues

7.1CapturethepackageintheVAP

7.1.1[root@x82admin]#rshsf410_1

7.1.2runthecommand“source/opt/sf/profile”

sf410_1（x82）:

~#source/opt/sf/profile

7.1.3Capturethepackageontheinterfacetapcir）

sf410_1（x82）:

~#/opt/sf/usr/sbin/tcpdump-i%Xtapcir

7.2SincetheLogabouttheSFisveryslowly,wecanusethetool“sflib.sh”tocheckoutthelogimmediately.

7.2.1Copythescriptsflib.shtothe/tmp（CPM）

7.2.2Changetheattributeofthisfile

7.2.3Runthescript

sourcesflib.sh

7.2.4Runthecommand“setlog”

7.2.5RestarttheserviceaboutSF

7.2.6Runthecommand“chklog”

7.2.7Finally,runthecommand“outlog”tocheckoutthelog