QAHandbookSourcefire.docx
QA Handbook Sourcefire
Sourcefire 3D Sensor Software
Handbook
Version: V1.0
Contents
1. Introduction
2. Component
3. Prerequisite
4. Basic topology and configuration
4.1 IDS Internal TAP
4.2 IDS External TAP
5. Defense Center Operations
6. Test steps
7. Debug methods and Known issues
1. Introduction
The Sourcefire 3D System provides you with real-time network intelligence for real-time network defense. It has the tools you need to: discover the changing assets and vulnerabilities on your network, determine the types of attacks against your network and the impact they have on your business processes, and defend your network in real time.
TIPS:
1.1 Where can we get the Sourcefire software?
Go to the directory /software/cbsnas2/SourceFire/4.10.0/; from there you can download the software you want to install to the XOS and install it.
1.2 About the Defense Center upgrading
The newest Defense Center version is 4.10.2.2; you can download and install the newest patch from /software/cbsnas2/SourceFire/4.10.2.2. Please see "5 Defense Center --> By navigation: Operations → Update".
1.3 The Defense Center's IP address is 192.168.213.231; the password is the same as the username, admin.
1.4 In order to install the Sourcefire software, a hard disk is required.
1.5 Known issue:
For the policy of a network/VLAN, the relevant basic policy (Initial Inline Policy / Initial Passive Policy) needs to be installed first; after that, the user's policy should be installed.
2. Component
Sourcefire IPS, the intrusion detection and prevention component
Sourcefire RNA, the Real-time Network Awareness component
Sourcefire RUA, the Real-time User Awareness component
Sourcefire Defense Center
TIP!
Sourcefire 3D Sensor Software for X-Series Platform can run IPS and RNA but not RUA.
3. Prerequisite
The X-Series Platform is installed and configured
The X-Series Platform is running XOS version 9.0 or later
Each CPM has a minimum of 4 GB of RAM
Each APM has a minimum of 2 GB of RAM and a local hard disk
xslinux_v5 vap-group available and accessible
Defense Center (192.168.213.231)
Correct cbi package
4. Basic topology and configuration
IPS mode
circuit br
  device-name br
  vap-group sf
circuit ins
  device-name ins
  vap-group sf
    promiscuous-mode active
circuit outs
  device-name outs
  vap-group sf
    promiscuous-mode active
bridge-mode br transparent
  circuit ins
  circuit outs
interface gigabitethernet 1/1
  logical-all ins
    circuit ins
interface gigabitethernet 1/2
  logical-all outs
    circuit outs
4.1 IDS Internal TAP
circuit ins
  device-name ins
  vap-group fw
    ip-forwarding
    ip 16.0.0.100/24
  vap-group sf
    promiscuous-mode
circuit outs
  device-name outs
  vap-group fw
    ip-forwarding
    ip 17.0.0.100/24
interface gigabitethernet 1/1
  logical ins
    circuit ins
interface gigabitethernet 1/2
  logical outs
    circuit outs
4.2 IDS External TAP
The XOS configuration:
circuit monitor
  device-name monitor
  vap-group sf
    promiscuous-mode
interface gigabitethernet 1/1
  logical-all monitor
    circuit monitor
The Cisco switch configuration:
monitor session 1 source interface gi0/1
monitor session 1 destination interface Gi0/7 encapsulation dot1q ingress dot1q vlan 2407   <--- configuration with a VLAN
monitor session 1 destination interface Gi0/7 ingress dot1q vlan 1   <--- configuration without a VLAN
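A small checker for XOS circuit configurations in the shape of the TAP sections above, added here as an example (it is not part of the handbook or of XOS). It parses the indented circuit/vap-group/interface statements and reports two things a QA run should confirm before sending traffic: a circuit referenced from an interface that is never defined, and a circuit bound to the sensor vap-group (assumed to be "sf", as in the handbook) that lacks promiscuous-mode, without which the sensor will not see the tapped traffic. The sample config is constructed from the Internal TAP section.

```python
# Added example (not from the handbook): parse an XOS-style circuit config and
# check the bindings a passive sensor needs. Sample config constructed here.
SAMPLE_CONFIG = """\
circuit ins
  vap-group fw
    ip-forwarding
  vap-group sf
    promiscuous-mode
circuit outs
  vap-group fw
interface gigabitethernet 1/1
  logical ins
    circuit ins
interface gigabitethernet 1/2
  logical outs
    circuit outs
"""

def parse_xos(text):
    # -> ({circuit: {vap_group: set(keywords)}}, [circuits referenced from interfaces])
    circuits, refs, circuit, vap, in_iface = {}, [], None, None, False
    for raw in text.splitlines():
        if not raw.strip():
            continue
        words = raw.split()
        if not raw[0].isspace():                 # top-level statement
            circuit, vap, in_iface = None, None, words[0] == "interface"
            if words[0] == "circuit":
                circuit = words[1]
                circuits[circuit] = {}
        elif in_iface and words[0] == "circuit":
            refs.append(words[1])                # logical binding -> circuit
        elif circuit and words[0] == "vap-group":
            vap = words[1]
            circuits[circuit].setdefault(vap, set())
        elif circuit and vap:
            circuits[circuit][vap].add(words[0])  # option under a vap-group
    return circuits, refs

def check_sensor_config(text, sensor_vap="sf"):
    # -> (circuits the sensor vap-group is bound to, list of findings)
    circuits, refs = parse_xos(text)
    seen, findings = [], []
    for ref in refs:
        if ref not in circuits:
            findings.append(f"interface references undefined circuit {ref!r}")
    for name, vaps in circuits.items():
        if sensor_vap in vaps:
            seen.append(name)
            if "promiscuous-mode" not in vaps[sensor_vap]:
                findings.append(f"circuit {name!r}: vap-group {sensor_vap!r} lacks promiscuous-mode")
    return seen, findings
```

For the sample the sensor sees only the ins circuit, as the Internal TAP section intends, and no findings are reported; a config with a misspelled circuit name under an interface, or a sensor vap-group without promiscuous-mode, is flagged before any traffic test is run.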
5. Defense Center Operations
DC access
Sensor creation
By navigation: Operations → Sensors
Interface-Set creation
By navigation: Operations → Interface Sets
Detection Engine creation
By navigation: Operations → Detection Engines
Sensor update
By navigation: Operations → Update
Rules creation/modification
By navigation: Policy & Response → IPS → Intrusion Policy
Policy creation/push
Logs
By navigation: Analysis & Reporting → IPS → Intrusion Events
6. Test steps
Install XOS
Set basic configuration (vap-group, mgmt, ip route, bridge or TAP)
Copy the SF installation cbi package to /crossbeam/apps/archive
Install SF by the CLI command "application…." with each parameter and reload the vap-group
Web access to DC
Create sensor per VAP
Create Interface-Set per VAP
Create Detection Engine
Update sensor from 4.10.0 to the required version (4.10.22)
Create specific rules
Create policy and add rules
Send traffic and verify
7. Debug methods and Known issues
7.1 Capture packets in the VAP
7.1.1 [root@x82 admin]# rsh sf410_1
7.1.2 Run the command "source /opt/sf/profile"
sf410_1(x82):~# source /opt/sf/profile
7.1.3 Capture packets on the interface (tapcir)
sf410_1(x82):~# /opt/sf/usr/sbin/tcpdump -i %Xtapcir
7.2 Since the SF log is very slow, we can use the tool "sflib.sh" to check the log immediately.
7.2.1 Copy the script sflib.sh to /tmp (CPM)
7.2.2 Change the attributes of this file
7.2.3 Run the script
source sflib.sh
7.2.4 Run the command "setlog"
7.2.5 Restart the SF service
7.2.6 Run the command "chklog"
7.2.7 Finally, run the command "outlog" to check the log