
QAHandbookSourcefire.docx

Sourcefire 3D Sensor Software Handbook

Version: V1.0

Contents

1. Introduction
2. Component
3. Prerequisite
4. Basic topology and configuration
   4.1 IDS Internal TAP
   4.2 IDS External TAP
5. Defense Center Operations
6. Test steps
7. Debug methods and Known issues

1. Introduction

The Sourcefire 3D System provides you with real-time network intelligence for real-time network defense. It has the tools you need to:

- discover the changing assets and vulnerabilities on your network,
- determine the types of attacks against your network and the impact they have on your business processes, and
- defend your network in real time.

TIPS:

1.1 Where can we get the Sourcefire software?
Go to the directory /software/cbsnas2/SourceFire/4.10.0/, download the software you want to install on XOS, and install it.

1.2 About the Defense Center upgrading
The newest Defense Center version is 4.10.2.2. You can download and install the newest patch from /software/cbsnas2/SourceFire/4.10.2.2; see section 5, Defense Center Operations (By navigation: Operations > Update).

1.3 The Defense Center's IP address is 192.168.213.231; the password is the same as the username, admin.

1.4 A hard disk is required in order to install Sourcefire.

1.5 Known issue: for a network/VLAN policy, the relevant basic policy (Initial Inline Policy / Initial Passive Policy) needs to be installed first; after that, the user's policy should be installed.

2. Component

- Sourcefire IPS, the intrusion detection and prevention component
- Sourcefire RNA, the Real-time Network Awareness component
- Sourcefire RUA, the Real-time User Awareness component
- Sourcefire Defense Center

TIP! Sourcefire 3D Sensor Software for X-Series Platform can run IPS and RNA but not RUA.

3. Prerequisite

- The X-Series Platform is installed and configured
- The X-Series Platform is running XOS version 9.0 or later
- each CPM has a minimum of 4GB of RAM
- each APM has a minimum of 2GB of RAM and a local hard disk
- xslinux_v5 vap-group available and accessible
- Defense Center (192.168.213.231)
- correct cbi package

4. Basic topology and configuration

IPS mode

    circuit br
      device-name br
      vap-group sf
    circuit ins
      device-name ins
      vap-group sf
        promiscuous-mode active
    circuit outs
      device-name outs
      vap-group sf
        promiscuous-mode active
    bridge-mode br transparent
      circuit ins
      circuit outs
    interface gigabitethernet 1/1
      logical-all ins
        circuit ins
    interface gigabitethernet 1/2
      logical-all outs
        circuit outs

4.1 IDS Internal TAP

    circuit ins
      device-name ins
      vap-group fw
        ip-forwarding
        ip 16.0.0.100/24
      vap-group sf
        promiscuous-mode
    circuit outs
      device-name outs
      vap-group fw
        ip-forwarding
        ip 17.0.0.100/24
    interface gigabitethernet 1/1
      logical ins
        circuit ins
    interface gigabitethernet 1/2
      logical outs
        circuit outs

4.2 IDS External TAP

XOS configuration:

    circuit monitor
      device-name monitor
      vap-group sf
        promiscuous-mode
    interface gigabitethernet 1/1
      logical-all monitor
        circuit monitor

Cisco switch configuration:

    monitor session 1 source interface gi 0/1

With VLAN:

    monitor session 1 destination interface Gi0/7 encapsulation dot1q ingress dot1q vlan 2407

Without VLAN:

    monitor session 1 destination interface Gi0/7 ingress dot1q vlan 1

5. Defense Center Operations

- DC access
- Sensor creation
  By navigation: Operations > Sensors
- Interface-Set creation
  By navigation: Operations > Interface Sets
- Detection Engine creation
  By navigation: Operations > Detection Engines
- Sensor update
  By navigation: Operations > Update
- Rules creation/modification
  By navigation: Policy & Response > IPS > Intrusion Policy
- Policy creation/push
- Logs
  By navigation: Analysis & Reporting > IPS > Intrusion Events

6. Test steps

- Install XOS
- Set basic configuration (vap-group, mgmt, ip route, bridge or TAP)
- Copy the SF installation cbi package to /crossbeam/apps/archive
- Install SF by CLI command “application .” each parameter and reload vap-group
- Web access to DC
- Create sensor per VAP
- Create Interface-Set per VAP
- Create Detection Engine
- Update sensor from 4.10.0 to required version (4.10.22)
- Create specific rules
- Create policy and add rules
- Send traffic and verify

7. Debug methods and Known issues

7.1 Capture the packets in the VAP

7.1.1 Log in to the VAP:

    [root@x82 admin]# rsh sf410_1

7.1.2 Run the command “source /opt/sf/profile”:

    sf410_1 (x82): # source /opt/sf/profile

7.1.3 Capture the packets on the interface (tapcir):

    sf410_1 (x82): # /opt/sf/usr/sbin/tcpdump -i %Xtapcir

7.2 Because the SF log is written very slowly, we can use the tool “sflib.sh” to check the log immediately.

7.2.1 Copy the script sflib.sh to /tmp (CPM)
7.2.2 Change the attribute of this file
7.2.3 Run the script: source sflib.sh
7.2.4 Run the command “setlog”
7.2.5 Restart the SF service
7.2.6 Run the command “chklog”
7.2.7 Finally, run the command “outlog” to check the log
