Monday, May 22, 2006

Q: On the IS, the NIC interfaces are not labeled. Which interfaces are which? How do you tell if an interface is seeing traffic?

A:
You'll have to physically label the interfaces yourself; there is no documentation. In the www console, Operations//Configuration//Detection Engines//Network Interface, you'll see the list of interface names. Make sure all interfaces are set to autonegotiate. Connect a spewing span cable to one of the physical interfaces. Log on as root in an SSH session, and use ifconfig -a to figure out which interface is seeing traffic based on the counters. Then label the physical port with ptouch and move the cable to the next port. Repeat until all ports are labeled. Then inform Sourcefire so they can update their documentation. If you find, as I did, that no ports are showing traffic even with a cable connected, you may need to reboot your system. I suspect that this is sometimes necessary after you change the speed or autoneg settings of a port (I don't know which).
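The counter comparison in the steps above can be scripted instead of read by eye. This is an added example, not part of the original post: it assumes a Linux-based sensor that exposes /proc/net/dev (the kernel counters that ifconfig -a displays), and the function names and sample snapshots are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which interfaces received packets between two
# snapshots in /proc/net/dev format (assumes a Linux-based sensor).

# active_ifaces BEFORE AFTER [MIN]: print "iface delta" for every non-loopback
# interface whose RX packet counter grew by more than MIN (default 0).
active_ifaces() {
    awk -v min="${3:-0}" '
        FNR <= 2 { next }                     # two header lines per snapshot
        {
            sub(/^[ \t]+/, "")                # names are right-aligned
            split($0, f, /[: \t]+/)           # f[1]=iface f[2]=rx bytes f[3]=rx packets
            if (NR == FNR) { before[f[1]] = f[3]; next }
            delta = f[3] - before[f[1]]
            if (f[1] != "lo" && delta > min) print f[1], delta
        }' "$1" "$2"
}

# find_active [SECONDS] [MIN]: snapshot the live counters, wait, snapshot again.
find_active() {
    dir=$(mktemp -d) || return 1
    cat /proc/net/dev > "$dir/before"
    sleep "${1:-5}"
    cat /proc/net/dev > "$dir/after"
    active_ifaces "$dir/before" "$dir/after" "${2:-0}"
    rm -rf "$dir"
}

# Constructed sample snapshots (not from a real sensor): eth0 is the management
# port with light traffic, eth2 has the span cable attached.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/before" <<'EOF'
Inter-|   Receive                            |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12000     100    0    0    0     0          0         0    12000     100    0    0    0     0       0          0
  eth0:  900000    4000    0    0    0     0          0         0   300000    2500    0    0    0     0       0          0
  eth1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth2:51000000   80000    0    0    0     0          0         0        0       0    0    0    0     0       0          0
EOF
    sed -e 's/900000    4000/903000    4012/' \
        -e 's/51000000   80000/88000000  141500/' "$dir/before" > "$dir/after"
    active_ifaces "$dir/before" "$dir/after" "${1:-0}"
    rm -rf "$dir"
}
```

With the span cable connected, `find_active 5 100` lists only interfaces that gained more than 100 packets in five seconds. The threshold keeps the management port you are logged in through from being mistaken for the span port.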
