Friday, June 16, 2006

Q: How should I set up the DC homepage and preferences?

A:
  1. Click on Preferences. (Right end of top menubar.)
  2. Set your home page to "Intrusion Events" or "Dashboard", whichever you prefer.
  3. In Event View Settings, under "Default IPS workflow", set "Intrusion Events == Event-Specific". Under "Default time windows", set "Events time window == Current day - static/expanding" and do not check "use end time". (In fact, set this for all of the time windows.)
  4. Now each time you log in, or when you click on the "Defense Center" logo in upper left corner of any screen, you'll be presented with a list of events, in decreasing order of occurrence (or the dashboard if that is what you chose).

Tuesday, June 13, 2006

Q: How do I test a new custom rule?

A:
You can and will write your own custom rules and "import" them into the DC. Once imported, the rules are stored in a database format and you won't be able to export them again. So it pays to write them and test them ahead of time. Fortunately, each IDS has all the tools you'll need to formulate and test rules: Snort, vi, and tcpdump.
  1. Log into the IS as root and change to a subdir for use in creating and testing rules.
  2. Use tcpdump (or Snort) to create a pcap file for use in testing your rule. It must contain at least one packet of the type your rule is intended to detect, and might also contain some similar packets that you don't want your rule to detect (false positives). We'll call this file 'test.pcap'.
  3. Use vi to create a rules file containing the one rule you are working on. We'll call this file 'test.rule'. Start the rule with alert.
  4. Make a log directory ./logs
  5. Run Snort using the following command lines to test your rule against the pcap file. (It does not seem to run properly without telling it where to log to with -l or -b.)
     snort -T -c test.rule                                      (to test syntax)
     snort -vd -c test.rule -r test.pcap -A console -l logs     (to run the rule against the capture)
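The rule-testing procedure above, worked through as an added example (this is not code from the original post or from Sourcefire): the script writes a one-rule 'test.rule', builds a three-packet 'test.pcap' by hand (one packet the rule must match, one on the wrong port, one with the wrong content), and predicts how many alerts the second snort command should print so you have a ground truth to compare the console output against. The rule, the marker string, the addresses and the HTTP payloads are all constructed for the example; the checksums are computed properly because Snort, by default, discards packets whose IP or TCP checksum is wrong, and a hand-built pcap with bad checksums silently produces zero alerts.

```python
"""Build test.rule and test.pcap for checking a custom Snort rule offline.

Added example, not from the original post. Everything below (rule, marker,
addresses, payloads) is constructed for illustration.
"""
import os
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4   # libpcap file magic, microsecond timestamps
LINKTYPE_ETHERNET = 1

# Hypothetical local rule under test (sid >= 1000000 is the local-rule range).
# No flow:established option on purpose: that needs a full TCP handshake in
# the pcap, which this small test file does not provide.
MARKER = b"X-Test-Marker"
RULE = ('alert tcp any any -> any 80 (msg:"LOCAL test rule - marker header"; '
        'content:"X-Test-Marker"; sid:1000001; rev:1;)')


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_packet(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame with valid checksums (Snort drops bad ones)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp_len = 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0, 64, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    # seq, ack, data offset 5 words, flags PSH|ACK, window, checksum 0, urgent 0
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, tcp_len))
    csum = inet_checksum(pseudo + tcp_hdr + payload)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", csum) + tcp_hdr[18:]
    return eth + ip_hdr + tcp_hdr + payload


def sample_packets():
    """Constructed traffic: one true positive and two near-misses."""
    hit = build_tcp_packet("10.10.10.1", "192.168.34.7", 40000, 80,
                           b"GET / HTTP/1.0\r\nX-Test-Marker: 1\r\n\r\n")
    wrong_port = build_tcp_packet("10.10.10.1", "192.168.34.7", 40001, 8080,
                                  b"GET / HTTP/1.0\r\nX-Test-Marker: 1\r\n\r\n")
    benign = build_tcp_packet("10.10.2.3", "192.168.34.7", 40002, 80,
                              b"GET / HTTP/1.0\r\nX-Other-Header: 1\r\n\r\n")
    return [hit, wrong_port, benign]


def build_pcap_bytes(packets) -> bytes:
    """Classic libpcap format: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, pkt in enumerate(packets):
        # ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", 1150000000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


def predict_alerts(packets, dport=80, content=MARKER) -> int:
    """Apply the rule's protocol, port and content tests by hand: the number
    of alerts Snort should print for test.pcap with test.rule loaded."""
    hits = 0
    for pkt in packets:
        if pkt[12:14] != b"\x08\x00" or pkt[23] != 6:   # not IPv4 carrying TCP
            continue
        ihl = (pkt[14] & 0x0F) * 4
        tcp = pkt[14 + ihl:]
        data_off = (tcp[12] >> 4) * 4
        pkt_dport = struct.unpack("!H", tcp[2:4])[0]
        if pkt_dport == dport and content in tcp[data_off:]:
            hits += 1
    return hits


def make_test_inputs(workdir="."):
    """Write test.rule, test.pcap and the logs dir the procedure expects."""
    os.makedirs(os.path.join(workdir, "logs"), exist_ok=True)
    rule_path = os.path.join(workdir, "test.rule")
    with open(rule_path, "w") as f:
        f.write(RULE + "\n")
    packets = sample_packets()
    pcap_path = os.path.join(workdir, "test.pcap")
    with open(pcap_path, "wb") as f:
        f.write(build_pcap_bytes(packets))
    return rule_path, pcap_path, predict_alerts(packets)


if __name__ == "__main__":
    rule, pcap, expected = make_test_inputs()
    print("wrote", rule, "and", pcap, "- expect", expected, "alert(s) from:")
    print("  snort -T -c test.rule")
    print("  snort -vd -c test.rule -r test.pcap -A console -l logs")
```

Run it in the scratch subdirectory from step 1, then run the two snort commands from step 5 there. If Snort reports more alerts than predicted, the rule is too loose (the wrong-port or wrong-content packet tripped it); if it reports fewer, check the -T output first for a syntax problem and then look at whether the rule relies on a preprocessor or option (such as flow) that the bare rules file does not configure.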

Q: How do I enter a list of IPs to be excluded in the portscan detection preprocessor?

A:
Edit your policy, and choose "portscan detection". In the "IP Addresses to Exclude" field, enter the IPs in CIDR format, comma-delimited, no brackets, like this: 10.10.10.1/32,10.10.2.3/32,192.168.34.7/32
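A small checker for the exclusion list, added here as an example (not code from the original post or from the Sourcefire product): it takes whatever was pasted, strips the brackets and spaces the field rejects, gives bare hosts the /32 the examples above use, and refuses entries with host bits set behind a shorter prefix (10.10.10.1/24 would otherwise exclude a network the author probably did not mean). Treating the field as IPv4-only is an assumption based on the examples on this page.

```python
"""Normalize a pasted address list into the form the "IP Addresses to Exclude"
field expects: comma-delimited CIDR, no brackets, no spaces.

Added example, not from the original post."""
import ipaddress


def format_portscan_exclusions(raw: str):
    """Return (normalized_string, errors). normalized_string is None when any
    entry was rejected, so nothing half-checked gets pasted into the policy."""
    cleaned = raw.strip().strip("[]").replace(";", ",").replace(" ", ",")
    nets, errors = [], []
    for item in filter(None, cleaned.split(",")):
        try:
            # strict=True (the default) rejects 10.10.10.1/24: host bits set
            net = ipaddress.ip_network(item)
        except ValueError as exc:
            errors.append("%s: %s" % (item, exc))
            continue
        if net.version != 4:           # assumption: the field takes IPv4 only
            errors.append("%s: not an IPv4 address or network" % item)
            continue
        nets.append(net)
    if not nets and not errors:
        errors.append("no addresses given")
    return (None if errors else ",".join(n.with_prefixlen for n in nets), errors)


if __name__ == "__main__":
    # Constructed input with the formatting mistakes the field does not accept.
    value, problems = format_portscan_exclusions("[10.10.10.1, 10.10.2.3/32, 192.168.34.7]")
    print(value or "rejected:", *problems, sep="\n")
```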

Q: How do I run tcpdump on the IDS boxes?

A:
All the Sourcefire IDS boxes include tcpdump; you can log in as root and use it. The one strange thing is the names of the interfaces. Interface names such as eth2 cannot be used. eth2 must be called fp2, so your tcpdump interface parameter would be -i fp2. For other interfaces, change the number to suit.

Monday, June 12, 2006

Q: How do I set up "per rule" alert emails?

A:
Per rule email alerts are configured in two places. Navigate to P&R > Intrusion Sensor > Email. Click on Per Rule alerting and select any rules for which you want an alert (sent to the general alerting email address). You'll get an email if this rule is triggered in any IDS policy. There's also a Per Rule alerting setup in each IDS policy config. I think if configured here (and not the above), you'll only get an alert when this rule triggers on this policy.