Tuesday, September 19, 2006

Q: I'm getting a lot of false positives on a rule from particular systems. How do I eliminate these without disabling the rule entirely?

A:
Use rule suppression to eliminate known false positives from particular hosts without disabling the rule. Go to Policy & Response // Intrusion Sensor // Detection & Prevention and edit your policy. Choose "suppression" as the item to edit. In the suppression dialog, you can select any rule using a radio button. When you do this, the suppression settings you have already set for that rule are shown in the textarea at the top. You can suppress alerts from that rule based on either source IP address or destination IP address. The result is that the rule generates no alerts for that policy whenever the source or destination IP matches what you have entered in the suppression dialog, while the rule keeps firing for every other host.
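To show the difference between suppressing a rule for specific hosts and disabling it outright, here is an added illustration that is not part of the original post and not Sourcefire's code. It assumes the Snort threshold.conf "suppress" directive syntax (gen_id, sig_id, track by_src|by_dst, ip list), which is the underlying mechanism the Defense Center dialog configures; the alerts, addresses and signature IDs are constructed sample data.

```python
"""Rule suppression by source/destination IP versus disabling a rule.

Added example (not from the original post or from Sourcefire). It parses
Snort-style 'suppress' lines and applies them to constructed sample alerts.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Alert:
    gid: int
    sid: int
    src: str
    dst: str
    msg: str


# Constructed sample alerts: two from a known scanner (10.0.0.5, 10.0.0.77),
# one from an unknown host, and one from a different rule.
SAMPLE_ALERTS = [
    Alert(1, 2003, "10.0.0.5", "192.168.1.20", "SCAN from authorised scanner"),
    Alert(1, 2003, "10.0.0.77", "192.168.1.20", "SCAN from authorised scanner"),
    Alert(1, 2003, "172.16.4.9", "10.0.0.5", "SCAN from unknown host"),
    Alert(1, 1000, "10.0.0.5", "192.168.1.20", "unrelated rule, same host"),
]

# Constructed suppression in Snort threshold.conf syntax (hypothetical sid).
SUPPRESSION_CONF = """
# drop sid 2003 only when a known scanner is the source
suppress gen_id 1, sig_id 2003, track by_src, ip [10.0.0.5, 10.0.0.64/26]
"""

_SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+)"
    r"(?:,\s*track\s+(by_src|by_dst),\s*ip\s+(.+))?\s*$"
)


@dataclass(frozen=True)
class Suppression:
    gid: int
    sid: int
    track: Optional[str]   # "by_src", "by_dst", or None (whole rule)
    networks: Tuple        # ipaddress networks; empty when track is None

    def matches(self, alert: Alert) -> bool:
        if (alert.gid, alert.sid) != (self.gid, self.sid):
            return False
        if self.track is None:
            return True  # no track clause: every event from the rule is dropped
        addr = ipaddress.ip_address(alert.src if self.track == "by_src" else alert.dst)
        return any(addr in net for net in self.networks)


def parse_suppressions(text: str) -> List[Suppression]:
    """Parse 'suppress' lines; '#' starts a comment, blank lines are ignored."""
    result = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised suppress line: {line!r}")
        gid, sid, track, iplist = m.groups()
        nets: Tuple = ()
        if track:
            # A single address parses as a /32 network; CIDR ranges are kept as given.
            nets = tuple(ipaddress.ip_network(p.strip(), strict=False)
                         for p in iplist.strip().strip("[]").split(","))
        result.append(Suppression(int(gid), int(sid), track, nets))
    return result


def apply_suppressions(alerts: List[Alert], suppressions: List[Suppression]) -> List[Alert]:
    """Keep every alert that no suppression entry matches."""
    return [a for a in alerts if not any(s.matches(a) for s in suppressions)]


def disable_rule(alerts: List[Alert], gid: int, sid: int) -> List[Alert]:
    """What disabling the rule does: every alert from it vanishes, legitimate or not."""
    return [a for a in alerts if (a.gid, a.sid) != (gid, sid)]


if __name__ == "__main__":
    kept = apply_suppressions(SAMPLE_ALERTS, parse_suppressions(SUPPRESSION_CONF))
    print("after suppression:", [a.msg for a in kept])
    print("after disabling sid 2003:", [a.msg for a in disable_rule(SAMPLE_ALERTS, 1, 2003)])
```

Suppression keeps the alert from the unknown 172.16.4.9 host and the unrelated rule, whereas disabling sid 2003 also discards the scan from the unknown host, which is exactly the visibility the question wants to preserve.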

Monday, September 11, 2006

Q: I rebooted the Defense Center and now it's off the network. What happened?

A:
You may find, as I did, that after rebooting your Defense Center there is no longer a link between the DC and the switch. I had the switch and DC both hardcoded at 1000/full. I called Sourcefire tech support and they had me try everything: patching to a different switchport, a different switch, etc. I had to hook up a console and keyboard to the DC and check ifconfig, ethtool, etc. Sourcefire even sent IBM in to swap out the motherboard (which contains the ethernet adapter). After at least six hours of work time, and a week's clock time, the ethernet was still not linking up, regardless of the speed setting at the switch. Tech support could not think of a fix. It started working when at the command line I set eth0 to autonegotiate speed and duplex: ethtool -s eth0 autoneg on (By the way, after the motherboard swap I had to redo the license file, and when I finally got the licensing done I was greeted with lots of "correlator not running" in the DC log. I started the correlator manually and am hoping for the best.) The saving grace during all this was that I was still able to log into each IS separately over the www interface and check for events. Make sure you have an account on each IS ready to go in case you too lose your DC.