Thursday, November 15, 2007

Q: How do I know if my IS has enough processing power to process all the packets it hears?

A:

On the DC, go into operations / monitoring / performance / IPS.

Choose the IS you want to look at, choose the '% packets dropped' graph, and choose a suitable time period. The resulting graph will show you if and when packets got dropped because Snort couldn't handle them.

Tuesday, November 13, 2007

Q: Why do I get two identical syslog messages from some alerts, one from the DC, and the other from the IS?

A:

It is possible to configure the syslog settings separately for the DC and the IS. The IS alerts are produced according to each detection engine policy, whereas the DC alerts are produced according to compliance events or to "responses". If both are turned on for the same event, you get the same message twice, once from each box.

The Detection Engine controls the IS

To set the policy for the IS, set it on the detection engine. Edit the detection engine (D.E.) and choose "alerting". The syslog settings for the D.E. control where every alert for that D.E. is syslogged. In my case I wanted all alerting to come from the DC, so I turned it off on every D.E. so that the same alert would not also come from the IS.

The DC has granular alerting capability

For the DC, see Policy & Responses/Alerts. You can create one or more syslog-type alerting mechanisms there, and activate or deactivate each one.

Then, go to Policy & Responses/Impact Flag Alerts. Here you can select one of the syslog-type mechanisms you defined above, and choose whether to receive a syslog message according to the impact flag on the alert.

You can do the same for RNA Event Alerts too. There are other features on the DC which can be configured to generate a syslog event, such as in Policy & Response/Compliance/Policy Management.
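Before touching either configuration it helps to confirm from the receiving syslog server that the duplicates really are the same alert from two hosts, and not two different events. The script below is an added example, not part of the original post and not Sourcefire code: it parses RFC 3164 style syslog lines, groups them by message body, and reports bodies that arrived from more than one host within a short window. The hostnames (dc01, is01), the program tag (ids), and the alert texts in the sample are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines in RFC 3164 layout. Hostnames (dc01, is01),
# the program tag (ids) and the alert texts are assumptions made for this
# example; they are not copied from any real Defense Center or sensor.
SAMPLE_LOGS = """\
Nov 13 10:21:05 dc01 ids: [1:2003:8] SNMP request tcp {TCP} 10.0.0.5:4321 -> 10.0.0.9:161
Nov 13 10:21:05 is01 ids: [1:2003:8] SNMP request tcp {TCP} 10.0.0.5:4321 -> 10.0.0.9:161
Nov 13 10:21:07 is01 ids: [1:1000:1] local test rule {UDP} 10.0.0.7:5353 -> 10.0.0.9:53
Nov 13 10:21:40 dc01 ids: [1:2003:8] SNMP request tcp {TCP} 10.0.0.5:4321 -> 10.0.0.9:161
Nov 13 10:22:00 dc01 ids: [1:2003:8] SNMP request tcp {TCP} 10.0.0.6:4400 -> 10.0.0.9:161
"""

# "Mon dd hh:mm:ss host tag: message" (RFC 3164 without the <PRI> prefix)
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$"
)


def parse_syslog(text):
    """Parse RFC 3164 style lines into (timestamp, host, tag, message) tuples.
    Lines that do not match the layout are skipped rather than raising."""
    records = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        # RFC 3164 timestamps carry no year; datetime defaults to 1900, which
        # is fine for computing differences within one capture.
        ts = datetime.strptime(m.group("ts").replace("  ", " "), "%b %d %H:%M:%S")
        records.append((ts, m.group("host"), m.group("tag"), m.group("msg")))
    return records


def find_duplicate_alerts(text, window_seconds=2):
    """Return a list of (message, sorted host list) for alert bodies that
    arrived from more than one host within window_seconds of each other.
    Grouping is on the message body only, so the emitting host is ignored;
    each duplicated body is reported once."""
    by_msg = defaultdict(list)
    for ts, host, _tag, msg in parse_syslog(text):
        by_msg[msg].append((ts, host))

    duplicates = []
    for msg, events in by_msg.items():
        events.sort()
        for i in range(len(events)):
            hosts = {events[i][1]}
            for ts, host in events[i + 1:]:
                if (ts - events[i][0]).total_seconds() > window_seconds:
                    break
                hosts.add(host)
            if len(hosts) > 1:
                duplicates.append((msg, sorted(hosts)))
                break
    return duplicates


if __name__ == "__main__":
    for msg, hosts in find_duplicate_alerts(SAMPLE_LOGS):
        print(f"{' and '.join(hosts)} both sent: {msg}")
```

Run against the constructed sample, it reports the SNMP alert as coming from both dc01 and is01, while the later dc01 repeat (35 seconds on) and the different-source variant are left alone. Point the same function at a real syslog export and the host pairs it prints tell you which D.E. and which DC alerting mechanism are both firing on the same event.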