Cisco Firepower (Sourcefire IDS, Cisco FireSIGHT)
Previously known as Sourcefire 3D, Cisco Firepower is an intrusion detection response system that produces security data and enhances the InsightIDR analysis. You can also send Web Proxy events from Cisco Firepower. InsightIDR automatically separates and parses your IDS and Web proxy logs from this application.
Configuration Instructions work for Cisco Firepower, Sourcefire 3D, and Cisco FireSIGHT
The configuration instructions in this document work for Cisco Firepower, Sourcefire 3D, and Cisco FireSIGHT. Even if you have Cisco Firepower or Cisco FireSIGHT, you still must select Sourcefire 3D in the Event Source dropdown list when configuring in InsightIDR.
Learn more about Cisco Firepower here: https://supportforums.cisco.com/t5/intrusion-prevention-systems-ids/firepower-vs-ngips-vs-firesight-vs-firepower-management-center/td-p/2975375.
Configure Sourcefire 3D, Cisco Firepower, or Cisco FireSIGHT to Send Alerts to InsightIDR
- Go to the SourceFire admin panel.
- Select Policies > Actions > Alerts. A pop-up window appears.
- From the Create Alert drop-down menu, select Create Syslog Alert. A dialog box appears.
- In the Name field, type the name you want to use to identify the saved response.
- In the Host field, type the hostname or IP address of your syslog server.
- Note that the system does not warn you if you enter an invalid IPv4 address in this field (such as 192.168.1.456). Instead, the invalid address is treated as a hostname.
- In the Port field, enter the port that you will configure your InsightIDR collector to use for this event source.
- By default, this value is 514.
- Select ALERT for facility.
- Select ALERT severity.
- In the Tag field, type the tag name that you want to appear with the syslog message. Use only alphanumeric characters in tag names. You cannot use spaces or underscores.
- Click Save.
When you create an alert response, it is automatically enabled. Only enabled alert responses can generate alerts. To stop alerts from being generated, you can temporarily disable alert responses rather than deleting your configurations.
Use these resources for detailed configuration instructions:
- https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118464-configure-firesight-00.html
- https://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/Alerting.html
- https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Configuring_External_Alerting_for_Intrusion_Rules.html#ID-2212-000001bf
Syslog Example
1<41>May 1 13:56:07 DefenseCenter SFAppliance: [119:2:1] http_inspect: DOUBLE DECODING ATTACK [Impact: Currently Not Vulnerable] From \"10.111.1.11\" at Fri May 1 19:56:07 2015 UTC [Classification: Not Suspicious Traffic] [Priority: 3] {tcp} 10.11.55.33:61163->50.11.222.55:80
Configure InsightIDR to collect data from the event source
After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.
To configure the new event source in InsightIDR:
- From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
- Do one of the following:
- Search for Cisco Firepower in the event sources search bar.
- In the Product Type filter, select IDS.
- Select the Cisco Firepower event source tile.
- Choose your collector.
- In the Select Event Source Type field, choose the option that corresponds to your Cisco Security Solution as outlined in the following table:
Cisco Security Solution | InsightIDR Event Source Type |
---|---|
ASA | Cisco ASA event-source |
NGIPS | Cisco ASA event-source |
NGFW | Cisco ASA event-source |
Any other firepower service | Cisco ASA event-source |
Cisco ASA with FirePower services | Cisco ASA event-source |
Cisco FirePower Threat Defense (FTD) | Cisco FTD event-source |
Sourcefire 3D | Cisco FirePower (Sourcefire 3D) event-source |
You can also name your event source if you want.
- Choose the timezone that matches the location of your event source logs.
- Optionally choose to send unparsed logs.
- Select an attribution source.
- Select Listen on Network Port and specify the port you used earlier along with a protocol.
- Optionally choose to Encrypt the event source if choosing TCP by downloading the Rapid7 Certificate.
- Click Save.
Verify the Configuration
To see Cisco Firepower logs in InsightIDR: From the left menu, click Log Search to view your logs to ensure events are being forwarded to the Collector. Select the applicable Log Sets and the Log Names within them. The Log Name will be the event source name or “Cisco Firepower” if you did not name the event source. Cisco Firepower logs flow into these Log Sets:
- Web Proxy
- Intrusion Detection System (IDS)
Logs take a minimum of 7 minutes to appear in Log Search
Please note that logs take at least 7 minutes to appear in Log Search after you set up the event source.
Example Input Logs
Your Cisco Firepower logs will look similar to the following:
log
1<113>Mar 18 11:38:39 Sourcefire3D sfdc1500avc: [Primary Detection Engine (11727814-7b90-11e2-6666-888888888888)][MHPSA] Connection Type: Start, User: Unknown, Client: SSL client, Application Protocol: HTTPS, Web App: Unknown, Access Control Rule Name: CatchAll-Scan_for_Malware, Access Control Rule Action: Allow, Access Control Rule Reasons: Unknown, URL Category: Parked Domains, URL Reputation: Well known, URL: https://razor.com, Interface Ingress: s1p1, Interface Egress: s1p2, Security Zone Ingress: Internal, Security Zone Egress: External, Security Intelligence Matching IP: None, Security Intelligence Category: None, Client Version: (null), Number of File Events: 0, Number of IPS Events: 0, TCP Flags: 0x0, NetBIOS Domain: (null), Initiator Packets: 4, Responder Packets: 4, Initiator Bytes: 608, Responder Bytes: 4368, Context: Unknown, SSL Rule Name: N/A, SSL Flow Status: N/A, SSL Cipher Suite: N/A, SSL Certificate: 0000000000000000000000000000000000000000, SSL Subject CN: N/A, SSL Subject Country: N/A, SSL Subject OU: N/A, SSL Subject Org: N/A, SSL Issuer CN: N/A, SSL Issuer Country: N/A, SSL Issuer OU: N/A, SSL Issuer Org: N/A, SSL Valid Start Date: N/A, SSL Valid End Date: N/A, SSL Version: N/A, SSL Server Certificate Status: N/A, SSL Actual Action: N/A, SSL Expected Action: N/A, SSL Server Name: (null), SSL URL Category: N/A, SSL Session ID: 0000000000000000000000000000000000000000000000000000000000000000, SSL Ticket Id: 0000000000000000000000000000000000000000, {TCP} 10.7.33.22:53431 -> 66.55.11.77:443
log
1<113>Mar 18 11:38:39 Razor: Protocol: TCP, SrcIP: 10.100.11.222, OriginalClientIP: ::, DstIP: 65.55.44.111, SrcPort: 63399, DstPort: 443, TCPFlags: 0x0, IngressInterface: insidepc, EgressInterface: outside, DE: Primary Detection Engine (ecfee06e-8a6f-11e7-6666-888888888888), Policy: MSSA-Access Control, ConnectType: Start, AccessControlRuleName: Allow-GoodApps, AccessControlRuleAction: Allow, Prefilter Policy: Unknown, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Microsoft, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 386, ResponderBytes: 66, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown, URL: https://microsoft.com
log
1<113>Mar 18 11:38:39 Razor: Protocol: TCP, SrcIP: 10.100.11.222, OriginalClientIP: ::, DstIP: 65.55.44.111, SrcPort: 63399, DstPort: 443, TCPFlags: 0x0, IngressInterface: insidepc, EgressInterface: outside, DE: Primary Detection Engine (ecfee06e-8a6f-11e7-6666-888888888888), Policy: MSSA-Access Control, ConnectType: Start, AccessControlRuleName: Allow-GoodApps, AccessControlRuleAction: Block, Prefilter Policy: Unknown, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Microsoft, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 386, ResponderBytes: 66, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown, URL: https://microsoft.com
log
1<113>Mar 18 11:38:39 Sourcefire3D sfdc1500avc: [Primary Detection Engine (11727814-7b90-11e2-6666-888888888888)][MHPSA] Connection Type: Start, User: Unknown, Client: DNS client, Application Protocol: DNS, Web App: Unknown, Access Control Rule Name: CatchAll-Scan_for_Malware, Access Control Rule Action: Block, Access Control Rule Reasons: Unknown, URL Category: Unknown, URL Reputation: Risk unknown, URL: https://razor.com, Interface Ingress: s1p1, Interface Egress: s1p2, Security Zone Ingress: Internal, Security Zone Egress: External, Security Intelligence Matching IP: None, Security Intelligence Category: None, Client Version: (null), Number of File Events: 0, Number of IPS Events: 0, TCP Flags: 0x0, NetBIOS Domain: (null), Initiator Packets: 1, Responder Packets: 1, Initiator Bytes: 91, Responder Bytes: 187, Context: Unknown, SSL Rule Name: N/A, SSL Flow Status: N/A, SSL Cipher Suite: Nhttps://razor.com/, SSL Certificate: 0000000000000000000000000000000000000000, SSL Subject CN: N/A, SSL Subject Country: N/A, SSL Subject OU: N/A, SSL Subject Org: N/A, SSL Issuer CN: N/A, SSL Issuer Country: N/A, SSL Issuer OU: N/A, SSL Issuer Org: N/A, SSL Valid Start Date: N/A, SSL Valid End Date: N/A, SSL Version: N/A, SSL Server Certificate Status: N/A, SSL Actual Action: N/A, SSL Expected Action: N/A, SSL Server Name: (null), SSL URL Category: N/A, SSL Session ID: 0000000000000000000000000000000000000000000000000000000000000000, SSL Ticket Id: 0000000000000000000000000000000000000000, {UDP} 192.168.44.88:58962 -> 8.8.8.8:53
log
1<113>Mar 18 11:38:39 tulsa-firesight SFIMS: [1:32123:2] "MALWARE-CNC Win.Trojan.Zbot variant outbound connection" [Impact: Vulnerable] From \"10.3.22.111\" at Tue Feb 16 20:12:48 2016 UTC [Classification: A Network Trojan was Detected] [Priority: 1] {tcp} 208.111.222.222:59186 (united states)->10.3.22.11:9999 (unknown)
log
1<113>Mar 18 11:38:39 cde2b SFIMS: Protocol: TCP, SrcIP: 10.5.5.55, DstIP: 145.30.44.22, SrcPort: 27097, DstPort: 80, IngressZone: R7_Inside_SZ, EgressZone: R7_DMZ_SZ, Priority: 1, DE: Primary Detection Engine (42e15562-35e7-11e7-6666-888888888888), Policy: CWF R7, GID: 1, SID: 25976, Revision: 2, Message: "POLICY-OTHER Adobe ColdFusion admin API access attempt", Classification: Potential Corporate Policy Violation, Client: Web browser, ApplicationProtocol: HTTP, ACPolicy: Razor, NAPPolicy: Balanced Security and Connectivity