Sourcefire 3D (Cisco FirePower)

Overview

Previously known as Sourcefire IDS, Cisco FirePower is an intrusion detection response system that produces security data and enhances the analysis by InsightOps.

When configuring this event source in InsightOps, it appears as SourceFire IDS in the dropdown.

For additional information on FirePower, click here.

Logging Types

SourceFire IDS can only produce IDS logs, which InsightOps does not support. In order for this event source to properly ingest data, you must convert the IDS logs to syslog.

To enable this:

  1. Go to the SourceFire admin panel.
  2. Select: Policies > Actions > Alerts.
  3. A pop-up window will appear; name the alert, and provide the host and port to which it can forward syslog (usually the host of the collector and the event source's port).

You can read detailed instructions on how to do so here.

Syslog Example:

  <41>May 1 13:56:07 DefenseCenter SFAppliance: [119:2:1] http_inspect: DOUBLE DECODING ATTACK [Impact: Currently Not Vulnerable] From "10.106.5.11" at Fri May 1 19:56:07 2015 UTC [Classification: Not Suspicious Traffic] [Priority: 3] {tcp} 10.10.50.34:61163->50.16.218.55:80
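The example line above packs several fields that an analyst cares about into a single syslog message: the PRI value (facility and severity), the rule identifier in generator:signature:revision form, the rule message, the impact assessment, the reporting sensor, the classification and priority, and the protocol and 5-tuple of the triggering connection. The following parser is an added example written for this page (it is not part of the InsightOps product or the Cisco documentation); the field names it returns and the sample line it embeds are assumptions based only on the example message shown here, so adjust the pattern if your appliance emits a different layout.

```python
import re

# Constructed sample: the example message from this page, with plain quotes
SAMPLE = ('<41>May 1 13:56:07 DefenseCenter SFAppliance: [119:2:1] http_inspect: '
          'DOUBLE DECODING ATTACK [Impact: Currently Not Vulnerable] From "10.106.5.11" '
          'at Fri May 1 19:56:07 2015 UTC [Classification: Not Suspicious Traffic] '
          '[Priority: 3] {tcp} 10.10.50.34:61163->50.16.218.55:80')

# Standard syslog facility/severity names for decoding the <PRI> prefix (RFC 3164/5424)
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              **{16 + i: f"local{i}" for i in range(8)}}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Layout assumed from the example line on this page (hypothetical pattern)
_LINE = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<tag>[^:]+): '
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] '
    r'(?P<message>.+?) '
    r'\[Impact: (?P<impact>[^\]]+)\] '
    r'From "(?P<sensor>[^"]+)" at (?P<event_time>.+?) '
    r'\[Classification: (?P<classification>[^\]]+)\] '
    r'\[Priority: (?P<priority>\d+)\] '
    r'\{(?P<protocol>\w+)\} '
    r'(?P<src_ip>[\d.]+):(?P<src_port>\d+)->(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\s*$'
)


def decode_pri(pri):
    """Split a syslog PRI integer into (facility_name, severity_name)."""
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, f"facility{facility}"), SEVERITIES[severity]


def parse_sourcefire_syslog(line):
    """Parse one FirePower/Sourcefire syslog alert line into a dict.

    Returns None when the line does not match the expected layout, so a caller
    feeding a whole log file can count and inspect unparsed lines separately.
    """
    m = _LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    facility, severity = decode_pri(int(d.pop("pri")))
    d["facility"], d["severity"] = facility, severity
    # Numeric fields become ints so downstream filters can compare them directly
    for key in ("gid", "sid", "rev", "priority", "src_port", "dst_port"):
        d[key] = int(d[key])
    return d


if __name__ == "__main__":
    event = parse_sourcefire_syslog(SAMPLE)
    for k, v in event.items():
        print(f"{k:15} {v}")
```

For the sample line, `decode_pri` yields facility `syslog` and severity `alert` (41 = 5 * 8 + 1), which is the severity the "Create a Syslog Alert" steps below say InsightOps expects; a quick check of the first few forwarded lines with this function confirms the FirePower alert response was saved with the intended Severity before you rely on the feed.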

Before You Begin

InsightOps will only accept alerts from this event source in the form of syslog; therefore, you must configure FirePower alert responses to be sent as syslog.

You can read detailed information about this process in FirePower's User Guide or in their Configuration Guide.

Create a Syslog Alert in FirePower

To create a syslog alert:

  1. Select Policies > Actions > Alerts
  2. From the Create Alert drop-down menu, select Create Syslog Alert
  3. A dialog box will appear; in the Name field, type the name you want to use to identify the saved response
  4. In the Host field, type the hostname or IP address of your syslog server.
    • Note that the system does not warn you if you enter an invalid IPv4 address in this field (such as 192.168.1.456). Instead, the invalid address is treated as a hostname.
  5. In the Port field, type the port the server uses for syslog messages.
    • By default, this value is 514
  6. From the Facility list, select a facility. InsightOps will work with the Facility set to ALERT.
  7. From the Severity list, select a severity. InsightOps will work with the severity set to ALERT.
  8. In the Tag field, type the tag name that you want to appear with the syslog message. Use only alphanumeric characters in tag names. You cannot use spaces or underscores.
  9. Click Save. The alert response is saved and is automatically enabled.
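Two of the fields above fail quietly: a mistyped IPv4 address in Host is silently treated as a hostname (and then never resolves), and a Tag containing spaces or underscores is rejected only at save time. The helper below is an added example written for this page, not part of FirePower or InsightOps; it pre-checks the values you intend to enter so the mistake is caught before the alert response is saved. The function names and the sample values are constructed for illustration.

```python
import ipaddress
import re


def classify_host(value):
    """Return 'ipv4', 'ipv6' or 'hostname' for a Host field value.

    Mirrors the behaviour described on this page: anything that is not a
    syntactically valid IP address is treated as a hostname.
    """
    try:
        return f"ipv{ipaddress.ip_address(value).version}"
    except ValueError:
        return "hostname"


def looks_like_mistyped_ipv4(value):
    """True for four dotted decimal groups that are NOT a valid IPv4 address.

    Example from the page: 192.168.1.456 (last octet out of range).
    """
    dotted_quad = re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", value) is not None
    return dotted_quad and classify_host(value) == "hostname"


def valid_tag(tag):
    """Tag names must be alphanumeric only: no spaces, no underscores."""
    return re.fullmatch(r"[A-Za-z0-9]+", tag) is not None


def valid_port(port):
    return isinstance(port, int) and 1 <= port <= 65535


def check_alert_response(host, port, tag):
    """Return a list of warnings for the values about to be entered into the
    Create Syslog Alert dialog; an empty list means nothing looked wrong."""
    warnings = []
    if looks_like_mistyped_ipv4(host):
        warnings.append(f"Host {host!r} is not a valid IPv4 address; "
                        "FirePower would treat it as a hostname")
    if not valid_port(port):
        warnings.append(f"Port {port!r} is outside 1-65535 (default is 514)")
    if not valid_tag(tag):
        warnings.append(f"Tag {tag!r} must contain only letters and digits")
    return warnings


if __name__ == "__main__":
    # Constructed sample values, including the bad address quoted on this page
    for w in check_alert_response("192.168.1.456", 514, "insight_ops"):
        print("WARNING:", w)
```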

When you create an alert response, it is automatically enabled. Only enabled alert responses can generate alerts. To stop alerts from being generated, you can temporarily disable alert responses rather than deleting your configurations.

Before You Send Syslog Alerts

Make sure that the syslog server can accept remote messages by adding the event source in InsightOps before you enable the alert response.

How to Configure This Event Source

  1. From your dashboard, select Data Collection on the left-hand menu.
  2. At the top right of the page, select Add Data.
  3. Select the IDS icon from the Security Data section.
  4. Select your collector, and optionally name your event source.
  5. From the list of event source options, choose Sourcefire 3D.
  6. Choose a timezone, or optionally choose a US timezone.
  7. Optionally choose to send unfiltered logs.
  8. Configure the inactivity timeout threshold in minutes.
  9. Select either Listen for Syslog or Log Aggregator; both require that you specify a port and a protocol. If you choose TCP, you can optionally choose to Encrypt the event source.
  10. If you are choosing to encrypt, select the "Download Certificate" button, which downloads Rapid7's certificate. This file is called Rapid7CA.pem and allows InsightOps and Sourcefire 3D to trust each other during log forwarding.