Sourcefire 3D Sensor
To integrate IBM® QRadar® Risk Manager with your network devices, ensure that you review the requirements for the Sourcefire 3D Sensor adapter.
- IPS
- SSH connection protocol
- Intrusion policies attached to individual access control rules are not used by QRadar Risk Manager. Only the default intrusion policy is supported.
- NAT and VPN are not supported.
The following table describes the integration requirements for the Sourcefire 3D Sensor adapter.
Integration requirement | Description |
---|---|
Versions | 5.2 |
Supported 3D sensors (Series 2 devices) | 3D500, 3D1000, 3D2000, 3D2100, 3D2500, 3D3500, 3D4500, 3D6500, 3D9900 |
SNMP discovery | No |
Required credential parameters. To add credentials in QRadar, log in as an administrator and use Configuration Monitor on the Risks tab. | Username, Password |
Supported connection protocols. To add protocols in QRadar, log in as an administrator and use Configuration Monitor on the Risks tab. | SSH |
Commands that the adapter requires to log in and collect data | show version |
Commands that the adapter uses to read configuration information: | |
To get hardware information. | sudo su df |
To get the system host name. | sudo su hostname |
To get routing information. | sudo su route -n |
Use the cat or head command to read files and get configurations. | /etc/sf/ims.conf |
Read to get the base directory for the SNORT instance, which is referenced as $DE_DIR in the following three examples: | $SNORT_DIR/fwcfg/affinity.conf |
Read the IPS rules and objects. | $DE_DIR/policyText_full.yaml |
Read the SNORT configuration. | $DE_DIR/snort.conf |
Files are read in dynamically when they are referenced in the policyText_full.yaml file. | $DE_DIR/* |
The adapter uses the find command to search for IP reputation files in this directory. | $SNORT_DIR/iprep_download |
File that is read to get the database connection credentials. | /etc/sf/ims-data.conf |