Sourcefire 3D Sensor

To integrate IBM® QRadar® Risk Manager with your network devices, ensure that you review the requirements for the Sourcefire 3D Sensor adapter.

The following features are available with the Sourcefire 3D Sensor adapter:
  • IPS
  • SSH connection protocol
Limitations:
  • Intrusion policies attached to individual access control rules are not used by QRadar Risk Manager. Only the default intrusion policy is supported.
  • NAT and VPN are not supported.

The following table describes the integration requirements for the Sourcefire 3D Sensor adapter.

Table 1. Integration requirements for the Sourcefire 3D Sensor adapter

Integration requirement / Description

Versions
  • 5.2

Supported 3D sensors (Series 2 devices)
  • 3D500
  • 3D1000
  • 3D2000
  • 3D2100
  • 3D2500
  • 3D3500
  • 3D4500
  • 3D6500
  • 3D9900

SNMP discovery
  • No

Required credential parameters
  To add credentials in QRadar, log in as an administrator and use Configuration Monitor on the Risks tab.
  • Username
  • Password

Supported connection protocols
  To add protocols in QRadar, log in as an administrator and use Configuration Monitor on the Risks tab.
  • SSH

Commands that the adapter requires to log in and collect data
  • show version
  • show memory
  • show network
  • show interfaces
  • expert
  • sudo
  • su
  • df
  • hostname
  • ip addr
  • route
  • cat
  • find
  • head
  • mysql

Commands that the adapter uses to read configuration information:

  • sudo su df: gets hardware information.
  • sudo su hostname: gets the system host name.
  • sudo su route -n: gets routing information.

Files that the adapter reads with the cat or head command to get configurations:

  • /etc/sf/ims.conf: read to get configuration settings.
  • $SNORT_DIR/fwcfg/affinity.conf: read to get the base directory for the SNORT instance, which is referenced as $DE_DIR in the following three entries.
  • $DE_DIR/policyText_full.yaml: read to get the IPS rules and objects.
  • $DE_DIR/snort.conf: read to get the SNORT configuration.
  • $DE_DIR/*: files are read dynamically when they are referenced in the policyText_full.yaml file.
  • $SNORT_DIR/iprep_download: the adapter uses the find command to search for IP reputation files in this directory.
  • /etc/sf/ims-data.conf: read to get the database connection credentials.
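Because the adapter logs in over SSH, escalates with sudo and su, and reads the database credentials file, the account you give it has effectively root-level reach on the sensor. An administrator who restricts or audits that account will want to compare what the account actually ran against the command set documented above. The following script is an added example written for this page, not IBM's or Sourcefire's code: it takes a transcript of commands typed in the adapter's SSH session (constructed here, including the placeholder directory `/placeholder/snort_dir` standing in for `$SNORT_DIR`) and reports any command outside the documented set, peeling off the `sudo su` wrapper so that `sudo su df` is judged as `df`.

```python
"""Audit an SSH session transcript from a Sourcefire 3D Sensor against the
command set that the QRadar Risk Manager adapter documentation lists.
Added example; the transcript below is constructed, not a real session."""
import shlex

# Commands the adapter documentation lists as required (taken from the page).
ADAPTER_COMMANDS = {
    "show version", "show memory", "show network", "show interfaces",
    "expert", "sudo", "su", "df", "hostname", "ip addr", "route",
    "cat", "find", "head", "mysql",
}

# Privilege wrappers the adapter prefixes to its commands ("sudo su df").
WRAPPERS = {"sudo", "su"}


def command_key(cmdline: str) -> str:
    """Reduce a typed command line to the key used for the allowlist check.

    Leading sudo/su wrappers are stripped so the wrapped command is judged.
    Two-word commands such as 'show version' or 'ip addr' are kept whole;
    anything else is identified by its first token.
    """
    try:
        tokens = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: fall back to whitespace splitting
        tokens = cmdline.split()
    if not tokens:
        return ""
    inner = tokens
    while len(inner) > 1 and inner[0] in WRAPPERS:
        inner = inner[1:]
    two_word = " ".join(inner[:2])
    return two_word if two_word in ADAPTER_COMMANDS else inner[0]


def audit_session(lines):
    """Split transcript lines into those the adapter is documented to run
    and those that are not, preserving order. Blank lines are ignored."""
    result = {"expected": [], "unexpected": []}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        bucket = "expected" if command_key(line) in ADAPTER_COMMANDS else "unexpected"
        result[bucket].append(line)
    return result


# Constructed transcript: the documented collection sequence plus two
# commands that the adapter has no reason to run.
SAMPLE_SESSION = [
    "show version",
    "show memory",
    "show network",
    "show interfaces",
    "expert",
    "sudo su df",
    "sudo su hostname",
    "sudo su route -n",
    "ip addr",
    "cat /etc/sf/ims.conf",
    "head /etc/sf/ims-data.conf",
    "find /placeholder/snort_dir/iprep_download -type f",  # placeholder for $SNORT_DIR
    "mysql -e 'select 1'",
    "crontab -l",        # not in the documented set
    "yum install vim",   # not in the documented set
]

if __name__ == "__main__":
    report = audit_session(SAMPLE_SESSION)
    for line in report["unexpected"]:
        print(f"UNEXPECTED: {line}")
    print(f"{len(report['expected'])} expected, {len(report['unexpected'])} unexpected")
```

The allowlist is deliberately coarse (command names, not arguments), because the documented set includes `cat`, `head`, `find` and `mysql`, whose arguments vary with the sensor's own directory layout; a tighter check would also compare the file arguments against the paths listed above once `$SNORT_DIR` and `$DE_DIR` are known for the specific sensor.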