Fortinet white logo
Fortinet white logo

External Systems Configuration Guide

Sourcefire 3D and Defense Center

Sourcefire 3D and Defense Center

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
Syslog

Event Types

In ADMIN > Device Support > Event, search for "sourcefire" in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value
Name <set name>
Device Type Sourcefire Sourcefire3D IPS
Access Protocol See Access Credentials
Port See Access Credentials
Password config See Password Configuration

Configuration

Syslog

FortiSIEM handles SourceFire alerts via syslog either from IPS appliances themselves or from DefenseCenter. Events are classified as Snort event types.

Simply configure SourceFire appliances or DefenseCenter to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.

  • For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance.
  • For Port, enter 514.
  • Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.
Sample Syslog from SourceFire3D IPS

<188>Jul  4 15:07:01 Sourcefire3D Snort: [119:15:1] http_inspect: OVERSIZE REQUEST-URI DIRECTORY [Impact: Unknown] From DetectionEngine_IPS_DMZ2/SourcefireIPS at Thu Jul  4 15:07:01 2013 UTC [Classification: Potentially Bad Traffic] [Priority: 2] {tcp} 10.20.1.12:57689->1.1.1.1:80
Sample Syslog from SourceFire DefenseCenter

<46>Jul 17 16:01:54 DefenseCenter SFAppliance: [1:7070:14] "POLICY-OTHER script tag in URI - likely cross-site scripting attempt" [Impact: Potentially Vulnerable] From "10.134.96.172" at Wed Jul 17 16:01:52 2013 UTC [Classification: Web Application Attack] [Priority: 1] {tcp} 1.2.3.4:60537->2.3.4.5:80

Sourcefire 3D and Defense Center

Sourcefire 3D and Defense Center

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
Syslog

Event Types

In ADMIN > Device Support > Event, search for "sourcefire" in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value
Name <set name>
Device Type Sourcefire Sourcefire3D IPS
Access Protocol See Access Credentials
Port See Access Credentials
Password config See Password Configuration

Configuration

Syslog

FortiSIEM handles SourceFire alerts via syslog either from IPS appliances themselves or from DefenseCenter. Events are classified as Snort event types.

Simply configure SourceFire appliances or DefenseCenter to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.

  • For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance.
  • For Port, enter 514.
  • Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.
Sample Syslog from SourceFire3D IPS

<188>Jul  4 15:07:01 Sourcefire3D Snort: [119:15:1] http_inspect: OVERSIZE REQUEST-URI DIRECTORY [Impact: Unknown] From DetectionEngine_IPS_DMZ2/SourcefireIPS at Thu Jul  4 15:07:01 2013 UTC [Classification: Potentially Bad Traffic] [Priority: 2] {tcp} 10.20.1.12:57689->1.1.1.1:80
Sample Syslog from SourceFire DefenseCenter

<46>Jul 17 16:01:54 DefenseCenter SFAppliance: [1:7070:14] "POLICY-OTHER script tag in URI - likely cross-site scripting attempt" [Impact: Potentially Vulnerable] From "10.134.96.172" at Wed Jul 17 16:01:52 2013 UTC [Classification: Web Application Attack] [Priority: 1] {tcp} 1.2.3.4:60537->2.3.4.5:80