Fortinet black logo

External Systems Configuration Guide

Sourcefire 3D and Defense Center

Sourcefire 3D and Defense Center

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
Syslog

Event Types

In ADMIN > Device Support > Event Types, search for "sourcefire" to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

FortiSIEM handles SourceFire alerts via syslog either from IPS appliances themselves or from Defense Center. Events are classified as Snort event types.

Simply configure SourceFire appliances or Defense Center to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.

  • For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance.
  • For Port, enter 514.
  • Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.
Sample Syslog from SourceFire3D IPS

<188>Jul  4 15:07:01 Sourcefire3D Snort: [119:15:1] http_inspect: OVERSIZE REQUEST-URI DIRECTORY [Impact: Unknown] From DetectionEngine_IPS_DMZ2/SourcefireIPS at Thu Jul  4 15:07:01 2013 UTC [Classification: Potentially Bad Traffic] [Priority: 2] {tcp} 10.20.1.12:57689->1.1.1.1:80
Sample Syslog from SourceFire Defense Center

<46>Jul 17 16:01:54 DefenseCenter SFAppliance: [1:7070:14] "POLICY-OTHER script tag in URI - likely cross-site scripting attempt" [Impact: Potentially Vulnerable] From "10.134.96.172" at Wed Jul 17 16:01:52 2013 UTC [Classification: Web Application Attack] [Priority: 1] {tcp} 1.2.3.4:60537->2.3.4.5:80
 

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value
Name <set name>
Device Type Sourcefire Sourcefire3D IPS
Access Protocol See Access Credentials
Port See Access Credentials
Password config See Password Configuration

Sourcefire 3D and Defense Center

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
Syslog

Event Types

In ADMIN > Device Support > Event Types, search for "sourcefire" to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

FortiSIEM handles SourceFire alerts via syslog either from IPS appliances themselves or from Defense Center. Events are classified as Snort event types.

Simply configure SourceFire appliances or Defense Center to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.

  • For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance.
  • For Port, enter 514.
  • Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.
Sample Syslog from SourceFire3D IPS

<188>Jul  4 15:07:01 Sourcefire3D Snort: [119:15:1] http_inspect: OVERSIZE REQUEST-URI DIRECTORY [Impact: Unknown] From DetectionEngine_IPS_DMZ2/SourcefireIPS at Thu Jul  4 15:07:01 2013 UTC [Classification: Potentially Bad Traffic] [Priority: 2] {tcp} 10.20.1.12:57689->1.1.1.1:80
Sample Syslog from SourceFire Defense Center

<46>Jul 17 16:01:54 DefenseCenter SFAppliance: [1:7070:14] "POLICY-OTHER script tag in URI - likely cross-site scripting attempt" [Impact: Potentially Vulnerable] From "10.134.96.172" at Wed Jul 17 16:01:52 2013 UTC [Classification: Web Application Attack] [Priority: 1] {tcp} 1.2.3.4:60537->2.3.4.5:80
 

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value
Name <set name>
Device Type Sourcefire Sourcefire3D IPS
Access Protocol See Access Credentials
Port See Access Credentials
Password config See Password Configuration