Sourcefire has recently released version 4.9 of their Sourcefire 3D System. I’m really happy with the changes and improvements they have included in this release. Some of the changes were ones I was looking forward to, as I already had seen some of these smart changes in Snort.
The first improvement that I was eager to try out was the support for Multi Policies/Policy by VLAN or Network/Filtered Policy (I can't seem to find a consistent name in the 3D documentation or GUI) on one Detection Engine (DE). With the previous 4.8 version, I was unable to sufficiently segment my inspection. This meant that I was generating a few more alerts than I needed, and also using up my sensor's resources in handling this traffic.
Take one network hosting 8 web services, and another network hosting 2 web services, both on the same DE. All the web rules that I enabled in the Policy for the DE would, by default, potentially fire for all 10 web services.
When two of the web services are on appliances running the legacy Windows NT 4 Embedded, the RNA recommended rules suggest enabling lots of rules that will fire off too many false positives on the other Linux Apache web servers etc. A good tuning was needed for my setup, so that web-iis.rules would not fire on Apache services and vice versa, if you get my point. Not a big problem, it just took some time.
With the new multi-policies I can now make a policy for each of the two networks, and RNA recommended rules will give me a better default set to start with (a different RNA recommendation for each network) and a lot fewer false positives, which means less tuning work. It also means fewer false negatives. It is much easier now to tune the rules, as I don't have to take into account other parts of the network, and the effect on them, when I disable or enable a rule in a policy. Suppression is now used in a better way, as I no longer need to spend time suppressing a rule for one host where it is firing false positives while the rule is still needed for other hosts.
There is of course a limitation here: if the amount and variety of services and hosts is the same in one policy as it was in 4.8, you're back where you started. Also, there is a limit at this point of 8 policies in total on one DE. I wish there were more, so I could split stuff up further, but hey! Thanks for the 8 I got 🙂
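The same per-network split, written in the multiple-configuration syntax of the Snort engine underneath the 3D System (`config binding` by `net` or `vlan`, one `policy_id` per bound file). This is an added example, not from the original post or from Sourcefire; the file paths, networks and rule-file choices are assumed for illustration.

```snort
# snort.conf -- default configuration (policy_id 0); assumed paths and networks.
# Traffic not matched by any binding is inspected with this policy.
config policy_id: 0
var RULE_PATH /etc/snort/rules
var HOME_NET [10.1.0.0/24,10.2.0.0/24]
var HTTP_PORTS 80

# Global preprocessor settings live only in the default configuration.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252

# Bind each web network to its own policy file (a VLAN binding is shown commented out).
config binding: /etc/snort/policy_nt4.conf   net 10.1.0.0/24
config binding: /etc/snort/policy_linux.conf net 10.2.0.0/24
# config binding: /etc/snort/policy_dmz.conf vlan 100-110

# Baseline rules that should apply everywhere.
include $RULE_PATH/bad-traffic.rules

# ------------------------------------------------------------------
# /etc/snort/policy_nt4.conf -- the two NT 4 Embedded web appliances (assumed 10.1.0.0/24)
config policy_id: 1
var RULE_PATH /etc/snort/rules
var HTTP_SERVERS 10.1.0.0/24
var HTTP_PORTS 80
# Normalise HTTP the way IIS does; Apache-style evasions are irrelevant here.
preprocessor http_inspect_server: server default profile iis ports { 80 }
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
# No web-php / web-cgi rules: nothing on this network runs them, so they cannot
# produce anything but false positives.

# ------------------------------------------------------------------
# /etc/snort/policy_linux.conf -- the eight Linux/Apache servers (assumed 10.2.0.0/24)
config policy_id: 2
var RULE_PATH /etc/snort/rules
var HTTP_SERVERS 10.2.0.0/24
var HTTP_PORTS 80
preprocessor http_inspect_server: server default profile apache ports { 80 }
include $RULE_PATH/web-php.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-misc.rules
# web-iis.rules deliberately omitted for this network.
```

Each bound file is a complete policy in its own right, so a rule enabled or suppressed in policy_nt4.conf has no effect on the hosts covered by policy_linux.conf.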
Now the second new feature I love is the Policy Layers. This basically allows you to create reusable modules of policy configuration, rules, etc., which you can share among different policies. I can now have different sets of "rule" policies that I can maintain inside an Intrusion Policy. An example is my set of "strange rules I can't live without" or "Standard rules that should be enabled in all policies", which is now in one template that I can reuse easily!
Also, I like consulting Sourcefire's RNA (Real-time Network Awareness) recommended rules, but I also like adding more custom rules from the VRT/SEU repo. Now it's easier to have things organized: the RNA recommended rules in one rule policy, my custom "strange rules" in another, more Sourcefire VRT rules in yet another, and finally some Emerging Threats in yet another…
Now back to reviewing events…