How to tell if sourcefire is blocking without the use of the Defense Cetner

equinox198 · ‎05-21-2015

Is there a way to tell if a source fire device is blocking without the use of defense center?

We have run into a few issues where the device will stop passing traffic or is blocking traffic, but there are no logs (eventhough they are set to log).

Is there another way to verify it is blocking, maybe via packet capture, cli log, or something?

clementlarrous · ‎05-25-2015

Hello,

Which version of Sourcefire are you using ?

In what situations you notice dropped traffic ?

You can see limited informations directly throught your sensor. Connect into your device with SSH as admin user.

use the following command :

show perfstats

then choose your primary detection engine.

You should see multiple files like this :

 46 - /var/sf/detection_engines/b27eaed6-70ac-11e4-ba23-6e20fa5e01f0/2015-05-23
 47 - /var/sf/detection_engines/b27eaed6-70ac-11e4-ba23-6e20fa5e01f0/2015-05-24
 48 - /var/sf/detection_engines/b27eaed6-70ac-11e4-ba23-6e20fa5e01f0/instance-1/now
 49 - /var/sf/detection_engines/b27eaed6-70ac-11e4-ba23-6e20fa5e01f0/instance-2/now
 50 - /var/sf/detection_engines/b27eaed6-70ac-11e4-ba23-6e20fa5e01f0/instance-3/now
 51 - /var/sf/detection_engines/b27eaed6-70ac-11e4-ba23-6e20fa5e01f0/instance-4/now

Files ending with the word "now" represent data(statistics) of the day collected by each instance of your detection engine. Once you read those data, you would notice interesting informations like :

- Pkts Drop:

- Drop Rate:

Best regards,

zaferberber · ‎02-04-2016

Hi

why this output does not show current day ?

48 - /var/sf/detection_engines/b27eaed6-70ac-11e4-ba23-6e20fa5e01f0/instance-1/now