where policy meets technology

Tel: (01344) 780000 | Email: info@armana.co.uk
Sourcefire Intrusion Sensors

Sourcefire Intrusion Sensors offer an industry-leading intrusion detection and prevention (IDP) solution that provides defence in depth by analyzing network traffic and either blocking, replacing or alerting when suspicious activity is detected. Sourcefire Intrusion Sensors can be deployed either passively as an IDS or inline as an IPS, providing the most effective intrusion detection and prevention available today.

With performance options from 5 Mbps to 8 Gbps and extreme flexibility, Sourcefire Intrusion Sensors can be deployed in an array of configurations to suit nearly any network requirement and combination of mission-critical applications, including latency-sensitive applications such as Voice over IP (VoIP).

Sourcefire Intrusion Sensors offer Plug-n-Protect™ architecture, with hardware, software and operating system optimized for peak performance. Each sensor can be installed in minutes and provides an easy-to-use web-based interface for all aspects of sensor management.


You can’t prevent what you can’t detect

Intrusion detection and security monitoring technologies provide critical insight into attacks occurring on the network. To achieve the industry's highest rate of attack detection and prevention, Sourcefire Intrusion Sensors leverage the award-winning Snort® rules-based decision engine. With almost 2,000,000 downloads to date, Snort® is the most widely deployed intrusion management technology worldwide and has become the de facto standard for intrusion detection and prevention.

Snort uses a rules-based language that combines the benefits of signature, protocol and anomaly-based inspection methods. Rules examine packets at both the IP protocol level and the application level and can be set to look for specific occurrences of attacks against a protocol, or for the conditions of an attack. (See Precise Attack Detection below for more on Sourcefire's detection approach.)


With Knowledge Comes Prevention

By understanding that good prevention begins with precise detection, Sourcefire Intrusion Sensors go beyond simple intrusion detection to actually prevent attacks before they can harm the network. Sourcefire offers users the ability to deploy Intrusion Sensors either passively or inline. When deployed inline, each rule can be set not only to alert on events but to drop the packet or replace malicious payloads with benign content. By leveraging the flexibility of the Snort rules language, critical threats can not only be blocked but also contained or quarantined via techniques such as dropping traffic, disrupting sessions between devices, and integrating with access control devices such as firewalls, routers and switches.

In addition, the Sourcefire Defense Center combines the accuracy of the award-winning Snort®-based Intrusion Sensors with the persistent, real-time network intelligence provided by RNA Sensors. This allows users to set and enforce policies based on the correlation of a detected threat with network vulnerability and asset data. This added context also enables Intrusion Sensors to be tuned so they apply only relevant policies to individual threats.

Precise Attack Detection

Sourcefire achieves the industry's highest rate of attack detection and prevention by leveraging the award-winning Snort through an advanced combination of signature and protocol detection capabilities. By using a rules-based engine that allows users to write new rules and edit existing ones, together with advanced methods of protocol normalisation, the Sourcefire Intrusion Sensor ensures the detection of both known and unknown attacks.


Rules-based Detection

Sourcefire uses a rules-based decision engine that can be configured to detect both signature-based events for known exploits and anomalous behaviour for as yet unknown threats. Rules examine packets at both the IP protocol level and the application level and can be set to look for specific occurrences of attacks against a protocol, or for the conditions of an attack. For example, a specific buffer overflow attack can be detected by looking for "/bin/sh" in a packet's payload, or the overflow condition itself can be detected by looking for a payload larger than some threshold.
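To make the signature-versus-condition distinction concrete, the following added example (not Sourcefire or Snort code) parses a small Snort-style subset of rule options, `content:` for a literal signature and `dsize:>N` for a payload-size condition, and evaluates two constructed rules against constructed packet payloads. The rule text, SIDs, thresholds and packets are all assumed sample values.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed example payloads (not real captures): name -> application-layer bytes
PACKETS = {
    "shell_string": b"GET /cgi-bin/x?cmd=/bin/sh HTTP/1.0\r\n",
    "oversized":    b"A" * 600,
    "benign":       b"GET /index.html HTTP/1.0\r\n",
}

@dataclass
class Rule:
    sid: int
    msg: str
    content: Optional[bytes]   # signature: literal byte string that must appear in the payload
    dsize_gt: Optional[int]    # condition: fire when payload length exceeds this threshold

# option parser: key:"quoted value"; or key:value;  (quotes optional, value may not contain ; or ")
OPTION_RE = re.compile(r'(\w+):\s*("?)([^;"]*)\2\s*;')

def parse_rule(text: str) -> Rule:
    """Parse the option block of a simplified Snort-style rule.
    Only the msg, sid, content and dsize options are understood; the header is ignored."""
    opts = {k: v for k, _, v in OPTION_RE.findall(text[text.index("(") + 1:])}
    content = opts["content"].encode() if "content" in opts else None
    dsize_gt = None
    if "dsize" in opts:
        m = re.fullmatch(r">\s*(\d+)", opts["dsize"].strip())
        if not m:
            raise ValueError("only the 'dsize:>N' form is supported in this example")
        dsize_gt = int(m.group(1))
    return Rule(int(opts["sid"]), opts["msg"], content, dsize_gt)

def rule_matches(rule: Rule, payload: bytes) -> bool:
    """Every option present on the rule must hold for the rule to fire."""
    if rule.content is not None and rule.content not in payload:
        return False
    if rule.dsize_gt is not None and len(payload) <= rule.dsize_gt:
        return False
    return True

def evaluate(rules, packets):
    """Return {packet_name: [sid, ...]} listing every rule that fires on each payload."""
    return {name: [r.sid for r in rules if rule_matches(r, p)] for name, p in packets.items()}

# Two constructed rules mirroring the page's example: a literal signature and a size condition.
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> any 80 (msg:"shell string in payload"; content:"/bin/sh"; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"oversized payload, possible overflow"; dsize:>512; sid:1000002;)',
)]
```

The first rule fires only on the payload carrying the literal string, the second only on the oversized payload, and neither fires on the benign request.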


Extendable Rules Language

Sourcefire provides users with the ability to easily create new rules and modify existing ones, eliminating false positives and detecting organization-specific threats. The easy-to-use interface allows new rules to be quickly validated and added to the ruleset, either on individual sensors or on groups of sensors using the Sourcefire Defense Center.


Stateful Protocol Analysis and Normalisation

The Sourcefire Intrusion Sensor uses several "preprocessors" to perform complex stateful protocol analysis and normalization, detecting protocol anomalies through a variety of methods.

The stateful inspection system detects portscans, IP stack fingerprinting, TCP protocol anomalies and TCP evasion attacks.

The IP defragmenter detects Denial of Service attacks and fragmentation evasion techniques.

The application-layer protocol normalisers detect a variety of anomalies, including Unicode and other HTTP-based attacks, RPC anomalies, telnet negotiation code anomalies, ARP spoofing, polymorphic shellcode and ASN.1 encoding irregularities.


Advanced Port Scan Detection

Sourcefire Intrusion Sensors detect a variety of port scan techniques, including portscan, portsweep, decoy portscan and distributed portscan. Administrators can control the sensitivity of this detection with low, medium and high settings. Protocols that can be analysed include TCP, UDP, ICMP and IP.
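The following added example (not Sourcefire or Snort code) shows how the two basic categories named above can be separated from connection-attempt records: a portscan is one source touching many ports on one host, a portsweep is one source touching one port on many hosts. The per-sensitivity thresholds and the connection records are constructed for illustration and do not reflect Snort's actual tuning.

```python
from collections import defaultdict

# Assumed thresholds per sensitivity level (not Snort's real values):
# distinct ports (portscan) or distinct hosts (portsweep) one source must touch before alerting.
SENSITIVITY = {"low": 20, "medium": 10, "high": 5}

# Constructed connection-attempt records: (src_ip, dst_ip, dst_port)
EVENTS = (
    [("10.0.0.5", "192.0.2.10", p) for p in range(20, 32)]            # one source, one host, 12 ports
    + [("10.0.0.6", f"192.0.2.{h}", 22) for h in range(1, 9)]         # one source, 8 hosts, one port
    + [("10.0.0.7", "192.0.2.20", 80), ("10.0.0.7", "192.0.2.20", 443)]  # ordinary client traffic
)

def classify_scans(events, sensitivity="medium"):
    """Return sorted (src_ip, kind, count) alerts, where kind is 'portscan' or 'portsweep'.
    A higher sensitivity setting lowers the threshold, so more (and smaller) scans are reported."""
    threshold = SENSITIVITY[sensitivity]
    ports_per_host = defaultdict(set)   # (src, dst)  -> set of destination ports seen
    hosts_per_port = defaultdict(set)   # (src, port) -> set of destination hosts seen
    for src, dst, dport in events:
        ports_per_host[(src, dst)].add(dport)
        hosts_per_port[(src, dport)].add(dst)
    alerts = []
    for (src, _dst), ports in ports_per_host.items():
        if len(ports) >= threshold:
            alerts.append((src, "portscan", len(ports)))
    for (src, _port), hosts in hosts_per_port.items():
        if len(hosts) >= threshold:
            alerts.append((src, "portsweep", len(hosts)))
    return sorted(alerts)
```

At the medium setting only the 12-port scan is reported; high also catches the 8-host sweep, and low reports neither, which is the trade-off the sensitivity control exposes.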


Ahead of the Threats

The robustness of the Snort rules language enables the Sourcefire VRT (Vulnerability Research Team) to write complex rules capable of detecting multiple worm variants with a single rule. This means Sourcefire customers can detect new variants of known worms without needing to update their system. When a variant of Blaster, known as Nachi, was released, customers were confident they already had detection capabilities in place. Thanks to the foresight of the Sourcefire VRT, the rule had been written to detect attempts to exploit the underlying vulnerability in a robust, portable way, providing superior coverage for customers and proving essential to responding effectively to a rapidly evolving and growing threat.