Sheriff CSM™

Configuring Sheriff NIDS

Sheriff CSM comes with Sheriff NIDS already enabled, but you need to perform the steps below in order to monitor network traffic.
  1. Enable one or more interfaces for monitoring

  2. Add monitored networks
  3. Using SPAN or mirror ports, configure your network devices to send traffic to the monitoring interface.

    Important: AT&T Cybersecurity recommends that you send packets untagged through the SPAN/mirror port, because VLAN trunking is currently not supported. As a result, Bridge Protocol Data Units (BPDUs) and packets sent through other Layer 2 protocols are dropped. These Layer 2 protocols include, but are not limited to, Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), Link Aggregation Control Protocol (LACP), Port Aggregation Protocol (PAgP), Spanning Tree Protocol (STP), and VLAN Trunk Protocol (VTP).

Enable a Network Interface for Monitoring

If you have a Sheriff CSM All-in-One and you have not completed the initial configuration, you can enable the interface for NIDS monitoring by using the Getting Started Wizard. See Configuring Network Interfaces.

Otherwise, you can configure the network interface by using the web UI (recommended) or the Sheriff Setup menu.

To enable the interface using the web UI:

  1. Go to Configuration > Deployment > Components > Sheriff Center.

  2. Double-click the instance you want to configure.
  3. Click Sensor (Deputy) Configuration.

  4. Click Detection.

  5. In the Listening Interfaces area, click the plus (+) sign next to the interface you want to add.

  6. Click Apply Changes.

To enable the interface using the Sheriff Setup menu:

  1. Connect to the Sheriff Console through SSH and use your credentials to log in.

    The Sheriff Setup menu displays.

  2. Select Configure Sensor.

  3. Select Configure Network Monitoring.
  4. Use the keyboard arrow keys to move to the interface, select the interface by pressing the spacebar, and then press Enter (<OK>).

  5. Press <Back> until you are on the Sheriff Setup menu again. Select Apply all Changes.
  6. Press <Yes> to confirm.

    Sheriff CSM applies the changes and restarts all the services, which may take several minutes.

Add Monitored Networks

By default, Sheriff CSM monitors all RFC 1918 private networks (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16). Therefore, you do not need to take any further action if your network uses private IP addresses. However, if you want to monitor a network with public IP addresses, you have to add the network to the list of monitored networks. You can add a network for NIDS monitoring by using the web UI (recommended) or the Sheriff Setup menu.

To add a network using the web UI:

  1. Go to Configuration > Deployment > Components > Sheriff Center.

  2. Double-click the appliance you want to configure.

  3. Click Sensor Configuration.

  4. Click Detection.
  5. In Monitored Networks, type the network address and click Add.

  6. Click Apply Changes.

To add a network using the Sheriff Setup menu:

  1. Connect to the Sheriff Console through SSH and use your credentials to log in.
  2. The Sheriff Setup menu displays.

  3. Select Configure Sensor.

  4. Select Network CIDRs.
  5. Type the network addresses you want to monitor, separating them with commas, and then press Enter (<OK>).

  6. Press <Back> until you are on the Sheriff Setup menu again. Select Apply all Changes.
  7. Press <Yes> to confirm.

    Sheriff CSM applies the changes and restarts all the services, which may take several minutes.
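
The following Python sketch is an added example, not part of the Sheriff documentation. It takes a list of your network CIDRs, separates those already covered by the default RFC 1918 ranges from those that must be added, and builds the comma-separated value to type at the Network CIDRs prompt. The function names and the sample networks are constructed for illustration, and the example handles IPv4 only.

```python
import ipaddress

# Default monitored ranges stated on this page (RFC 1918).
DEFAULT_MONITORED = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_networks(cidrs):
    """Split CIDR strings into (to_add, covered, rejected).

    Hypothetical helper for this example, not a Sheriff CSM API.
    """
    to_add, covered, rejected = [], [], []
    for raw in cidrs:
        text = raw.strip()
        try:
            # strict=True refuses entries with host bits set, such as
            # 198.51.100.7/24, so a typo is not silently widened.
            net = ipaddress.ip_network(text, strict=True)
        except ValueError as exc:
            rejected.append((text, str(exc)))
            continue
        if net.version != 4:
            rejected.append((text, "example handles IPv4 only"))
            continue
        # Only a network fully inside a default range is already monitored.
        # A supernet or a neighbour such as 172.32.0.0/16 is not.
        if any(net.subnet_of(d) for d in DEFAULT_MONITORED):
            covered.append(net)
        else:
            to_add.append(net)
    # Merge duplicates, nested and adjacent ranges into the shortest list.
    return list(ipaddress.collapse_addresses(to_add)), covered, rejected

def network_cidrs_value(cidrs):
    """Comma-separated string for the networks that need adding."""
    to_add, _, _ = classify_networks(cidrs)
    return ",".join(str(n) for n in to_add)

# Constructed sample input (documentation and private ranges).
SAMPLE = ["10.20.0.0/16", "203.0.113.0/25", "203.0.113.128/25",
          "172.32.0.0/16", "192.168.1.0/24", "198.51.100.7/24", "not-a-cidr"]

if __name__ == "__main__":
    to_add, covered, rejected = classify_networks(SAMPLE)
    print("Already monitored by default:", [str(n) for n in covered])
    print("Add to Monitored Networks:  ", network_cidrs_value(SAMPLE))
    for text, reason in rejected:
        print("Rejected:", text, "-", reason)
```

Rejected entries are worth reviewing by hand before applying changes, since a mistyped prefix would otherwise leave part of a public range unmonitored.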

Sheriff Vigilante Limitations: Both Sheriff Vigilante and the Sheriff CSM HIDS decoders are fully featured, with all of their information coming from the Plugin Feed Updates that Sheriff CSM and Sheriff Vigilante provide. However, Sheriff Vigilante lacks the depth of NIDS information that is provided to Sheriff CSM through the Threat Intelligence Updates.
Topic revision: r17 - 05 Oct 2021, SheriffCyberSecurity