Sheriff CSM™
Sheriff NIDS
Sheriff NIDS plays an important role in the Sheriff CSM. By detecting malicious network events, it provides vital information for correlation directives and cross-correlation rules. Combining this information with the events collected from other devices, Sheriff CSM presents a complete picture of the malicious activity.
The Sheriff NIDS functionality, including monitoring network traffic and detecting malicious events, takes place on the Sheriff CSM Sensor (Deputy). You should configure at least two network interfaces on a Sheriff CSM Sensor or Sheriff CSM All-in-One:
The Sheriff CSM Server consumes the NIDS signatures through plugins, which generate the Sheriff NIDS events. The correlation engine processes and correlates the normalized events, then stores them in the SIEM database.
Sheriff Vigilante Limitations: Both Sheriff Vigilante and the Sheriff CSM HIDS decoders are fully featured, with all of their information coming from the Plugin Feed Updates that Sheriff CSM and Sheriff Vigilante provide. However, Sheriff Vigilante lacks the depth of NIDS information that is provided to Sheriff CSM through the Threat Intelligence Updates.