User guide

Integrating Intrusion Detection
and either allow or deny packets. Little extra bandwidth is available to
conduct sophisticated analysis of traffic patterns.

LiveSecurity Service subscribers can download a command-line utility
called the Firebox System Intrusion Detection System Mate (fbidsmate)
that integrates the Firebox with most commercial and shareware IDS
applications. You use the fbidsmate utility to configure your IDS to run
scripts that query the Firebox for information. Because versions are
available for Win32 (Windows NT, Windows 2000, and Windows XP),
SunOS, and Linux operating systems, you can select whatever IDS
application best suits your security policy and network environment.

Working with an external IDS application, the Firebox can automatically
add sites to the Blocked Sites list. Timeouts and blocked site exceptions
work exactly as they do for sites blocked using default packet handling
options. Sites added to the Blocked Sites list appear in the Firebox
Monitors Blocked Sites tab. In addition, you can use the utility to add
explanatory log messages to the log file, which can subsequently be used
for reports.

Because the fbidsmate utility is external to the Firebox, no changes in the
configuration file are required, nor is there anything additional to
configure using Policy Manager.

To obtain a copy of the fbidsmate command-line utility that matches the
operating system on which your IDS application is running, log in to your
LiveSecurity Service account at:
https://www.watchguard.com/support

Using the fbidsmate command-line utility

The fbidsmate utility works from the command line. Although you can
execute the commands directly against the Firebox, the tool is used most
frequently in the context of an IDS application script. The command
syntax is:

    fbidsmate firebox_address [rwpassphrase | -f rwpassphrase_file]
        [add_hostile hostile_address] | [add_log_message priority(0-7) "message"]

    fbidsmate import_passphrase rwpassphrase rwpassphrase_filename
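
The syntax above as it might be called from an IDS alert script, as an added example that is not part of the WatchGuard guide: a POSIX shell hook that validates the address supplied by the IDS before passing it to add_hostile, refuses to block listed hosts, and reads the passphrase with -f so it does not appear in the process list. The Firebox address, file path, never-block list, default priority and function names are assumptions.

```shell
#!/bin/sh
# Added example: IDS alert hook that wraps fbidsmate. All values are constructed.
FIREBOX="${FIREBOX:-192.0.2.1}"                # assumed Firebox address
PASSFILE="${PASSFILE:-/etc/ids/fb_pass}"      # hypothetical rwpassphrase_file
NEVER_BLOCK="${NEVER_BLOCK:-192.0.2.1 192.0.2.10}"  # hosts the hook must not block
FBIDSMATE="${FBIDSMATE:-fbidsmate}"

# Succeeds only for a strict dotted-quad IPv4 address (octets 0-255).
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Succeeds if the address is on the never-block list.
is_protected() {
    for host in $NEVER_BLOCK; do
        [ "$host" = "$1" ] && return 0
    done
    return 1
}

# Runs the command, or only prints it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# block_host ADDRESS [PRIORITY]: add the site to Blocked Sites, then log why.
block_host() {
    prio="${2:-4}"
    is_ipv4 "$1" || { echo "rejected: not an IPv4 address" >&2; return 2; }
    case "$prio" in [0-7]) ;; *) echo "rejected: priority" >&2; return 2 ;; esac
    if is_protected "$1"; then echo "rejected: protected host" >&2; return 3; fi
    run "$FBIDSMATE" "$FIREBOX" -f "$PASSFILE" add_hostile "$1" || return 1
    run "$FBIDSMATE" "$FIREBOX" -f "$PASSFILE" add_log_message "$prio" "IDS blocked $1"
}

# Stand-alone use: hook.sh ADDRESS [PRIORITY]
if [ $# -gt 0 ]; then block_host "$@"; fi
```

Set DRY_RUN=1 to print the fbidsmate commands instead of running them while wiring the hook into the IDS.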