topic Re: How to verify enabled snort rules in FTD in Network Security

How to verify enabled snort rules in FTD

Chess Norris — Tue, 14 Dec 2021 19:27:40 GMT

Hi,

I have an IPS policy based on Balanced Security and Connectivity and according to that policy 473 rules are set to generate events and 8657 rules are set to drop and generate events. I have downloaded the latest ruleset and want to verify that all signatures related to the log4j vulnerability are enabled and set to drop and generate events. However if I select "View rules" from the Balanced Security and Connectivity policy layer, it will display 46237 rules, which I assume is every available snort signatures. So my question is how I can see only the 8657 signature that I'm currently using? I am assuming all log4j signatures are enabled in the Balanced Security and Connectivity policy, but I just want to make sure this is the case.

Thanks

/Chess

Re: How to verify enabled snort rules in FTD

shahzad_ahmed — Tue, 14 Dec 2021 19:35:15 GMT

You should be able to search for the snort rule ID associated with this and see what the action is set to which might well be “set to drop”. But you would need to confirm.

https://www.snort.org/advisories/talos-rules-2021-12-10

Re: How to verify enabled snort rules in FTD

Chess Norris — Tue, 14 Dec 2021 19:43:43 GMT

Thanks, it looks like even the "Connectivity Over Security" base policy have all the log4j signatures enabled.

/Chess