https://community.cisco.com/t5/network-security/intrusion-event-not-occur/m-p/4671451#M1092775 <P>Sorry for Self-Reply.</P><P>I tried to change, Snort3(NG) to revert Snort2(OK), after return to Snort3, it changes OK.</P><P>This reason is still unknown.</P><P>Thank you.</P> Thu, 18 Aug 2022 07:33:50 GMT usako-san 2022-08-18T07:33:50Z https://community.cisco.com/t5/network-security/intrusion-event-not-occur/m-p/4668277#M1092610 <P>-------------------------------------<BR />Title:<BR />"Intrusion Event Not Occur"<BR />-------------------------------------<BR />Hello,</P><P>I'm having trouble with IPS intrusion events not occurring as expected.<BR />Test traffic that should be dropped by IPS(Snort 3),<BR />On the FMC, Not observed as an "Intrusion Event"<BR />(observed as Connection Event, pasted logging below).</P><P>When I did a similar test in the Snort2 environment(Firepower8120 and FMC2000) it was OK.</P><P>It is expected that,<BR />When security violation is detected, FMC catches as "Intrusion Event",<BR />then create "Correlation Event", finaly send from FMC to External Syslog Server.</P><P>Still, I think FTD-FMC(built in different segments) use 8305/tcp for alerting<BR />like any other communication channel,please point out if wrong.</P><P>Do you have any Idea to solve?<BR />Regards.</P><P>------------------------------------<BR />(Reference: Informations)</P><P>FTD: Firepower 2140 with FTD(7.0.1.1)<BR />FMC: Firepower Management Center 2600(7.0.1.1)<BR />Test Traffic Route:<BR />[PC]--(Internet)--&gt; External:G1/1[FTD]G1/2:Internal --&gt; [Test Server]<BR />G1/1 and G1/2 are configured as Inline Pair.<BR />Snort: version 3<BR />ACP(Security Intelligence): Black List is empty<BR />ACP(NAP): Not Configured(because of not using now)<BR />Syslog(Policies-Action-Alerts): Configured to send External Syslog Server<BR />Syslog(Others): Not Configured(because of not using now)</P><P>------------------------------------<BR />(Reference: Logging on FTD)</P><P><BR />&gt; system support trace</P><P>Enable firewall-engine-debug too? [n]:<BR />Please specify an IP protocol: tcp<BR />Please specify a client IP address:<BR />Please specify a client port:<BR />Please specify a server IP address: 10.68.254.159<BR />Please specify a server port: 80<BR />Monitoring packet tracer debug messages</P><P>MidRecovery data queried. Got session type 2 rule id: 268435459, rule_action:2, rev id:2934359906, ruleMatch flag:0x0<BR />MidRecovery data queried. Got session type 2 rule id: 268435459, rule_action:2, rev id:2934359906, ruleMatch flag:0x0</P><P>10.68.254.159 80 -&gt; 210.162.186.194 19376 6 AS=4 ID=12 Packet 23699: TCP ***A**S*, 08/10-07:19:30.577393, seq 2407507212, ack 1166866861, dsize 0<BR />10.68.254.159 80 -&gt; 210.162.186.194 19376 6 AS=4 ID=12 AppID: service: (0), client: (0), payload: (0), misc: (0)<BR />10.68.254.159 80 -&gt; 210.162.186.194 19376 6 AS=4 ID=12 Firewall: allow rule, 'twa_acr', allow<BR />10.68.254.159 80 -&gt; 210.162.186.194 19376 6 AS=4 ID=12 Policies: Network 0, Inspection 0, Detection 9<BR />10.68.254.159 80 -&gt; 210.162.186.194 19376 6 AS=4 ID=12 Verdict: pass</P><P>210.162.186.194 19376 -&gt; 10.68.254.159 80 6 AS=4 ID=12 Packet 23700: TCP ***A****, 08/10-07:19:30.597396, seq 1166866861, ack 2407507213, dsize 0<BR />210.162.186.194 19376 -&gt; 10.68.254.159 80 6 AS=4 ID=12 AppID: service: (0), client: (0), payload: (0), misc: (0)<BR />210.162.186.194 19376 -&gt; 10.68.254.159 80 6 AS=4 ID=12 Firewall: allow rule, 'twa_acr', allow<BR />210.162.186.194 19376 -&gt; 10.68.254.159 80 6 AS=4 ID=12 Policies: Network 0, Inspection 0, Detection 9<BR />210.162.186.194 19376 -&gt; 10.68.254.159 80 6 AS=4 ID=12 Verdict: pass</P><P>210.162.186.194 19376 -&gt; 10.68.254.159 80 6 AS=4 ID=12 Packet 23701: TCP ***AP***, 08/10-07:19:30.597396, seq 1166866861, ack 2407507213, dsize 537<BR />210.162.186.194 19376 -&gt; 10.68.254.159 80 6 AS=4 ID=12 Event: 1:1108:19, Action block<BR />210.162.186.194 19376 -&gt; 10.68.254.159 80 6 AS=4 ID=12 Stream: pending block, drop<BR />210.162.186.194 19376 -&gt; 10.68.254.159 80 6 AS=4 ID=12 Policies: Network 0, Inspection 0, Detection 9<BR />210.162.186.194 19376 -&gt; 10.68.254.159 80 6 AS=4 ID=12 Verdict: blacklist<BR />210.162.186.194 19376 -&gt; 10.68.254.159 80 6 AS=4 ID=12 Verdict Reason: ips, block</P> Fri, 12 Aug 2022 06:54:24 GMT https://community.cisco.com/t5/network-security/intrusion-event-not-occur/m-p/4668277#M1092610 usako-san 2022-08-12T06:54:24Z https://community.cisco.com/t5/network-security/intrusion-event-not-occur/m-p/4671451#M1092775 <P>Sorry for Self-Reply.</P><P>I tried to change, Snort3(NG) to revert Snort2(OK), after return to Snort3, it changes OK.</P><P>This reason is still unknown.</P><P>Thank you.</P> Thu, 18 Aug 2022 07:33:50 GMT https://community.cisco.com/t5/network-security/intrusion-event-not-occur/m-p/4671451#M1092775 usako-san 2022-08-18T07:33:50Z https://community.cisco.com/t5/network-security/intrusion-event-not-occur/m-p/4722829#M1095109 <P>Hello Usako,</P> <P>Your understanding is correct</P> <P>When security violation is detected, FMC catches as "Intrusion Event",<BR />It then create "Correlation Event", finally send from FMC to External Syslog Server.</P> <P>You can refer following links for better understanding on External alerting, comparing Snort 2 &amp; Snort 3.</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/external_alerting_for_intrusion_events.pdf" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/external_alerting_for_intrusion_events.pdf</A></P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/217617-comparing-snort-2-and-snort-3-on-firepow.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/217617-comparing-snort-2-and-snort-3-on-firepow.html</A></P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/70/snort3/config-guide/snort3-configuration-guide-v70/migrating.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/firepower/70/snort3/config-guide/snort3-configuration-guide-v70/migrating.html</A></P> <P><SPAN class="test-id__field-value slds-form-element__static slds-grow word-break-ie11">You can also learn more about Secure Firewall (formerly known as NGFW) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources [<A href="https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493" target="_blank" rel="noopener">https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493</A>] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.<BR /><BR />Please do let me know if you have any question/feedback.</SPAN></P> Thu, 17 Nov 2022 01:58:59 GMT https://community.cisco.com/t5/network-security/intrusion-event-not-occur/m-p/4722829#M1095109 urathod 2022-11-17T01:58:59Z