topic Re: Cisco FTD send RST when dropped by Snort / IPS in Network Security

Cisco FTD send RST when dropped by Snort / IPS

brettp — Mon, 30 Jan 2023 14:47:28 GMT

Hello,

I understand that in Access Control rules on the FTD, there are "block" and "block with reset" actions, but how does one configure Snort / IPS to send a RST if it's dropping something (traffic that was set to "allow" in the ACP?) Furthermore, if possible, is it or can it be so granular as to allow for the specifying interfaces, zones, or the like?

Long story short, without all of the details, we are doing some testing... When moving a test malware file from zone to another, that is allowed by the ACP, the IPS is dropping the traffic as expected. The lack of a RST is causing the internal process that is moving the file to hang until it times out. I would like to send a RST in this case, but not for something being inspected from the internet. Is it possible?

Thanks!

Re: Cisco FTD send RST when dropped by Snort / IPS

brettp — Wed, 01 Feb 2023 20:07:27 GMT

Does anyone have any insight on this? I can find no documentation. Obviously, if it was an access rule dropping the traffic, one could use "Drop with reset" but this is being dropped by IPS. I can find no information or documentation online about sending a RST. I would imagine is has to be possible somehow? Thanks!

Re: Cisco FTD send RST when dropped by Snort / IPS

MHM Cisco World — Wed, 01 Feb 2023 20:10:31 GMT

the Snort not drop traffic is send verdict to Lina, Lina will drop the traffic.

Re: Cisco FTD send RST when dropped by Snort / IPS

brettp — Wed, 01 Feb 2023 20:31:24 GMT

Thanks for the reply. I understand that LINA ultimately drops the packet , but how can I configure the FTD to send a RST when traffic is getting dropped due to a IPS / intrusion policy rule… and not an access control rule?

Re: Cisco FTD send RST when dropped by Snort / IPS

MHM Cisco World — Wed, 01 Feb 2023 20:40:37 GMT

https://rayka-co.com/lesson/firepower-malware-and-file-policy/
check the reset connection in this above link

Re: Cisco FTD send RST when dropped by Snort / IPS

Marius Gunnerud — Wed, 01 Feb 2023 22:13:49 GMT

If you create a Malware & File policy you can select drop with an option to reset. The Intrusion policy however does not have an option to reset when traffic is blocked.

This is a screenshot from the Malware & File policy when adding a rule:

Re: Cisco FTD send RST when dropped by Snort / IPS

brettp — Thu, 02 Feb 2023 13:21:24 GMT

Thank you both for the information. Wow, that is interesting that a RST can not be sent if something is dropped due to intrusion rules. Correct me if I am wrong, but with the File & Malware Policy, I can only block filetypes with the Threat license. In order for me to do any type of dynamic file/malware inspection, I would need a Malware license, correct?

For instance… I am doing tests with a simple EICAR text file. If I were using a File & Malware policy, with the threat license only, I would only be able to block .txt for instance. It is unaware that the file is “malicious.” In order for me to scan the .txt and have the FTD determine it is malicious (not taking into account the IPS rules… strictly File & Malware policy,) I would need the Malware license?

Thanks!

Re: Cisco FTD send RST when dropped by Snort / IPS

MHM Cisco World — Thu, 02 Feb 2023 14:48:22 GMT

I think your are correct
https://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/Licensing_the_Firepower_System.html

Re: Cisco FTD send RST when dropped by Snort / IPS

Marius Gunnerud — Thu, 02 Feb 2023 15:33:27 GMT

Your understanding is correct.