topic Re: Snort 3.0 Pass Rules in Network Security

Snort 3.0 Pass Rules

jarose0010 — Thu, 25 Aug 2022 19:34:12 GMT

Is there a way to implement pass rules in Snort 3.0 in FTD?

It appears the action of pass is available in Snort 3.0 but I am not able to find any Cisco documentation on how to implement it.

Creating a pass rule and then setting it to Action = Alert in the gui seems counterintuitive to me.

Thank you in advance,

Jimmy

Re: Snort 3.0 Pass Rules

Divya Jain — Mon, 05 Sep 2022 07:26:54 GMT

Hello Jimmy,
You can refer to this guide to understand rule actions : https://www.cisco.com/c/en/us/td/docs/security/firepower/70/snort3/config-guide/snort3-configuration-guide-v70/tuning-intrusion-policies.html#ID-2237-0000063d_snort3
to edit poilcy : https://www.cisco.com/c/en/us/td/docs/security/firepower/70/snort3/config-guide/snort3-configuration-guide-v70/getting-started-intrusion.html#ID-2231-0000011a

Just to explain actions :

Available Snort 3 rule actions depend on the software release. Release 7.1 introduced additional rule actions. Snort 3 rule actions

Block: Generates event, drops matching packet and also blocks further traffic in this connection
Alert: Generates only event for matching packet, does not drop packet or connection.
Disable: Rule is not active in this policy.
Reject: Generates event, drops matching packet, blocks further traffic in this connection and sends TCP reset or ICMP port unreachable to source and destination hosts
Rewrite: Generates event and overwrites packet contents based on the replace option in the rule.
Pass: No event generated, allows packet to pass without further evaluation by any subsequent Snort rules.
Drop: Generates event, drops matching packet and does not block further traffic in this connection.

Now if you are creating a pass rule, your actions has to be pass to and this means you are trusting the traffic and do not want it be evaluated.

Sample attached :

Hope this helps.

-----------------------------------------
You can also learn more about Secure Firewall (formerly known as NGFW) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-----------------------------------------

Re: Snort 3.0 Pass Rules

ivanradevradev_ — Tue, 21 Nov 2023 17:23:22 GMT

Hi,

After Firepower 7.2 thinks had changed and now are more confusing then ever, because different versions are having different dictionary.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/snort/720/snort3-configuration-guide-v72/getting-started-intrusion.html

Re: Snort 3.0 Pass Rules

ivanradevradev_ — Wed, 22 Nov 2023 10:47:20 GMT

Anyway, use the official snort guide and import your rules as .txt to the FMC.
And yes, pass rules to be activated should be in "alert" state , but they would not alert because are pass rules. "Clear" somehow?
https://docs.snort.org/rules/headers/actions