
API For Adding/Removing Snort Signatures and Indicators

BlindSquirrel
Level 1

Hello,

 

Is there a REST API (e.g. for Firepower Management Console, etc.) that will allow you to add/remove custom Snort signatures/IDS rules on a Firepower IDS? What about IPs to detect/block on? The closest I found was "PUT Indicator" for the Firepower Management Center REST API: https://www.cisco.com/c/en/us/td/docs/security/firepower/640/api/REST/Firepower_Management_Center_REST_API_Quick_Start_Guide_640/Objects_In_The_REST_API.html#reference_lmt_2xf_bcb

 

I wasn't sure though what exactly that did, and I could not find anything like that related to Snort.

 

Thanks in advance!

1 Reply

babd00n
Level 1

I have been looking to solve for this as well.  I found that if you know the UUID of the signature, you can perform a GET and you receive some info.


GET successful. Response data -->
{
  "description": "GID: 1, SID: 978",
  "id": "e7e162f5-aee8-4ec1-93a1-4ec5483f15d3",
  "links": {
    "self": "https://x.x.x.x/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/policy/intrusionpolicies/e7e162f5-aee8-4ec1-93a1-4ec5483f15d3"
  },
  "metadata": {
    "domain": {
      "id": "e276abec-e0f2-11e3-8169-6d9ed49b625f",
      "name": "Global",
      "type": "domain"
    },
    "lastUser": {
      "id": "68d03c42-d9bd-11dc-89f2-b7961d42c462",
      "name": "admin",
      "type": "user"
    },
    "readOnly": {
      "state": false
    },
    "timestamp": 1557266680
  },
  "name": "\"SERVER-IIS ASP contents view\"",
  "type": "idsrule"
}

 

I plan to explore this further when time allows.  Please share any progress you may have made on this matter.
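
An added example, not part of either post and not Cisco code: a small Python parser for the response shape posted above, which pulls GID/SID out of `description` and builds a (GID, SID) to UUID index from objects already retrieved, so a lookup does not have to start from the UUID. The second object, the function names and the reading of `timestamp` as Unix epoch seconds are assumptions.

```python
import json
import re
from datetime import datetime, timezone

# Response body copied from the reply above, with the closing brace restored.
POSTED = json.loads(r'''{
  "description": "GID: 1, SID: 978",
  "id": "e7e162f5-aee8-4ec1-93a1-4ec5483f15d3",
  "links": {"self": "https://x.x.x.x/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/policy/intrusionpolicies/e7e162f5-aee8-4ec1-93a1-4ec5483f15d3"},
  "metadata": {
    "domain": {"id": "e276abec-e0f2-11e3-8169-6d9ed49b625f", "name": "Global", "type": "domain"},
    "lastUser": {"id": "68d03c42-d9bd-11dc-89f2-b7961d42c462", "name": "admin", "type": "user"},
    "readOnly": {"state": false},
    "timestamp": 1557266680
  },
  "name": "\"SERVER-IIS ASP contents view\"",
  "type": "idsrule"
}''')

# Constructed second object (placeholder UUID and SID), only to exercise the index.
CONSTRUCTED = dict(POSTED, id="00000000-0000-0000-0000-000000000001",
                   description="GID: 1, SID: 1000001", name='"EXAMPLE local rule"')

GID_SID = re.compile(r"GID:\s*(\d+),\s*SID:\s*(\d+)")

def summarize_rule(obj):
    """Flatten one idsrule object; raise ValueError if it is not the shape shown above."""
    if obj.get("type") != "idsrule":
        raise ValueError(f"unexpected object type: {obj.get('type')!r}")
    match = GID_SID.fullmatch(obj.get("description", "").strip())
    if match is None:
        raise ValueError("description is not 'GID: <n>, SID: <n>'")
    meta = obj.get("metadata", {})
    return {
        "uuid": obj["id"],
        "gid": int(match.group(1)),
        "sid": int(match.group(2)),
        "name": obj["name"].strip('"'),  # the name arrives wrapped in literal quotes
        "read_only": meta.get("readOnly", {}).get("state"),
        "last_user": meta.get("lastUser", {}).get("name"),
        # Assumption: timestamp is Unix epoch seconds.
        "modified_utc": datetime.fromtimestamp(meta["timestamp"], tz=timezone.utc).isoformat(),
    }

def index_by_sid(objects):
    """Map (gid, sid) -> UUID so later lookups do not start from the UUID."""
    index = {}
    for obj in objects:
        rule = summarize_rule(obj)
        if index.setdefault((rule["gid"], rule["sid"]), rule["uuid"]) != rule["uuid"]:
            raise ValueError(f"GID {rule['gid']} SID {rule['sid']} maps to two UUIDs")
    return index
```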