Difference between Signatures and Rules

Sean_mercer
Level 1

Hello Cisco Peeps

We have just deployed Firepower in our network using vFMC and various software-based and hardware-based sensors. I'm reading Cisco documentation about 'Rules' and looking at intrusion rules on the FMC. Are rules like IPS signatures? And if so, what is the difference between a rule in Firepower and an IPS signature?

Cheers

Sean :)

3 Replies

Veronika Klauzova
Cisco Employee

Dear Sean,

Firepower/IPS rules are, in other words, signatures or patterns based on which we try to match known attacks against traffic flows that are traversing the sensors. Each rule has its own signature unique identifier, aka SID.

Whenever Cisco publishes new rules that can protect networks against new attacks, they are provided in signature updates, which we also call SRUs (Sourcefire Rule Updates). So make sure that you are always up to date; it is a good idea to consider scheduling SRU updates on a periodic basis.

Rules in the Firepower 'world' are based on Snort syntax; in order to learn about rule syntax you can refer to any Snort/Sourcefire user manual: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/ 

IPS rules on old Cisco platforms used a custom Cisco proprietary engine, but they were also using signature-based patterns; they just had a different syntax.

Let me know if more questions come to your mind on this topic.

Best regards,

Veronika

Adding some additional resource of signature explanation: https://www.snort.org/faq/what-is-a-signature 
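To make the "rule = signature + SID" point concrete, here is an added example (it is not part of the original thread and not Cisco or Snort code). It parses a few constructed rules written in Snort 2 syntax, extracts the SID, revision and message, turns each `content` option (including `|..|` hex notation) into bytes, and then evaluates the rules against a constructed payload. It only honours the header's protocol and destination port plus the `content`, `nocase` and `depth` options; a real Snort engine also evaluates addresses, `flow` state, preprocessor-normalised buffers and many other keywords, so treat this as an illustration of how a signature is structured, not as a detection engine. The SID range 1000000 and above is the conventional range for locally written rules; the rules, messages and payloads below are made up for the example.

```python
import re
from collections import Counter

# Constructed example rules in Snort 2 syntax, written for this example only.
# They are not from the original post and not from any Cisco SRU.
SAMPLE_RULES = r'''
# Local rules: SIDs >= 1000000 are reserved for user-written rules.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL web cmd.exe in URI"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH version probe"; content:"SSH-"; depth:4; sid:1000002; rev:2;)
alert udp any any -> $HOME_NET 53 (msg:"LOCAL DNS query type A class IN"; content:"|00 00 01 00 01|"; sid:1000003; rev:1;)
'''

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$'
)


def split_options(opts):
    """Split the option body on ';' while respecting double-quoted values."""
    items, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            items.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = ''.join(buf).strip()
    if tail:
        items.append(tail)
    pairs = []
    for item in items:
        if item:
            key, _, value = item.partition(':')
            pairs.append((key.strip(), value.strip().strip('"')))
    return pairs


def decode_content(text):
    """Turn a Snort content string into bytes: segments between '|' are hex."""
    out = bytearray()
    for i, seg in enumerate(text.split('|')):
        out += bytes.fromhex(seg) if i % 2 == 1 else seg.encode('latin-1')
    return bytes(out)


def parse_rule(line):
    """Parse one rule line into a dict with header fields, sid/rev/msg and content patterns."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError('not a Snort rule: %r' % line)
    rule = {k: m.group(k) for k in ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')}
    rule['options'] = split_options(m.group('opts'))
    rule['contents'] = []  # each: pattern bytes plus the modifiers that follow it
    for key, value in rule['options']:
        if key == 'content':
            rule['contents'].append({'pattern': decode_content(value), 'nocase': False, 'depth': None})
        elif key == 'nocase' and rule['contents']:
            rule['contents'][-1]['nocase'] = True
        elif key == 'depth' and rule['contents']:
            rule['contents'][-1]['depth'] = int(value)
        elif key in ('sid', 'rev'):
            rule[key] = int(value)
        elif key == 'msg':
            rule['msg'] = value
    if 'sid' not in rule:
        raise ValueError('rule without sid: %r' % line)
    return rule


def load_rules(text):
    """Parse every non-comment, non-blank line of a rules file."""
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.strip().startswith('#')]


def duplicate_sids(rules):
    """SIDs must be unique; return any that appear more than once."""
    counts = Counter(r['sid'] for r in rules)
    return sorted(s for s, n in counts.items() if n > 1)


def header_matches(rule, proto, dport):
    """Evaluate protocol and destination port only ($VAR addresses are not resolved here)."""
    if rule['proto'] != proto:
        return False
    return rule['dport'] == 'any' or int(rule['dport']) == dport


def payload_matches(rule, payload):
    """True when every content option is found, honouring nocase and depth."""
    for c in rule['contents']:
        haystack = payload if c['depth'] is None else payload[:c['depth']]
        needle = c['pattern']
        if c['nocase']:
            haystack, needle = haystack.lower(), needle.lower()
        if needle not in haystack:
            return False
    return True


def alerts_for(rules, proto, dport, payload):
    """Return (sid, msg) for each rule whose header and content options match."""
    return [(r['sid'], r['msg']) for r in rules
            if header_matches(r, proto, dport) and payload_matches(r, payload)]


if __name__ == '__main__':
    rules = load_rules(SAMPLE_RULES)
    for r in rules:
        print(r['sid'], r['rev'], r['msg'])
    print(alerts_for(rules, 'tcp', 80, b'GET /scripts/CMD.EXE?/c+dir HTTP/1.0\r\n'))
```

Two things worth noticing when you run it: the `nocase` and `depth` keywords modify the `content` that precedes them, which is why the parser attaches them to the last pattern seen, and a rule with the same SID as an existing one does not "add" a second signature but collides with it, so `duplicate_sids` is the kind of check you want before loading local rules alongside an SRU.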

Hello Veronika,

I have a question around ACL counters on FTDs.

I was told by one of the TAC engineers that whenever you deploy the policies from FMC, the ACL counts get cleared; the reasoning behind it was the Snort process that restarts when a new policy gets deployed.

I have the IPS base policy as (Balanced Security and Connectivity) and it's running in IPS mode.

I want your thoughts on this please.

Also, is there any way to clear a specific ACL rule (like we used to do in Cisco ASA with clear access-list (ACL name) counters)? Is there any similar command in FTD? FTD has only one ACL in the background, and that is CSM_FW_ACL_, so if we clear this, that will clear the counters of all the rules.

Thanks for your response.
