12-04-2023 09:26 PM
Hi,
I have deployed Security Onion using the snort2 system. I am getting alerts for some ET rules; how do I find the equivalent rule to block it on FMC/FTD?
Suppose I have the rule below. How do I find the snort3 equivalent and block it, as it's passed by FMC/FTD and our IDS is detecting it?
ET CURRENT_EVENTS TA569 Keitaro TDS Domain in DNS Lookup (frightysever .org)- 2048997
alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS TA569 Keitaro TDS Domain in DNS Lookup (frightysever .org)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0c|frightysever|03|org|00|"; fast_pattern; nocase; distance:1; within:18; classtype:trojan-activity; sid:2048997; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2023_10_30, deployment Perimeter, performance_impact Low, confidence High, signature_severity Minor, tag Exploit_Kit, tag ta569, tag TDS, updated_at 2023_10_30, reviewed_at 2023_10_30;)
12-04-2023 10:39 PM
Can you elaborate more?
MHM
12-04-2023 10:45 PM
Hi MHM,
I have Cisco FMC/FTD with Snort 3. In parallel to it we also have Security Onion 16 installed, and sometimes I see alerts on Security Onion which are not present on the FMC. So if I see them to be of concern, I go and block them in our FMC Snort 3 rules. For that I need to find the Snort 3 equivalent of the alerts being generated by Snort 2 on Security Onion.
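For the rule quoted in the first post, the Snort 3 syntax keeps the header and most options unchanged but folds each content modifier (offset, depth, distance, within, nocase, fast_pattern) into the content option it qualifies, comma-separated. Snort 3 ships the snort2lua converter for this job; the Python below is an added example, not from this thread or from Cisco, that applies just that content-modifier rewrite to the quoted rule so the result can be compared against what the FMC rule editor expects (it handles a deliberate subset of modifiers and does not handle escaped quotes inside option values).

```python
# Snort 2 -> Snort 3 rule rewrite for content modifiers (illustrative subset).
# Constructed input: the ET rule quoted in the thread (sid 2048997).
SNORT2_RULE = (
    'alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS TA569 Keitaro TDS '
    'Domain in DNS Lookup (frightysever .org)"; content:"|01|"; offset:2; depth:1; '
    'content:"|00 01 00 00 00 00 00|"; distance:1; within:7; '
    'content:"|0c|frightysever|03|org|00|"; fast_pattern; nocase; distance:1; '
    'within:18; classtype:trojan-activity; sid:2048997; rev:1; '
    'metadata:affected_product Web_Browsers, attack_target Client_Endpoint, '
    'created_at 2023_10_30, deployment Perimeter, performance_impact Low, '
    'confidence High, signature_severity Minor, tag Exploit_Kit, tag ta569, '
    'tag TDS, updated_at 2023_10_30, reviewed_at 2023_10_30;)'
)

# Snort 2 stand-alone options that Snort 3 attaches to the preceding content.
MODIFIERS = {"offset", "depth", "distance", "within", "nocase", "fast_pattern", "rawbytes"}


def split_options(body):
    """Split the option body on ';' while ignoring ';' inside double quotes."""
    opts, buf, in_quote = [], "", False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            if buf.strip():
                opts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    if buf.strip():
        opts.append(buf.strip())
    return opts


def snort2_to_snort3(rule):
    """Return the rule with content modifiers folded into their content option."""
    head, _, rest = rule.partition("(")          # header | option body
    body = rest.rstrip().rstrip(")")
    grouped = []                                   # [name, [value, modifiers...]]
    for opt in split_options(body):
        name, sep, value = opt.partition(":")
        name, value = name.strip(), (value.strip() if sep else None)
        if name in MODIFIERS and grouped and grouped[-1][0] == "content":
            grouped[-1][1].append(name if value is None else f"{name} {value}")
        else:
            grouped.append([name, [value]])
    parts = []
    for name, values in grouped:
        if name == "content":
            parts.append(f"content:{','.join(values)};")   # Snort 3 comma form
        else:
            parts.append(f"{name};" if values[0] is None else f"{name}:{values[0]};")
    return f"{head.strip()} ({' '.join(parts)})"


if __name__ == "__main__":
    print(snort2_to_snort3(SNORT2_RULE))
```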