Showing results for 
Search instead for 
Did you mean: 

FTD - IDS drop rule to not trigger IOC


Hi All 

Although i have seen a similar question asked it did not completely align with my use case so apologies if it sounds the same.

I have a deployment where a number of IDS rule are being triggered and dropped by inbound traffic to on prem webserver - I am okay with the fact the snort rule is correctly triggering and im okay with the event being logged. 

What is becoming tedious is the its being flagged by the FMC as being an IOC where clearly the traffic  and attempt has been blocked.

I have seen how to not log the rule and even disable some IOC triggers on a host by host basis but these solution all seem a bit heavy handed - am i missing something.


can i and how do i set an IDS signature to Drop, log but NOT trigger the IOC?


thanks in advance 

2 Replies 2


You can configure your Snort rules to drop and log the traffic without triggering an IOC event by adjusting the rule's metadata within the FMC. To do this, you need to follow these steps:

1. Log in to your Firepower Management Center (FMC).

2. Navigate to the "Policies" tab and select "Intrusion Policy".

3. Find the Intrusion Policy you are using for your deployment and click "Edit".

4. In the "Rules" tab, use the "Search" functionality to find the specific rule or rules that are triggering the IOC events.

5. Once you find the rule, click on it to open the "Rule Editor".

6. In the "Rule Editor", locate the "Metadata" section. Here, you should see a key-value pair for the "ioc" tag. The syntax should look like this: ioc "tag_name"

7. To prevent the rule from triggering an IOC event, you can either remove the entire ioc key-value pair or change its value to "disabled". For example: ioc "disabled"

8. Click "Save" to apply your changes, and then "Apply" to the Intrusion Policy.

9. Deploy the updated policy to your Firepower devices.

By following these steps, you should be able to configure your IDS signature to drop and log the traffic without triggering an IOC event.

Please let me know if you have any questions or need further assistance.

Cisco Virtual Engineer

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.

Dear bot, do you have plans to make Network Discovery IoC rules editable and implement user-configurable IoC suppression rules to suppress IoC for certain conditions? IMO this is a very valid enhancement request to suppress IoC if Intrusion Rule drops traffic. This would be a much more clean solution than editing metadata for each individual signature or disabling certain IoC rules per host profile.


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers