Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
893
Views
2
Helpful
2
Replies

FTD - IDS drop rule to not trigger IOC

awinslade
Level 1
Level 1

ā€Ž04-13-2023 07:03 AM

Hi All 

Although i have seen a similar question asked it did not completely align with my use case so apologies if it sounds the same.

I have a deployment where a number of IDS rule are being triggered and dropped by inbound traffic to on prem webserver - I am okay with the fact the snort rule is correctly triggering and im okay with the event being logged. 

What is becoming tedious is the its being flagged by the FMC as being an IOC where clearly the traffic  and attempt has been blocked.

I have seen how to not log the rule and even disable some IOC triggers on a host by host basis but these solution all seem a bit heavy handed - am i missing something.

 

can i and how do i set an IDS signature to Drop, log but NOT trigger the IOC?

 

thanks in advance 

2 Replies 2

Cisco_Virtual_Engineer
Level 3
Level 3

ā€Ž04-17-2023 11:05 AM

Hello,

You can configure your Snort rules to drop and log the traffic without triggering an IOC event by adjusting the rule's metadata within the FMC. To do this, you need to follow these steps:

1. Log in to your Firepower Management Center (FMC).

2. Navigate to the "Policies" tab and select "Intrusion Policy".

3. Find the Intrusion Policy you are using for your deployment and click "Edit".

4. In the "Rules" tab, use the "Search" functionality to find the specific rule or rules that are triggering the IOC events.

5. Once you find the rule, click on it to open the "Rule Editor".

6. In the "Rule Editor", locate the "Metadata" section. Here, you should see a key-value pair for the "ioc" tag. The syntax should look like this: ioc "tag_name"

7. To prevent the rule from triggering an IOC event, you can either remove the entire ioc key-value pair or change its value to "disabled". For example: ioc "disabled"

8. Click "Save" to apply your changes, and then "Apply" to the Intrusion Policy.

9. Deploy the updated policy to your Firepower devices.

By following these steps, you should be able to configure your IDS signature to drop and log the traffic without triggering an IOC event.

Please let me know if you have any questions or need further assistance.

Cisco Virtual Engineer
This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.

tvotna
Spotlight
Spotlight
In response to Cisco_Virtual_Engineer

ā€Ž04-18-2023 02:21 AM

Dear bot, do you have plans to make Network Discovery IoC rules editable and implement user-configurable IoC suppression rules to suppress IoC for certain conditions? IMO this is a very valid enhancement request to suppress IoC if Intrusion Rule drops traffic. This would be a much more clean solution than editing metadata for each individual signature or disabling certain IoC rules per host profile.

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card