08-09-2023 07:57 AM - edited 08-09-2023 09:08 AM
We have very few WAN-facing devices and, for the ones which are accessible from the WAN, traffic to and from those IPs is restricted to specific IP ranges and ports within the access control policy.
However, under 'Security-Related Events' we consistently see a large number of connection attempts to those IPs being blocked.
I assume that this is because the traffic is inspected by Snort before it hits the access control policy. Is this expected, or is there a better way to configure the FTD policies?
08-09-2023 09:47 AM - edited 08-09-2023 09:57 AM
Hello @willb1,
Snort operates at a lower level (deep packet inspection) in the network stack compared to the access control policy in Cisco FTD. This means that Snort inspects incoming traffic before it is subject to any rules defined in the access control policy. If Snort detects traffic that matches patterns of known attacks or malicious behavior, it can block or log that traffic regardless of whether it matches any rules in the access control policy.
This behavior is generally expected in a security-focused network setup. Snort's primary purpose is to detect and prevent known threats and vulnerabilities, which it does by analyzing traffic patterns and signatures associated with malicious activities. The access control policy, on the other hand, provides additional security by allowing you to define rules that specify which traffic is allowed or denied based on criteria such as source/destination IP addresses, ports, applications, and more.
If you're seeing legitimate traffic being blocked by Snort and it's causing issues, you might consider reviewing the Snort rules that are triggering these blocks. You could fine-tune the Snort rules to reduce false positives, and if needed, you can create custom rules to allow specific types of traffic that you know are legitimate.
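The review step the answer describes (find which Snort signatures are firing against the WAN-facing hosts, and separate noise from sources the access control policy would drop anyway from hits on sources the policy actually permits, which are the ones worth checking for false positives) can be scripted. The following is an added example, not code from this thread or from Cisco; it assumes alerts exported in Snort's "fast" alert text format, and every IP address, network range, SID and message below is constructed for the demonstration (RFC 5737 documentation addresses, local-rule SIDs).

```python
import ipaddress
import re

# Snort "fast" alert format (assumed export format). Source/destination ports
# are optional so ICMP alerts without ports also parse.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (not real events); the last real line targets a
# host that is not WAN-facing and must be ignored, and the junk line is skipped.
SAMPLE_ALERTS = [
    "08/09-07:51:02.100000  [**] [1:1000001:1] LOCAL scan probe on WAN host [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.10:51234 -> 198.51.100.5:443",
    "08/09-07:51:05.200000  [**] [1:1000001:1] LOCAL scan probe on WAN host [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.11:51235 -> 198.51.100.5:443",
    "08/09-07:52:09.300000  [**] [1:1000002:1] LOCAL web exploit pattern [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.12:40000 -> 198.51.100.5:443",
    "08/09-07:53:11.400000  [**] [1:1000003:1] LOCAL ICMP oversized ping [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.13 -> 198.51.100.6",
    "08/09-07:54:00.500000  [**] [1:1000001:1] LOCAL scan probe on WAN host [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.14:51236 -> 192.0.2.77:22",
    "this line is not an alert",
]

# Constructed policy facts: the WAN-facing hosts, and the source ranges the
# access control policy permits to reach them.
WAN_HOSTS = {"198.51.100.5", "198.51.100.6"}
ALLOWED_SOURCE_RANGES = ["203.0.113.8/30"]  # covers 203.0.113.8 - .11


def parse_alert(line):
    """Return a dict for one fast-format alert line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "sid": f"{d['gid']}:{d['sid']}",
        "rev": int(d["rev"]),
        "msg": d["msg"],
        "priority": int(d["pri"]),
        "proto": d["proto"],
        "src": d["src"],
        "dst": d["dst"],
        "dport": int(d["dport"]) if d["dport"] else None,
    }


def in_allowed(ip, allowed_nets):
    """True if ip falls inside any of the permitted source networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed_nets)


def summarize(lines, watched_ips, allowed_sources):
    """Aggregate alerts per signature for the watched (WAN-facing) destinations.

    'from_allowed' counts hits whose source the access control policy would
    permit; those are the candidates for false-positive review. Everything
    else is background noise the policy blocks regardless of Snort.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_sources]
    stats = {}
    for line in lines:
        ev = parse_alert(line)
        if ev is None or ev["dst"] not in watched_ips:
            continue
        entry = stats.setdefault(
            ev["sid"],
            {"msg": ev["msg"], "priority": ev["priority"], "total": 0,
             "from_allowed": 0, "dst_ports": set()},
        )
        entry["total"] += 1
        if in_allowed(ev["src"], nets):
            entry["from_allowed"] += 1
        if ev["dport"] is not None:
            entry["dst_ports"].add(ev["dport"])
    return stats


def review_candidates(stats):
    """Signatures that fired on permitted sources, sorted by SID."""
    return sorted(sid for sid, e in stats.items() if e["from_allowed"] > 0)


if __name__ == "__main__":
    stats = summarize(SAMPLE_ALERTS, WAN_HOSTS, ALLOWED_SOURCE_RANGES)
    for sid, e in sorted(stats.items(), key=lambda kv: -kv[1]["total"]):
        ports = ",".join(str(p) for p in sorted(e["dst_ports"])) or "-"
        print(f"{sid:12} pri={e['priority']} total={e['total']} "
              f"from_allowed={e['from_allowed']} ports={ports}  {e['msg']}")
    print("review for false positives:", review_candidates(stats))
```

Run against a real export, the hits with `from_allowed` greater than zero are the ones to compare against the rule text before deciding whether to tune or suppress a signature; the rest confirm the noise the original question describes.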
08-09-2023 10:09 AM
Thank you, that answered my question. In this instance, Snort isn't blocking legitimate traffic.
08-09-2023 11:19 AM
You're welcome @willb1