How to verify enabled snort rules in FTD

Chess Norris
Level 4

Hi,

I have an IPS policy based on Balanced Security and Connectivity and according to that policy 473 rules are set to generate events and 8657 rules are set to drop and generate events. I have downloaded the latest ruleset and want to verify that all signatures related to the log4j vulnerability are enabled and set to drop and generate events. However, if I select "View rules" from the Balanced Security and Connectivity policy layer, it will display 46237 rules, which I assume is every available snort signature. So my question is how I can see only the 8657 signatures that I'm currently using? I am assuming all log4j signatures are enabled in the Balanced Security and Connectivity policy, but I just want to make sure this is the case.

Thanks

/Chess 

1 Accepted Solution


shahzad_ahmed
Level 1

You should be able to search for the snort rule ID associated with this and see what the action is set to, which might well be “set to drop”. But you would need to confirm.

https://www.snort.org/advisories/talos-rules-2021-12-10

Chess Norris
Level 4

Thanks, it looks like even the "Connectivity Over Security" base policy has all the log4j signatures enabled.

/Chess
