
Intrusion Event Not Occur

usako-san
Level 1

-------------------------------------
Title:
"Intrusion Event Not Occur"
-------------------------------------
Hello,

I'm having trouble with IPS intrusion events not occurring as expected.
Test traffic that should be dropped by IPS (Snort 3)
is not observed on the FMC as an "Intrusion Event"
(it is observed as a Connection Event; logging pasted below).

When I did a similar test in the Snort 2 environment (Firepower 8120 and FMC 2000), it was OK.

It is expected that,
when a security violation is detected, FMC catches it as an "Intrusion Event",
then creates a "Correlation Event", and finally sends it from FMC to the External Syslog Server.

Still, I think FTD-FMC (built in different segments) use 8305/tcp for alerting
like any other communication channel; please point out if I am wrong.

Do you have any idea how to solve this?
Regards.

------------------------------------
(Reference: Information)

FTD: Firepower 2140 with FTD(7.0.1.1)
FMC: Firepower Management Center 2600(7.0.1.1)
Test Traffic Route:
[PC]--(Internet)--> External:G1/1[FTD]G1/2:Internal --> [Test Server]
G1/1 and G1/2 are configured as Inline Pair.
Snort: version 3
ACP (Security Intelligence): Block list is empty
ACP (NAP): Not configured (not in use now)
Syslog (Policies > Actions > Alerts): Configured to send to External Syslog Server
Syslog (Others): Not configured (not in use now)

------------------------------------
(Reference: Logging on FTD)


> system support trace

Enable firewall-engine-debug too? [n]:
Please specify an IP protocol: tcp
Please specify a client IP address:
Please specify a client port:
Please specify a server IP address: 10.68.254.159
Please specify a server port: 80
Monitoring packet tracer debug messages

MidRecovery data queried. Got session type 2 rule id: 268435459, rule_action:2, rev id:2934359906, ruleMatch flag:0x0
MidRecovery data queried. Got session type 2 rule id: 268435459, rule_action:2, rev id:2934359906, ruleMatch flag:0x0

10.68.254.159 80 -> 210.162.186.194 19376 6 AS=4 ID=12 Packet 23699: TCP ***A**S*, 08/10-07:19:30.577393, seq 2407507212, ack 1166866861, dsize 0
10.68.254.159 80 -> 210.162.186.194 19376 6 AS=4 ID=12 AppID: service: (0), client: (0), payload: (0), misc: (0)
10.68.254.159 80 -> 210.162.186.194 19376 6 AS=4 ID=12 Firewall: allow rule, 'twa_acr', allow
10.68.254.159 80 -> 210.162.186.194 19376 6 AS=4 ID=12 Policies: Network 0, Inspection 0, Detection 9
10.68.254.159 80 -> 210.162.186.194 19376 6 AS=4 ID=12 Verdict: pass

210.162.186.194 19376 -> 10.68.254.159 80 6 AS=4 ID=12 Packet 23700: TCP ***A****, 08/10-07:19:30.597396, seq 1166866861, ack 2407507213, dsize 0
210.162.186.194 19376 -> 10.68.254.159 80 6 AS=4 ID=12 AppID: service: (0), client: (0), payload: (0), misc: (0)
210.162.186.194 19376 -> 10.68.254.159 80 6 AS=4 ID=12 Firewall: allow rule, 'twa_acr', allow
210.162.186.194 19376 -> 10.68.254.159 80 6 AS=4 ID=12 Policies: Network 0, Inspection 0, Detection 9
210.162.186.194 19376 -> 10.68.254.159 80 6 AS=4 ID=12 Verdict: pass

210.162.186.194 19376 -> 10.68.254.159 80 6 AS=4 ID=12 Packet 23701: TCP ***AP***, 08/10-07:19:30.597396, seq 1166866861, ack 2407507213, dsize 537
210.162.186.194 19376 -> 10.68.254.159 80 6 AS=4 ID=12 Event: 1:1108:19, Action block
210.162.186.194 19376 -> 10.68.254.159 80 6 AS=4 ID=12 Stream: pending block, drop
210.162.186.194 19376 -> 10.68.254.159 80 6 AS=4 ID=12 Policies: Network 0, Inspection 0, Detection 9
210.162.186.194 19376 -> 10.68.254.159 80 6 AS=4 ID=12 Verdict: blacklist
210.162.186.194 19376 -> 10.68.254.159 80 6 AS=4 ID=12 Verdict Reason: ips, block

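The trace above is the key piece of evidence in this thread: the sensor itself logs `Event: 1:1108:19, Action block` and `Verdict: blacklist` / `Verdict Reason: ips, block`, so detection and blocking happened on the FTD even though the FMC only shows a Connection Event. The following triage helper is an added example, not code from the original post or from Cisco. It groups `system support trace` lines by flow and lists, per flow, the access-control rule that matched, any Snort event (GID:SID:REV) with its action, and the final verdict, so you can tell at a glance which flows should have produced an Intrusion Event on the FMC. The sample trace embedded below is constructed after the lines in the post (not a live capture), and the line format it parses is the one visible in the post; any other trace variants are an assumption.

```python
"""Triage helper for FTD `system support trace` output (added example, not Cisco code)."""
import re
from collections import OrderedDict

# Constructed sample, modelled on the trace in the post: server->client SYN/ACK passes,
# then the client's 537-byte payload trips Snort rule 1:1108:19 and is blocked.
SAMPLE_TRACE = """\
MidRecovery data queried. Got session type 2 rule id: 268435459, rule_action:2, rev id:2934359906, ruleMatch flag:0x0
10.68.254.159 80 -> 210.162.186.194 19376 6 AS=4 ID=12 Packet 23699: TCP ***A**S*, 08/10-07:19:30.577393, seq 2407507212, ack 1166866861, dsize 0
10.68.254.159 80 -> 210.162.186.194 19376 6 AS=4 ID=12 Firewall: allow rule, 'twa_acr', allow
10.68.254.159 80 -> 210.162.186.194 19376 6 AS=4 ID=12 Verdict: pass
210.162.186.194 19376 -> 10.68.254.159 80 6 AS=4 ID=12 Packet 23701: TCP ***AP***, 08/10-07:19:30.597396, seq 1166866861, ack 2407507213, dsize 537
210.162.186.194 19376 -> 10.68.254.159 80 6 AS=4 ID=12 Event: 1:1108:19, Action block
210.162.186.194 19376 -> 10.68.254.159 80 6 AS=4 ID=12 Stream: pending block, drop
210.162.186.194 19376 -> 10.68.254.159 80 6 AS=4 ID=12 Verdict: blacklist
210.162.186.194 19376 -> 10.68.254.159 80 6 AS=4 ID=12 Verdict Reason: ips, block
"""

# "<src> <sport> -> <dst> <dport> <proto> AS=<n> ID=<n> <message>" as seen in the post.
LINE_RE = re.compile(
    r"^(?P<src>\S+) (?P<sport>\d+) -> (?P<dst>\S+) (?P<dport>\d+) (?P<proto>\d+) "
    r"AS=(?P<as_>\d+) ID=(?P<id>\d+) (?P<msg>.*)$"
)
EVENT_RE = re.compile(r"^Event: (?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+), Action (?P<action>\w+)")
FIREWALL_RE = re.compile(r"^Firewall: (?P<kind>.*?) rule, '(?P<name>[^']*)', (?P<action>\w+)")
VERDICT_RE = re.compile(r"^Verdict: (?P<verdict>\w+)")
REASON_RE = re.compile(r"^Verdict Reason: (?P<reason>.*)$")


def flow_key(m):
    """Direction-independent 5-tuple so both halves of a TCP session share one bucket."""
    a = (m["src"], int(m["sport"]))
    b = (m["dst"], int(m["dport"]))
    lo, hi = sorted([a, b])
    return (lo, hi, int(m["proto"]))


def parse_trace(text):
    """Return {flow_key: {firewall_rule, events, verdicts, reason}} in first-seen order."""
    flows = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # prompts, MidRecovery lines, blanks
        f = flows.setdefault(
            flow_key(m), {"firewall_rule": None, "events": [], "verdicts": [], "reason": None}
        )
        msg = m["msg"]
        if (e := EVENT_RE.match(msg)):
            f["events"].append({"rule": f"{e['gid']}:{e['sid']}:{e['rev']}", "action": e["action"]})
        elif (fw := FIREWALL_RE.match(msg)):
            f["firewall_rule"] = (fw["name"], fw["action"])
        elif (v := VERDICT_RE.match(msg)):
            f["verdicts"].append(v["verdict"])
        elif (r := REASON_RE.match(msg)):
            f["reason"] = r["reason"]
    return flows


def ips_blocked_flows(flows):
    """Flows where Snort fired a blocking event and the final verdict is 'blacklist'.

    Each of these should appear on the FMC as an Intrusion Event; if only a
    Connection Event shows up, the sensor detected and blocked but the intrusion
    event was not reported, which is the symptom described in the post.
    """
    return [
        (key, f) for key, f in flows.items()
        if any(ev["action"] == "block" for ev in f["events"])
        and f["verdicts"] and f["verdicts"][-1] == "blacklist"
    ]


def summarize(flows):
    """One human-readable line per flow for quick reading on the console."""
    lines = []
    for (lo, hi, proto), f in flows.items():
        rules = ", ".join(f"{ev['rule']} ({ev['action']})" for ev in f["events"]) or "none"
        lines.append(
            f"{lo[0]}:{lo[1]} <-> {hi[0]}:{hi[1]} proto={proto} "
            f"acp_rule={f['firewall_rule']} snort_events={rules} "
            f"final_verdict={f['verdicts'][-1] if f['verdicts'] else 'n/a'} reason={f['reason']}"
        )
    return lines


if __name__ == "__main__":
    parsed = parse_trace(SAMPLE_TRACE)
    for line in summarize(parsed):
        print(line)
    print(f"{len(ips_blocked_flows(parsed))} flow(s) blocked by IPS; expect an Intrusion Event for each")
```

Paste the real trace into `SAMPLE_TRACE` (or read it from a file) and compare the flows reported by `ips_blocked_flows` against the FMC's Analysis > Intrusions > Events view for the same time window; a non-empty list with no matching intrusion events narrows the fault to event reporting rather than detection.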
2 Replies

usako-san
Level 1

Sorry for the self-reply.

I tried changing Snort 3 (NG) back to Snort 2 (OK); after returning to Snort 3, it changed to OK.

The reason is still unknown.

Thank you.

urathod
Cisco Employee

Hello Usako,

Your understanding is correct.

When a security violation is detected, FMC catches it as an "Intrusion Event",
then creates a "Correlation Event", and finally sends it from FMC to the External Syslog Server.

You can refer to the following links for a better understanding of external alerting and a comparison of Snort 2 and Snort 3.

https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/external_alerting_for_intrusion_events.pdf

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/217617-comparing-snort-2-and-snort-3-on-firepow.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/snort3/config-guide/snort3-configuration-guide-v70/migrating.html

You can also learn more about Secure Firewall (formerly known as NGFW) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.

Please do let me know if you have any question/feedback.
