Modifying impact level for custom Snort rule

reheindel
Level 1

Firepower 6.2.3.7

 

I have a basic Snort rule that is functional, but when it fires the intrusion event comes in as an impact 3.


If I read the documentation correctly, I should be able to customize the rule to force it to be reported as impact 1 using the metadata tag with the key/keyword: impact_flag red

 

Though the rule editor accepts the metadata info, the intrusion event remains an impact 3.

 

Has anybody had experience with this?

 

I talked to TAC but because it is a custom rule they are not able to help.

 

We only do email/alerting based upon impact 1 - thus the requirement.

 

As a workaround I built a correlation rule/event, but it looks like a bug is causing old events to be alerted on every time the FMC pair performs a sync, so that's not so helpful.

 

Thanks in advance for any assistance

2 Replies

phil.hydea
Level 1
Hi reheindel

Can you paste the SNORT rule format here please?

You can find this in the individual Intrusion rule list or within the
Intrusion policy.

Cheers

Sorry Phil, I should have already done that:

 

alert tcp $HOME_NET any -> any 80 (sid:1000728; gid:1; pcre:"/index\.php\?token=[a-zA-Z0-9]+&dc=1/"; metadata:impact_flag red, service http; msg:"IPCO - Incident Related Outbound Malicious Indicator"; classtype:bad-unknown; rev:23; )

 

Pretty basic. As I mentioned, I do get the intrusion event firing; just the impact level comes in at 3 vs 1 (desired).
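A quick way to confirm what the rule text actually carries before chasing the FMC side is to parse it and pull out the option keys, especially the metadata pairs and the pcre, and then run the pcre against a sample URI. The following Python script is an added example written for this thread; it is not Cisco or Snort code and does not reproduce the FMC's impact logic. It only shows that the quoted rule really contains the metadata pair impact_flag red and that its pcre matches the kind of request it describes. The sample rule is the one pasted above, and the sample request lines are constructed for the example.

```python
import re

# Constructed sample: the rule quoted in this thread, as a single line.
RULE = (
    'alert tcp $HOME_NET any -> any 80 (sid:1000728; gid:1; '
    'pcre:"/index\\.php\\?token=[a-zA-Z0-9]+&dc=1/"; '
    'metadata:impact_flag red, service http; '
    'msg:"IPCO - Incident Related Outbound Malicious Indicator"; '
    'classtype:bad-unknown; rev:23; )'
)

HEADER_FIELDS = ["action", "proto", "src", "src_port", "direction", "dst", "dst_port"]


def split_options(body):
    """Split the option body on ';' while respecting double-quoted values
    and backslash escapes, so a ';' inside msg or pcre is not a separator."""
    opts, cur, in_quote, esc = [], [], False, False
    for ch in body:
        if esc:
            cur.append(ch)
            esc = False
            continue
        if ch == "\\":
            cur.append(ch)
            esc = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            tok = "".join(cur).strip()
            if tok:
                opts.append(tok)
            cur = []
        else:
            cur.append(ch)
    tok = "".join(cur).strip()
    if tok:
        opts.append(tok)
    return opts


def parse_rule(rule):
    """Return the header fields plus an 'options' dict; metadata becomes a
    nested dict of 'key value' pairs (comma-separated in Snort syntax)."""
    head, _, rest = rule.partition("(")
    body = rest.rstrip().rstrip(")")
    parts = head.split()
    if len(parts) != len(HEADER_FIELDS):
        raise ValueError("unexpected rule header: %r" % head)
    parsed = dict(zip(HEADER_FIELDS, parts))
    options = {}
    for opt in split_options(body):
        key, _, value = opt.partition(":")
        key, value = key.strip(), value.strip()
        if key == "metadata":
            md = options.setdefault("metadata", {})
            for item in value.split(","):
                k, _, v = item.strip().partition(" ")
                md[k] = v.strip()
        else:
            options[key] = value.strip('"')
    parsed["options"] = options
    return parsed


def impact_flag(parsed):
    """The impact_flag metadata value, or None if the rule does not set one."""
    return parsed["options"].get("metadata", {}).get("impact_flag")


def pcre_matches(parsed, request_line):
    """Apply the rule's pcre (Snort form /regex/flags) to a request line.
    Only the 'i' flag is honoured here; other Snort pcre modifiers are ignored."""
    m = re.fullmatch(r"/(.*)/([a-zA-Z]*)", parsed["options"]["pcre"])
    regex, flags = m.group(1), m.group(2)
    return re.search(regex, request_line, re.I if "i" in flags else 0) is not None


if __name__ == "__main__":
    r = parse_rule(RULE)
    print("sid", r["options"]["sid"], "impact_flag:", impact_flag(r))
    # Constructed request lines: one the pcre should match, one it should not.
    for line in ("GET /index.php?token=abc123&dc=1 HTTP/1.1",
                 "GET /index.php?token=abc123&dc=2 HTTP/1.1"):
        print(line, "->", pcre_matches(r, line))
```

If impact_flag prints as red here, the rule text itself is fine and the discrepancy lies in how the FMC assigns the impact to the event, which is the part of the question the thread leaves open.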
