10-06-2022 04:46 PM
Hello,
I recently upgraded to the new FTD 7.x, and with that from Snort 2 to Snort 3. I noticed that there are over 100 rules that have not been migrated. The message I'm seeing is: Rule Overrides Rules migration skipped for 100 rule/s with missing Snort2-Snort3 rule-mapping. When I download the migration summary report, here is what it shows:
{
"id": "133:49",
"type": "Overridden",
"status": "ERROR",
"description": "DCE2_EVENT__SMB_DCNT_MISMATCH"
},
{
"id": "3:8351",
"type": "Overridden",
"status": "ERROR",
"description": "OS-WINDOWS PGM nak list overflow attempt"
}
Is there any explanation behind this, and what is the best way to fix this synchronization issue?
Thanks
10-19-2022 02:59 AM
Hello,
Usually this is expected behavior. There were a number of SO rules and builtin alerts (called preprocessor alerts in Snort 2) that were not ported to Snort 3 because they were no longer needed. This log alert is just telling the user that the old rules are no longer available. It is safe to ignore the warning message. Snort 3 is a better engine, and sometimes we can achieve more, better coverage with fewer rules. The warning you saw is a warning, not an error; it is a one-time thing and can be safely ignored.
In case you are facing any traffic drop issue or some other errors related to IPS/Snort, maybe get it troubleshot further by TAC. As far as I know, it shouldn't be of any concern.
Hope this clarifies.
-----------------------------------------
If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.
You can also learn more about Secure Firewall (formerly known as NGFW) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-----------------------------------------
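Added example, not part of the thread and not Cisco tooling: a script that triages the migration summary report by generator ID, so the SO rules and builtin alerts described in the reply can be separated from any skipped override that deserves a closer look. It assumes the report is a JSON array of objects shaped like the two quoted in the question and that `id` is `GID:SID`; the third sample entry is constructed.

```python
import json
from collections import defaultdict

# Constructed sample: the two entries quoted in the question plus one
# made-up text-rule entry (1:1000001) to exercise the "text rule" path.
SAMPLE_REPORT = """[
 {"id": "133:49", "type": "Overridden", "status": "ERROR",
  "description": "DCE2_EVENT__SMB_DCNT_MISMATCH"},
 {"id": "3:8351", "type": "Overridden", "status": "ERROR",
  "description": "OS-WINDOWS PGM nak list overflow attempt"},
 {"id": "1:1000001", "type": "Overridden", "status": "ERROR",
  "description": "constructed text-rule entry"}
]"""


def rule_class(gid: int) -> str:
    """Classify a rule by Snort generator ID (usual Snort GID convention)."""
    if gid == 1:
        return "text rule"
    if gid == 3:
        return "shared object (SO) rule"
    if gid >= 100:
        return "builtin/preprocessor alert"
    return "other"


def triage(report_json: str) -> dict:
    """Group report entries with status ERROR by rule class."""
    groups = defaultdict(list)
    for entry in json.loads(report_json):
        if entry.get("status") != "ERROR":
            continue
        gid_text, _, sid_text = entry.get("id", "").partition(":")
        if not (gid_text.isdigit() and sid_text.isdigit()):
            groups["unparsed"].append(entry)  # keep malformed ids visible
            continue
        groups[rule_class(int(gid_text))].append(
            (int(gid_text), int(sid_text), entry.get("description", "")))
    return dict(groups)


if __name__ == "__main__":
    for cls, rules in sorted(triage(SAMPLE_REPORT).items()):
        print(f"{cls}: {len(rules)}")
        for rule in rules:
            print("   ", rule)
```

Entries that land in "text rule", "other" or "unparsed" fall outside the two categories the reply names and are the ones to compare against the Snort 3 intrusion policy by hand.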