Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
586
Views
0
Helpful
1
Replies

Snort 2 to Snort 3 Migration - Rules migration skipped for xx rules

MS-JK
Level 1
Level 1

‎10-06-2022 04:46 PM

Hello,

Recent upgrade to new FTD 7.x and with that snort 2 to snort 3. I noticed that there are over 100 rules that have not been migrated. The message i'm seeing is: Rule Overrides Rules migration skipped for 100 rule/s with missing Snort2-Snort3 rule-mapping. When I download the migration summary report here is what it shows:

{
"id": "133:49",
"type": "Overridden",
"status": "ERROR",
"description": "DCE2_EVENT__SMB_DCNT_MISMATCH"
},
{
"id": "3:8351",
"type": "Overridden",
"status": "ERROR",
"description": "OS-WINDOWS PGM nak list overflow attempt"
}

Any explanation behind this and best to fix this synchronization issue?

Thanks

 

0 Helpful
1 Reply 1

Divya Jain
Cisco Employee
Cisco Employee

‎10-19-2022 02:59 AM

Hello,
Usually this is expected behavior. There were a number of SO rules and builtin alerts (called preprocessor alerts in snort 2) that were not ported to snort 3 because they were no longer needed. This log alert is just telling the user that the old rules are no longer available. It is safe to ignore the warning message. Snort 3 is a better engine, and sometimes we can achieve more, better coverage with less rules. The warning you saw is a warning, not an error, it is a one-time thing, and can be safely ignored.

In case you are facing any traffic drop issue or some other errors related to IPS/snort, maybe get it troubleshooted further by TAC. As far as i know it shouldnt be of any concern.

Hope this clarifies.
-----------------------------------------
If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about Secure Firewall (formerly known as NGFW) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-----------------------------------------

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card