08-25-2022 12:34 PM
Is there a way to implement pass rules in Snort 3.0 in FTD?
It appears the action of pass is available in Snort 3.0 but I am not able to find any Cisco documentation on how to implement it.
Creating a pass rule and then setting it to Action = Alert in the gui seems counterintuitive to me.
Thank you in advance,
Jimmy
09-05-2022 12:26 AM
Hello Jimmy,
You can refer to this guide to understand rule actions : https://www.cisco.com/c/en/us/td/docs/security/firepower/70/snort3/config-guide/snort3-configuration-guide-v70/tuning-intrusion-policies.html#ID-2237-0000063d_snort3
to edit policy : https://www.cisco.com/c/en/us/td/docs/security/firepower/70/snort3/config-guide/snort3-configuration-guide-v70/getting-started-intrusion.html#ID-2231-0000011a
Just to explain actions :
Available Snort 3 rule actions depend on the software release. Release 7.1 introduced additional rule actions.
Snort 3 rule actions:
Block: Generates an event, drops the matching packet and also blocks further traffic in this connection.
Alert: Generates only an event for the matching packet; does not drop the packet or the connection.
Disable: Rule is not active in this policy.
Reject: Generates an event, drops the matching packet, blocks further traffic in this connection and sends a TCP reset or ICMP port unreachable to the source and destination hosts.
Rewrite: Generates an event and overwrites packet contents based on the replace option in the rule.
Pass: No event generated; allows the packet to pass without further evaluation by any subsequent Snort rules.
Drop: Generates an event, drops the matching packet and does not block further traffic in this connection.
Now if you are creating a pass rule, your action has to be pass too, and this means you are trusting the traffic and do not want it to be evaluated.
Sample attached :
Hope this helps.
-----------------------------------------
You can also learn more about Secure Firewall (formerly known as NGFW) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-----------------------------------------
11-21-2023 09:23 AM
Hi,
After Firepower 7.2 things have changed and are now more confusing than ever, because different versions have different dictionaries.
11-22-2023 02:47 AM
Anyway, use the official snort guide and import your rules as .txt to the FMC.
And yes, pass rules to be activated should be in the "alert" state, but they would not alert because they are pass rules. "Clear" somehow?
https://docs.snort.org/rules/headers/actions
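As an added illustration of the pass action discussed in the two replies above (this is not a sample from the thread or from Cisco's documentation), here is a pass rule in Snort 3 text format next to the alert rule it is meant to short-circuit, of the kind one would put in a .txt file for import as local rules. The scanner address 10.10.20.5, the $HOME_NET variable, the payload match and the SIDs 1000001/1000002 are assumptions chosen for the example; check the SID range your FMC release reserves for custom rules before importing.

```snort
# Added example, not from the thread. Host, ports, content match and SIDs are assumed.

# 1) Pass rule: trust TLS traffic from an assumed internal vulnerability scanner.
#    The action lives in the rule header ("pass"), not in the GUI state.
#    A matching packet generates no event and is not evaluated by later rules.
pass tcp 10.10.20.5 any -> $HOME_NET 443 ( msg:"PASS trusted scanner to HTTPS, skip IPS evaluation"; flow:to_server; sid:1000001; rev:1; )

# 2) Alert rule the same scanner traffic would otherwise match on every run.
#    |16 03| is the first two bytes of a TLS handshake record (assumed sample match).
alert tcp any any -> $HOME_NET 443 ( msg:"Sample TLS handshake to HTTPS, alert only"; flow:to_server,established; content:"|16 03|",depth 2; sid:1000002; rev:1; )
```

The point the replies make is visible here: "pass" is written in the header of rule 1000001 itself, so after import the rule is enabled in the policy like any other (the thread reports it shows as "alert" state), while the action that actually takes effect on traffic is the one in the header. Keep pass rules as narrow as possible (specific source, destination and port, as above), because anything they match is removed from inspection entirely.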