215 Views, 1 Helpful, 3 Replies

SNORT GID 2: Tagged Packets

cpaquet
Level 1

I came across a configuration guide which mentions, in the Intrusion Policies chapter, GID 2 as "Tagged Packets. (Rules for the Tag generator, which generates packets from a tagged session.)"

https://www.cisco.com/c/en/us/td/docs/security/firepower/710/fdm/fptd-fdm-config-guide-710/fptd-fdm-intrusion.html

1. What is the Tag Generator? I wasn't able to find any other reference about this. I suppose they are not talking about VLAN or TrustSec tags. Is it about tags added by the prefilters to Tunnels? Or possibly Tags added in the ACP rules under Applications?

2. Any example of GID 2? I did a search on Objects > Intrusion Rules > SNORT 3 for GID = 2 and one result came up - I have attached the screenshot. Since it mentions 'pre-processor', my above theory that the tag might come from ACP Applications doesn't stand.

Or maybe it's a retired process.

Don't waste too much time trying on this very pointed question (I'm talking to Marvin here) but if you know the answer, thanks for sharing it.

CP

3 Replies

Tag is for SGT,
and also I think you need to use

GID:SID
GID alone is not enough for the Snort process to detect.

MHM

cpaquet
Level 1

MHM, are you sure of your answer? Here is why I have doubts about its validity:

1. FTD has many types of tags, not just SGT. FTD uses tags for tunneled traffic - configured in prefilters. FTD uses tags for applications - configured in ACP > Applications. And yes, FTD uses tags, in a TrustSec environment, configured under ACP > Dynamic Attributes.

2. Sourcefire has been using GID 2 - Tag generated rules, as mentioned in the documentation - for a long time, before, I think, it was aware of TrustSec.

The question again was, and still is: the documentation referenced mentions 'Tag Generator' - what is the Tag Generator which has been mentioned since 6.2.3?

And, of course, I know that an intrusion rule is made more than just a GID. It needs

tvotna
Spotlight

This is not for SGT. I'm not sure if the "tag" Snort rule option is really used on Firepower. Refer to the Snort manual for some more details:

https://docs.snort.org/rules/options/post/tag.html
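To make the "tagged session" in the guide's wording concrete, here is an added example written against the open-source Snort rule syntax documented at the link above; it is not code from the thread, the Cisco guide or the Snort project, and whether the Firepower preprocessor honours the option is exactly the open question here. The rule content is constructed and SIDs 1000001/1000002 are placeholders in the local-rules range.

```snort
# Added, constructed example (not from the thread or the Cisco guide):
# local rules using the "tag" post-detection option from the Snort manual.
# SIDs 1000001 and 1000002 are placeholders in the local-rules range.
#
# When the content match fires, Snort logs that packet under this rule's own
# GID 1 / SID 1000001. The tag option then tells Snort to keep logging the
# rest of the same TCP session, up to 20 further packets, without any further
# rule match. In open-source Snort those follow-on packets are reported by the
# tag generator as GID 2, SID 1 ("tag: Tagged Packet" in gen-msg.map), which
# is the GID 2 "Tagged Packets" entry the configuration guide describes.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE tag demo - request to admin path, tagging session"; flow:to_server,established; content:"GET /admin/"; nocase; tag:session,20,packets; sid:1000001; rev:1;)

# Host-based variant: after the same match, log every packet from the same
# source host for the next 60 seconds, whatever port it goes to. The direction
# keyword (src or dst) is required for tag:host.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE tag demo - request to admin path, tagging source host"; flow:to_server,established; content:"GET /admin/"; nocase; tag:host,60,seconds,src; sid:1000002; rev:1;)
```

In the resulting log, only the first event for each session carries the rule's own SID; the packets that follow it are the GID 2 events, which is why a search for GID 2 in the rule list returns a single generator entry rather than a library of signatures.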
