Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
826
Views
5
Helpful
1
Replies

snort rule and rule state in Firepower

Go to solution
Knassi
Level 1
Level 1

‎01-04-2023 06:43 AM

Can anyone help me understand this better?

if i upload a snort rule that says alert like "alert tcp 192.168.1.0/24 any -> 131.171.127.1 25 (content: “hacking”; msg: ”malicious packet”; sid:2000001;)" in the FMC and set the rule state to Drop and generate events, what happens. Will the traffic be dropped? I am asking because the rule is set to alert and not to drop.

Same thing when the rule is set to drop like "drop tcp any any -> any any (sid: 1000005;)" then when uploaded, i set the rule state to only generate events, will the traffic be dropped? 

Thank you for the help. 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Divya Jain
Cisco Employee
Cisco Employee

‎01-11-2023 11:59 PM

Hello,
For snort rules : 

Action

The state of this rule in the selected intrusion policy. For each rule, “(Default)” is added to the action that is the default action for the rule within this policy. To return a rule to its default setting, you select this action. Possible actions are:

Alert—Create an event when this rule matches traffic, but do not drop the connection.

Drop—Create an event when this rule matches traffic, and also drop the connection.

Disabled—Do not match traffic against this rule. No events are generated.


Ref link : 

https://www.cisco.com/c/en/us/td/docs/security/firepower/670/fdm/fptd-fdm-config-guide-670/fptd-fdm-intrusion.html


-----------------------------------------
You can also learn more about Secure Firewall (formerly known as NGFW) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-----------------------------------------


Regards
Divya Jain

View solution in original post

1 Reply 1

Go to solution
Divya Jain
Cisco Employee
Cisco Employee

‎01-11-2023 11:59 PM

Hello,
For snort rules : 

Action

The state of this rule in the selected intrusion policy. For each rule, “(Default)” is added to the action that is the default action for the rule within this policy. To return a rule to its default setting, you select this action. Possible actions are:

Alert—Create an event when this rule matches traffic, but do not drop the connection.

Drop—Create an event when this rule matches traffic, and also drop the connection.

Disabled—Do not match traffic against this rule. No events are generated.


Ref link : 

https://www.cisco.com/c/en/us/td/docs/security/firepower/670/fdm/fptd-fdm-config-guide-670/fptd-fdm-intrusion.html


-----------------------------------------
You can also learn more about Secure Firewall (formerly known as NGFW) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-----------------------------------------


Regards
Divya Jain

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card