Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1916
Views
5
Helpful
8
Replies

Switching over to Firepower from McAfee Network Security - McAfee rules to Snort

EverythingBagel62093
Level 1
Level 1

‎07-22-2021 02:16 PM

We are switching over a section of our environment from McAfee Network Security to Firepower. We have several different policies for different customers. McAfee uses a combination of NSP rules, CVEs, and other ways to identify and categorize intrustion signatures. It wouldn't be feasible for us to go through each the thousands of rules that have been tuned over time for each customer nor the tens of thousands of rules in Firepower. Is there a way to download the rules from Firepower in a spreadsheet, and compare it against the rules in McAfee? Has anyone converted from McAfee Network Security to Firepower? Trying to work smarter here, not harder.

1 person had this problem
0 Helpful
8 Replies 8

Marius Gunnerud
VIP
VIP

‎07-23-2021 11:57 AM

Just had a look through the supported APIs and it does not look like we can "GET" the individual rules that are within the Intrusion policy on the FTD yet (as of version 6.7). With that in mind, I do not think it is possible it is currently possible to do what you are looking for.

Are there many custom rules that have been created or tuned?

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

miculp
Cisco Employee
Cisco Employee

‎07-23-2021 09:22 PM

Out of the box, there is no way to export your policy to a csv/xls off of the FMC. 

 

Generally speaking, we don't migrate intrusion policies from one vendor to another. This is for a whole host of reasons, but mainly the way various IPS technologies detect things don't lend themselves to migration. In the past there have been scripts developed that would gather CVE's of rules from the source and enable the equivalent rules in a policy or layer in Firepower. This worked to varying degrees but ultimately a Talos base policy was chosen. Nine times out of ten that would be a balanced base policy. In the intrusion policy editor, you do have the ability to search for rules that address CVE's by the number and enable those as you wish. 

Version 7 now has the the intrusion policy exposed in the API. you could potentially script out searching for CVE's and enabling them in that way. 

Speaking as someone that has implemented/administered/monitored Proventia, Tippingpoint, McAfee (and Snort/Sourcefire) in previous lives before my current position, your best bet is to rip and replace. The level of inspection out of the box with a Talos base policy will put you in an extremely good position to begin with. Even more so when coupled with the built-in security intelligence feeds. 


Hopefully the following links will be helpful for you. 

https://blog.talosintelligence.com/2010/01/vrt-guide-to-ids-ruleset-tuning.html

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214405-what-are-the-metrics-used-to-determine-t.html

 

EverythingBagel62093
Level 1
Level 1
In response to miculp

‎07-29-2021 09:09 AM

Hi,

 

Are there any guidance documents on how to search for CVEs or McAfee ID (since that is something that can be filtered for in the intrusion ruleset in the policy) and enabling/disabling them? That would be a huge help.

 

We absolutely plan on using a base policy, but we want to (as much as possible) carry over any tuned rules or modifications from McAfee to Cisco.

 

Thank you!

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to EverythingBagel62093

‎07-29-2021 10:04 AM

You can search for CVEs in your Firepower intrusion policy by following this blog post:

http://ciscoshizzle.blogspot.com/2018/01/firepower-ips-search-for-certain-cve.html

0 Helpful

EverythingBagel62093
Level 1
Level 1
In response to Marvin Rhoads

‎07-29-2021 10:16 AM

Hi Marvin,
Thanks for that, but that would be more for looking up rules one at a time. I'm looking for something that we could use to look up rules via CVE or McAfee ID by the hundreds/thousands.
0 Helpful

Marius Gunnerud
VIP
VIP
In response to EverythingBagel62093

‎08-02-2021 01:09 PM

As mentioned in my previous post, I was unable to find a way to do this programmatically using APIs.  You might want to try exporting the rule-set that you setup and then see if you can find an app that you can use to open and edit that exported file.  Short of that, it is not possible.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

EverythingBagel62093
Level 1
Level 1
In response to Marius Gunnerud

‎08-03-2021 07:00 AM

Hi Marius,

 

Would the method of exporting the rule-set be along the lines of using the API and GET /policy/intrusion/{parentId}/intrusionrules? I'm pretty new to this, so apologies if I'm asking something with an obvious answer. Thank you.

0 Helpful

Marius Gunnerud
VIP
VIP
In response to EverythingBagel62093

‎08-03-2021 11:38 PM

No, there is no way to retrieve the intrusionrules using API as of yet (as mentioned earlier).  If this was possible, what you want to do would be quite simple.

In the GUI you have an export option.  You can use this to export the rules, but you would need to find an app or program that can read that file or parse it to an excel file.  

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card