Switching over to Firepower from McAfee Network Security - McAfee rules to Snort

We are switching over a section of our environment from McAfee Network Security to Firepower. We have several different policies for different customers. McAfee uses a combination of NSP rules, CVEs, and other ways to identify and categorize intrusion signatures. It wouldn't be feasible for us to go through each of the thousands of rules that have been tuned over time for each customer, nor the tens of thousands of rules in Firepower. Is there a way to download the rules from Firepower in a spreadsheet and compare them against the rules in McAfee? Has anyone converted from McAfee Network Security to Firepower? Trying to work smarter here, not harder.

Marius Gunnerud
VIP Advisor

Just had a look through the supported APIs and it does not look like we can "GET" the individual rules that are within the Intrusion policy on the FTD yet (as of version 6.7). With that in mind, I do not think it is currently possible to do what you are looking for.

Are there many custom rules that have been created or tuned?

--
Please remember to select a correct answer and rate helpful posts
miculp
Cisco Employee

Out of the box, there is no way to export your policy to a csv/xls off of the FMC.

Generally speaking, we don't migrate intrusion policies from one vendor to another. This is for a whole host of reasons, but mainly the way various IPS technologies detect things doesn't lend itself to migration. In the past there have been scripts developed that would gather CVEs of rules from the source and enable the equivalent rules in a policy or layer in Firepower. This worked to varying degrees, but ultimately a Talos base policy was chosen. Nine times out of ten that would be a balanced base policy. In the intrusion policy editor, you do have the ability to search for rules that address CVEs by the number and enable those as you wish.

Version 7 now has the intrusion policy exposed in the API. You could potentially script out searching for CVEs and enabling them in that way.

Speaking as someone that has implemented/administered/monitored Proventia, TippingPoint, McAfee (and Snort/Sourcefire) in previous lives before my current position, your best bet is to rip and replace. The level of inspection out of the box with a Talos base policy will put you in an extremely good position to begin with. Even more so when coupled with the built-in security intelligence feeds.

Hopefully the following links will be helpful for you.

https://blog.talosintelligence.com/2010/01/vrt-guide-to-ids-ruleset-tuning.html

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214405-what-are-the-metrics-used-to-determine-t.html
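The approach described in the reply above (gather the CVEs referenced by the source IPS, then find the Firepower/Snort rules that reference the same CVEs) can be sketched offline once you have a rule file and a McAfee export in hand. The following is an added example, not code from the thread or from Cisco/Talos: it parses `reference:cve,...` options out of Snort-format rule text, builds a CVE-to-SID index, reads the CVE column from a CSV export, and reports which SIDs would be candidates to enable and which CVEs have no equivalent rule. The rule lines, SIDs and the `Attack ID,Attack Name,CVE,Action` column layout are constructed placeholders, not real Talos rules or a real McAfee export format.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample Snort-format rules. SIDs and message text are placeholders,
# not real Talos rules; the CVE references are only there to exercise the parser.
SAMPLE_SNORT_RULES = """\
# comment lines and blank lines are skipped
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE SMB exploit attempt"; flow:to_server,established; reference:cve,2017-0144; reference:url,example.invalid/a; classtype:attempted-admin; sid:1000001; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"EXAMPLE RDP exploit attempt"; flow:to_server; reference:cve,CVE-2019-0708; classtype:attempted-admin; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE rule with no CVE reference"; flow:established; classtype:policy-violation; sid:1000003; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE rule with two CVEs"; reference:cve,2017-0144; reference:cve,2021-44228; classtype:web-application-attack; sid:1000004; rev:1;)
"""

# Constructed CSV standing in for a McAfee NSP export; only the CVE column is used.
# The column names are an assumption, adjust them to whatever the real export contains.
SAMPLE_MCAFEE_EXPORT = """\
Attack ID,Attack Name,CVE,Action
0x40001100,Example SMB Attack,CVE-2017-0144,Block
0x40001200,Example RDP Attack,CVE-2019-0708,Alert
0x40001300,Example Attack Without Snort Equivalent,CVE-2018-9999,Block
0x40001400,Example Attack Without CVE,,Alert
"""

# Snort writes "reference:cve,2017-0144;" but some sources carry the "CVE-" prefix;
# normalise both spellings to "CVE-YYYY-NNNN" so the two sides compare cleanly.
CVE_RE = re.compile(r"(?:CVE-)?(\d{4}-\d{4,})", re.IGNORECASE)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REF_CVE_RE = re.compile(r"reference\s*:\s*cve\s*,\s*([^;]+);", re.IGNORECASE)


def normalize_cve(text):
    """Return 'CVE-YYYY-NNNN' for any recognisable CVE spelling, else None."""
    m = CVE_RE.search(text.strip())
    return "CVE-" + m.group(1) if m else None


def index_snort_rules(rules_text):
    """Map each CVE referenced in the rule file to the set of SIDs that cite it."""
    index = defaultdict(set)
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid_m = SID_RE.search(line)
        if not sid_m:
            continue  # not a complete rule line
        sid = int(sid_m.group(1))
        for ref in REF_CVE_RE.findall(line):
            cve = normalize_cve(ref)
            if cve:
                index[cve].add(sid)
    return index


def load_export_cves(csv_text, column="CVE"):
    """Collect the normalised CVEs from one column of a CSV export."""
    cves = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        cve = normalize_cve(row.get(column) or "")
        if cve:
            cves.add(cve)
    return cves


def match_rules(snort_index, source_cves):
    """Return (sorted SIDs to review for enabling, sorted CVEs with no matching rule)."""
    sids, unmatched = set(), set()
    for cve in source_cves:
        if cve in snort_index:
            sids |= snort_index[cve]
        else:
            unmatched.add(cve)
    return sorted(sids), sorted(unmatched)


if __name__ == "__main__":
    index = index_snort_rules(SAMPLE_SNORT_RULES)
    wanted = load_export_cves(SAMPLE_MCAFEE_EXPORT)
    sids, unmatched = match_rules(index, wanted)
    print("candidate SIDs:", sids)
    print("CVEs with no rule match:", unmatched)
```

Two caveats that follow from the reply above: a rule with no `reference:cve` option (SID 1000003 here) is invisible to this comparison, so the output is a candidate list to review against the base policy, not a finished policy; and an unmatched CVE may simply be covered by a differently referenced rule or by a different detection mechanism, which is why the thread recommends starting from a Talos base policy rather than treating the mapping as complete.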


Hi,


Are there any guidance documents on how to search for CVEs or McAfee ID (since that is something that can be filtered for in the intrusion ruleset in the policy) and enabling/disabling them? That would be a huge help.


We absolutely plan on using a base policy, but we want to (as much as possible) carry over any tuned rules or modifications from McAfee to Cisco.


Thank you!

You can search for CVEs in your Firepower intrusion policy by following this blog post:

http://ciscoshizzle.blogspot.com/2018/01/firepower-ips-search-for-certain-cve.html

Hi Marvin,
Thanks for that, but that would be more for looking up rules one at a time. I'm looking for something that we could use to look up rules via CVE or McAfee ID by the hundreds/thousands.

As mentioned in my previous post, I was unable to find a way to do this programmatically using APIs. You might want to try exporting the rule-set that you set up and then see if you can find an app that you can use to open and edit that exported file. Short of that, it is not possible.

--
Please remember to select a correct answer and rate helpful posts

Hi Marius,


Would the method of exporting the rule-set be along the lines of using the API and GET /policy/intrusion/{parentId}/intrusionrules? I'm pretty new to this, so apologies if I'm asking something with an obvious answer. Thank you.

No, there is no way to retrieve the intrusionrules using the API as of yet (as mentioned earlier). If this was possible, what you want to do would be quite simple.

In the GUI you have an export option. You can use this to export the rules, but you would need to find an app or program that can read that file or parse it to an Excel file.

--
Please remember to select a correct answer and rate helpful posts