Export Snort Intrusion SIDs (enabled) in CSV format from FTD CLI




For now, FMC has a Generate Report option on the UI, which produces the report in PDF format. A CSV report is still a limitation.




Anupam and I have created a script which lets you export the enabled intrusion SIDs from the FTD CLI.

The script and demo output are attached in a zip file on this article.


How to run script:

1. Go to /ngfw/var/sf/detection_engines/<Primary_DE_UUID>/intrusion/ on the FTD.

2. Look for a directory named with a UUID, like "5f592c64-a058-11e9-a0f4-f34028439746", and change to that directory.

Note: Each UUID directory corresponds to one IPS policy. To verify which IPS policy a UUID belongs to, open the file snort.conf.<uuid>.<randomid> available in the same intrusion directory; its Name line gives the policy name.

3. Copy the Python file here and run it: python

4. The output is stored under /var/tmp with the filename "output_rule.csv".


Demo Output From Lab Device:

Step 1: Go to the intrusion directory:

root@vFTD65: cd /ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion/

root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion# pwd


Step 2: List the available intrusion policy UUIDs (here I see only one on this device, the directory abba00a0-cf29-425c-9d75-49699aadc898):


root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion# ls -lrth
total 20K
-rw-r--r-- 1 root root 5.2K Jun 19 12:55 snort.conf.abba00a0-cf29-425c-9d75-49699aadc898.76fa83ea-c972-11e2-8be8-8e45bb1343c0
drwxr-xr-x 3 root root 4.0K Jun 19 12:56 variables
drwxr-xr-x 2 root root 4.0K Jun 19 12:56 object_abba00a0-cf29-425c-9d75-49699aadc898
drwxr-xr-x 2 root root 4.0K Jun 22 16:23 abba00a0-cf29-425c-9d75-49699aadc898


To find out the name of this IPS policy, open snort.conf.<IPS-UUID>.<randomid>. From the output above that is snort.conf.abba00a0-cf29-425c-9d75-49699aadc898.76fa83ea-c972-11e2-8be8-8e45bb1343c0.


root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion# cat snort.conf.abba00a0-cf29-425c-9d75-49699aadc898.76fa83ea-c972-11e2-8be8-8e45bb1343c0 | grep Name
# Name : Balanced Security and Connectivity


Go into the UUID directory:


root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion# cd abba00a0-cf29-425c-9d75-49699aadc898/
root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion/abba00a0-cf29-425c-9d75-49699aadc898# pwd


Step 3: Put the Python script in the intrusion UUID directory (either scp it or vi a file and paste the content).


Check that the Python script has been copied/created:

root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion/abba00a0-cf29-425c-9d75-49699aadc898# ls -lrth
-rwxrwxrwx 1 root root 1.9K Jun 22 16:23

Give it execute permission: chmod 777

Step 4: Execute the script, which generates output_rule.csv under /var/tmp/:


root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion/abba00a0-cf29-425c-9d75-49699aadc898# python

Wait, we're exporting the rules into CSV


filename 'output_rule.csv' written at /var/tmp/

Verify that output_rule.csv has been created:

root@vFTD65:~# ls -lrth /var/tmp/output_rule.csv
-rw-r--r-- 1 root root 706K Jun 22 16:39 /var/tmp/output_rule.csv


Take the file /var/tmp/output_rule.csv off the device via FMC/FTP/SCP and open it on your desktop. It gives a nicely formatted output in 5 columns: "GID,SID,Action,Protocol,Reference".
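To show what such an export involves, here is an added example (my own code, not the script Anupam and I attached) that reads the Snort rule files in an intrusion-policy UUID directory, keeps only enabled rules (lines that are not commented out with "#"), and writes the same five columns, GID,SID,Action,Protocol,Reference, to a CSV. The file layout (rules in *.rules files), the default GID of 1 when a rule has no gid option, and the "Action" column meaning the rule action (alert/drop/pass and so on) are my assumptions; the sample rules embedded below are constructed so the script can be run and checked without an FTD.

```python
"""Added example: export enabled Snort SIDs from a rule directory to CSV.

Assumptions (not confirmed by the article): rules live in *.rules files in
the policy UUID directory, a rule without a gid option belongs to GID 1,
and a line beginning with '#' is a disabled rule. Written for Python 3.
"""
import csv
import glob
import os
import re
import tempfile

COLUMNS = ["GID", "SID", "Action", "Protocol", "Reference"]

# Rule header: action, protocol, then the rest of the header up to the
# option block in parentheses. Lazy '.*?' stops at the first '(' and the
# greedy inner '.*' runs to the last ')'.
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|pass|log|reject|sdrop)\s+(?P<proto>\S+)\s+"
    r".*?\((?P<opts>.*)\)\s*$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
REF_RE = re.compile(r"\breference\s*:\s*([^;]+);")

# Constructed sample rules (not real Snort content): one disabled rule,
# one with several references, one with neither gid nor reference.
SAMPLE_RULES = """# constructed sample rule file
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE web probe"; flow:to_server; content:"/probe"; reference:url,www.example.com/constructed; sid:1000001; gid:1; rev:2;)
# drop udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SAMPLE disabled rule"; sid:1000002; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE smb"; reference:url,www.example.com/a; reference:bugtraq,0; sid:1000003; rev:1;)
alert ip any any -> any any (msg:"SAMPLE no gid or reference"; sid:1000004; rev:1;)
"""


def parse_rule_line(line):
    """Return a CSV row dict for an enabled rule, or None for blank,
    commented-out (disabled) or unparseable lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    opts = m.group("opts")
    sid = SID_RE.search(opts)
    if not sid:
        return None  # a rule without a sid option is not a valid rule
    gid = GID_RE.search(opts)
    refs = [r.strip() for r in REF_RE.findall(opts)]
    return {
        "GID": gid.group(1) if gid else "1",  # assumed default GID
        "SID": sid.group(1),
        "Action": m.group("action"),
        "Protocol": m.group("proto"),
        "Reference": " | ".join(refs),  # several references joined in one cell
    }


def parse_rules(text):
    """Parse a whole rule file; only enabled rules come back."""
    rows = []
    for line in text.splitlines():
        row = parse_rule_line(line)
        if row:
            rows.append(row)
    return rows


def export_rules(rule_dir, out_path):
    """Read every *.rules file under rule_dir and write the enabled SIDs
    to out_path as CSV. Returns the number of rows written."""
    rows = []
    for path in sorted(glob.glob(os.path.join(rule_dir, "*.rules"))):
        with open(path) as fh:
            rows.extend(parse_rules(fh.read()))
    with open(out_path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=COLUMNS)
        writer.writeheader()
        writer.writerows(rows)
    return len(rows)


def demo():
    """Run the export on the constructed sample in a temp directory and
    return the rows read back from the CSV, so the round trip is checkable."""
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "sample.rules"), "w") as fh:
        fh.write(SAMPLE_RULES)
    out = os.path.join(tmp, "output_rule.csv")
    export_rules(tmp, out)
    with open(out, newline="") as fh:
        return list(csv.DictReader(fh))


if __name__ == "__main__":
    # On an FTD you would run export_rules(".", "/var/tmp/output_rule.csv")
    # from inside the policy UUID directory; here we use the sample.
    for row in demo():
        print(",".join(row[c] for c in COLUMNS))
```

The regex-based option parsing is deliberately simple: it would be confused by a literal "sid:" inside a msg string, which is rare in practice but worth knowing if the row count does not match what the FMC policy shows.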

Please reach out to Anupam (anpavith) and me if you face any issues accessing or executing the script.

Thank you.