Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
2438
Views
26
Helpful
1
Comments

Export Snort Intrusion SIDs (enabled) in CSV format from FTD CLI

Dinesh Verma
Cisco Employee
Cisco Employee

on ‎07-21-2020 07:43 AM - edited on ‎03-13-2021 11:16 PM by Cisco Employee

Problem:

 

For now FMC has generate report option available on UI which provides report in PDF format. CSV report is still a limitation.

 

Solution:

 

@Anupam Pavithran and I have created a script which let you for export the enabled intrusion SIDs from FTD CLI.

Script and Demo output are attached in zip file on this article.

snort.png

How to run script:

1. Go to /ngfw/var/sf/detection_engines/<Primary_DE_UUID>/intrusion/ on FTD 

2. Look for directory with UUID, like "5f592c64-a058-11e9-a0f4-f34028439746" and change to that directory.

Note: Each UUID directory corresponds to unique IPS policy. To verify UUID belongs to which IPS policy, open the file snort.conf.<uuid>-randomid available in same intrusion directory

3. Copy the python file here and run it #python list_rule.py

4. The output is stored under /var/tmp with filename "output_rule.csv"

 

Demo Output From Lab Device:

Step 1:  Go to intrusion Dir:

root@vFTD65: cd /ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion/

root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion# pwd
/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion
root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion#

 

Step 2: Available UUIDs of Intrusion Policy (Here I see only one on this device which is highlighted)

 

root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion# ls -lrth
total 20K
-rw-r--r-- 1 root root 5.2K Jun 19 12:55 snort.conf.abba00a0-cf29-425c-9d75-49699aadc898.76fa83ea-c972-11e2-8be8-8e45bb1343c0
drwxr-xr-x 3 root root 4.0K Jun 19 12:56 variables
drwxr-xr-x 2 root root 4.0K Jun 19 12:56 object_abba00a0-cf29-425c-9d75-49699aadc898
drwxr-xr-x 2 root root 4.0K Jun 22 16:23 abba00a0-cf29-425c-9d75-49699aadc898
root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion#

 

To find out the name of this IPS policy, open snort.conf.<IPS-UUID>.randomid. From above output we have snort.conf.abba00a0-cf29-425c-9d75-49699aadc898.76fa83ea-c972-11e2-8be8-8e45bb1343c0.

 

root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion# cat snort.conf.abba00a0-cf29-425c-9d75-49699aadc898.76fa83ea-c972-11e2-8be8-8e45bb1343c0 | grep Name
# Name : Balanced Security and Connectivity
root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion#

 

Go inside the UUID dir:

 

root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion# cd abba00a0-cf29-425c-9d75-49699aadc898/
root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion/abba00a0-cf29-425c-9d75-49699aadc898# pwd
/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion/abba00a0-cf29-425c-9d75-49699aadc898
root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion/abba00a0-cf29-425c-9d75-49699aadc898#

 

Step 3: Put python script in intrusion UUID Dir (either scp or vi a file and copy paste the content)

 

Check if python script is copied/created:

root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion/abba00a0-cf29-425c-9d75-49699aadc898# ls -lrth list_rule.py
-rwxrwxrwx 1 root root 1.9K Jun 22 16:23 list_rule.py

Give permission to execute: chmod 777 list_rule.py

Step 4: Execute list_rule.py which generates output.csv under /var/tmp/

 

root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion/abba00a0-cf29-425c-9d75-49699aadc898# python list_rule.py

Wait, we're exporting the rules into CSV

.
..
...

filename 'output_rule.csv' written at /var/tmp/
root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion/abba00a0-cf29-425c-9d75-49699aadc898#

Verify if output_rule.csv is created:

root@vFTD65:~# ls -lrth /var/tmp/output_rule.csv
-rw-r--r-- 1 root root 706K Jun 22 16:39 /var/tmp/output_rule.csv
root@vFTD65:~#

 

Take the file /var/tmp/output_rule.csv out of the device via FMC/FTP/SCP and  open on desktop. it gives nice formatted output in 5 columns "GID,SID,Action,Protocol,Reference".

Please reach out to Anupam (anpavith) & I if you have face any issues accessing/executing the script.

Thank you.

 

Script & Output.zip
Comments
NetworkKingsXL
Level 1
Level 1
‎08-18-2023 05:54 AM

One thing I notice if there are 2 or more CSV associated with the signature it capture first data only. Can we add all the CSV info?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents