Export Snort Intrusion SIDs (enabled) in CSV format from FTD CLI


Problem:

For now FMC has a generate report option on the UI, which provides the report in PDF format. A CSV report is still a limitation.

Solution:

Anupam and I have created a script which lets you export the enabled intrusion SIDs from the FTD CLI.

The script and demo output are attached in a zip file on this article.

How to run the script:

1. Go to /ngfw/var/sf/detection_engines/<Primary_DE_UUID>/intrusion/ on the FTD.

2. Look for a directory named with a UUID, like "5f592c64-a058-11e9-a0f4-f34028439746", and change to that directory.

Note: Each UUID directory corresponds to a unique IPS policy. To verify which IPS policy a UUID belongs to, open the file snort.conf.<uuid>.<randomid> available in the same intrusion directory.

3. Copy the python file here and run it: python list_rule.py

4. The output is stored under /var/tmp with the filename "output_rule.csv".

Demo Output From Lab Device:

Step 1: Go to the intrusion directory:

root@vFTD65: cd /ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion/

root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion# pwd
/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion
root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion#

Step 2: Available UUIDs of the intrusion policy (here I see only one on this device, which is highlighted)


root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion# ls -lrth
total 20K
-rw-r--r-- 1 root root 5.2K Jun 19 12:55 snort.conf.abba00a0-cf29-425c-9d75-49699aadc898.76fa83ea-c972-11e2-8be8-8e45bb1343c0
drwxr-xr-x 3 root root 4.0K Jun 19 12:56 variables
drwxr-xr-x 2 root root 4.0K Jun 19 12:56 object_abba00a0-cf29-425c-9d75-49699aadc898
drwxr-xr-x 2 root root 4.0K Jun 22 16:23 abba00a0-cf29-425c-9d75-49699aadc898
root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion#

To find out the name of this IPS policy, open snort.conf.<IPS-UUID>.<randomid>. From the above output we have snort.conf.abba00a0-cf29-425c-9d75-49699aadc898.76fa83ea-c972-11e2-8be8-8e45bb1343c0.


root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion# cat snort.conf.abba00a0-cf29-425c-9d75-49699aadc898.76fa83ea-c972-11e2-8be8-8e45bb1343c0 | grep Name
# Name : Balanced Security and Connectivity
root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion#

Go inside the UUID directory:


root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion# cd abba00a0-cf29-425c-9d75-49699aadc898/
root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion/abba00a0-cf29-425c-9d75-49699aadc898# pwd
/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion/abba00a0-cf29-425c-9d75-49699aadc898
root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion/abba00a0-cf29-425c-9d75-49699aadc898#

Step 3: Put the python script in the intrusion UUID directory (either scp it, or vi a file and paste the content).

Check that the python script was copied/created:

root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion/abba00a0-cf29-425c-9d75-49699aadc898# ls -lrth list_rule.py
-rwxrwxrwx 1 root root 1.9K Jun 22 16:23 list_rule.py

Give permission to execute: chmod 777 list_rule.py

Step 4: Execute list_rule.py, which generates output_rule.csv under /var/tmp/

root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion/abba00a0-cf29-425c-9d75-49699aadc898# python list_rule.py

Wait, we're exporting the rules into CSV

.
..
...

filename 'output_rule.csv' written at /var/tmp/
root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion/abba00a0-cf29-425c-9d75-49699aadc898#

Verify that output_rule.csv was created:

root@vFTD65:~# ls -lrth /var/tmp/output_rule.csv
-rw-r--r-- 1 root root 706K Jun 22 16:39 /var/tmp/output_rule.csv
root@vFTD65:~#

Take the file /var/tmp/output_rule.csv off the device via FMC/FTP/SCP and open it on a desktop. It gives nicely formatted output in 5 columns: "GID,SID,Action,Protocol,Reference".
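To illustrate what producing those five columns from the rule files in the intrusion UUID directory involves, here is an added Python 3 sketch; it is not the attached list_rule.py and not Cisco's code. It treats a rule commented out with a leading "#" as disabled (Snort's convention), splits rule options on ";" only outside quoted content, defaults GID to 1 when the option is absent, joins repeated reference options with a space, and writes the CSV; the sample rules and the output path are constructed assumptions.

```python
import csv
import re

# Rule header: action, protocol, the rest of the header, then the option body in parentheses.
RULE_RE = re.compile(r'^(alert|drop|pass|log|sdrop|reject)\s+(\S+)\s.*?\((.*)\)\s*$')

def split_options(body):
    """Split the option body on ';' outside double quotes, so content:"a;b" stays whole."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in body:
        if ch == ';' and not quoted:
            parts.append(''.join(buf).strip())
            buf = []
            continue
        buf.append(ch)
        quoted ^= (ch == '"' and not escaped)   # an escaped \" does not close the string
        escaped = (ch == '\\' and not escaped)
    tail = ''.join(buf).strip()
    return [p for p in parts + [tail] if p]

def enabled_rules(lines):
    """Yield (GID, SID, Action, Protocol, Reference) for each rule that is not commented out."""
    for line in lines:
        line = line.strip()
        m = RULE_RE.match(line)
        if not line or line.startswith('#') or not m:
            continue  # '#' disables a rule; non-matching lines are config, not rules
        action, proto, body = m.groups()
        opts = {}
        for opt in split_options(body):
            key, _, value = opt.partition(':')
            opts.setdefault(key.strip(), []).append(value.strip())
        if 'sid' in opts:  # gid defaults to 1 when the option is absent
            yield (opts.get('gid', ['1'])[0], opts['sid'][0], action, proto, ' '.join(opts.get('reference', [])))

def write_csv(lines, path):
    """Write the 5-column CSV (GID,SID,Action,Protocol,Reference) and return the number of rules exported."""
    rows = list(enabled_rules(lines))
    with open(path, 'w', newline='') as fh:
        writer = csv.writer(fh)
        writer.writerow(['GID', 'SID', 'Action', 'Protocol', 'Reference'])
        writer.writerows(rows)
    return len(rows)

# Constructed sample rules (not taken from a device); the second one is disabled by its leading '#'.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"demo http"; content:"a;b"; sid:1000001; rev:1; reference:cve,0000-0000;)
# alert tcp any any -> any 22 (msg:"demo disabled"; sid:1000003;)
drop udp any any -> any 53 (msg:"demo dns"; gid:3; sid:1000002; reference:url,example.invalid/x; reference:bugtraq,1;)
pass ip any any -> any any (msg:"demo pass rule"; gid:116; sid:3;)
""".splitlines()
```

Feed it the rule lines from the policy's UUID directory instead of SAMPLE_RULES to get the same shape of CSV the attached script produces.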

Please reach out to Anupam (anpavith) and me if you face any issues accessing or executing the script.

Thank you.