cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2926
Views
26
Helpful
2
Comments
Dinesh Verma
Cisco Employee
Cisco Employee

Problem:

 

For now FMC has generate report option available on UI which provides report in PDF format. CSV report is still a limitation.

 

Solution:

 

@Anupam Pavithran and I have created a script which let you for export the enabled intrusion SIDs from FTD CLI.

Script and Demo output are attached in zip file on this article.

snort.png

How to run script:

1. Go to /ngfw/var/sf/detection_engines/<Primary_DE_UUID>/intrusion/ on FTD 

2. Look for directory with UUID, like "5f592c64-a058-11e9-a0f4-f34028439746" and change to that directory.

Note: Each UUID directory corresponds to unique IPS policy. To verify UUID belongs to which IPS policy, open the file snort.conf.<uuid>-randomid available in same intrusion directory

3. Copy the python file here and run it #python list_rule.py

4. The output is stored under /var/tmp with filename "output_rule.csv"

 

Demo Output From Lab Device:

Step 1:  Go to intrusion Dir:

root@vFTD65: cd /ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion/

root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion# pwd
/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion
root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion#

 

Step 2: Available UUIDs of Intrusion Policy (Here I see only one on this device which is highlighted)

 

root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion# ls -lrth
total 20K
-rw-r--r-- 1 root root 5.2K Jun 19 12:55 snort.conf.abba00a0-cf29-425c-9d75-49699aadc898.76fa83ea-c972-11e2-8be8-8e45bb1343c0
drwxr-xr-x 3 root root 4.0K Jun 19 12:56 variables
drwxr-xr-x 2 root root 4.0K Jun 19 12:56 object_abba00a0-cf29-425c-9d75-49699aadc898
drwxr-xr-x 2 root root 4.0K Jun 22 16:23 abba00a0-cf29-425c-9d75-49699aadc898
root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion#

 

To find out the name of this IPS policy, open snort.conf.<IPS-UUID>.randomid. From above output we have snort.conf.abba00a0-cf29-425c-9d75-49699aadc898.76fa83ea-c972-11e2-8be8-8e45bb1343c0.

 

root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion# cat snort.conf.abba00a0-cf29-425c-9d75-49699aadc898.76fa83ea-c972-11e2-8be8-8e45bb1343c0 | grep Name
# Name : Balanced Security and Connectivity
root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion#

 

Go inside the UUID dir:

 

root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion# cd abba00a0-cf29-425c-9d75-49699aadc898/
root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion/abba00a0-cf29-425c-9d75-49699aadc898# pwd
/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion/abba00a0-cf29-425c-9d75-49699aadc898
root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion/abba00a0-cf29-425c-9d75-49699aadc898#

 

Step 3: Put python script in intrusion UUID Dir (either scp or vi a file and copy paste the content)

 

Check if python script is copied/created:

root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion/abba00a0-cf29-425c-9d75-49699aadc898# ls -lrth list_rule.py
-rwxrwxrwx 1 root root 1.9K Jun 22 16:23 list_rule.py

Give permission to execute: chmod 777 list_rule.py

Step 4: Execute list_rule.py which generates output.csv under /var/tmp/

 

root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion/abba00a0-cf29-425c-9d75-49699aadc898# python list_rule.py

Wait, we're exporting the rules into CSV

.
..
...

filename 'output_rule.csv' written at /var/tmp/
root@vFTD65:/ngfw/var/sf/detection_engines/50068a4c-7afd-11ea-b993-13f54eb8d4ea/intrusion/abba00a0-cf29-425c-9d75-49699aadc898#

Verify if output_rule.csv is created:

root@vFTD65:~# ls -lrth /var/tmp/output_rule.csv
-rw-r--r-- 1 root root 706K Jun 22 16:39 /var/tmp/output_rule.csv
root@vFTD65:~#

 

Take the file /var/tmp/output_rule.csv out of the device via FMC/FTP/SCP and  open on desktop. it gives nice formatted output in 5 columns "GID,SID,Action,Protocol,Reference".

Please reach out to Anupam (anpavith) & I if you have face any issues accessing/executing the script.

Thank you.

 

Comments
NetworkKingsXL
Level 1
Level 1

One thing I notice if there are 2 or more CSV associated with the signature it capture first data only. Can we add all the CSV info?

raghchan
Cisco Employee
Cisco Employee

Hi Team,

Can we get the CSV output for all rules for a specific IPS Policy instead of only enabled rules ?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: