Introduction
This document shows the difference in Syslog output format between Snort version 2 and Snort version 3. On FMC/FTD version 6.x only Snort 2 is available; from FMC/FTD version 7.x onward, Snort 3 can be used, or both can be used side by side. Snort 3 delivers better performance and memory efficiency and supports more advanced controls.
To state the conclusion up front: there is no difference in output between Snort 2 and Snort 3.
The verification and confirmation for this document were done on FMC/FTD version 7.2.0.
When using Snort 2
[Snort 2 - Intrusion Policy - Syslog Alert] (output from FTD)
08-25-2022 13:20:19 System4.Emerg 170.72.0.45 2022-08-25T04:20:18Z %FTD-0-430001: DeviceUUID: e23a2fb2-8f33-11ec-89b3-a8f72aabfa0d, InstanceID: 1, FirstPacketSecond: 2022-08-25T04:20:17Z, ConnectionID: 16, SrcIP: 170.72.0.221, DstIP: 192.168.0.16, SrcPort: 8887, DstPort: 62164, Protocol: tcp, IngressInterface: dmz, EgressInterface: inside, IngressZone: DMZ, EgressZone: INSIDE, Priority: 3, GID: 1, SID: 37732, Revision: 6, Message: POLICY-OTHER eicar test string download attempt, Classification: Misc Activity, Client: Chrome, ApplicationProtocol: HTTP, IntrusionPolicy: IPS-TEST, ACPolicy: FTDv-IPS, AccessControlRuleName: IPS-AMP-check, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, InlineResult: Dropped, IngressVRF: Global, EgressVRF: Global, HTTP_Hostname: 170.72.0.221:8887, HTTP_URI: /MALWARE-EICAR-TEST.txt
[Snort 2 - Impact Flag Alerts] (output from FMC)
08-25-2022 18:10:12 System4.Alert 170.72.0.101 Aug 25 09:10:12 FMC SFIMS: [1:37732:6] POLICY-OTHER eicar test string download attempt [Impact: Currently Not Vulnerable] From "FTD Primary" at Thu Aug 25 09:10:11 2022 UTC [Classification: Misc Activity] [Priority: 3] {tcp} 170.72.0.221:8887 (united states)->192.168.0.16:62382 (unknown)
[Snort 2 - Correlation Event] (output from FMC)
08-25-2022 18:10:12 System4.Alert 170.72.0.101 Aug 25 09:10:12 FMC SFIMS: Correlation Event: Intrusion Event/Intrusion Event at Thu Aug 25 09:10:12 2022 UTC: [1:37732:6] POLICY-OTHER eicar test string download attempt [Impact: Currently Not Vulnerable] From "FTD Primary" at Thu Aug 25 09:10:11 2022 UTC [Classification: Misc Activity] [Priority: 3] {tcp} 170.72.0.221:8887 (united states)->192.168.0.16:62382 (unknown)
When using Snort 3
[Snort 3 - ACP Logging - IPS events] (output from FTD)
08-25-2022 16:56:56 System4.Alert 170.72.0.45 2022-08-25T07:56:56Z %FTD-1-430001: DeviceUUID: e23a2fb2-8f33-11ec-89b3-a8f72aabfa0d, InstanceID: 1, FirstPacketSecond: 2022-08-25T07:56:54Z, ConnectionID: 291, SrcIP: 170.72.0.221, DstIP: 192.168.0.16, SrcPort: 8887, DstPort: 62328, Protocol: tcp, IngressInterface: dmz, EgressInterface: inside, IngressZone: DMZ, EgressZone: INSIDE, Priority: 3, GID: 1, SID: 37732, Revision: 6, Message: POLICY-OTHER eicar test string download attempt, Classification: Misc Activity, WebApplication: Web Browsing, Client: Chrome, ApplicationProtocol: HTTP, IntrusionPolicy: IPS-TEST, ACPolicy: FTDv-IPS, AccessControlRuleName: IPS-AMP-check, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, InlineResult: Block, IngressVRF: Global, EgressVRF: Global, HTTP_Hostname: 170.72.0.221:8887, HTTP_URI: /MALWARE-EICAR-TEST.txt
[Snort 3 - Impact Flag Alerts] (output from FMC)
08-25-2022 16:56:56 System4.Alert 170.72.0.101 Aug 25 07:56:56 FMC SFIMS: [1:37732:6] POLICY-OTHER eicar test string download attempt [Impact: Currently Not Vulnerable] From "FTD Primary" at Thu Aug 25 07:56:56 2022 UTC [Classification: Misc Activity] [Priority: 3] {tcp} 170.72.0.221:8887 (united states)->192.168.0.16:62328 (unknown)
[Snort 3 - Correlation Event] (output from FMC)
08-25-2022 16:56:56 System4.Alert 170.72.0.101 Aug 25 07:56:56 FMC SFIMS: Correlation Event: Intrusion Event/Intrusion Event at Thu Aug 25 07:56:56 2022 UTC: [1:37732:6] POLICY-OTHER eicar test string download attempt [Impact: Currently Not Vulnerable] From "FTD Primary" at Thu Aug 25 07:56:56 2022 UTC [Classification: Misc Activity] [Priority: 3] {tcp} 170.72.0.221:8887 (united states)->192.168.0.16:62328 (unknown)
In Snort 3, the Syslog Alert setting inside the "Intrusion Policy" is replaced by the ACP setting "Logging Tab" > "IPS Settings" > "Send Syslog messages for IPS events".
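As a worked illustration of the comparison above, the following Python script (added here; it is not part of the original document and not a Cisco tool) parses the FTD 430001 message body into key/value fields and extracts the [GID:SID:Revision], impact and endpoints from the FMC SFIMS lines, using the sample lines quoted on this page as input. It lists the fields the Snort 2 and Snort 3 FTD messages have in common and any field present in only one of them, and checks that the FTD event and the two FMC events for the same detection carry the same rule signature, which is the kind of check a SIEM parser written for one Snort version needs before it is trusted on the other. The field-splitting rule (a comma followed by an identifier-like key and a colon) is an assumption about the format based only on these samples.

```python
import re

# Sample syslog lines copied verbatim from this page (not constructed):
# the FTD 430001 intrusion event for Snort 2 and for Snort 3, and the two
# FMC (SFIMS) messages emitted for the Snort 3 event.
SNORT2_FTD = "08-25-2022 13:20:19 System4.Emerg 170.72.0.45 2022-08-25T04:20:18Z %FTD-0-430001: DeviceUUID: e23a2fb2-8f33-11ec-89b3-a8f72aabfa0d, InstanceID: 1, FirstPacketSecond: 2022-08-25T04:20:17Z, ConnectionID: 16, SrcIP: 170.72.0.221, DstIP: 192.168.0.16, SrcPort: 8887, DstPort: 62164, Protocol: tcp, IngressInterface: dmz, EgressInterface: inside, IngressZone: DMZ, EgressZone: INSIDE, Priority: 3, GID: 1, SID: 37732, Revision: 6, Message: POLICY-OTHER eicar test string download attempt, Classification: Misc Activity, Client: Chrome, ApplicationProtocol: HTTP, IntrusionPolicy: IPS-TEST, ACPolicy: FTDv-IPS, AccessControlRuleName: IPS-AMP-check, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, InlineResult: Dropped, IngressVRF: Global, EgressVRF: Global, HTTP_Hostname: 170.72.0.221:8887, HTTP_URI: /MALWARE-EICAR-TEST.txt"
SNORT3_FTD = "08-25-2022 16:56:56 System4.Alert 170.72.0.45 2022-08-25T07:56:56Z %FTD-1-430001: DeviceUUID: e23a2fb2-8f33-11ec-89b3-a8f72aabfa0d, InstanceID: 1, FirstPacketSecond: 2022-08-25T07:56:54Z, ConnectionID: 291, SrcIP: 170.72.0.221, DstIP: 192.168.0.16, SrcPort: 8887, DstPort: 62328, Protocol: tcp, IngressInterface: dmz, EgressInterface: inside, IngressZone: DMZ, EgressZone: INSIDE, Priority: 3, GID: 1, SID: 37732, Revision: 6, Message: POLICY-OTHER eicar test string download attempt, Classification: Misc Activity, WebApplication: Web Browsing, Client: Chrome, ApplicationProtocol: HTTP, IntrusionPolicy: IPS-TEST, ACPolicy: FTDv-IPS, AccessControlRuleName: IPS-AMP-check, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, InlineResult: Block, IngressVRF: Global, EgressVRF: Global, HTTP_Hostname: 170.72.0.221:8887, HTTP_URI: /MALWARE-EICAR-TEST.txt"
SNORT3_FMC_IMPACT = '08-25-2022 16:56:56 System4.Alert 170.72.0.101 Aug 25 07:56:56 FMC SFIMS: [1:37732:6] POLICY-OTHER eicar test string download attempt [Impact: Currently Not Vulnerable] From "FTD Primary" at Thu Aug 25 07:56:56 2022 UTC [Classification: Misc Activity] [Priority: 3] {tcp} 170.72.0.221:8887 (united states)->192.168.0.16:62328 (unknown)'
SNORT3_FMC_CORRELATION = '08-25-2022 16:56:56 System4.Alert 170.72.0.101 Aug 25 07:56:56 FMC SFIMS: Correlation Event: Intrusion Event/Intrusion Event at Thu Aug 25 07:56:56 2022 UTC: [1:37732:6] POLICY-OTHER eicar test string download attempt [Impact: Currently Not Vulnerable] From "FTD Primary" at Thu Aug 25 07:56:56 2022 UTC [Classification: Misc Activity] [Priority: 3] {tcp} 170.72.0.221:8887 (united states)->192.168.0.16:62328 (unknown)'

# "%FTD-<syslog severity>-<message id>: <body>"
FTD_HEADER = re.compile(r"%FTD-(?P<severity>\d)-(?P<msgid>\d+): (?P<body>.*)$")
# Assumption about the body format, taken from the samples above: fields are
# "Key: value" pairs separated by ", ", and a new field starts only where the
# comma is followed by an identifier-like key and ": ". A value that itself
# contained ", Something: " would be split wrongly by this rule.
FIELD_SPLIT = re.compile(r", (?=[A-Za-z_][A-Za-z0-9_]*: )")
# FMC impact-flag alert and correlation event share one layout:
# "[gid:sid:rev] message [Impact: ...] ... {proto} src:sport (geo)->dst:dport (geo)"
FMC_EVENT = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<message>.*?) "
    r"\[Impact: (?P<impact>[^\]]+)\].*?\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) \([^)]*\)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_ftd_430001(line):
    """Parse an FTD 430001 intrusion event into a dict of its fields."""
    m = FTD_HEADER.search(line)
    if not m or m.group("msgid") != "430001":
        raise ValueError("not an FTD 430001 intrusion event")
    fields = {"Severity": int(m.group("severity"))}
    for pair in FIELD_SPLIT.split(m.group("body")):
        key, sep, value = pair.partition(": ")
        if not sep:
            raise ValueError(f"malformed field: {pair!r}")
        fields[key] = value
    return fields


def parse_fmc_event(line):
    """Parse an FMC impact-flag alert or correlation event. Keys are named to
    match the FTD field names so the two sources can be joined on them."""
    m = FMC_EVENT.search(line)
    if not m:
        raise ValueError("not an FMC intrusion alert / correlation event")
    return {
        "GID": m.group("gid"), "SID": m.group("sid"), "Revision": m.group("rev"),
        "Message": m.group("message"), "Impact": m.group("impact"),
        "Protocol": m.group("proto"), "SrcIP": m.group("src"), "SrcPort": m.group("sport"),
        "DstIP": m.group("dst"), "DstPort": m.group("dport"),
    }


def same_signature(a, b):
    """True when two parsed events refer to the same Snort rule (GID:SID:Revision)."""
    return all(a[k] == b[k] for k in ("GID", "SID", "Revision"))


def compare_fields(a, b):
    """Return (keys in both, keys only in a, keys only in b), each sorted."""
    ka, kb = set(a), set(b)
    return sorted(ka & kb), sorted(ka - kb), sorted(kb - ka)


if __name__ == "__main__":
    s2 = parse_ftd_430001(SNORT2_FTD)
    s3 = parse_ftd_430001(SNORT3_FTD)
    common, only_s2, only_s3 = compare_fields(s2, s3)
    print(f"fields present in both FTD messages: {len(common)}")
    print(f"only in the Snort 2 sample: {only_s2}")
    print(f"only in the Snort 3 sample: {only_s3}")
    for line in (SNORT3_FMC_IMPACT, SNORT3_FMC_CORRELATION):
        fmc = parse_fmc_event(line)
        sig = f"{fmc['GID']}:{fmc['SID']}:{fmc['Revision']}"
        print(f"FMC event {sig} refers to the same rule as the FTD event: {same_signature(s3, fmc)}")
```

Run as-is, the script reports that every field of the Snort 2 FTD sample is also present in the Snort 3 sample, with the Snort 3 line additionally carrying WebApplication, and that both FMC messages resolve to the same 1:37732:6 signature as the FTD event. Because the FMC lines use a fixed bracketed layout rather than key/value pairs, the same regex handles both the Impact Flag Alert and the Correlation Event; a parser that keys on the [GID:SID:Revision] token is therefore unaffected by which Snort version produced the event.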
Reference information
Firepower System and FTD Troubleshooting
https://community.cisco.com/t5/-/-/ta-p/3161733