Introduction
This document describes how to filter snort rules based on the Cisco Secure Rule Update (SRU) and Link State Packet (LSP) version of firepower devices managed by the Firepower Management Centre (FMC).
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Knowledge of open-source Snort
- Firepower Management Center (FMC)
- Firepower Threat Defense (FTD)
Components Used
The information in this document is based on these software and hardware versions:
- This article is applicable to all Firepower platforms
- Cisco Firepower Threat Defense (FTD) which runs software version 7.0.0
- Firepower Management Center Virtual (FMC) which runs software version 7.0.0
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
In the context of intrusion detection systems (IDS) and intrusion prevention systems (IPS), "SID" stands for "Signature ID" or "Snort Signature ID."
A Snort Signature ID (SID) is a unique identifier assigned to each rule or signature within its rule set. These rules are used to detect specific patterns or behaviors in network traffic that can indicate malicious activity or security threats. Each rule is associated with a SID to allow for easy reference and management.
For information on open-source Snort, please visit the SNORT website.
Procedure to filter Snort rules
To view the Snort 2 rule SIDs, navigate to FMC Policies > Access Control > Intrusion
,
thereafter click the SNORT2 option in the top right corner, as shown in the image:
Snort 2
Navigate to Rules > Rule Update
and select the latest date to filter the SID.
Rule update
Available Sid’s under snort rules
Select a required option under Rule State
as shown in the image.
Selecting Rule states
To view the Snort 3 rule SIDs, navigate to FMC Policies > Access Control > Intrusion
, thereafter click the SNORT3 option in the top right corner, as shown in the image:
Snort 3
Navigate to Advanced Filters
and select the latest date to filter the SID as shown in the image.
Snort 3 filters
LSP under advanced filter
LSP version
Pre-set filter for Sid’s
Select a required option under Rule state
as shown in the image.
Rule action