Introduction
This document describes how to filter Snort rules based on the Cisco Secure Rule Update (SRU) and Lightweight Security Package (LSP) version of Firepower devices managed by the FMC.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Open-source Snort
- Firepower Management Center (FMC)
- Firepower Threat Defense (FTD)
Components Used
The information in this document is based on these software and hardware versions:
- This article applies to all Firepower platforms
- Cisco FTD which runs software version 7.0.0
- FMC Virtual which runs software version 7.0.0
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
In the context of intrusion detection systems (IDS) and intrusion prevention systems (IPS), 'SID' stands for 'Signature ID' or 'Snort Signature ID'.
A Snort Signature ID (SID) is a unique identifier assigned to each rule or signature within its rule set. These rules are used to detect specific patterns or behaviors in network traffic that can indicate malicious activity or security threats. Each rule is associated with a SID in order to allow for easy reference and management.
For information on open-source Snort, visit the SNORT website.
Procedure to Filter Snort Rules
In order to view the Snort 2 rule SIDs, navigate to FMC Policies > Access Control > Intrusion, and then click the Snort 2 Version option in the top right corner, as shown in the image:
Snort 2
Navigate to Rules > Rule Update and choose the latest date to filter the SID.
Rule update
Available SIDs under Snort rules
Choose the required option under Rule State, as shown in the image.
Selecting Rule states
In order to view the Snort 3 rule SIDs, navigate to FMC Policies > Access Control > Intrusion and click the Snort 3 Version option in the top right corner, as shown in the image:
Snort 3
Navigate to Advanced Filters and choose the latest date to filter the SID, as shown in the image.
Snort 3 filters
LSP under advanced filter
LSP version
Pre-set filter for SIDs
Choose the required option under Rule state, as shown in the image.
Rule action