Filter Snort Rules Based on SRU and LSP Version of Firepower Devices Managed by FMC

Available Languages

Download Options

  • PDF     (741.8 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (836.5 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (642.6 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:November 8, 2023
Document ID:221186

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to filter snort rules based on the Cisco Secure Rule Update (SRU) and Lightweight Security Package (LSP) version of firepower devices managed by the FMC.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Knowledge of open-source Snort
    • Firepower Management Center (FMC)
    • Firepower Threat Defense (FTD)

    Components Used

    The information in this document is based on these software and hardware versions:

    • This article applies to all Firepower platforms
    • Cisco FTD which runs software version 7.0.0
    • FMC Virtual which runs software version 7.0.0

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    In the context of intrusion detection systems (IDS) and intrusion prevention systems (IPS), 'SID' stands for 'Signature ID' or 'Snort Signature ID'. 

    A Snort Signature ID (SID) is a unique identifier assigned to each rule or signature within its rule set. These rules are used to detect specific patterns or behaviors in network traffic that can indicate malicious activity or security threats. Each rule is associated with a SID in order to allow for easy reference and management.

    For information on open-source Snort, visit the SNORT website.

    Procedure to Filter Snort Rules

    In order to view the Snort 2 rule SIDs, navigate to FMC Policies > Access Control > Intrusion, thereafter click the Snort 2 Version option in the top right corner, as shown in the image:

    Snort 2Snort 2

    Navigate to  Rules > Rule Update  and choose the latest date to filter the SID.

    Rule UpdateRule update

    Available SIds under Snort RulesAvailable Sid’s under snort rules

    Choose a required option under  Rule State  as shown in the image.

    Selecting Rule StatesSelecting Rule states

    In order to view the Snort 3 rule SIDs, navigate to  FMC Policies > Access Control > Intrusion and click the Snort 3 Version option in the top right corner, as shown in the image:

    Snort 3Snort 3

    Navigate to  Advanced Filters  and choose the latest date to filter the SID as shown in the image.

    Snort 3 FiltersSnort 3 filters

    LSP under Advanced FilterLSP under advanced filter

    LSP VersionLSP version

    Pre-set Filter for SIdsPre-set filter for Sid’s

    Choose a required option under  Rule state  as shown in the image.

    Rule ActionRule action

    Revision History

    Revision Publish Date Comments
    1.0
    09-Nov-2023
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Sakthivel Thirupathy
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco