Snort 3
Snort includes a set of configurable plugins called inspectors. A Snort inspector can detect and analyze traffic for a certain type of network protocol or probe, normalize messages to enhance packet analysis, and inspect specific types of files embedded in a message. You configure the Snort inspectors in a Network Analysis Policy (NAP) and enable intrusion rules in an Intrusion policy.
Network analysis policies enable you to configure Snort 3 inspectors to determine the traffic protocol and extract and normalize data. You can configure multiple network analysis policies, each using a uniquely configured collection of Snort 3 inspectors to normalize the data. Inspectors can alert when they detect irregularities in the data stream, but their main purpose is to prepare the data for the intrusion rules. The intrusion policies apply their configured intrusion rules to examine the data for signs of evasions, intrusions, or attacks.
Cisco periodically issues intrusion rule updates in the form of Lightweight Security Packages (LSPs). These updates may change the default values of a Snort 3 inspector's configuration parameters and intrusion rule options.
SRU is cumulative
Note.
Content: !!search for bytes in the payload; the payload starts after the L4 header.
can be text, or binary (hex bytes) enclosed in pipe ("|") characters
Depth: !!how many bytes need to be searched in the payload for the content.
Offset: !!search starting point (from the beginning of the payload) for the content.
Within: !!after matching the 1st content, only search # bytes for the 2nd content.
Distance: !!after the previous pattern match, ignore # bytes, then search for another pattern match.
Reference:
https://paginas.fe.up.pt/~mgi98020/pgr/writing_snort_rules.htm#depth
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node32.html#SECTION00457000000000000000
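Added example (not from the original notes or from Snort itself): a small Python model of how content, depth, offset, within and distance narrow the search window, plus the pipe ("|") hex notation. The sample HTTP payload is constructed; the modifier semantics are modeled after the references above, with each match moving a cursor to the byte after the matched pattern.

```python
"""Toy model of Snort content modifiers: absolute (offset/depth) vs relative (distance/within)."""
from dataclasses import dataclass


@dataclass
class Content:
    pattern: bytes
    offset: int = 0         # absolute: skip this many bytes from the start of the payload
    depth: int = 0          # absolute: search at most this many bytes (0 = no limit)
    distance: int = 0       # relative: ignore this many bytes after the previous match
    within: int = 0         # relative: search at most this many bytes after that (0 = no limit)
    relative: bool = False  # True for the 2nd and later contents that use distance/within


def parse_content(text: str) -> bytes:
    """Turn a Snort content string such as 'GET|20|/admin' into bytes.
    Text outside pipes is literal; hex digits inside |...| are binary."""
    out = bytearray()
    for i, chunk in enumerate(text.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")      # literal text
        else:
            out += bytes.fromhex(chunk)         # hex bytes between the pipes
    return bytes(out)


def rule_matches(payload: bytes, contents: list) -> bool:
    """Check every content in order; the rule only fires if all of them match."""
    cursor = 0  # position just after the previous match
    for c in contents:
        if c.relative:
            start, limit = cursor + c.distance, c.within
        else:
            start, limit = c.offset, c.depth
        window = payload[start:start + limit] if limit else payload[start:]
        idx = window.find(c.pattern)            # pattern must lie fully inside the window
        if idx < 0:
            return False
        cursor = start + idx + len(c.pattern)
    return True


# Constructed sample payload: an HTTP request line and headers (L4 header already stripped).
SAMPLE = b"GET /admin/login HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    rule = [Content(parse_content("GET"), depth=3),
            Content(parse_content("/admin"), relative=True, distance=1, within=6),
            Content(parse_content("|0d 0a|Host"), relative=True, within=30)]
    print("rule matches:", rule_matches(SAMPLE, rule))  # True
```

Shrinking `within` for the second content to 5 makes the same rule fail, because "/admin" no longer fits inside the five-byte window after the cursor.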
=======Create Firepower Custom IPS Rule==========
# Copy from the existing rule
# Import a rule
# Create a new rule
Add a content match that can match HTTP info, for example
the HTTP method, an HTTP header, or the HTTP URI
=====================
https://www.rapid7.com/blog/post/2016/12/09/understanding-and-configuring-snort-rules/
Snort 3
https://dependencyhell.net/2021/snort-3-deep-dive-the-future-of-cisco-firepower