Edit Snort 3 Intrusion Policies

While editing a Snort 3 policy, all the changes are saved instantaneously. No additional action is required to save the changes.

Procedure


Step 1

Choose Policies > Intrusion.

Step 2

Ensure the Intrusion Policies tab is selected.

Step 3

Click Snort 3 Version next to the intrusion policy you want to configure.

Step 4

Edit your policy:

  • Change the mode—Click the Mode drop-down to change the inspection mode.

Caution

The inspection mode is changed only for the Snort 3 version of the policy. The existing inspection mode is retained in the Snort 2 version as is, which means that the Snort 2 and Snort 3 versions of the policy will have different inspection modes. We recommend that you use this option with caution.

  • Prevention—Triggered Block rules create an event (alert) and drop the connection.

  • Detection—Triggered Block rules create an alert.

    You can choose Detection mode before moving to Prevention. For example, before choosing Prevention mode, you might want block rules to alert only, so that you can identify rules that cause a lot of false positives.

Step 5

Click the Base Policy layer that defines the intrusion policy’s default settings.

  • Search rules—Use the search field to filter the display. You can enter the GID, SID, rule message, or reference information. For example, enter GID:1; SID:9621 to display only rule 1:9621, or SID:9621,9622,9623 to display multiple rules with different SIDs. You can also click inside the Search text box to choose any of the following options:

    • apply the filters Action = Alert, or Action: Block

    • apply the Disabled Rules filter

    • show Custom/User Defined Rules

    • filter by GID, SID, or GID:SID

    • filter by CVE

    • filter by comment

  • View filtered rules—Click any of the Presets to view rules that are set to alert, block, disabled, and so on.

    Overridden rules indicate the rules where the rule action has been changed from the default action to a different action. Note that, once changed, the rule action status is Overridden even if you change it back to its original default action. However, if you select Revert to default from the Rule Action drop-down list, the Overridden status is removed.

    Advanced Filters provides filter options based on the Lightweight Security Package (LSP) releases, Classifications of intrusions, and Microsoft Vulnerabilities.

  • View rule documentation—Click the rule ID or the Rule Documentation icon to display Talos documentation for the rule.

  • View rule details—Click the Expand Arrow icon in a rule row to view the rule details.

  • Add rule comments—Click Comment under the Comments column to add comments for a rule.
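The search syntax described above (GID:, SID: with comma-separated lists, a bare GID:SID pair, and free text against the rule message), as an added example that is not Cisco's code and not the management center's actual matcher. The rule table is constructed for the example; the parsing rules are assumptions from the wording of this step.

```python
import re

# Constructed sample rule table: (GID, SID, rule message). Not real Talos rules.
RULES = [
    (1, 9621, "MALWARE-CNC constructed sample A"),
    (1, 9622, "MALWARE-CNC constructed sample B"),
    (1, 9623, "SERVER-WEBAPP constructed sample C"),
    (3, 9621, "PROTOCOL-DNS constructed sample D"),
]

def parse_query(query):
    """Turn 'GID:1; SID:9621,9622' into predicates: semicolons separate fields,
    commas list alternative SIDs, a bare GID:SID pair names one rule, and anything
    else is matched case-insensitively against the rule message (assumed)."""
    crit = {"gid": None, "sid": None, "text": []}
    for part in (p.strip() for p in query.split(";")):
        if not part:
            continue
        if m := re.fullmatch(r"(?i)gid:\s*(\d+)", part):
            crit["gid"] = int(m.group(1))
        elif m := re.fullmatch(r"(?i)sid:\s*([\d,\s]+)", part):
            crit["sid"] = {int(s) for s in m.group(1).split(",") if s.strip()}
        elif m := re.fullmatch(r"(\d+):(\d+)", part):
            crit["gid"], crit["sid"] = int(m.group(1)), {int(m.group(2))}
        else:
            crit["text"].append(part.lower())
    return crit

def search(query, rules=RULES):
    """Return the (GID, SID) pairs the display would be filtered down to."""
    crit = parse_query(query)
    hits = []
    for gid, sid, msg in rules:
        if crit["gid"] is not None and gid != crit["gid"]:
            continue
        if crit["sid"] is not None and sid not in crit["sid"]:
            continue
        if any(word not in msg.lower() for word in crit["text"]):
            continue
        hits.append((gid, sid))
    return hits
```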

Step 6

Group Overrides—Click the Group Overrides layer, which lists all the categories of rule groups. The top-level parent rule groups are displayed with their Description, Overrides, Enabled Groups, and so on. Parent rule groups are read-only and cannot be updated; only the leaf rule groups can be updated. In each rule group, you can traverse down to the last leaf group. Across each group, you can override, include, and exclude rule groups. In the leaf rule groups, you can:

  • Search rule groups—Use the search field to enter keywords and search for rule groups.

  • In the left panel, you can choose any of the preset filter options to search for rule groups:

    • All—For displaying all rule groups.

    • Excluded—For excluded groups.

    • Included—For included groups.

    • Overridden—For rule group configuration that is overridden.

  • Set the security level for a rule group—Navigate to the required rule group on the left pane and click it. Click Edit next to the Security Level of the rule group to increase or decrease the security level based on system-defined rule settings.

    In the Edit Security Level dialog box, you have the option to click Revert to Default, which reverts the changes you made.

    The management center automatically changes the action for the rules of the rule group for the configured security level. In the Rule Overrides layer, notice the count of Block Rules and Disabled Rules in the Presets every time you change the security level.

  • You can make bulk changes to the security level to change the security level of all rule groups within a particular rule category. Bulk security level changes apply to parent rule groups that contain more than one rule group. After a bulk update, you can still update the security level of any of the associated rule groups individually.

    There can be mixed security levels within rule groups; mixed indicates that the child groups contain a mix of security levels within the parent rule group.

  • Include or exclude rule groups—The rule groups displayed are the default rule groups associated with the system-provided base intrusion policy. You can include and exclude rule groups from the intrusion policy. An excluded rule group is removed from the intrusion policy and its rules are not applied on the traffic. For information on uploading custom rules in management center, see Add Custom Rules to Rule Groups.

    To exclude a rule group:

    1. Navigate the Rule Groups pane and choose the rule group that you want to exclude.

    2. Click the Exclude hyperlink on the right-pane.

    3. Click Exclude.

    To include a new rule group or multiple rule groups with the uploaded custom rules or a previously excluded rule group:

    1. Click Add next to the rule group filter drop-down list.

    2. Choose all the rule groups you want to add by checking the check box next to it.

    3. Click Save.

  • For a leaf rule group, click the icon under the Override column header to see the rule action trail, which describes the sequence of overridden rule actions that can be assigned to an intrusion rule by the base policy and the group overrides. A rule action can come from either the base policy configuration or the user's group override. Of the two, the group override takes priority; that is, it determines the final overridden action that is assigned to the rule group.

  • Click the rule count (number) under the Rule Count column header to see a summary of rules that are part of the rule group.

Step 7

Recommendations—Click the Recommendations layer if you want to generate and apply Cisco recommended rules. Recommendations use the host database to enable or disable rules, based on known vulnerabilities.

Step 8

Rule Overrides—Click the Rule Overrides layer to choose any of the presets to view rules, which are set to alert, block, disabled, overridden, rewrite, pass, drop, or reject.

  • The Set By column shows the state set by default (Base Policy) or the rule state as modified by Group Overrides, Rule Overrides, or Recommendations. The Set By column in All Rules (in the left pane) shows the trail of rule action overrides in priority order. The priority order of rule actions is Rule Override > Recommendations > Group Override > Base Policy.

  • Modify Rule Action—To modify rule actions, choose either of the following:

    • Bulk edit—Choose one or more rules, then choose the required action from the Rule Action drop-down list, and click Save.

      Note

      Bulk rule action changes are supported only for the first 500 rules.

    • Single rule edit—Choose the action for the rule from the drop-down list in the Rule Action column.

    Rule actions are:

    • Block—Generates an event, and blocks the current matching packet and all subsequent packets in this connection.

    • Alert—Generates an event for the matching packet only; does not drop the packet or the connection.

    • Disable—Does not match traffic against this rule. No events are generated.

    • Revert to default—Reverts to the system default action.

    • Pass—Generates no events and allows the packet to pass without further evaluation by any subsequent Snort rules.

      Note

      The Pass action is available only for custom rules and not for system-provided rules.

    • Drop—Generates an event and drops the matching packet, but does not block further traffic in this connection.

    • Reject—Generates an event, drops the matching packet, blocks further traffic in this connection, and, if the protocol is TCP, sends a TCP reset to the source and destination hosts.

      Behavior of Reject in the different firewall modes, and the source and destination addresses of the resets relative to the client and server: Snort sends RST packets to both the client and the server for routed, inline, and bridged interfaces. Snort sends two RST packets. The RST packet sent toward the client has its source set to the server's IP and its destination set to the client's IP. The RST packet sent toward the server has its source set to the client's IP and its destination set to the server's IP.

    • Rewrite—Generates an event and overwrites packet contents based on the replace option in the rule.

    For IPS rule action logging, see Rule Action Logging.

    If there is a React rule, it is converted to an alert action.
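How the layers in this step combine into one effective rule action, as an added example that is not Cisco's code: it applies the stated priority order (Rule Override > Recommendations > Group Override > Base Policy), the Set By trail, the Overridden status that only Revert to default clears (Step 5), the custom-rule-only Pass action, and the 500-rule bulk edit limit. Class, method and field names are assumptions for the example, not management center APIs.

```python
from dataclasses import dataclass
from typing import Optional

ACTIONS = {"Block", "Alert", "Disable", "Pass", "Drop", "Reject", "Rewrite"}

@dataclass
class RuleState:
    gid: int
    sid: int
    base_policy: str                      # default action from the Base Policy layer
    custom: bool = False                  # user-defined rule; Pass is allowed only here
    group_override: Optional[str] = None  # set by security level / group overrides
    recommendation: Optional[str] = None  # set by Cisco recommendations
    rule_override: Optional[str] = None   # per-rule action chosen in Rule Overrides

    def layers(self):
        # Highest priority first: Rule Override > Recommendations > Group Override > Base Policy.
        return [("Rule Overrides", self.rule_override),
                ("Recommendations", self.recommendation),
                ("Group Overrides", self.group_override),
                ("Base Policy", self.base_policy)]

    def effective(self):
        """Return (action, set_by): the highest-priority layer that set an action wins."""
        for name, act in self.layers():
            if act is not None:
                return act, name
        raise RuntimeError("the base policy always defines an action")

    def trail(self):
        """Set By trail as shown under All Rules: every layer that set an action."""
        return [f"{name}: {act}" for name, act in self.layers() if act is not None]

    def overridden(self):
        # Status stays Overridden even when the override equals the default action.
        return self.rule_override is not None

    def set_rule_action(self, action):
        """Single-rule edit from the Rule Action drop-down list."""
        if action == "Revert to default":
            self.rule_override = None     # the only way to clear the Overridden status
            return
        if action not in ACTIONS:
            raise ValueError(f"unknown rule action {action!r}")
        if action == "Pass" and not self.custom:
            raise ValueError("Pass is available only for custom rules")
        self.rule_override = action

def bulk_set(rules, action, limit=500):
    """Bulk edit: only the first 500 selected rules are changed; returns how many."""
    for rule in rules[:limit]:
        rule.set_rule_action(action)
    return min(len(rules), limit)
```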

Step 9

Click the Summary layer for a holistic view of the current changes to the policy. The policy summary page contains the following information:

  • Rule distribution of the policy, that is, active rules, disabled rules, and so on.

  • Option to export policy and generate report of the intrusion policy.

  • Base policy details.

  • Option to generate recommendations.

  • Group overrides that shows the list of groups that you have overridden.

  • Rule overrides that shows the list of rules that you have overridden.

  • In the Summary layer, click the ? icon to open a popup window of the Snort helper guide that explains the Snort layering concepts.

To change the base policy, see Change the Base Policy of an Intrusion Policy.

Note

You can navigate to Objects > Intrusion Rules, click the Snort 3 All Rules tab, and traverse through all the intrusion rule groups. The parent rule group lists the associated child groups and the rule count.


What to do next

Deploy configuration changes; see Deploy Configuration Changes.