How, Why & When you would use a pass rule in a Cisco Firepower Intrusion policy (IPS)
This TidBit of the day shows off a cool feature of Cisco Firepower/FTD in just a couple of minutes!
So I received this question from a reader:
What is the best easy way to exempt a host or network from a specific snort signature/rule? I want to prevent traffic from being dropped if the source IP is 10.1.1.10 even if it matches the Rule SID 38678 signature. All else still inspect and drop if the signature matched.
This is a great question, and one I receive a lot. I find that admins, in order to meet this business requirement, use the Suppression filter in the IPS policy. However, suppression only stops the event from being generated; the traffic is still dropped, and now you would never know it. That accomplishes nothing! You’d be better off disabling the rule.
Suppressing a rule is just this:
So let’s take a look at the How, Why & When you would use a pass rule in a Cisco Firepower Intrusion policy (IPS).
Caution: When an original rule that the pass rule is based on receives a revision, the pass rule is not automatically updated. Therefore, pass rules might be difficult to maintain.
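As an added example (not code from the post or from Cisco), here is a small Python helper that does by script what the video does by hand, and that also implements the maintenance check the caution above calls for: it clones a rule as a pass rule limited to one source IP, keeping every detection option so only traffic that would have matched the original rule is passed, and it flags pass rules whose base rule has since been revised. The rules in SAMPLE_RULES are constructed for this example (they are not real Talos rules; in practice you would clone the reader's SID 38678), the metadata keys base_sid/base_rev are my own convention for tracking the clone, and the Snort 2 parser covers only the common header and option syntax.

```python
import re

# Constructed sample ruleset (not real Talos/Cisco rules). The drop rule stands in
# for whatever signature a host must be exempted from (SID 38678 in the question);
# the alert rule is unrelated traffic that must stay fully inspected.
SAMPLE_RULES = """\
drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"CONSTRUCTED SMB probe"; flow:to_server,established; content:"|FF|SMB"; depth:4; sid:1000500; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CONSTRUCTED HTTP probe"; flow:to_server,established; content:"GET /probe"; nocase; sid:1000501; rev:1;)
"""

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$"
)


def split_options(body):
    """Split a rule body on ';' while ignoring semicolons inside quoted values."""
    opts, buf, in_quote, i = [], [], False, 0
    while i < len(body):
        c = body[i]
        if in_quote and c == "\\" and i + 1 < len(body):  # keep escapes such as \" intact
            buf.append(body[i:i + 2])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c == ";" and not in_quote:
            opts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(c)
        i += 1
    if "".join(buf).strip():
        opts.append("".join(buf).strip())
    return opts


def parse_rule(line):
    """Parse one Snort 2 rule into header fields plus an ordered (key, value) option list."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % line)
    rule = m.groupdict()
    opts = []
    for chunk in split_options(rule.pop("body")):
        key, _, val = chunk.partition(":")
        opts.append((key.strip(), val.strip()))
    rule["opts"] = opts
    return rule


def option(rule, key):
    """Return the value of the first option named `key`, or None if absent."""
    for k, v in rule["opts"]:
        if k == key:
            return v
    return None


def make_pass_rule(base, exempt_src, new_sid):
    """Clone `base` as a pass rule restricted to exempt_src. All detection options are
    kept, so only packets that would have matched the base rule are passed, and the
    base sid/rev are recorded in metadata (my own convention) for later drift checks."""
    kept = [(k, v) for k, v in base["opts"] if k not in ("msg", "sid", "rev", "metadata")]
    opts = [("msg", '"PASS copy of sid %s for %s"' % (option(base, "sid"), exempt_src))]
    opts += kept
    opts += [
        ("metadata", "base_sid %s, base_rev %s" % (option(base, "sid"), option(base, "rev"))),
        ("sid", str(new_sid)),
        ("rev", "1"),
    ]
    body = " ".join("%s:%s;" % (k, v) if v else "%s;" % k for k, v in opts)
    return "pass %s %s %s %s %s %s (%s)" % (
        base["proto"], exempt_src, base["sport"], base["dir"], base["dst"], base["dport"], body)


def find_stale_pass_rules(rules):
    """Return (pass_sid, base_sid, rev_when_cloned, current_rev) for every pass rule whose
    base rule was revised or removed after the clone was made: the case the caution warns about."""
    by_sid = {option(r, "sid"): r for r in rules}
    stale = []
    for r in rules:
        if r["action"] != "pass":
            continue
        pairs = [kv.split(None, 1) for kv in (option(r, "metadata") or "").split(",") if kv.strip()]
        meta = {p[0]: (p[1] if len(p) > 1 else "") for p in pairs}
        base = by_sid.get(meta.get("base_sid"))
        current_rev = option(base, "rev") if base else None
        if current_rev != meta.get("base_rev"):
            stale.append((option(r, "sid"), meta.get("base_sid"), meta.get("base_rev"), current_rev))
    return stale


def demo():
    """Exempt 10.1.1.10 from the constructed drop rule, then simulate a rule update."""
    rules = [parse_rule(line) for line in SAMPLE_RULES.splitlines() if line.strip()]
    base = next(r for r in rules if option(r, "sid") == "1000500")
    pass_text = make_pass_rule(base, "10.1.1.10", 1000600)
    rules.append(parse_rule(pass_text))
    stale_before = find_stale_pass_rules(rules)

    # Next rule update: the base rule is revised (rev 3 -> 4) but the pass rule is not,
    # so the checker flags it for review.
    updated = [r for r in rules if option(r, "sid") != "1000500"]
    updated.append(parse_rule(SAMPLE_RULES.splitlines()[0].replace("rev:3;", "rev:4;")))
    stale_after = find_stale_pass_rules(updated)
    return {"pass_rule": pass_text, "stale_before": stale_before, "stale_after": stale_after}


if __name__ == "__main__":
    result = demo()
    print(result["pass_rule"])
    for entry in result["stale_after"]:
        print("stale pass rule sid %s: base sid %s moved from rev %s to rev %s" % entry)
```

Run the checker against your exported rule set after every rule update; any pass rule it reports should be re-cloned from the current revision of its base rule (or retired if the base rule is gone), which is the maintenance step the caution above is warning you not to forget.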
Verify
You should monitor the new events for some time in order to make sure no events are generated for this specific rule for the defined source or destination IP address.
Nice, I have been doing this slightly differently by creating a custom IPS policy with the new IPS rule and then applying this new IPS policy to an access rule. Like you point out, the number of changes can become difficult to track, and depending on changes made in the future you could have to track back on the custom changes.
Yes, that is the other way to do it, but now you have to tune two IPS policies. That may be okay if you have the time to do it!
In a scenario with 5506-X/5508-X running in ASA+FPR module (paired with FMC), with ACLs configured on the ASA and a redirect-list configured to send “ip any any” to the SFR module, would it be easier to just add a deny line on the redirect ACL for the source IP which is to be exempted from IPS inspection?
Yes, that is correct. You’d just add an ACL in your SFR service policy.
Thank you for posting!
How would you do this for the SMTP_COMMAND_OVERFLOW rule? I get the message “This preprocessor rule cannot be modified from the rule editor”.
Just watching the video, the rule had the action set to “alert”; shouldn’t the action be set to pass in order to be deemed a “pass” rule?
You can only set a rule to two actions in Snort 2, Alert or Drop & Alert, so to enable a pass rule, you need to set it to alert as an action.
In Snort 3 there are more actions, but rarely are more than two still used. The “pass” in Snort 3 does not do anything and needs to be removed as an action because all it does is confuse people.