Enabling or Disabling an Intrusion Rule – Cisco Network Analysis and Intrusion Policies

Enabling or Disabling an Intrusion Rule
Secure Firewall is equipped with thousands of intrusion rules, but not all of them are enabled at the same time. You learned about it in the “System-Provided Base Policies” section. To enable or disable an additional Snort rule in an intrusion policy, edit the policy with your desired Snort version, and follow the steps shown here. For demonstration purposes, this exercise shows how to enable Snort rule 1:718 (SID:718) to drop packets.
If you selected Snort 3 Version of the intrusion policy editor, follow these steps:
Step 1. Enter the Snort rule ID (such as SID:718) to retrieve the desired rule directly from the database, as shown in Figure 15-26. Alternatively, you can use the left panel to find a rule from its relevant rule groups.
Step 2. Use the Rule Action drop-down to set the desired action.
Step 3. Finally, click the Intrusion Policy to save the changes to the policy.
If you selected Snort 2 Version of the intrusion policy editor, follow these steps:
Step 1. Select Rules in the left panel. This displays a glimpse of the available rules.
Step 2. Rules are organized in a variety of ways. You can use the category panel to find your desired rule, as shown in Figure 15-27. Alternatively, if you know the Snort rule ID, you can enter it directly in the Filter field.

Figure 15-27 Enabling a Snort Rule on the Snort 2 Version of the Intrusion Policy Editor
Step 3. When you find the desired rule, select its check box and set the Rule State to Drop and Generate Events. This state causes the Snort rule to block matching packets and to generate an alert.
Figure 15-27 illustrates the steps to find a Telnet-specific rule using the Snort 2 version of the intrusion policy editor and then enable the rule to drop and generate events.
Step 4. Go to the Policy Information page. Make sure to save any changes to the intrusion policy by clicking the Commit Changes button.

Setting Up a Variable Set
One of the important steps to enable intrusion prevention functionality is to associate the intrusion policy with a variable set that precisely reflects your network environment. Because Secure Firewall does not force an administrator to customize the values of the default variables, this essential step is often overlooked. At a minimum, you must define the $HOME_NET variable to include the network that you wish to protect with your intrusion policy.
Generally speaking, if a threat defense is deployed to inspect northbound and southbound traffic, you may assume $EXTERNAL_NET=!$HOME_NET for that environment. However, if you deploy your threat defense to inspect eastbound and westbound traffic, you should define the variables precisely. If the default value of any server-specific variable is set to any or $HOME_NET, replace it with the actual network addresses of those servers. Doing so makes a Snort rule more effective and reduces the probability of false positive alerts. Thus, a proper variable setting can improve overall system performance.
To add a new variable set and modify the default values, follow these steps:
Step 1. Navigate to Objects > Object Management.
Step 2. Select Variable Set from the menu on the left. The list of available variable sets appears.
Step 3. Here, you can edit an existing variable set or choose to create a new one. To create a new variable set, click the Add Variable Set button. The New Variable Set configuration window appears.
Step 4. Find the default variables that need to be updated. Use the pencil icon to modify their default values with predefined network objects. The management center also allows you to create a new network object on the fly. When the variables are customized, they are listed under the Customized Variables category, as shown in Figure 15-28.

Figure 15-28 Creating a Custom Variable Set
Step 5. When the variable values are updated based on your own network environment, save the configurations.
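To make the effect of a variable set concrete, the following added example (not from the book or from Cisco) evaluates a constructed Snort-style rule header against a few constructed flows under two variable sets: a loose one where $HOME_NET, $EXTERNAL_NET and the server variable resolve to any, and a customized one for a 10.1.0.0/16 site. It also models the rule states set in the intrusion policy editor (Drop and Generate Events, Generate Events, Disable) so that the rule-state step from the previous section and the variable resolution from this one are shown together. The rule (SID 1000001 in the local range), the variable names beyond $HOME_NET/$EXTERNAL_NET, the addresses and the flows are all assumptions made for the demonstration; only the header matching logic follows Snort's address/port syntax.

```python
"""Constructed example: verdicts for flows under a default and a customized variable set."""
import ipaddress
import re

# Constructed variable sets. DEFAULT_VARS models the common starting point where
# $HOME_NET/$EXTERNAL_NET are "any" and a server variable falls back to $HOME_NET.
DEFAULT_VARS = {"HOME_NET": ["any"], "EXTERNAL_NET": ["any"],
                "TELNET_SERVERS": ["$HOME_NET"]}
# CUSTOM_VARS is what an administrator would define for a 10.1.0.0/16 site.
CUSTOM_VARS = {"HOME_NET": ["10.1.0.0/16"], "EXTERNAL_NET": ["!$HOME_NET"],
               "TELNET_SERVERS": ["10.1.5.10", "10.1.5.11"]}

# Rule states keyed by SID: "drop" = Drop and Generate Events,
# "alert" = Generate Events, "disabled" = Disable.
POLICY_STATES = {1000001: "drop"}

# Constructed rule in the local SID range; not the text of any system-provided rule.
RULES = ["alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 "
         '(msg:"CONSTRUCTED telnet login failure"; sid:1000001; rev:1;)']

def addr_matches(varset, token, ip, depth=0):
    """True if ip satisfies a Snort address token: any, CIDR, $VAR, !X or [a,b]."""
    if depth > 16:
        raise ValueError(f"variable recursion in {token!r}")
    token = token.strip()
    if token == "any":
        return True
    if token.startswith("!"):
        return not addr_matches(varset, token[1:], ip, depth + 1)
    if token.startswith("$"):
        name = token[1:]
        if name not in varset:
            raise KeyError(f"undefined variable ${name}")
        return any(addr_matches(varset, t, ip, depth + 1) for t in varset[name])
    if token.startswith("[") and token.endswith("]"):
        return any(addr_matches(varset, t, ip, depth + 1) for t in token[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(token, strict=False)

def port_matches(token, port):
    """True if port satisfies any, a single port, or a low:high range."""
    if token == "any":
        return True
    if ":" in token:
        low, high = token.split(":")
        return (int(low) if low else 0) <= port <= (int(high) if high else 65535)
    return int(token) == port

HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(text):
    """Split a rule into its header fields and pull the SID out of the options."""
    m = HEADER.match(text)
    if not m:
        raise ValueError("unparseable rule: " + text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    sid = int(re.search(r"sid:\s*(\d+)", opts).group(1))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "sid": sid}

def header_matches(rule, varset, flow):
    """Apply the rule header to a (proto, src ip, src port, dst ip, dst port) flow."""
    proto, sip, sport, dip, dport = flow
    if rule["proto"] != proto:
        return False
    forward = (addr_matches(varset, rule["src"], sip) and port_matches(rule["sport"], sport)
               and addr_matches(varset, rule["dst"], dip) and port_matches(rule["dport"], dport))
    if forward or rule["dir"] == "->":
        return forward
    # "<>" rules also match the reverse direction.
    return (addr_matches(varset, rule["src"], dip) and port_matches(rule["sport"], dport)
            and addr_matches(varset, rule["dst"], sip) and port_matches(rule["dport"], sport))

def evaluate(flow, varset, rules=RULES, states=POLICY_STATES):
    """Verdict for one flow: "pass" (no enabled rule matched), "alert" or "drop"."""
    verdict = "pass"
    for text in rules:
        rule = parse_rule(text)
        state = states.get(rule["sid"], "disabled")
        if state == "disabled" or not header_matches(rule, varset, flow):
            continue
        if state == "drop":
            return "drop"
        verdict = "alert"
    return verdict

# Constructed flows: (proto, src ip, src port, dst ip, dst port).
FLOWS = {"internet -> telnet server": ("tcp", "198.51.100.7", 40000, "10.1.5.10", 23),
         "internal host -> telnet server": ("tcp", "10.1.2.20", 40001, "10.1.5.10", 23),
         "internet -> non-telnet host": ("tcp", "198.51.100.7", 40002, "10.1.9.9", 23)}

def compare_variable_sets(flows=FLOWS):
    """(default verdict, customized verdict) per flow, to show what precise variables change."""
    return {name: (evaluate(f, DEFAULT_VARS), evaluate(f, CUSTOM_VARS)) for name, f in flows.items()}

if __name__ == "__main__":
    for name, (default, custom) in compare_variable_sets().items():
        print(f"{name:32} default={default:5} custom={custom}")
```

With the loose set every flow to port 23 is dropped, because $EXTERNAL_NET and $TELNET_SERVERS both resolve to any; with the customized set only the flow from outside $HOME_NET to a real Telnet server is dropped, while east-west traffic and connections to hosts that are not Telnet servers are never evaluated against the rule body at all. That is the reduction in false positives and wasted inspection work the section describes.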
