Introduction
This document describes Firepower Management Center (FMC) support for the additional Snort 3 rule actions added in the 7.1 release.
Background Information
Although Firepower Threat Defense (FTD) supports seven intrusion policy rule actions (Alert, Disable, Block, Reject, Rewrite, Pass and Drop) in 7.0, FMC supported only three Snort 3 rule actions: ‘Alert’, ‘Disable’, and ‘Block’.
From Firepower 7.1.0, FMC supports configuration of the new rule actions.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
• Open-source Snort
• Firepower Management Center (FMC) 7.1.0+
• Firepower Threat Defense (FTD) 7.0.0+
Components Used
The information in this document is based on these software and hardware versions:
• This document applies to all Firepower platforms running Snort 3
• Cisco Firepower Threat Defense Virtual (FTD) which runs software version 7.4.2
• Firepower Management Center Virtual (FMC) which runs software version 7.4.2
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Feature Details
The new Snort 3 rule actions added and their descriptions are as follows:
Pass: No event generated, allows packet to pass without further evaluation by any subsequent Snort rules.
Drop: Generates event, drops matching packet and does not block further traffic in this connection.
Reject: Generates event, drops matching packet, blocks further traffic in this connection and sends TCP reset or ICMP port unreachable to source and destination hosts.
Rewrite: Generates event and overwrites packet contents based on the replace option in the rule.
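The difference between these four actions is easiest to see on a single connection. The following Python model is an added example, not Cisco or Snort code: the Rule class, the inspect_flow function, the SIDs and the sample payloads are constructed for illustration, and trying rules in list order (with later rules seeing rewritten bytes) is a simplifying assumption.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    sid: int               # constructed SID, not a real Talos rule
    action: str            # "pass", "drop", "reject" or "rewrite"
    content: bytes         # payload bytes the rule matches on
    replace: bytes = b""   # replacement bytes, used only by "rewrite"

# Constructed sample connection: four payloads seen in order.
FLOW = [b"GET /index", b"GET /admin", b"GET /index", b"GET /admin"]

def inspect_flow(rules, packets):
    """Return (verdicts, events, resets_sent) for one connection."""
    verdicts, events, resets, blocked = [], [], 0, False
    for payload in packets:
        if blocked:                       # an earlier reject blocked this connection
            verdicts.append(("blocked", payload))
            continue
        verdict = "forwarded"
        for rule in rules:                # assumption: rules are tried in list order
            if rule.content not in payload:
                continue
            if rule.action == "pass":     # no event, later rules are not evaluated
                break
            events.append(rule.sid)       # drop, reject and rewrite generate an event
            if rule.action == "rewrite":  # overwrite the matched bytes, keep inspecting
                payload = payload.replace(rule.content, rule.replace)
                verdict = "rewritten"
                continue
            verdict = "dropped"           # drop and reject both drop this packet
            if rule.action == "reject":   # reject also blocks the flow and sends a reset
                blocked, resets = True, resets + 1
            break
        verdicts.append((verdict, payload))
    return verdicts, events, resets

if __name__ == "__main__":
    for action in ("drop", "reject", "rewrite"):
        rule = Rule(1000001, action, b"/admin", b"/index")
        print(action, inspect_flow([rule], FLOW))
    # A pass rule ahead of a broader drop rule exempts the /admin requests.
    print(inspect_flow([Rule(1000002, "pass", b"/admin"),
                        Rule(1000003, "drop", b"GET")], FLOW))
```

With Drop, the two non-matching requests in the sample flow are still forwarded, whereas with Reject everything after the first match is blocked.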
FMC Walkthrough
To view the Snort 3 rules in an intrusion policy, navigate to FMC Policies > Access Control > Intrusion, then click the Snort 3 Version option in the top right corner of the policy, as shown in the image:
Snort 3 Version
Click Base Policy > All Rules to see the default actions of all the system-defined Snort 3 rules.
Base Policy
To change the rule action to any of these new rule actions, navigate to Rule Overrides > All Rules and select the rule action from the drop-down for the selected rule.
Additional Rule Actions
Changing the Rule Action
The overridden rules can be found under Rule Overrides > Overridden Rules.
Overridden Rules