McAfee IPS - Import Snort Signatures onto the McAfee Network Security Platform



              The purpose of this document is to illustrate the process of importing Snort signatures onto the Network Security Platform (NSP).








If you are interested in importing Snort signatures, this document assumes you already understand how to create signatures and how they will behave once deployed.

    Note: a poorly written signature can have a large negative impact on the performance of the appliance and on the effectiveness of existing signatures. While there are tools in place to prevent redundant signatures and reduce negative impact, it is always best to understand all aspects of the signatures being imported.




Log into your Network Security Manager (NSM) and navigate to the "Policy" tab. On the left side under "Advanced", open the Custom Attacks page, then click the "Custom Attack Editor" button on the right side of the page.

    [Image: Custom Attacks Page.JPG]




The "Custom Attack Editor" opens in a new window and may display previously imported signatures.

    [Image: Custom Attack Editor.JPG]




To access the Snort import tool, navigate to "File > Import > Snort Rules".

    [Image: Snort Rules menu.jpg]



After clicking "Snort Rules", a new window opens that lets you navigate to your saved rules file. You may need to change the "file type" dropdown to "All Files" in order to see your files.

    [Image: Open Snort Rules.jpg]



Selecting "Open" will open an "Import Status" window.

    [Image: import status.JPG]



The "Import Status" window only gives a brief report on the results of your signature or rule import. I will cover additional areas where you can get more information about your rules.

Click "OK".


Clicking "OK" brings you back to the Custom Attack Editor window, where you will see your new rules listed. There are three things I'd like to draw your attention to.

    [Image: Rule Editor.JPG]




1. There is a new tab that lists all the imported rules.

2. Every imported rule shows the same Attack ID. This will change once the rules have been saved (File > Save).

3. "State" is listed in the third column. Double-clicking any rule opens a new window in which you can view and edit the rule.

    [Image: Edit Snort Attack.JPG]



Different fields are available on the editor page to change the signature or even its general properties. For example, if you'd like to change the device type, select a rule under "Signatures" and click "View". A new window opens that lets you select your specific device.

When you are done, click "Validate"; this confirms that the changes you made will save properly. After validating and closing the window you can also see that the selected rule's state has changed from "Exclude" to "Include".

    [Image: Validated Rule.JPG]



Another feature built in to help manage imported signatures is the de-dup option, located under File > Preferences.

    [Image: Include Duplicates.JPG]
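The note earlier about poorly written signatures and the de-dup preference described here both come down to checking rules before they reach the editor. The following Python script is an added example, not part of this document and not McAfee's tooling: it lints a Snort rules file before import and reports duplicate SIDs, rules whose header and detection options repeat another rule (the kind of redundancy the de-dup option is meant to catch), and rules with no content or pcre match, which make the engine inspect every packet that matches the header. The sample rules, the file name snort_lint.py and the finding names are constructed for the example, and the parser is deliberately simplified (it handles escaped semicolons but not every Snort option syntax).

```python
"""Pre-import lint for a Snort rules file (added example; not McAfee tooling)."""
import sys
import re
from collections import defaultdict

# Constructed sample rules (not from the page): line 2 repeats line 1's
# detection logic, line 3 has no content match, line 4 reuses SID 1000001.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB example request"; flow:to_server,established; content:"GET /example"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB example request copy"; flow:to_server,established; content:"GET /example"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH any traffic"; sid:1000003; rev:1;)
alert udp any any -> any 53 (msg:"DNS dup sid"; content:"|01 00 00 01|"; sid:1000001; rev:2;)
# comment lines and blank lines are ignored
"""

# header = action proto src sport direction dst dport; options live inside ( ... )
RULE_RE = re.compile(r"^(?P<header>[^(]+)\((?P<options>.*)\)\s*$")

# Options that describe the rule but do not change what it matches.
META_KEYS = {"msg", "sid", "rev", "gid", "reference", "classtype", "priority", "metadata"}


def split_options(text):
    """Split the option string on unescaped ';' (Snort writes a literal ';' as '\\;')."""
    parts, buf, escaped = [], [], False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ";":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_rule(line):
    """Return {'header', 'options'} for one rule line, or None if it does not parse."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    header = " ".join(m.group("header").split())  # normalise whitespace
    options = []
    for opt in split_options(m.group("options")):
        key, _, value = opt.partition(":")
        options.append((key.strip(), value.strip()))
    return {"header": header, "options": options}


def lint_rules(text):
    """Return a sorted list of (line_number, finding, detail) tuples."""
    findings = []
    sid_lines = defaultdict(list)
    body_lines = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rule = parse_rule(line)
        if rule is None:
            findings.append((lineno, "unparseable", line.strip()))
            continue
        sid = next((v for k, v in rule["options"] if k == "sid"), None)
        if sid is None:
            findings.append((lineno, "missing-sid", rule["header"]))
        else:
            sid_lines[sid].append(lineno)
        # Only the detection options decide whether two rules are redundant.
        detection = tuple((k, v) for k, v in rule["options"] if k not in META_KEYS)
        if not any(k in ("content", "pcre") for k, _ in detection):
            findings.append((lineno, "no-content-match", rule["header"]))
        body_lines[(rule["header"], detection)].append(lineno)
    for sid, lines in sid_lines.items():
        if len(lines) > 1:
            findings.append((lines[-1], "duplicate-sid", f"sid {sid} also used on line(s) {lines[:-1]}"))
    for (header, _), lines in body_lines.items():
        if len(lines) > 1:
            findings.append((lines[-1], "duplicate-body", f"same header and detection options as line(s) {lines[:-1]}"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python snort_lint.py [rules_file]; without an argument the sample is linted.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for lineno, kind, detail in lint_rules(source):
        print(f"line {lineno}: {kind}: {detail}")
```

Run it against the rules file you intend to import and fix or drop the reported lines first; a duplicate SID will collide on import, a duplicate body only adds load without adding coverage, and a header-only rule with no content match fires on every matching packet.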



Once you are satisfied with your rules, click "Save". After clicking "Save", two indicators at the bottom of the page show progress.

    [Image: Saving rules.JPG]



When the rules have been saved and the policies updated, the "Custom Attack Editor" window remains open, but the "NSP Attack ID" field is updated so that each rule gets a unique ID.

    [Image: Unique Attack ID.JPG]



    Deploy Pending Changes


Close the "Attack Editor" by going to "File > Close". You will now be back in your NSM dashboard on the Policy > Advanced > Custom Attacks page, and the "Attacks" and "Signatures" values should be updated to reflect your imported signatures and attacks.

We can also click the "deploy changes" icon in the upper right hand corner to push these new signatures into the existing policies on our sensors.

    [Image: deploy sigs.JPG]



Select the devices that you'd like to update and click "Update".

    [Image: Deploy to sensors.JPG]



Once the update has completed, all sensors will have the new Snort signature set included. To verify this, go to your "Policy > Intrusion Prevention > IPS Policy" page and click any policy to which you have assignments. In this example all assignments are associated with the "Default Inline IPS" policy. Once you've selected the policy, select "View/Edit".





A Java window opens that lists all signatures associated with the "Default Inline IPS" policy. We'd like to view just the Snort rules. To do this, find the "Attack Name" field, type "snort", then select "Apply". This reduces the entries shown to just those whose name includes the word "snort".

    [Image: Default Inline IPS Policy.JPG]



At this point we can double-click any of the Attack Names and edit the attributes of the attack/signature.

    [Image: Attack Editor.JPG]



In the Attack Editor it is possible to edit any attribute of the signature. Once you have completed your changes, select "OK". After selecting "OK" you return to the "Attack Definitions" tab of the policy window, only now a red "Save" button appears in the lower right hand corner. Any changes made can be seen in the "Summary" window.





Clicking "Finish" closes the Java policy window and brings you back to the NSM Policy page.

    Note: Any changes made on the "Attack Detail" page need to be pushed out to the Sensor. Return to the "Deploy Pending Changes" page to apply them.







    Additional Resources