McAfee IPS - Import Snort Signatures onto the McAfee Network Security Platform (NSP)

Introduction

The purpose of this document is to illustrate the process of importing Snort signatures onto the Network Security Platform (NSP).


Assumptions

If you are interested in importing Snort signatures, this document assumes you already understand how to create signatures and how they will behave once imported.

Note: a poorly written signature can have a large negative impact on the performance of the appliance and on the effectiveness of existing signatures. While there are tools in place to prevent redundant signatures and reduce negative impact, it is always best to understand all aspects of the signatures being imported before you import them.
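As an added illustration of the review the note above asks for (this script is not part of the original article or of the NSP product), the following Python pre-import check parses a Snort-style rules file and flags the problems that most often cause trouble after import: rule headers that do not parse, variables such as $HOME_NET that are not defined in a variables file, duplicate SIDs, missing SIDs, and rules with no content or pcre match, which inspect every packet matching their header. The rules file, the variables file and the rule format handled (classic single-line Snort 2 syntax) are constructed assumptions.

```python
import re

# Constructed sample inputs (not from the article): a variables file and a rules file.
SAMPLE_VARS = """
var HOME_NET 10.0.0.0/8
portvar HTTP_PORTS [80,8080]
"""
SAMPLE_RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Example A"; content:"GET /"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Example A dup"; content:"GET /"; sid:1000001; rev:2;)
alert tcp any any -> $HOME_NET any (msg:"No content"; sid:1000002; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"Missing sid"; content:"|00 01|";)
this is not a rule
"""

# action proto src sport direction dst dport (options)
HEADER = re.compile(r'^(alert|log|pass|drop|reject|sdrop)\s+(\S+)\s+(\S+)\s+(\S+)\s+'
                    r'(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

def load_vars(text):
    """Collect names declared with var/portvar/ipvar in a Snort variables file."""
    names = set()
    for line in text.splitlines():
        m = re.match(r'^(?:var|portvar|ipvar)\s+(\S+)', line.strip())
        if m:
            names.add(m.group(1))
    return names

def parse_options(opt_text):
    """Split 'k:v; k2;' into a dict (assumes no ';' inside quoted values)."""
    opts = {}
    for raw in opt_text.split(';'):
        raw = raw.strip()
        if raw:
            key, _, val = raw.partition(':')
            opts.setdefault(key.strip(), val.strip() or None)
    return opts

def check_rules(rules_text, defined_vars):
    """Return a list of (line_no, problem) findings for a rules file."""
    findings, seen_sids = [], {}
    for n, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = HEADER.match(line)
        if not m:
            findings.append((n, 'unparseable rule header'))
            continue
        for field in m.group(3, 4, 6, 7):          # src, sport, dst, dport
            for var in re.findall(r'\$(\w+)', field):
                if var not in defined_vars:
                    findings.append((n, f'undefined variable ${var}'))
        opts = parse_options(m.group(8))
        sid = opts.get('sid')
        if sid is None:
            findings.append((n, 'missing sid'))
        elif sid in seen_sids:
            findings.append((n, f'duplicate sid {sid} (first seen line {seen_sids[sid]})'))
        else:
            seen_sids[sid] = n
        if not any(k in opts for k in ('content', 'pcre')):
            findings.append((n, 'no content/pcre match: every packet on this header is inspected'))
    return findings

if __name__ == "__main__":
    for line_no, problem in check_rules(SAMPLE_RULES, load_vars(SAMPLE_VARS)):
        print(f"line {line_no}: {problem}")
```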

Procedure

Log into your Network Security Manager (NSM) and navigate to the "Policy" tab. On the left side, under "Advanced", open the Custom Attacks page, then click the "Custom Attack Editor" button on the right side of the page.

               Custom Attacks Page.JPG

 

The "Custom Attack Editor" opens in a new window and may display previously imported signatures.

               Custom Attack Editor.JPG

 

To access the Snort import tool, navigate to "File > Import > Snort Rules".

               Snort Rules menu.jpg

 

After clicking "Snort Rules", a new window opens that lets you browse to your saved rules file. You may need to change the file type in the dropdown to "All Files" in order to see your files.

     Open Snort Rules.jpg

         

Selecting "Open" will open an "Import Status" window.

 
import status.JPG

         

The "Import Status" window gives you only a brief report on the results of your signature or rule import. I will cover additional areas where you can get more information about your rules.

Click "OK".

Clicking "OK" brings you back to the Custom Attack Editor window, where you will see your new rules listed. There are three things I'd like to draw your attention to.

               Rule Editor.JPG

1. There is a new tab that lists all the imported rules.

2. The Attack ID is the same for every imported rule. This will change once the rules have been saved (File > Save).

3. "State" is listed in the third column. Double-clicking any rule opens a new window that allows you to view and edit the rule.

               Edit Snort Attack.JPG

 

Different fields are available on the editor page to change the signature or even its general properties. For example, if you'd like to change the device type, select a rule under "Signatures" and then click "View". A new window opens that allows you to select your specific device.

When you are done, click "Validate"; this confirms that the changes made will save properly. After validating and closing the window, you can also see that the selected rule has changed from "Exclude" to "Include".

               Validated Rule.JPG

 

Another feature built in to help manage imported signatures is the de-dup option. This is located in File > Preferences.

               Include Duplicates.JPG

 

Once you are satisfied with your rules, click "Save". After clicking "Save", two indicators at the bottom of the page show progress.

               Saving rules.JPG

       

When the rules have been saved and the policies updated, the "Custom Attack Editor" window remains open, but the "NSP Attack ID" field is updated so that each rule gets a unique ID.

               Unique Attack ID.JPG

 

Deploy Pending Changes

Close the "Attack Editor" by going to "File > Close". You will now be back in your NSM dashboard on the Policy > Advanced > Custom Attacks page, and the "Attacks" and "Signatures" values should be updated to reflect your imported signatures and attacks.

We can also click on the "deploy changes" icon in the upper right-hand corner to push these new signatures into the existing policies on our sensors.

               deploy sigs.JPG

 

Select the devices that you'd like to update and select "Update".

               Deploy to sensors.JPG

         

Once the update has completed, all selected sensors will have the new Snort signature set included. To verify this, go to your "Policy > Intrusion Prevention > IPS Policy" page and click any signature to which you have assignments. In this example, all assignments are associated with the "Default Inline IPS" policy. Once you've selected the policy, select "View/Edit".

               Assignments.JPG

 

A Java window opens that lists all signatures associated with the "Default Inline IPS" policy. We'd like to view just the Snort rules. To do this, find the "Attack Name" field, type in "snort", then select "Apply". Doing this reduces the list to just those entries that include the word "snort".

               Default Inline IPS Policy.JPG

 

At this point, we can double-click any of the Attack Names and edit the attributes of the attack/signature.

               Attack Editor.JPG

 

In the Attack Editor, it is possible to edit any attribute of the signature that you'd like. Once you have completed making any changes, select "OK".

After selecting "OK" you will return to the "Attack Definitions" tab of the policy window, only now a red "Save" button will be in the lower right-hand corner. Any changes made can be seen in the "Summary" window.

               Summary.JPG

 

Clicking "Finish" will close the Java policy window and bring you back to the NSM Policy page.

Note: Any changes made on the "Attack Detail" page will need to be pushed out to the Sensor. Return to the "Deploy Pending Changes" page to apply the changes.

              menu.JPG

 

Additional Resources

http://www.mcafee.com/us/products/network-security-platform.aspx

Comments

You forgot to mention you need to import the SNORT variables files if you want this to work.

Version history: Revision 3 of 3. Last update: 03-29-2018 08:34 AM