
McAfee IPS - Import Snort Signatures onto the McAfee Network Security Platform (NSP)


          The purpose of this document is to illustrate the process of importing Snort signatures onto the Network Security Platform (NSP).





          This document assumes that, if you are importing Snort signatures, you understand how to create signatures and how they will behave.

               Note:  A poorly written signature can have a large negative impact on the performance of the appliance and the effectiveness of existing signatures.  While there are tools in place to prevent redundant signatures and reduce negative impact, it is always best to understand all aspects of the signatures being imported.
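A pre-import sanity check for a rules file, as an added example that is not part of the original document and not McAfee code. It flags duplicate sids, rules with no payload match, and header variables that are not in a list you supply; it assumes one rule per line, uses constructed sample rules, and does not replicate the NSM's own validation.

```python
import re
from collections import Counter

# Constructed sample rules for illustration (not from the original page).
SAMPLE_RULES = r'''
# local test rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Example admin probe"; flow:to_server,established; content:"/admin.php"; nocase; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"Example catch-all"; sid:1000002; rev:1;)
alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"Example DNS marker"; content:"|01 00 00 01|"; sid:1000001; rev:2;)
'''

# action, header, then everything between the outermost parentheses
RULE_RE = re.compile(r'^(alert|log|pass|drop|reject|sdrop)\s+(.*?)\((.*)\)\s*$')

def lint_rules(text, defined_vars=()):
    """Return a list of (line_no, finding) for a Snort rules file."""
    findings, sids = [], Counter()
    defined = set(defined_vars)  # hypothetical: names you know are defined
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            findings.append((no, 'unparseable rule'))
            continue
        header, options = m.group(2), m.group(3)
        # Variables used in the header must be defined before import.
        for var in sorted(set(re.findall(r'\$(\w+)', header)) - defined):
            findings.append((no, f'undefined variable ${var}'))
        # Heuristic: a rule with no payload match fires on the header alone.
        if not re.search(r'(?:^|;)\s*(content|pcre|uricontent)\s*:', options):
            findings.append((no, 'no content/pcre match'))
        sid = re.search(r'(?:^|;)\s*sid\s*:\s*(\d+)', options)
        if not sid:
            findings.append((no, 'missing sid'))
        else:
            sids[sid.group(1)] += 1
            if sids[sid.group(1)] > 1:
                findings.append((no, f'duplicate sid {sid.group(1)}'))
    return findings

if __name__ == '__main__':
    for no, finding in lint_rules(SAMPLE_RULES, ('HOME_NET', 'EXTERNAL_NET')):
        print(f'line {no}: {finding}')
```

Run it against your own file with `lint_rules(open(path).read(), your_variable_names)` and resolve the findings before using File > Import > Snort Rules.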


          Log in to your Network Security Manager (NSM) and navigate to the "Policy" tab.  On the left side, under "Advanced", open the Custom Attacks page, then click the "Custom Attack Editor" button on the right side of the page.

               Custom Attacks Page.JPG


          The "Custom Attack Editor" opens in a new window and may display previously imported signatures.

               Custom Attack Editor.JPG


          To access the Snort import tool, navigate to "File > Import > Snort Rules".

               Snort Rules menu.jpg


          After you click "Snort Rules", a new window opens that allows you to navigate to your saved rules.  You may need to change the "file type" dropdown to "All Files" in order to see your files.

     Open Snort Rules.jpg


Selecting "Open" will open an "Import Status" window.

import status.JPG


The "Import Status" window merely gives you a brief report as to the results of your signature or rule import.  I will cover additional areas to get more information regarding your rules.

          Click "OK"

Clicking "OK" will bring you back to the Custom Attack Editor window, where you will see your new rules listed.  There are three things I'd like to draw your attention to.

               Rule Editor.JPG

          1.  There is a new tab that lists all the imported rules.

          2.  The Attack ID is the same for every rule.  This will change once the rules have been saved (File > Save).

          3.  "State" is listed in the third column.  Double-clicking any rule opens a new window that allows you to view and edit the rule.

               Edit Snort Attack.JPG


          Different fields are available on the editor page to change the signature or even the general properties.  For example, if you'd like to change the device type, select a rule under "Signatures" and then click "View".  A new window will open that allows you to select your specific device.

          When you are done, click "Validate" to confirm that the changes you made will save properly.  After validating and closing the window, you can also see that the selected rule has changed from "Exclude" to "Include".

               Validated Rule.JPG


          Another built-in feature that helps with the management of imported signatures is the de-dup option.  It is located in File > Preferences.

               Include Duplicates.JPG


          Once you are satisfied with your rules, click "Save".  After you click "Save", two indicators at the bottom of the page illustrate progress.

               Saving rules.JPG


   When the rules have been saved and the policies updated, the "Custom Attack Editor" window will remain open; however, the "NSP Attack ID" field will be updated so that each rule gets a unique ID.

               Unique Attack ID.JPG


Deploy Pending Changes

          Close the "Attack Editor" by going to "File > Close".  You will now be back in your NSM dashboard on the Policy > Advanced > Custom Attacks page, and the "Attacks" and "Signatures" values should be updated to reflect your imported signatures and attacks.

          We can also click on the "deploy changes" icon in the upper right-hand corner to push these new signatures into the existing policies on our sensors.

               deploy sigs.JPG


          Select the devices that you'd like to update and select "Update".

               Deploy to sensors.JPG


Once the update has completed, all sensors will have the new Snort signature set included.  To verify this, go to your "Policy > Intrusion Prevention > IPS Policy" page and click any signature to which you have assignments.  In this example, all assignments are associated with the "Default Inline IPS" policy.  Once you've selected the policy, select "View/Edit".



          A Java window will open that lists all signatures associated with the "Default Inline IPS" policy.  We'd like to view just the Snort rules.  To do this, find the "Attack Name" field, type in "snort", then select "Apply".  Doing this will reduce the number of filters we see to just those including the word "snort".

               Default Inline IPS Policy.JPG


          At this point, we can double-click any of the Attack Names and edit the attributes of the attack/signature.

               Attack Editor.JPG


          In the Attack Editor, it is possible to edit any attribute of the signature that you'd like.  Once you have finished making changes, select "OK".

          After selecting "OK" you will return to the "Attack Definitions" tab of the policy window, only now a red "Save" will be in the lower right-hand corner.  Any changes made can be seen in the "Summary" window.



          Clicking "Finish" will close the Java policy window and bring you back to the NSM Policy page.

               Note: Any changes made on the "Attack Detail" page will need to be pushed out to the Sensor.  Return to the "Deploy Pending Changes" page to apply changes.



Additional Resources


You forgot to mention you need to import the SNORT variables files if you want this to work

Version history: Revision 3 of 3. Last update: 03-29-2018 08:34 AM.
