The purpose of this document is to illustrate the process of importing Snort signatures onto the Network Security Platform (NSP).
This document assumes you already understand how to create Snort signatures and how they will behave once deployed.
Note: a poorly written signature can have a large negative impact on the performance of the appliance and on the effectiveness of existing signatures. While there are tools in place to prevent redundant signatures and reduce negative impact, it is always best to understand all aspects of the signatures being imported.
Log into your Network Security Manager (NSM) and navigate to the "Policy" tab. On the left side under "Advanced", open the custom attacks page by clicking on the "Custom Attack Editor" button on the right side of the page.
The "Custom Attack Editor" opens in a new window and may display previously imported signatures.
To access the Snort import tool, navigate to "File > Import > Snort Rules".
After clicking "Snort Rules" a new window will open that will allow you to navigate to your saved rules. You may need to change the "file type" from the dropdown to "All Files" in order to see your files.
Selecting "Open" will open an "Import Status" window.
The "Import Status" window merely gives you a brief report as to the results of your signature or rule import. I will cover additional areas to get more information regarding your rules.
Clicking "OK" will bring you back to the Custom Attack Editor window, where you will see your new rules listed. There are three things I'd like to draw your attention to.
1. There is a new tab that lists all the imported rules.
2. The Attack ID is the same for every rule. This will change once the rules have been saved (File > Save).
3. "State" is listed in the third column. By double-clicking on any rule a new window will open allowing you to view and edit the rule.
Different fields are available on the editor page to change the signature or even the general properties. For example, if you'd like to change the device type under "Signatures" select a rule then click "View". A new window will open that will allow you to select your specific device.
When you are done, click "Validate" to confirm that the changes will save properly. After validating and closing the window, you will also see that the selected rule has changed from "Exclude" to "Include".
Another feature built in to help manage imported signatures is the de-dup option. This is located in File > Preferences.
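As an added example (not part of this guide or of the NSP product), a pre-import check you can run on a rules file before opening it in the Custom Attack Editor. It reports rules missing msg/sid/rev, reused sids, header-only rules with no content or pcre match (the performance concern noted above), and rules whose header and match options are identical. The duplicate-body comparison is my own rough approximation; the exact criteria the NSP de-dup option uses are not described here. The sample rules are constructed.

```python
import re

# Constructed sample rules file (not from the original page); one rule per line.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test path"; flow:to_server,established; content:"/cgi-bin/test"; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test path (copy)"; flow:to_server,established; content:"/cgi-bin/test"; nocase; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"SSH banner"; content:"SSH-"; sid:1000001; rev:2;)
alert ip any any -> any any (msg:"No sid, no payload match";)
"""
RULE_RE = re.compile(r'^(\w+)\s+([^(]+?)\s*\((.*)\)\s*$')
OPT_RE = re.compile(r'\s*([A-Za-z_]+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')
# Options that label a rule without changing what it matches; ignored when comparing bodies.
BOOKKEEPING = {"msg", "sid", "rev", "gid", "classtype", "reference", "metadata", "priority"}

def parse_rule(line):
    """Split one Snort rule into (action, header, [(option, value), ...]); None if malformed."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    action, header, body = m.groups()
    return action, " ".join(header.split()), [(n, v.strip()) for n, v in OPT_RE.findall(body)]

def check_rules(text):
    """Pre-import lint: malformed rules, missing msg/sid/rev, reused sids, header-only rules, duplicate bodies."""
    report = {"errors": [], "duplicates": [], "warnings": []}
    seen_sid, seen_body = {}, {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parsed = parse_rule(line)
        if parsed is None:
            report["errors"].append((lineno, "unparseable rule"))
            continue
        action, header, opts = parsed
        names = {n for n, _ in opts}
        report["errors"] += [(lineno, f"missing {r}") for r in ("msg", "sid", "rev") if r not in names]
        if not names & {"content", "pcre"}:
            report["warnings"].append((lineno, "no content/pcre: header-only rule is broad and costly"))
        sid = dict(opts).get("sid")
        if sid in seen_sid:
            report["duplicates"].append((lineno, f"sid {sid} already used on line {seen_sid[sid]}"))
        elif sid:
            seen_sid[sid] = lineno
        # Two rules with the same header and the same non-bookkeeping options match the same traffic.
        key = (action, header, tuple(o for o in opts if o[0] not in BOOKKEEPING))
        if key in seen_body:
            report["duplicates"].append((lineno, f"same match as line {seen_body[key]}"))
        else:
            seen_body[key] = lineno
    return report
```

Run `check_rules(open("your.rules").read())` on the file you intend to import and resolve every entry under "errors" and "duplicates" before opening the file in the editor.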
Once you are satisfied with your rules click "Save". After clicking "Save" there are two indicators at the bottom of the page that illustrate progress.
When the rules have been saved and the policies updated, the "Custom Attack Editor" window will remain open; however, the "NSP Attack ID" field will be updated so each rule gets a unique ID.
Deploy Pending Changes
Close the "Attack Editor" by going to "File > Close". You will now be back in your NSM dashboard on the Policy > Advanced > Custom Attacks page, and the "Attacks" and "Signatures" values should be updated to reflect your imported signatures and attacks.
We can also click on the "deploy changes" icon in the upper right-hand corner to push these new signatures into the existing policies on our sensors.
Select the devices that you'd like to update and select "Update".
Once the update has completed, all sensors will have the new Snort signature set included. To verify this, go to your "Policy > Intrusion Prevention > IPS Policy" page and click any policy to which you have assignments. In this example, all assignments are associated with the "Default Inline IPS" policy. Once you've selected the policy, select "View/Edit".
A Java window will open that lists all signatures associated with the "Default Inline IPS" policy. We'd like to view just the Snort rules. To do this, find the "Attack Name" field, type in "snort", then select "Apply". Doing this will reduce the list to just those entries whose name includes the word "snort".
At this point, we can double-click any of the Attack Names and edit the attributes of the attack/signature.
In the Attack editor, it is possible to edit any attribute of the signature that you'd like. Once you have completed making any changes select "OK".
After selecting "OK" you will return to the "Attack Definitions" tab of the policy window, only now a red "Save" button will be in the lower right-hand corner. Any changes made can be seen in the "Summary" window.
Clicking "Finish" will close the Java policy window and bring you back to the NSM Policy page.
Note: Any changes made on the "Attack Detail" page will need to be pushed out to the Sensor. Return to the "Deploy Pending Changes" page to apply the changes.