瞭解使用Snort功能設定的Lina規則的處理方式

下載選項

  • PDF     (429.1 KB)
    在多種裝置上使用 Adobe Reader 檢視
  • ePub     (143.6 KB)
    在 iPhone、iPad、Android、Sony Reader 或 Windows Phone 上的各種應用程式中檢視
  • Mobi (Kindle)     (115.9 KB)
    在 Kindle 裝置或多部裝置的 Kindle 應用程式上檢視
已更新: 2022 年 9 月 27 日
文件 ID:218196

無偏見用語

本產品的文件集力求使用無偏見用語。針對本文件集的目的,無偏見係定義為未根據年齡、身心障礙、性別、種族身分、民族身分、性別傾向、社會經濟地位及交織性表示歧視的用語。由於本產品軟體使用者介面中硬式編碼的語言、根據 RFP 文件使用的語言,或引用第三方產品的語言,因此本文件中可能會出現例外狀況。深入瞭解思科如何使用包容性用語。

關於此翻譯

思科已使用電腦和人工技術翻譯本文件,讓全世界的使用者能夠以自己的語言理解支援內容。請注意,即使是最佳機器翻譯,也不如專業譯者翻譯的內容準確。Cisco Systems, Inc. 對這些翻譯的準確度概不負責,並建議一律查看原始英文文件(提供連結)。

    簡介

    本檔案介紹Lina規則如何部署到FTD以及Lina和Snort的處理。此資訊對機內(FDM)和機外(FMC)管理都很有用。

    必要條件

    需求

    思科建議瞭解以下主題:

    • Firepower Management Center (FMC)
    • Firepower裝置管理器(FDM)
    • Firepower威脅防禦虛擬(FTDv) 

    採用元件

    本文中的資訊係根據以下軟體和硬體版本:

    • FTDv 7.0.4

    本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路運作中,請確保您瞭解任何指令可能造成的影響。

    背景資訊 

    FMC是威脅防禦裝置的機箱管理程式。

    FDM是威脅防禦裝置的機箱管理器。

    具有Snort功能的規則部署為Permit Any

    當您使用由Snort端執行的功能(例如地理定位、URL(通用資源定位器)過濾器、應用檢測等)建立規則時,它們將作為允許任何規則部署在Lina端。

    乍一看,這會使您感到困惑,並使您認為FTD允許該規則上的所有流量,並停止對後續規則的規則匹配驗證。

    在本示例中,有應用檢測器、URL過濾器和地理位置塊規則:

    rules2

    在這裡,您可以看到在GUI上配置的引數的正確規則語句,如Snort所示:

    access-list NGFW_ONBOX_ACL remark rule-id 268435458: ACCESS POLICY: NGFW_Access_Policy
    access-list NGFW_ONBOX_ACL remark rule-id 268435458: L7 RULE: testappid
    access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435458 ifc outside any ifc inside any rule-id 268435458 
    access-list NGFW_ONBOX_ACL remark rule-id 268435459: ACCESS POLICY: NGFW_Access_Policy
    access-list NGFW_ONBOX_ACL remark rule-id 268435459: L7 RULE: testurl
    access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435459 any any rule-id 268435459 
    access-list NGFW_ONBOX_ACL remark rule-id 268435461: ACCESS POLICY: NGFW_Access_Policy
    access-list NGFW_ONBOX_ACL remark rule-id 268435461: L5 RULE: testgeo
    access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435461 any any rule-id 268435461

    在Snort端看到規則的方式如下:

    268435458 deny 1 any any 2 any any any any (appid 948:5, 1079:5) (ip_protos 6)
    # End rule 268435458
    268435459 deny any any any any any any any any (urlcat 2027) (urlrep le 0) (urlrep_unknown 1)
    268435459 deny any any any any any any any any (urlcat 2006) (urlrep le 0) (urlrep_unknown 1)
    # End rule 268435459
    268435461 deny 1 any any any any any any any (dstgeo 643)
    # End rule 268435461

    驗證Lina和Snort端如何處理規則

    由於Packet Tracer命令不能正確處理此類規則,因此需要使用system support tracesystem support firewall-engine-debug測試此大量即時流量。

    以下是按地理位置阻止規則的示例:

    > system support trace

    Enable firewall-engine-debug too? [n]: y
    Please specify an IP protocol: 
    Please specify a client IP address: 
     
     
    Please specify a client port: 
    Please specify a server IP address: 
    Please specify a server port: 
    Monitoring packet tracer and firewall debug messages

    10.130.65.192 52459 -> <Geolocation block IP address> 443 6 AS=0 ID=1 GR=1-1 Packet 7: TCP 12****S*, 09/21-17:17:13.483709, seq 957225459, dsize 0
    10.130.65.192 52459 -> <Geolocation block IP address> 443 6 AS=0 ID=1 GR=1-1 Session: new snort session
    10.130.65.192 52459 -> <Geolocation block IP address> 443 6 AS=0 ID=1 GR=1-1 AppID: service: (0), client: (0), payload: (0), misc: (0)
    10.130.65.192 52459 -> <Geolocation block IP address> 443 6 AS=0 ID=1 GR=1-1 Firewall: starting rule matching, zone 1 -> 1, geo 0(0) -> 643, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, no url or host, no xff
    10.130.65.192 52459 -> <Geolocation block IP address> 443 6 AS=0 ID=1 GR=1-1 Firewall: block rule, 'testgeo', force_block
    10.130.65.192 52459 -> <Geolocation block IP address> 443 6 AS=0 ID=1 GR=1-1 Stream: pending block, drop
    10.130.65.192 52459 -> <Geolocation block IP address> 443 6 AS=0 ID=1 GR=1-1 Policies: Network 0, Inspection 0, Detection 3
    10.130.65.192 52459 -> <Geolocation block IP address>
    10.130.65.192 52460 -> <Geolocation block IP address> 443 6 AS=0 ID=1 GR=1-1 New firewall session
    10.130.65.192 52460 -> <Geolocation block IP address> 443 6 AS=0 ID=1 GR=1-1 app event with app id no change, url no change, tls host no change, bits 0x1
    10.130.65.192 52460 -> <Geolocation block IP address> 443 6 AS=0 ID=1 GR=1-1 Starting with minimum 3, 'testurl', and SrcZone first with zones 1 -> 1, geo 0 -> 643, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, svc 0, payload 0, client 0, misc 0, user 9999997
    10.130.65.192 52460 -> <Geolocation block IP address> 443 6 AS=0 ID=1 GR=1-1 pending rule order 3, 'testurl', AppID for URL
    10.130.65.192 52460 -> <Geolocation block IP address> 443 6 AS=0 ID=1 GR=1-1 rule order 3, 'testurl', action Block continue eval of pending deny
    10.130.65.192 52460 -> 
     
     
       443 6 AS=0 ID=1 GR=1-1 match rule order 4, 'testgeo', action Block 
     
    10.130.65.192 52460 -> <Geolocation block IP address> 443 6 AS=0 ID=1 GR=1-1 MidRecovery data sent for rule id: 268435461, rule_action:4, rev id:1095042657, rule_match flag:0x0
    10.130.65.192 52460 -> <Geolocation block IP address> 443 6 AS=0 ID=1 GR=1-1 deny action
    10.130.65.192 52460 -> <Geolocation block IP address> 443 6 AS=0 ID=1 GR=1-1 Deleting Firewall session

    正如您在以上輸出中所看到的,Snort根據規則檢查資料包引數並與地理定位塊規則匹配,然後拒絕該流,並刪除該流的會話。

    在Lina擷取追蹤軌跡上,您可以在ACCESS-LIST階段看到您抵達第一個允許任何規則,而不是您預期要抵達的地理定位規則,但是在SNORT階段上,我們看到判定是Snort到達規則268435461,這是地理定位封鎖規則:

    testftd# show cap test trace packet 1

    9 packets captured

    1: 17:36:52.082011 10.130.65.192.53336 > <Geolocation block IP address>.443: SWE 316839441:316839441(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> 
    Phase: 1
    Type: CAPTURE
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    MAC Access list

    Phase: 2
    Type: ACCESS-LIST
    Subtype: 
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list

    Phase: 3
    Type: INPUT-ROUTE-LOOKUP
    Subtype: Resolve Egress Interface
    Result: ALLOW 
    Config:
    Additional Information:
    Found next-hop 10.130.65.188 using egress ifc outside(vrfid:0)

    Phase: 4
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group NGFW_ONBOX_ACL global
    access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435459 any any rule-id 268435459 
    access-list NGFW_ONBOX_ACL remark rule-id 268435459: ACCESS POLICY: NGFW_Access_Policy
    access-list NGFW_ONBOX_ACL remark rule-id 268435459: L7 RULE: testurl
    object-group service |acSvcg-268435459
    service-object ip 
    Additional Information:
    This packet will be sent to snort for additional processing where a verdict will be reached

    Phase: 5
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config: 
    Additional Information:

    Phase: 6
    Type: IP-OPTIONS
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 7
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 8
    Type: IP-OPTIONS
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 9
    Type: FLOW-CREATION
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 6902, packet dispatched to next module

    Phase: 10
    Type: EXTERNAL-INSPECT
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    Application: 'SNORT Inspect'

    Phase: 11
    Type: SNORT
    Subtype: 
    Result: DROP
    Config:
    Additional Information:
    Snort Trace: 
    00:50:56:96:D0:48 -> 00:50:56:B3:8C:E3 0800
    10.130.65.192:53336 -> <Geolocation block IP address>:443 proto 6 AS=0 ID=1 GR=1-1
    Packet 22: TCP 12****S*, 09/21-17:36:52.073696, seq 316839441, dsize 0
    Session: new snort session
    AppID: service: (0), client: (0), payload: (0), misc: (0)
    Firewall: starting rule matching, zone 1 -> 1, geo 0(0) -> 643, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, no url or host, no xff
    Firewall: block rule, id 268435461, force_block
    Stream: pending block, drop
    Policies: Network 0, Inspection 0, Detection 3
    Verdict: blacklist
    Snort Verdict: (black-list) black list this flow

    Result:
    input-interface: outside(vrfid:0)
    input-status: up
    input-line-status: up
    output-interface: outside(vrfid:0)
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (firewall) Blocked or blacklisted by the firewall preprocessor, Drop-location: frame 0x000055b8a176d7b2 flow (NA)/NA

    結論

    如配置和即時流量日誌所示,即使Lina將這些規則顯示為Permit any any,且我們在Lina端達到該規則,資料包也會傳送到Snort進行深入檢查。

    然後,您可以驗證Snort是否繼續通過規則,直到其流量與預期規則相匹配。

    相關資訊

    Firepower管理中心配置指南,訪問控制規則

    適用於Firepower裝置管理器、訪問控制的思科Firepower威脅防禦配置指南

    思科錯誤ID CSCwd00446 — 增強型:Packet Tracer不會在ACL階段顯示實際的規則命中,而不是地理定位規則

    修訂記錄

    修訂 發佈日期 意見
    1.0
    27-Sep-2022
    初始版本
    TAC Authored

    由思科工程師貢獻

    • Oscar Santino Lopez Cervantes
      技術諮詢工程師

    這份文件是否有所幫助?

    Feedback意見

    讓思科協助您

    本文件適用於這些產品