I'm having an issue where local (custom) rules on the Firepower Management Center are getting the incorrect Snort ID (SID) number associated with them when Splunk pulls events via eStreamer.
Apparently this is a known issue specifically with local rules. The suggested fix according to the troubleshooting guide ( http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118071-troubleshoot-firesight-00.html#anc15 ) is to enable Extended Header:
> **Client Shows Incorrect Snort Rule ID (SID)**
>
> This usually happens due to an SID
> conflict when a rule is imported into
> the system, the SID is re-mapped
> internally.
>
> To use the SID you entered, rather
> than the re-mapped SID, you have to
> enable extended header. Bit 23
> requests extended event headers. If
> this field is set to 0, events are
> sent with a standard event header that
> only includes the record type and
> record length.
I have a mysql command I'm trying to run to validate that the issue is what I think it is, but I can't get the syntax right. What i'm trying it below:
mysql> select sid, gid, local_sid from ids_event_msg_map where sid=ID;
The FMC CLI returns "ERROR 1046 (3D000) : No database selected"
ID is of course the ID I expect to see in Splunk. Apparently the Rendered_Signature_ID is the field that gets added in an extended request type message to Splunk, which should report the local_sid.
If anyone else has run into this issue before, or has any insight please let me know. Thanks
... View more
