About imported SNORT rules

The Network IPS appliance imports SNORT rules from a rules file and manages them by using customized settings and programmed behavior.

Customizing attributes of imported rules

When you import SNORT rules from a rules file, the appliance groups those rules by file name. You can customize these attributes of the imported rules:
  • Enabled
  • Rule String
    Note: You can edit the rule string attribute. However, if you import an updated version of the rule file, the appliance does not reapply the changes. Changes to this attribute are lost.
  • Comment
  • Display
  • Severity
  • Responses (Email, Quarantine, SNMP, User Specified)
The Network IPS appliance stores these customized attributes so that it can reapply them all (except the rule string) after you import an updated file.

Reimporting updated or changed rules files

The appliance stores customized attributes because, in certain situations, it is necessary to reimport rules files that contain updates and changes. The appliance processes rules in reimported files in the following ways:
  • If a rule is new to the updated file, the appliance adds the rule to the group.
  • If a rule is deleted from the updated file, the appliance deletes that rule from the group. You must add the rule by using the Add icon if you still need the rule.
  • If a rule continues to exist in the updated file, the appliance applies the customized attributes to the updated version of the rule.
Note: When rules have duplicate SIDs and revision numbers, the current integrated system inspects traffic with the rule that was last entered and ignores the previous rule.
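
A pre-import check for the reimport behavior described above, as an added example that is not the appliance's or the vendor's code: it compares the current and updated rules files and reports which rules will be added, deleted, or kept, which rule-string edits will be lost, and which duplicate SID/revision entries are superseded by a later entry. It assumes rules are matched across files by SID; the rules files and the set of edited SIDs are constructed samples.

```python
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")

def parse_rules(text):
    """Return ({sid: (rev, rule line)}, [(sid, rev) pairs seen more than once])."""
    effective, seen, duplicates = {}, set(), []
    for line in text.splitlines():
        line = line.strip()
        sid = SID_RE.search(line)
        if not sid or line.startswith("#"):
            continue  # blank line, commented-out rule, or no SID
        rev = REV_RE.search(line)
        key = (int(sid.group(1)), int(rev.group(1)) if rev else 0)  # no rev: 0 here
        if key in seen:
            duplicates.append(key)  # same SID and rev: the later entry wins
        seen.add(key)
        effective[key[0]] = (key[1], line)  # assumption: rules are matched by SID
    return effective, duplicates

def plan_reimport(old_text, new_text, edited_rule_strings=()):
    """Predict what reimporting new_text over old_text does to the rule group."""
    old, _ = parse_rules(old_text)
    new, duplicates = parse_rules(new_text)
    kept = sorted(old.keys() & new.keys())
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),  # re-add manually if needed
        "kept": kept,  # stored attributes are reapplied, except the rule string
        "rule_string_edits_lost": sorted(set(edited_rule_strings) & set(kept)),
        "duplicates": duplicates,
    }

# Constructed sample files (SIDs and rule bodies are made up for illustration).
OLD_RULES = '''
alert tcp any any -> any 80 (msg:"Constructed A"; content:"a"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"Constructed B"; content:"b"; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"Constructed C"; content:"c"; sid:1000003; rev:1;)
'''
NEW_RULES = '''
alert tcp any any -> any 80 (msg:"Constructed A"; content:"a2"; sid:1000001; rev:2;)
alert tcp any any -> any 80 (msg:"Constructed C"; content:"c"; sid:1000003; rev:1;)
alert tcp any any -> any 80 (msg:"Constructed C dup"; content:"c9"; sid:1000003; rev:1;)
alert tcp any any -> any 80 (msg:"Constructed D"; content:"d"; sid:1000004; rev:1;)
'''

if __name__ == "__main__":
    # SIDs whose rule string was edited on the appliance (constructed).
    for field, value in plan_reimport(OLD_RULES, NEW_RULES, {1000001, 1000002}).items():
        print(f"{field}: {value}")
```

Running the check before each reimport gives you the list of rule strings to re-edit and the deleted rules to restore with the Add icon.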