Risks and considerations with SNORT

Take these steps and consider these Network IPS appliance behaviors when you use SNORT.

Risks

If you know how to use SNORT, the system offers customized protection against a vast range of threats. However, if it is not used properly, the integrated SNORT system can burden the appliance with errors and hinder its performance. Do not use the integrated SNORT system if you are not familiar with SNORT. IBM® Support is not available to help write or troubleshoot custom SNORT rules and configuration contents.

Use this information to configure and manage the integrated SNORT system on the Network IPS appliance. For the latest information about SNORT, including rules, documentation, and community forums, go to http://www.snort.org.

Considerations

SNORT rules
  • Use an appropriate SNORT rule syntax checker to review the integrity of your rules because the integrated system does not check rule syntax.
  • Import no more than 9000 SNORT rules from a rules file. Importing more rules at one time affects the Network IPS Local Management Interface and the SiteProtector™ Console performance.
  • Import SNORT rules files no larger than 5 MB. Importing large SNORT rules files affects the Network IPS Local Management Interface and the SiteProtector Console performance.
  • The Network IPS appliance does not support the use of dynamic rules for SNORT.
  • The current integrated system supports quarantine rules and SNORT TCP reset rules for actively responding to unwanted traffic.
  • The current integrated system processes rules with duplicate SIDs and revision numbers by inspecting traffic with the rule that was entered last; the system ignores the earlier rule.
  • Use event filters in the configuration file to manage SNORT rules that cause an excessive number of alerts.
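The following script is an added example, not part of this IBM documentation or of the appliance software. It pre-checks a SNORT rules file against the considerations above before you import it: the basic header and option grammar (standard SNORT 2 rule syntax is assumed), a missing or non-numeric sid, duplicate sid/rev pairs (which the appliance resolves by keeping the later rule), activate/dynamic rule types, and the 9000-rule and 5 MB limits. The embedded rules are constructed samples, and the grammar check is a lightweight approximation rather than a full SNORT parser, so run a real syntax checker as well.

```python
import re
import sys

# Import limits stated in the appliance considerations.
MAX_RULES = 9000
MAX_FILE_BYTES = 5 * 1024 * 1024

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
UNSUPPORTED_ACTIONS = {"activate", "dynamic"}  # dynamic rules are not supported on the appliance
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

# action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)

# Constructed sample rules file (not a real ruleset): line 1 is a comment,
# the rules occupy lines 2 to 6.
RULES_SAMPLE = """\
# constructed sample rules for the checker below
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"web probe"; content:"GET /x"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"web probe v2"; content:"GET /y"; sid:1000001; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"missing sid")
dynamic tcp any any -> any any (msg:"dyn"; sid:1000002; rev:1;)
alert tcp any any -> any 22 (msg:"ok"; flags:S; sid:1000003; rev:2;)
"""


def split_options(body):
    """Split the option body on ';' outside double quotes.
    Returns (options, unterminated_tail, quote_left_open)."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:                # character after a backslash is literal
            cur.append(ch)
            escaped = False
            continue
        if ch == "\\":
            cur.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return opts, "".join(cur).strip(), in_quote


def lint_rules(text):
    """Return (rule_count, findings) for a rules file supplied as a string."""
    findings = []
    seen = {}  # (sid, rev) -> line number of the first occurrence
    count = 0
    if len(text.encode("utf-8")) > MAX_FILE_BYTES:
        findings.append("file: larger than 5 MB; split it before importing")
    for lineno, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        m = HEADER_RE.match(s)
        if not m:
            findings.append(f"line {lineno}: malformed header or missing option parentheses")
            continue
        count += 1
        action, proto, body = m.group(1), m.group(2), m.group(8)
        if action in UNSUPPORTED_ACTIONS:
            findings.append(f"line {lineno}: '{action}' rule; dynamic rules are not supported")
        elif action not in ACTIONS:
            findings.append(f"line {lineno}: unknown action '{action}'")
        if proto not in PROTOCOLS:
            findings.append(f"line {lineno}: unknown protocol '{proto}'")
        opts, tail, unbalanced = split_options(body)
        if unbalanced:
            findings.append(f"line {lineno}: unbalanced double quote in options")
        if tail:
            findings.append(f"line {lineno}: option '{tail}' is not terminated by ';'")
        fields = {}
        for opt in opts:
            name, _, value = opt.partition(":")
            fields[name.strip()] = value.strip()
        sid, rev = fields.get("sid"), fields.get("rev")
        if sid is None or not sid.isdigit():
            findings.append(f"line {lineno}: missing or non-numeric sid")
            continue
        key = (int(sid), int(rev) if rev and rev.isdigit() else None)
        if key in seen:   # the appliance keeps the later rule and ignores the earlier one
            findings.append(f"line {lineno}: duplicate sid {sid} rev {rev} (first at line {seen[key]}); "
                            "the later rule is used and the earlier one is ignored")
        else:
            seen[key] = lineno
    if count > MAX_RULES:
        findings.append(f"file: {count} rules exceeds the 9000-rule import limit")
    return count, findings


if __name__ == "__main__":
    # Usage: python lint_rules.py local.rules   (no argument: check the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else RULES_SAMPLE
    n, problems = lint_rules(text)
    print(f"{n} rules checked, {len(problems)} findings")
    for p in problems:
        print(" ", p)
```

Run it on the rules file you intend to upload; any finding about duplicates is worth resolving explicitly, because silently losing the earlier revision of a rule is the kind of gap that is hard to notice once the appliance is in production.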
SNORT configuration
  • The Network IPS appliance does not support the use of third-party preprocessors.
  • Review and adjust the settings and directories in the configuration file (either the default configuration file or an imported configuration file) so that the file works for your environment.
  • If you import a SNORT.conf file, delete rule path variables. Examples of rule path variables:
    • var PREPROC_RULE_PATH ../preproc_rules
    • var WHITE_LIST_PATH /etc/snort/rules
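The following script is an added example, not part of this IBM documentation or of the appliance software. It covers two of the configuration considerations above: it removes the `var ..._PATH` rule path variables from an imported SNORT.conf and reports any `$..._PATH` references that would be left dangling so you can review those lines, and it appends an `event_filter` line (standard SNORT 2 `event_filter` syntax is assumed) to throttle a rule that produces an excessive number of alerts. The embedded configuration fragment is constructed and is not the appliance default file; the choice to flag dangling references rather than delete them is this example's own.

```python
import re

# Constructed sample SNORT.conf fragment (not the appliance default configuration).
CONF_SAMPLE = """\
# constructed sample configuration
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var RULE_PATH ../rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
preprocessor frag3_global
preprocessor stream5_global: track_tcp yes
include $RULE_PATH/local.rules
"""

# A 'var' whose name ends in _PATH is treated as a rule path variable.
PATH_VAR_RE = re.compile(r"^\s*var\s+(\w*_PATH)\s+\S+", re.IGNORECASE)
PATH_REF_RE = re.compile(r"\$(\w*_PATH)\b")


def strip_rule_path_vars(conf):
    """Drop every 'var *_PATH ...' line. Returns (new_conf, removed_names)."""
    kept, removed = [], []
    for line in conf.splitlines():
        m = PATH_VAR_RE.match(line)
        if m:
            removed.append(m.group(1))
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


def dangling_path_refs(conf):
    """Names of *_PATH variables still referenced after the definitions are gone."""
    return sorted(set(PATH_REF_RE.findall(conf)))


def add_event_filter(conf, sig_id, count, seconds, gen_id=1, track="by_src", kind="limit"):
    """Append an event_filter that allows 'count' alerts per 'seconds' for one sid."""
    line = (f"event_filter gen_id {gen_id}, sig_id {sig_id}, type {kind}, "
            f"track {track}, count {count}, seconds {seconds}")
    return conf.rstrip("\n") + "\n" + line + "\n"


if __name__ == "__main__":
    cleaned, gone = strip_rule_path_vars(CONF_SAMPLE)
    print("removed path variables:", ", ".join(gone))
    for name in dangling_path_refs(cleaned):
        print(f"review: ${name} is still referenced but no longer defined")
    # Example: limit sid 1000003 to one alert per source address per minute.
    print(add_event_filter(cleaned, sig_id=1000003, count=1, seconds=60))
```

The `include $RULE_PATH/...` line in the sample is exactly the kind of setting the second bullet above asks you to review; the script points at it but leaves the decision to you.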
Performance
  • Use SNORT rule profiling only when needed because it can affect SNORT engine performance.
  • High SNORT rule activity can burden the appliance. Use the secured and unanalyzed throughput statistics in the Network Dashboard to gauge the capacity of your SNORT rule activity: low secured traffic together with high unanalyzed traffic might indicate high SNORT rule activity.
General
  • The current integrated system does not support the block response because the integrated SNORT system is not inline; it runs in IDS mode.
  • The SNORT system sends TCP resets in response to unwanted TCP connections through the TCP reset port.
  • The SNORT system sends ICMP port unreachable messages in response to unwanted UDP connections through the TCP reset port.