Use the SNORT Configuration tab on the SNORT Configuration and Rules page for the Network IPS appliance to review the default SNORT configuration file or to add configuration contents, to apply the file to specific appliance interfaces, and to configure SNORT rule profiling.
About this task
Navigating in the Network IPS Local Management Interface:
Navigating in the SiteProtector™ system: select the SNORT Configuration and Rules policy
Important: Use the SNORT rule profiling feature only when needed because it can affect SNORT engine performance.
Unsupported SNORT configuration options
Procedure
- Click the SNORT Configuration tab.
- In the Import SNORT Configuration File area, use the default configuration file, import a SNORT.conf file, or add supported configuration contents.
  Notes:
  - If you import a SNORT.conf file, it replaces the default one.
  - If you import a SNORT.conf file, delete variable rule paths. Examples of variable rule paths are as follows:
    - var PREPROC_RULE_PATH ../preproc_rules
    - var WHITE_LIST_PATH /etc/snort/rules
  - If you use the default configuration file, review and adjust its network settings so that it works for your environment.
  - The Network IPS appliance does not support the use of third-party preprocessors.
- In the Interfaces area, configure the following options:
  - Select the appropriate interfaces to apply the configuration file.
  - Select the Inspect HA mirrored ports check box to enable the SNORT systems on appliances in a high availability (HA) pair to analyze packets on mirrored ports. See SNORT and HA mode for information about the behavior of the SNORT system when this check box is enabled or disabled.
- In the Rule Profiling area, configure the options for gathering performance metrics about SNORT rules.
  - Select the Enable rule profiling check box to record SNORT performance statistics.
    Note: You must also enable the SNORT Execution check box on the SNORT Execution tab for this feature to work.
  - Select Number of rules to display from the list. The appliance displays the rules with the worst statistics.
  - Select the Sort option, which is a list of statistics that the system uses to order the rule profile. The statistics are as follows:
| Statistic | Description |
| --- | --- |
| Checks | The number of times that the SNORT engine checks for rule options after the SNORT engine completes an initial analysis to group and pre-screen traffic. |
| Matches | The number of times that the SNORT engine finds traffic that matches all rule options. |
| No Matches | The number of times that the SNORT engine finds no traffic that matches all rule options. |
| Average Ticks (Avg/Check) | The average time that the SNORT engine takes to check each packet against the listed rule. |
| Average Ticks Per Match (Avg/Match) | The average time that the SNORT engine takes to check each packet that matches all rule options. |
| Average Ticks Per No Match (Avg/Nonmatch) | The average time that the SNORT engine takes to check each packet that did not generate an event. Note: This statistic represents wasted time spent checking clean traffic. |
| Total Ticks | The rules that are responsible for consuming the most processing time. |
To view and download SNORT performance statistics, go to . See Using SNORT rule profiling for information.
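The import notes in the procedure say to delete variable rule paths from an imported SNORT.conf file. The following Python sketch is an added example, not IBM code: it drops `var` lines whose name ends in `_PATH` (an assumption drawn from the two examples in the notes) and lists the remaining lines that still reference a removed variable, so that they can be reviewed before import. The sample configuration and the function name `prepare_for_import` are constructed for illustration.

```python
import re

# Assumption: a "variable rule path" is a var whose name ends in _PATH,
# as in the page's examples PREPROC_RULE_PATH and WHITE_LIST_PATH.
PATH_VAR = re.compile(r"^\s*var\s+(\w+_PATH)\s+\S+")
# Snort 2.x variable references look like $NAME or $(NAME).
VAR_REF = re.compile(r"\$\(?(\w+)")

# Constructed sample input, not a real appliance configuration.
SAMPLE_CONF = """\
ipvar HOME_NET 192.0.2.0/24
var RULE_PATH ../rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
# include $RULE_PATH/disabled.rules
preprocessor reputation: whitelist $WHITE_LIST_PATH/white_list.rules
include $RULE_PATH/local.rules
include $(PREPROC_RULE_PATH)/preprocessor.rules
"""


def prepare_for_import(conf_text):
    """Return (cleaned_text, removed, dangling) for a snort.conf string."""
    removed, kept = {}, []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        match = PATH_VAR.match(line)
        if match:
            removed[match.group(1)] = lineno      # drop the declaration
        else:
            kept.append((lineno, line))
    dangling = []
    for lineno, line in kept:
        active = line.split("#", 1)[0]            # ignore comment text
        refs = sorted({n for n in VAR_REF.findall(active) if n in removed})
        if refs:
            dangling.append((lineno, refs, line.strip()))
    cleaned = "\n".join(line for _, line in kept) + "\n"
    return cleaned, removed, dangling


if __name__ == "__main__":
    cleaned, removed, dangling = prepare_for_import(SAMPLE_CONF)
    for name, lineno in removed.items():
        print(f"removed line {lineno}: var {name}")
    for lineno, refs, text in dangling:
        print(f"review line {lineno}: still uses {', '.join(refs)}: {text}")
```

Lines reported for review keep their original line numbers from the input file; how each reference should be resolved depends on the appliance and is left to the operator.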
What to do next
Apply policy settings after you configure settings for this tab. Apply is at the bottom of the page.
When you apply settings, you set the system to check for errors. See Troubleshooting SNORT errors for information about system behavior when it encounters an error.
This tab enables SNORT configuration options. However, the system is not analyzing traffic until you add rules. Go to the SNORT Rules tab to add SNORT rules.