About the Design

The Network IPS appliance includes design elements that enable it to run the integrated SNORT system along with its other detection and prevention features.

The integrated SNORT system design includes these elements:
  • PAM and SNORT: The Protocol Analysis Module (PAM) and the integrated SNORT system analyze the same packets independently; neither system controls the other. See SNORT and PAM for more information.
  • SnEP: The appliance contains a SNORT event processor (SnEP) that processes SNORT events, processes responses for SNORT events, and manages and reports SNORT errors.
  • High Availability (HA) mode: The SNORT systems on appliances in an HA pair do not inspect packets from mirrored ports. This behavior applies to pairs running in inline protection or inline simulation modes. This design feature minimizes the possibility of duplicate global responses and SiteProtector alerts.
    Note: The quarantine rules generated from SNORT events might be out of sync on the appliances in the HA pair.
  • TCP resets: The SNORT system sends TCP resets in response to unwanted TCP connections through the TCP Reset Port.
  • ICMP port unreachable: The SNORT system sends ICMP port unreachable messages in response to unwanted UDP connections through the TCP Reset Port.
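As an added illustration of the two response types listed above (example rules written for this page, not taken from the original topic or from IBM's documentation), the following shows how standard Snort 2 rule syntax requests a TCP reset or an ICMP port unreachable with the `resp` keyword. The networks, ports, message text and SIDs are constructed values, and it is an assumption that the appliance's SNORT system honours `resp` in imported rules rather than applying a response configured elsewhere:

```snort
# Constructed example rules (not part of the original page).
# Assumed: the appliance's SNORT system honours the Snort 2 "resp" keyword.

# TCP: tear down the unwanted connection by sending a RST to both ends.
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"EXAMPLE telnet to internal host, reset"; flow:to_server,established; resp:rst_all; sid:1000001; rev:1;)

# UDP: answer the unwanted datagram with an ICMP port unreachable.
alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"EXAMPLE tftp to internal host, port unreachable"; resp:icmp_port; sid:1000002; rev:1;)
```

In a stock Snort 2.9 deployment the `resp` keyword only takes effect when active response is enabled in snort.conf (the `config response:` directive, which also selects the interface the responses leave on); on the appliance the design above routes these packets through the TCP Reset Port instead, so check the appliance's own response settings before relying on a rule's `resp` option.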