SNORT and quarantine functions

For Network IPS appliances, configure quarantine rules and send quarantine responses for events that are generated from suspicious activity that is identified by the integrated SNORT system.

Quarantine responses

Set quarantine responses for SNORT events in Secure Protection Settings > Response Tuning > Responses and in Secure Protection Settings > Advanced IPS > SNORT Configuration and Rules > SNORT Rules.

Important:
  • Quarantine responses work only when you configure the appliance to run in inline protection mode.
  • The Issue ID option in predefined and custom quarantine responses works for security events only. This option does not identify traffic for other events.
  • You cannot change the settings of, rename, or remove predefined quarantine responses. Define custom quarantine responses to meet specific needs.
  • Quarantine responses generate quarantine rules to block a single IP protocol (the protocol of the offending traffic) and not all traffic.
  • Quarantine rules that are generated by quarantine responses have a default duration of one hour. You can set or change the duration for these rules when you set up responses for events.
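
The two points above (a generated rule blocks only the offending IP protocol, and it expires after a default of one hour) can be modelled in code. The following is an added example, not appliance code or part of the original page; the rule and packet fields, the sample event and the 192.0.2.0/24 addresses are constructed assumptions:

```python
from dataclasses import dataclass

DEFAULT_DURATION_SECS = 3600  # one hour: the page's default for generated rules


@dataclass(frozen=True)
class QuarantineRule:
    source_ip: str
    protocol: str           # "tcp", "udp" or "icmp": only the offending protocol
    created_at: float       # seconds (any monotonic clock)
    duration_secs: int = DEFAULT_DURATION_SECS

    def is_active(self, now: float) -> bool:
        # A rule stops matching once its duration has elapsed.
        return now < self.created_at + self.duration_secs

    def matches(self, pkt: dict) -> bool:
        # Same source and the same IP protocol as the offending traffic only.
        return pkt["src"] == self.source_ip and pkt["proto"] == self.protocol


def rule_from_event(event: dict, now: float,
                    duration_secs: int = DEFAULT_DURATION_SECS) -> QuarantineRule:
    """Rule a quarantine response would generate for one SNORT event (assumed shape)."""
    return QuarantineRule(event["src"], event["proto"], now, duration_secs)


def evaluate(rules: list, pkt: dict, now: float) -> str:
    """Return 'block' if any still-active rule matches the packet, else 'allow'."""
    for rule in rules:
        if rule.is_active(now) and rule.matches(pkt):
            return "block"
    return "allow"


# Constructed sample event (the offending traffic was TCP from 192.0.2.10).
EVENT = {"src": "192.0.2.10", "proto": "tcp"}


def demo() -> dict:
    """Show protocol scoping and expiry of a generated rule."""
    rules = [rule_from_event(EVENT, now=0.0)]
    return {
        "same_src_tcp_early": evaluate(rules, {"src": "192.0.2.10", "proto": "tcp"}, 10.0),
        "same_src_udp_early": evaluate(rules, {"src": "192.0.2.10", "proto": "udp"}, 10.0),
        "other_src_tcp": evaluate(rules, {"src": "192.0.2.20", "proto": "tcp"}, 10.0),
        "same_src_tcp_expired": evaluate(rules, {"src": "192.0.2.10", "proto": "tcp"}, 3601.0),
    }
```

Only the TCP packet from the offending source is blocked, and only until the one-hour rule expires; UDP from the same host passes because the rule is scoped to a single IP protocol.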

For descriptions of the quarantine intruder, Trojan, worm, and DDoS responses, see Predefined quarantine responses.

Quarantine rules

The appliance displays significant SNORT events in Review Analysis and Diagnostics > Logs > Security Alerts. Use the single-click feature on the Security Alerts page to create quarantine rules for SNORT events: click the event and select Block Intruder. This action generates a quarantine rule only; it does not generate a block response. Edit quarantine rules in Secure Protection Settings > Response Tuning > Quarantine Rules.
Tip: If you do not see SNORT events on the Security Alerts page, check whether the setting Send alert messages to syslog is enabled on the SNORT Execution tab. When this setting is enabled, the SNORT system does not send events to the Security Alerts page.