The Network IPS appliance includes design elements that enable it to run the integrated SNORT system along with its other detection and prevention features. The integrated SNORT system design includes these elements:
PAM and SNORT: The Protocol Analysis Module (PAM) and the integrated SNORT system analyze the same packets independently. One system does not command the other. See SNORT and PAM for more information.
SnEP: The appliance contains a SNORT event processor (SnEP) that processes SNORT events, processes responses for SNORT events, and manages and reports SNORT errors.
High Availability (HA) mode: The SNORT systems on appliances in an HA pair do not inspect packets from mirrored ports. This behavior applies to pairs running in inline protection or inline simulation modes. This design feature minimizes the possibility of duplicate global responses and SiteProtector alerts.
Note: The quarantine rules generated from SNORT events might be out of sync on the appliances in the HA pair.
TCP resets: The SNORT system sends TCP resets in response to unwanted TCP connections through the TCP Reset Port.
ICMP port unreachable: The SNORT system sends ICMP port unreachable messages in response to unwanted UDP connections through the TCP Reset Port.
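As an added illustration that is not part of the IBM documentation, the two rules below are written in standard Snort 2 rule syntax and use the resp keyword to request exactly the two active responses described above: a TCP reset for an unwanted TCP connection and an ICMP port unreachable for an unwanted UDP connection. The rule contents (ports, messages, SIDs in the local range) are constructed for this example, and it is an assumption that the appliance's integrated SNORT system honors the resp keyword; in stock Snort the response interface is chosen with a config response line, whereas the page states the appliance uses its TCP Reset Port.

```snort
# Stock Snort 2 needs the interface that emits responses; on the appliance
# the page states responses leave through the TCP Reset Port instead.
# (Assumed stock-Snort setting, shown for comparison.)
config response: device eth0

# Unwanted TCP connection: reset the sender of the offending packet.
# rst_snd sends the TCP RST toward the client that opened the session.
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 ( \
    msg:"LOCAL telnet to server blocked with TCP reset"; \
    flow:to_server,established; \
    resp:rst_snd; \
    classtype:attempted-recon; \
    sid:1000001; rev:1; )

# Unwanted UDP traffic: there is no connection to reset, so answer with
# an ICMP port unreachable, which is what the page describes for UDP.
alert udp $EXTERNAL_NET any -> $HOME_NET 69 ( \
    msg:"LOCAL tftp request answered with ICMP port unreachable"; \
    resp:icmp_port; \
    classtype:attempted-recon; \
    sid:1000002; rev:1; )
```

Both rules still raise an alert, so the event reaches the SNORT event processor (SnEP) as usual; the resp option only adds the active response, and it must be reviewed carefully before use in an HA pair because the page notes quarantine state may drift between the two appliances.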