Take these steps and consider these Network IPS appliance behaviors when you use the integrated SNORT system.
Risks

If you know how to use SNORT, the integrated system offers customized protection against a vast range of threats. However, if it is not used properly, the SNORT system can burden the appliance with errors and degrade its performance. Do not use the integrated SNORT system if you are not familiar with SNORT. IBM® Support is not available to help write or troubleshoot custom SNORT rules and configuration contents.

Use this information to configure and manage the integrated SNORT system on the Network IPS appliance.

For the latest information about SNORT, including rules, documentation, and community forums, go to http://www.snort.org.
Considerations

SNORT rules
- Use an appropriate SNORT rule syntax checker to review the integrity of your rules, because the integrated system does not check rule syntax. A rule with a syntax error is not caught at import time.
- Import no more than 9000 SNORT rules from a rules file. Importing more rules at one time affects the performance of the Network IPS Local Management Interface and the SiteProtector™ Console.
- Import SNORT rules files no larger than 5 MB. Importing larger SNORT rules files affects the performance of the Network IPS Local Management Interface and the SiteProtector Console.
- The Network IPS appliance does not support the use of dynamic rules for SNORT.
- The current integrated system supports quarantine rules for actively responding to unwanted traffic. It also supports SNORT TCP reset rules for actively responding to unwanted traffic.
- When two rules have the same SID and revision number, the current integrated system inspects traffic with the rule that was entered last and ignores the earlier rule. Check for duplicate SID/revision pairs before you import, or a rule you expect to be active will silently be replaced.
- Use event filters in the configuration file to manage SNORT rules that cause an excessive number of alerts.
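As an added example (not IBM's code and not part of the appliance), the following Python script applies the checks in the list above to a rules file before you import it: a lightweight syntax check of the rule header and option list, the 9000-rule and 5 MB limits, and detection of duplicate SID/revision pairs, reporting which rule the appliance would actually use (the one entered last). The header pattern, the option tokenizer and the sample rules are my own constructions and cover only a subset of Snort's grammar; run a real syntax checker (for example `snort -T -c` against a configuration that includes the file) before you trust a rules file.

```python
"""Pre-import checks for a SNORT rules file (added example, not IBM's code).

Applies the limits stated on this page: at most 9000 rules per import, a file
no larger than 5 MB, and duplicate SID/rev pairs resolved in favour of the rule
entered last. Header/option parsing is a small subset of Snort's grammar.
"""
import re
from collections import OrderedDict

MAX_RULES = 9000             # per-import rule limit stated on this page
MAX_BYTES = 5 * 1024 * 1024  # 5 MB rules file limit stated on this page

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

# action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def split_options(opts):
    """Split the option body on ';' outside double quotes.

    Snort escapes a quote with a backslash and requires every option,
    including the last one, to end with ';'."""
    parts, cur, in_quote, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if in_quote:
        raise ValueError("unterminated quote in rule options")
    if "".join(cur).strip():
        raise ValueError("last option is missing its trailing ';'")
    return [p for p in parts if p]


def parse_rule(line):
    """Parse one rule line into a dict, or raise ValueError with the reason."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("header is not 'action proto src sport dir dst dport (options)'")
    if m["action"] not in ACTIONS:
        raise ValueError(f"unknown action {m['action']!r}")
    if m["proto"] not in PROTOCOLS:
        raise ValueError(f"unknown protocol {m['proto']!r}")
    options = {}
    for opt in split_options(m["opts"]):
        key, _, val = opt.partition(":")
        options.setdefault(key.strip(), val.strip())  # first occurrence wins
    if not options.get("sid", "").isdigit():
        raise ValueError("missing or non-numeric sid")
    rule = m.groupdict()
    rule["options"] = options
    rule["sid"] = options["sid"]
    rule["rev"] = options.get("rev")  # may be absent; then keyed as None
    return rule


def check_rules(text):
    """Return (effective, problems): effective maps (sid, rev) to the rule the
    appliance would use for that pair (the one entered last); problems is a
    list of human-readable findings."""
    problems = []
    size = len(text.encode("utf-8"))
    if size > MAX_BYTES:
        problems.append(f"file is {size} bytes, over the 5 MB import limit")
    effective, count = OrderedDict(), 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        count += 1
        try:
            rule = parse_rule(line)
        except ValueError as err:
            problems.append(f"line {lineno}: {err}")
            continue
        rule["line"] = lineno
        key = (rule["sid"], rule["rev"])
        if key in effective:
            problems.append(f"line {lineno}: duplicate sid {key[0]} rev {key[1]}; it replaces "
                            f"the rule on line {effective[key]['line']}, which will be ignored")
        effective[key] = rule
    if count > MAX_RULES:
        problems.append(f"{count} rules, over the {MAX_RULES}-rule import limit")
    return effective, problems


# Constructed sample input for this example; not a real rule set.
SAMPLE_RULES = """\
# constructed sample rules file
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"semicolon in content; ok"; content:"/a;b"; sid:1000001; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"DNS test"; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"missing trailing semicolon"; sid:1000003; rev:1)
alert tcp any any -> $HOME_NET 80 (msg:"later duplicate of 1000001"; content:"/c"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"no sid";)
"""

if __name__ == "__main__":
    rules, findings = check_rules(SAMPLE_RULES)
    print("\n".join(findings))
    print(f"{len(rules)} distinct sid/rev pairs would be active")
```

On the constructed sample the script reports the missing trailing `;` on line 4, the duplicate on line 5 (which replaces the rule on line 2, exactly as the appliance would resolve it), and the rule without a SID on line 6; only two SID/revision pairs would be active.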
SNORT configuration
- The Network IPS appliance does not support the use of third-party preprocessors.
- Review and adjust the settings and directories in the configuration file (either the default configuration file or an imported configuration file) so that the file works for your environment.
- If you import a SNORT.conf file, delete the rule path variables, and review any include lines that still reference those variables. Examples of rule path variables:
  - var PREPROC_RULE_PATH ../preproc_rules
  - var WHITE_LIST_PATH /etc/snort/rules
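The following Python script is an added example (not IBM's code and not part of the appliance) for the two configuration-file tasks this page describes: it deletes the rule path variables from an imported SNORT.conf as the item above instructs, reports any remaining line that still expands one of the deleted variables (an include that does so will no longer resolve), and appends an event_filter directive for a noisy SID as the "event filters" item in the SNORT rules list recommends. Matching every `var NAME_PATH` line is my generalization of the two examples on this page; the sample configuration fragment is constructed for the example.

```python
"""Prepare a snort.conf for import (added example, not IBM's code).

Deletes rule path variables, reports lines that still reference them, and
appends a Snort 2 event_filter directive to rate-limit a noisy rule. Treating
every `var NAME_PATH` line as a rule path variable is a generalization of the
two examples on this page (PREPROC_RULE_PATH and WHITE_LIST_PATH).
"""
import re

RULE_PATH_VAR_RE = re.compile(r"^\s*var\s+(?P<name>\w+_PATH)\s+\S+")
VAR_REF_RE = re.compile(r"\$(\w+)")


def clean_conf(conf):
    """Return (cleaned_text, removed_variable_names, dangling_lines)."""
    kept, removed, dangling = [], [], []
    for line in conf.splitlines():
        m = RULE_PATH_VAR_RE.match(line)
        if m:
            removed.append(m["name"])
        else:
            kept.append(line)
    # Any kept line that still expands a removed variable needs attention:
    # its path will not resolve once the variable is gone.
    for line in kept:
        if any(ref in removed for ref in VAR_REF_RE.findall(line)):
            dangling.append(line.strip())
    return "\n".join(kept) + "\n", removed, dangling


def add_event_filter(conf, sid, count, seconds, track="by_src", gen_id=1):
    """Append an event_filter of type limit for one SID: at most `count`
    alerts per `seconds` for each tracked address."""
    if track not in ("by_src", "by_dst"):
        raise ValueError("track must be by_src or by_dst")
    if count < 1 or seconds < 1:
        raise ValueError("count and seconds must be positive")
    directive = (f"event_filter gen_id {gen_id}, sig_id {sid}, type limit, "
                 f"track {track}, count {count}, seconds {seconds}")
    return conf.rstrip("\n") + "\n" + directive + "\n"


# Constructed snort.conf fragment for this example.
SAMPLE_CONF = """\
# constructed snort.conf fragment
var RULE_PATH ../rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
ipvar HOME_NET 10.0.0.0/8
portvar HTTP_PORTS [80,8080]
include $RULE_PATH/local.rules
include classification.config
"""

if __name__ == "__main__":
    cleaned, removed, dangling = clean_conf(SAMPLE_CONF)
    print("removed variables:", removed)
    print("lines that still reference them:", dangling)
    print(add_event_filter(cleaned, 1000001, 1, 60))
```

The `ipvar` and `portvar` definitions are left alone because they are not rule path variables; the `include $RULE_PATH/local.rules` line is reported so that you can fix or remove it rather than discover the broken include after the import.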
Performance
- Use SNORT rule profiling only when needed, because it can affect SNORT engine performance.
- High SNORT rule activity can burden the appliance. Use the secured and unanalyzed throughput statistics in the Network Dashboard to gauge how much capacity your SNORT rule activity consumes. Low secured traffic combined with high unanalyzed traffic might indicate high SNORT rule activity.
General
- The current integrated system does not support the block response, because the integrated SNORT system is not inline; it runs in IDS mode.
- The SNORT system sends TCP resets through the TCP reset port in response to unwanted TCP connections. Because the sensor is passive and injects the reset out of band, the response is best-effort: a reset can arrive after the offending data has already been delivered.
- The SNORT system sends ICMP port unreachable messages through the TCP reset port in response to unwanted UDP connections.