Setting SNORT configuration

Use the SNORT Configuration tab on the SNORT Configuration and Rules page for the Network IPS appliance to review the default SNORT configuration file or to add configuration contents. You can also apply the file to specific appliance interfaces and configure SNORT rule profiling.

About this task

Navigating in the Network IPS Local Management Interface: Secure Protection Settings > Advanced IPS > SNORT Configuration and Rules

Navigating in the SiteProtector™ system: select the SNORT Configuration and Rules policy

Important: Use the SNORT rule profiling feature only when needed because it can affect SNORT engine performance.

See Unsupported SNORT configuration options for information.

Procedure

  1. Click the SNORT Configuration tab.
  2. In the Import SNORT Configuration File area, use the default configuration file, import a SNORT.conf file, or add supported configuration contents.
    Notes:
    • If you import a SNORT.conf file, it replaces the default one.
    • If you import a SNORT.conf file, delete variable rule paths. Examples of variable rule paths are as follows:
      • var PREPROC_RULE_PATH ../preproc_rules
      • var WHITE_LIST_PATH /etc/snort/rules
    • If you use the default configuration file, review and adjust its network settings so that it works for your environment.
    • The Network IPS appliance does not support the use of third-party preprocessors.
  3. In the Interfaces area, configure the following options:
    1. Select the interfaces to which the configuration file applies.
    2. Select the Inspect HA mirrored ports check box to enable the SNORT systems on appliances in a high availability (HA) pair to analyze packets on mirrored ports. See SNORT and HA mode for information about the behavior of the SNORT system when this check box is enabled or disabled.
  4. In the Rule Profiling area, configure the options for gathering performance metrics about SNORT rules.
    1. Select the Enable rule profiling check box to record SNORT performance statistics.
      Note: You must also enable the SNORT Execution check box on the SNORT Execution tab for this feature to work.
    2. Select Number of rules to display from the list. The appliance displays the rules with the worst statistics.
    3. Select the Sort option, which is a list of statistics that the system uses to order the rule profile. The statistics are as follows:
      • Checks: The number of times that the SNORT engine checks for rule options after the SNORT engine completes an initial analysis to group and pre-screen traffic.
      • Matches: The number of times that the SNORT engine finds traffic that matches all rule options.
      • No Matches: The number of times that the SNORT engine finds no traffic that matches all rule options.
      • Average Ticks (Avg/Check): The average time that the SNORT engine takes to check each packet against the listed rule.
      • Average Ticks Per Match (Avg/Match): The average time that the SNORT engine takes to check each packet that matches all rule options.
      • Average Ticks Per No Match (Avg/Nonmatch): The average time that the SNORT engine takes to check each packet that did not generate an event.
        Note: This statistic represents wasted time spent checking clean traffic.
      • Total Ticks: The total time that the SNORT engine spent checking packets against the listed rule. Sorting by this statistic shows the rules that consume the most processing time.

    To view and download SNORT performance statistics, go to Review Analysis and Diagnostics > Diagnostics > SNORT Rule Profiling. See Using SNORT rule profiling for information.
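The notes in step 2 tell you to delete variable rule paths from an imported SNORT.conf file and to review its network settings. The following script is an added example, not part of this documentation or of the appliance; it runs over a constructed snort.conf excerpt and assumes that a variable rule path is any var whose name ends in _PATH, that HOME_NET and EXTERNAL_NET are the network settings to review, and that an include line referencing a deleted path variable needs attention.

```python
import re

# Constructed sample snort.conf excerpt (not a file from the appliance). It
# contains the variable rule paths that the import step says to delete, plus
# network variables still at the shipped catch-all value.
SAMPLE_CONF = """\
# Constructed sample
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
portvar HTTP_PORTS [80,8080]
include $RULE_PATH/local.rules
"""

# Assumption: a "variable rule path" is a `var` whose name ends in _PATH.
RULE_PATH_RE = re.compile(r"^\s*var\s+(\w*_PATH)\s+\S+", re.IGNORECASE)
# Assumption: these are the network settings to adjust for the environment.
NET_VARS = {"HOME_NET", "EXTERNAL_NET"}
NET_VAR_RE = re.compile(r"^\s*(?:ipvar|var)\s+(\w+)\s+(\S+)", re.IGNORECASE)
# Include lines that expand a deleted path variable would no longer resolve.
INCLUDE_RE = re.compile(r"^\s*include\s+\$(\w*_PATH)\b", re.IGNORECASE)


def prepare_conf(text):
    """Return (cleaned_conf, removed, warnings).

    removed  - list of (line number, variable name) for deleted path vars
    warnings - human-readable review items that the script does not change
    """
    kept, removed, warnings = [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULE_PATH_RE.match(line)
        if m:
            removed.append((lineno, m.group(1).upper()))
            continue  # drop the variable rule path line
        m = NET_VAR_RE.match(line)
        if m and m.group(1).upper() in NET_VARS and m.group(2).lower() == "any":
            warnings.append(f"line {lineno}: {m.group(1)} is 'any'; set it for your network")
        m = INCLUDE_RE.match(line)
        if m:
            warnings.append(f"line {lineno}: include uses ${m.group(1)}, which was deleted")
        kept.append(line)
    return "\n".join(kept) + "\n", removed, warnings


if __name__ == "__main__":
    cleaned, removed, warnings = prepare_conf(SAMPLE_CONF)
    print(cleaned)
    print("removed:", removed)
    print("\n".join(warnings))
```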

What to do next

Apply policy settings after you configure settings for this tab. Apply is at the bottom of the page. When you apply settings, the system checks them for errors. See Troubleshooting SNORT errors for information about system behavior when it encounters an error.

This tab enables SNORT configuration options. However, the system does not analyze traffic until you add rules. Go to the SNORT Rules tab to add SNORT rules.