Use the SNORT Rules tab on the SNORT Configuration and Rules page for the Network IPS appliance to import a SNORT rules file, to add SNORT rules, and to configure these rules for the network.
About this task
Navigating in the Network IPS Local Management Interface:
Navigating in the SiteProtector™ system: select the SNORT Configuration and Rules policy
Procedure
- Click the SNORT Rules tab.
- Complete one or both of the following tasks:
  - In the Import SNORT Rule File area, click Select *.rules file(s) to import, navigate to the applicable rules file on the system, and open it.
  - In the Rules area, click the Add icon to add unique SNORT rules and to configure the following options:
Notes:
- The appliance groups together all the rules that you add by using the Add icon.
- The Network IPS appliance does not support the use of dynamic rules for SNORT.
Option | Description
Enabled | Enables the SNORT rule.
SID | Displays the SNORT-assigned identification of the rule. Note: A SNORT rule must have a SID or the appliance identifies the rule as invalid.
File | Displays the SNORT rules file from which the SNORT rule was imported.
Message | Displays the SNORT-assigned description of the rule.
Rule String | Lists the string version of the SNORT rule.
Comment | Specifies an optional description of the SNORT rule.
Severity | Specifies a severity level for the rule: low, medium, or high. Note: This setting is useful for statistical and filtering purposes. Use it to manipulate data on log pages (such as the Security Alerts page) and in graphs (such as the Attacks by Severity graph).
Display | Specifies how to display the SNORT event in the SiteProtector Console:
- None: Does not display the detected event.
- Without Raw: Logs a summary of the event.
- With Raw: Logs a summary of the event and logs the associated packet capture.
Log Evidence | Determines the type of packet to capture when suspicious traffic triggers events. The appliance logs files to the /var/iss/ directory. You can retrieve log evidence files from .
- None: The appliance captures no traffic.
- Offending Packet: The appliance captures the suspicious traffic.
- Connection: The appliance captures all traffic that matches the event protocol, source and destination address, source and destination port, or VLAN ID.
- Interface: The appliance captures all traffic that passes through the specified interfaces.
- All Interfaces: The appliance captures all traffic that passes through all interfaces.
Note: Connection, Interface, and All Interfaces are not available for the SNORT feature.
User Overridden | Identifies modified imported rules and rules that were created on the appliance. This setting is read-only and is useful for grouping.
Responses |
- Email: Specifies the email address that receives alerts about SNORT activity. For more information, see Supported agent parameters.
- Quarantine: Specifies responses that block intruders, including worms and Trojan horses, when the appliance detects SNORT activity.
- SNMP: Sends an SNMP trap that includes pertinent information about the SNORT traffic.
- User Specified: Specifies a custom response to SNORT traffic.
Tip: If you do not receive responses for SNORT activity, check whether the setting Send alert messages to syslog is enabled on the SNORT Execution tab. When this setting is enabled, the SNORT system does not send responses for SNORT activity.
If a response is not in the drop-down lists, you can configure the responses in .
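As an added example (not from this documentation or the appliance), the following Python script checks a SNORT rules file against the constraints listed above before you import it: a rule without a SID is flagged, because the appliance identifies such a rule as invalid, and rules that use Snort's activate/dynamic actions are flagged on the assumption that these are the dynamic rules the note says are unsupported. It also reports repeated SIDs, since the Rules area expects unique rules, and it recognises commented-out rules as disabled. The sample rules and every name in the script are constructed for illustration.

```python
"""Pre-import sanity check for a SNORT *.rules file.

Added example; not part of the Network IPS documentation or product code. It
applies two constraints stated for the SNORT Rules tab: every rule needs a SID
(otherwise the appliance identifies it as invalid) and dynamic rules are not
supported. The sample rules at the bottom are constructed for illustration only.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Rule header: action, protocol, source, source port, direction, destination,
# destination port, then the option body in parentheses.
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# Options are "name:value;" or bare "name;"; values may be double-quoted and
# may then contain semicolons.
OPTION_RE = re.compile(
    r'\s*(?P<name>[A-Za-z_.]+)(?::\s*(?P<value>"(?:[^"\\]|\\.)*"|[^;]*))?;'
)
# Assumption: "dynamic rules" refers to Snort's activate/dynamic rule actions.
UNSUPPORTED_ACTIONS = {"activate", "dynamic"}


@dataclass
class RuleCheck:
    line_no: int
    rule: str
    enabled: bool = True
    sid: Optional[str] = None
    message: Optional[str] = None
    problems: List[str] = field(default_factory=list)


def parse_rule(line_no: int, body: str, enabled: bool = True) -> RuleCheck:
    """Parse one rule (already stripped of a leading '#') and record its problems."""
    check = RuleCheck(line_no, body, enabled=enabled)
    m = HEADER_RE.match(body)
    if not m:
        check.problems.append("unparseable rule header")
        return check
    action = m.group("action").lower()
    if action in UNSUPPORTED_ACTIONS:
        check.problems.append(f"{action} rule: dynamic rules are not supported")
    opts: Dict[str, str] = {}
    for om in OPTION_RE.finditer(m.group("opts")):
        opts[om.group("name").lower()] = (om.group("value") or "").strip().strip('"')
    check.sid = opts.get("sid") or None
    check.message = opts.get("msg")
    if check.sid is None:
        check.problems.append("missing sid: the appliance will identify the rule as invalid")
    elif not check.sid.isdigit():
        check.problems.append(f"non-numeric sid {check.sid!r}")
    if check.message is None:
        check.problems.append("missing msg: no description for the Message column")
    return check


def check_rules_file(text: str) -> List[RuleCheck]:
    """Check every rule in a rules file; comments and blank lines are skipped."""
    results: List[RuleCheck] = []
    for n, line in enumerate(text.splitlines(), start=1):
        body = line.strip()
        if not body:
            continue
        enabled = True
        if body.startswith("#"):
            # A commented-out rule is a disabled rule; anything else is a plain comment.
            body = body.lstrip("#").strip()
            if not HEADER_RE.match(body):
                continue
            enabled = False
        results.append(parse_rule(n, body, enabled))
    # SIDs must be unique; report a repeat against its first occurrence.
    first_seen: Dict[str, int] = {}
    for r in results:
        if r.sid is None:
            continue
        if r.sid in first_seen:
            r.problems.append(f"duplicate sid {r.sid} (first used on line {first_seen[r.sid]})")
        else:
            first_seen[r.sid] = r.line_no
    return results


def report(text: str) -> List[str]:
    """One human-readable line per rule, suitable for printing before an import."""
    lines = []
    for r in check_rules_file(text):
        state = "on " if r.enabled else "off"
        status = "OK" if not r.problems else "; ".join(r.problems)
        lines.append(f"line {r.line_no:>3} [{state}] sid={r.sid or '-':<8} {status}")
    return lines


# Constructed sample rules file; these are not real signatures.
SAMPLE_RULES = """\
# Constructed sample rules for the checker; not real signatures.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE SSH banner probe"; flow:to_server,established; content:"SSH-"; depth:4; sid:1000001; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"SAMPLE DNS query without sid"; content:"|00 01 00 00|"; rev:1;)
activate tcp any any -> $HOME_NET 23 (msg:"SAMPLE activate rule"; activates:1; sid:1000003; rev:1;)
# alert tcp any any -> any 80 (msg:"SAMPLE disabled rule"; sid:1000004; rev:1;)
alert tcp any any -> any 443 (msg:"SAMPLE duplicate sid"; sid:1000001; rev:2;)
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_RULES)))
```

Run it against a real rules file by replacing SAMPLE_RULES with the file contents; any line that is not "OK" is one the Rules table would show as invalid, unsupported, or ambiguous after import.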
What to do next
Apply policy settings after you configure settings for this tab. Apply is at the bottom of the page. When you apply settings, the system checks them for errors. See Troubleshooting SNORT errors for information about system behavior when it encounters an error.