Use the SNORT Configuration tab to
review the default SNORT configuration file or to add configuration
contents. Apply the file to specific appliance interfaces and configure
SNORT rule profiling.
About this task
Navigating in IPS Local Management Interface:
Navigating in SiteProtector™ Management: select the SNORT
Configuration and Rules policy
Important: Use
the SNORT rule profiling feature only when needed because it can impact
SNORT engine performance.
Unsupported SNORT configuration options
Procedure
- Click the SNORT Configuration tab.
- In the Import SNORT Configuration File area, use the default configuration file, import a SNORT.conf file, or add supported configuration contents.
  Notes:
  - If you import a SNORT.conf file, it replaces the default one.
  - If you import a SNORT.conf file, delete variable rule paths. Examples of variable rule paths:
    - var PREPROC_RULE_PATH ../preproc_rules
    - var WHITE_LIST_PATH /etc/snort/rules
  - If you use the default configuration file, review and adjust its network settings so that it works for your environment.
  - The Network IPS appliance does not support the use of third-party preprocessors.
- In the Interfaces area, set the following options:
  - Select the appropriate interfaces to apply the configuration file to.
  - Select the Inspect HA mirrored ports check box to enable the SNORT systems on appliances in a high availability (HA) pair to analyze packets on mirrored ports. See SNORT and HA mode for information about the behavior of the SNORT system when this check box is enabled or disabled.
- In the Rule Profiling area, configure the options for gathering performance metrics about SNORT rules.
  - Select the Enable rule profiling check box to record SNORT performance statistics.
    Note: You must also enable the SNORT Execution check box on the SNORT Execution tab for this feature to work.
  - Select Number of rules to display from the list. The appliance displays the rules with the worst statistics.
  - Select the Sort option, which is a list of statistics the system uses to order the rule profile. The statistics are:
| Statistic | Description |
| --- | --- |
| Checks | The number of times the SNORT engine checks for rule options after the SNORT engine completes an initial analysis to group and pre-screen traffic. |
| Matches | The number of times the SNORT engine finds traffic matching all rule options. |
| No Matches | The number of times the SNORT engine finds no traffic matching all rule options. |
| Average Ticks (Avg/Check) | The average time the SNORT engine takes to check each packet against the listed rule. |
| Average Ticks Per Match (Avg/Match) | The average time the SNORT engine takes to check each packet that matches all rule options. |
| Average Ticks Per No Match (Avg/Nonmatch) | The average time the SNORT engine takes to check each packet that did not generate an event. Note: This statistic represents wasted time spent checking clean traffic. |
| Total Ticks | The rules responsible for consuming the most processing time. |
To view and download SNORT performance statistics, go to . See Using SNORT rule profiling for information.
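A pre-import check for the note about variable rule paths in the import step, as an added example that is not part of the original documentation or the product. It removes variable declarations whose names end in `_PATH` (an assumption that generalizes the two examples in the note; `RULE_PATH` is treated the same way on that basis) and lists the remaining lines that still reference a removed variable. The function name and the sample configuration are constructed for illustration.

```python
import re

# Snort variable declarations: var / ipvar / portvar NAME VALUE
VAR_RE = re.compile(r"^\s*(?:var|ipvar|portvar)\s+(\w+)\s+(\S.*)$")

# Constructed sample input, not a real appliance configuration.
SAMPLE_CONF = """\
# constructed sample snort.conf fragment
ipvar HOME_NET 10.0.0.0/8
ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH ../rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
config checksum_mode: all
# include $PREPROC_RULE_PATH/preprocessor.rules
include $RULE_PATH/local.rules
"""

def strip_rule_path_vars(conf_text):
    """Drop variable rule paths; report lines that still reference them.

    Returns (cleaned_text, removed_names, dangling), where dangling holds
    (line_number_in_cleaned_text, line) for each live line using a removed name.
    """
    removed, kept = [], []
    for line in conf_text.splitlines():
        m = VAR_RE.match(line)
        # Assumption: a "variable rule path" is a variable named *_PATH.
        if m and m.group(1).endswith("_PATH"):
            removed.append(m.group(1))
            continue
        kept.append(line)
    dangling = []
    if removed:
        names = "|".join(re.escape(n) for n in removed)
        ref_re = re.compile(r"\$\(?(?:" + names + r")\b")
        for n, line in enumerate(kept, 1):
            # Commented-out lines are harmless; only live directives matter.
            if not line.lstrip().startswith("#") and ref_re.search(line):
                dangling.append((n, line.strip()))
    return "\n".join(kept) + "\n", removed, dangling

if __name__ == "__main__":
    cleaned, removed, dangling = strip_rule_path_vars(SAMPLE_CONF)
    print("removed:", ", ".join(removed))
    for n, line in dangling:
        print(f"line {n} still references a removed variable: {line}")
```

Lines reported as dangling need to be edited or removed by hand before the file is imported, because the variable they depend on no longer exists.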
What to do next
Apply policy settings after configuring this tab. Apply is at the bottom of the page. When you apply settings, the system checks for errors. See Troubleshooting SNORT errors for information about system behavior when it encounters an error.
This tab enables SNORT configuration options. However, the system does not analyze traffic until you add rules. Go to the SNORT Rules tab to add SNORT rules.