Take these steps and consider these appliance behaviors when using SNORT.
Risks
If you know how to use SNORT, the system offers customized protection against a vast range of threats. However, if not used properly, the SNORT system can burden the appliance with errors and hinder its performance. Do not use the integrated SNORT system if you are not familiar with SNORT. IBM® Customer Support is not available to help write or troubleshoot custom SNORT rules and configuration contents.
Use the information in this section to configure and manage the integrated SNORT system on the Network IPS appliance.
For the latest information about SNORT, including rules, documentation, and community forums, go to http://www.snort.org.
Considerations
SNORT rules
- Use an appropriate SNORT rule syntax checker to review the integrity of your rules, because the integrated system does not check rule syntax.
- Import no more than 9000 SNORT rules from a rules file. Importing more rules at one time impacts IPS Local Management Interface and SiteProtector™ console performance.
- Import SNORT rules files no bigger than 5 MB. Importing bigger SNORT rules files impacts IPS Local Management Interface and SiteProtector console performance.
- The Network IPS appliance does not support the use of dynamic rules for SNORT.
- The current integrated system supports quarantine rules for actively responding to unwanted traffic. It also supports the use of SNORT TCP reset rules for actively responding to unwanted traffic.
- The current integrated system processes rules with duplicate SIDs and revision numbers by inspecting traffic with the rule that was last entered. The system ignores the previous rule.
- Use event filters in the configuration file to manage SNORT rules that cause an excessive number of alerts.
SNORT configuration
- The Network IPS appliance does not support the use of third-party preprocessors.
- Review and adjust the settings and directories in the configuration file (either the default configuration file or an imported configuration file) so that the file works for your environment.
- If you import a SNORT.conf file, delete rule path variables. Examples of rule path variables:
  - var PREPROC_RULE_PATH ../preproc_rules
  - var WHITE_LIST_PATH /etc/snort/rules
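A pre-import check that applies the rules and configuration considerations above, written as an added example (not IBM's or the appliance's own tooling). The 9000-rule and 5 MB limits are the ones stated on this page; the sample rules and snort.conf lines are constructed, and the duplicate-SID handling mirrors the "last rule entered wins" behavior described above.

```python
import re

# Limits stated on this page for a single import.
MAX_RULES = 9000
MAX_BYTES = 5 * 1024 * 1024

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")
# Rule path variables (var RULE_PATH, var PREPROC_RULE_PATH, ...) to delete from an imported conf.
RULE_PATH_VAR_RE = re.compile(r"^\s*var\s+\w*_PATH\b")

SAMPLE_RULES = """# constructed rules file, not from the original page
alert tcp any any -> any 80 (msg:"first"; sid:1000001; rev:1;)
alert tcp any any -> any 443 (msg:"second"; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"first again"; sid:1000001; rev:1;)
"""
SAMPLE_CONF = """# constructed snort.conf fragment, not from the original page
var RULE_PATH ../rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
preprocessor frag3_global
"""


def check_rules(rules_text):
    """Return (rule_count, duplicates, warnings); duplicates maps (sid, rev) to the
    line numbers sharing that pair, of which the appliance keeps only the last."""
    seen, count = {}, 0
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments are not rules
        count += 1
        sid, rev = SID_RE.search(stripped), REV_RE.search(stripped)
        key = (sid.group(1) if sid else None, rev.group(1) if rev else "1")
        seen.setdefault(key, []).append(lineno)
    duplicates = {k: v for k, v in seen.items() if len(v) > 1}
    warnings = [f"sid {s} rev {r}: line {ls[-1]} wins, lines {ls[:-1]} ignored"
                for (s, r), ls in duplicates.items()]
    if count > MAX_RULES:
        warnings.append(f"{count} rules exceeds the {MAX_RULES}-rule import limit")
    if len(rules_text.encode()) > MAX_BYTES:
        warnings.append("rules file is larger than 5 MB")
    return count, duplicates, warnings


def find_rule_path_vars(conf_text):
    """Line numbers of rule path variables to delete before importing the conf."""
    return [n for n, l in enumerate(conf_text.splitlines(), 1)
            if RULE_PATH_VAR_RE.match(l)]
```

Run the two functions over the real rules file and snort.conf before importing; the duplicate report tells you which lines the appliance would silently ignore.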
Performance
- Use SNORT rule profiling only when needed, because it can impact SNORT engine performance.
- High SNORT rule activity can burden the appliance. Use the secured and unanalyzed throughput statistics to determine the capacity of your SNORT rule activity. Find these throughput statistics in the Network Dashboard. Low secured traffic and high unanalyzed traffic might indicate high SNORT rule activity.
General
- The current integrated system does not support the block response, because the integrated SNORT system is not inline. It is in IDS mode.
- The SNORT system sends TCP resets in response to unwanted TCP connections through the TCP reset port.
- The SNORT system sends ICMP port unreachable messages in response to unwanted UDP connections through the TCP reset port.