Use the SNORT Rules tab to import a SNORT rules file, to add SNORT rules, and to configure these rules for the network.
About this task
- Navigating in IPS Local Management Interface:
- Navigating in SiteProtector™ Management: select the SNORT Configuration and Rules policy.
Procedure
- Click the SNORT Rules tab.
- Do one or both of the following tasks:
  - In the Import SNORT Rule File area, click Select *.rules file(s) to import, navigate to the applicable rules file on the system, and open it.
  - In the Rules area, click the Add icon to add unique SNORT rules and to set the following options:

Notes:
- The appliance groups all the rules you add using the Add icon together.
- The Network IPS appliance does not support the use of dynamic rules for SNORT.
| Option | Description |
| --- | --- |
| Enabled | Enables the SNORT rule. |
| SID | Displays the SNORT-assigned identification of the rule. Note: A SNORT rule must have a SID or the appliance identifies the rule as invalid. |
| Message | Displays the SNORT-assigned description of the rule. |
| Rule String | Lists the string version of the SNORT rule. |
| Comment | Specifies an optional description of the SNORT rule. |
| Display | Specifies how to display the SNORT event in the SiteProtector Management console: None does not display the detected event; Without Raw logs a summary of the event. |
| Severity | Specifies a severity level for the rule: low, medium, or high. Note: This setting is useful for statistical and filtering purposes. Use it to manipulate data on log pages (such as the Security Alerts page) and in graphs (such as the Attacks by Severity graph). |
| User Override | Identifies modified imported rules and rules created on the appliance. This setting is read-only and is useful for grouping. |
| Responses | Email: Specifies the email address that receives alerts about SNORT activity. For more information, see Supported agent parameters. Quarantine: Specifies responses that block intruders, including worms and Trojan horses, when the appliance detects SNORT activity. SNMP: Sends an SNMP trap that includes pertinent information about the SNORT traffic. User Specified: Specifies a custom response to SNORT traffic. Tip: If you do not receive responses for SNORT activity, check whether the setting Send alert messages to syslog is enabled on the SNORT Execution tab. When this setting is enabled, the SNORT system does not send responses for SNORT activity. If a response is not in the drop-down lists, you can configure the responses in . |
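The table above describes the per-rule properties the appliance reads from a rule string (SID, message, rule string), and the notes state that a rule without a SID is treated as invalid and that dynamic rules are not supported. The following added Python example, which is not code from this page or from the IBM appliance, performs that kind of pre-import check on a .rules file so that problems are found before the file is uploaded. It assumes Snort 2.x rule syntax (a header followed by a parenthesised option list with options separated by ';', and 'activate'/'dynamic' as the legacy paired rule actions); the sample rules file is constructed for the example. It also goes a step beyond the page by flagging SIDs that appear more than once in the same file.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Rule actions defined by Snort 2.x. "activate" and "dynamic" are the legacy
# paired actions; the page states the appliance does not support dynamic rules.
SNORT_ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}

# Header: action proto src sport direction dst dport, then "(options)".
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class ParsedRule:
    raw: str
    action: str = ""
    sid: Optional[int] = None
    rev: Optional[int] = None
    msg: str = ""
    problems: List[str] = field(default_factory=list)

    @property
    def valid(self) -> bool:
        return not self.problems


def split_options(opts: str) -> List[str]:
    """Split the option body on ';' while leaving quoted msg/content values intact."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(opts):
        ch = opts[i]
        if ch == "\\" and quoted and i + 1 < len(opts):  # escaped char inside quotes
            buf.append(ch + opts[i + 1])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(line: str) -> ParsedRule:
    """Parse one rule line and record the checks that the table above implies."""
    rule = ParsedRule(raw=line.strip())
    m = HEADER_RE.match(rule.raw)
    if not m:
        rule.problems.append("unparseable rule header or missing option parentheses")
        return rule
    rule.action = m.group("action")
    if rule.action not in SNORT_ACTIONS:
        rule.problems.append(f"unknown rule action '{rule.action}'")
    elif rule.action in ("activate", "dynamic"):
        rule.problems.append("activate/dynamic rules are not supported")
    for opt in split_options(m.group("opts")):
        key, _, value = opt.partition(":")
        key, value = key.strip(), value.strip()
        if key == "sid":
            if value.isdigit():
                rule.sid = int(value)
            else:
                rule.problems.append(f"sid is not numeric: '{value}'")
        elif key == "rev" and value.isdigit():
            rule.rev = int(value)
        elif key == "msg":
            rule.msg = value.strip('"')
    if rule.sid is None and not any(p.startswith("sid is not") for p in rule.problems):
        rule.problems.append("missing sid option")  # the appliance treats this as invalid
    return rule


def check_rules_file(text: str) -> List[ParsedRule]:
    """Parse every active rule in a .rules body (skipping blanks and '#' comments)
    and flag SIDs that occur more than once in the file."""
    results: List[ParsedRule] = []
    seen: Dict[int, int] = {}
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        rule = parse_rule(s)
        if rule.sid is not None:
            if rule.sid in seen:
                rule.problems.append(f"duplicate sid {rule.sid} (first seen on rule {seen[rule.sid]})")
            else:
                seen[rule.sid] = len(results) + 1
        results.append(rule)
    return results


# Constructed sample rules file for the example (not from the page).
SAMPLE_RULES = """
# comment line
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Example HTTP rule"; content:"example"; nocase; sid:1000001; rev:2;)
alert tcp any any -> any 22 (msg:"Missing SID example"; content:"SSH-";)
dynamic tcp any any -> any 143 (msg:"Legacy dynamic rule"; activated_by:1; count:50; sid:1000003;)
alert udp any any -> any 53 (msg:"Duplicate SID example"; sid:1000001; rev:1;)
"""

if __name__ == "__main__":
    for r in check_rules_file(SAMPLE_RULES):
        status = "OK     " if r.valid else "INVALID"
        print(f"{status} sid={r.sid} msg={r.msg!r} problems={r.problems}")
```

Running the block prints one line per rule; only the first sample rule passes, while the others are reported for a missing SID, an unsupported dynamic action, and a duplicate SID respectively. Rules that fail here would be the ones the appliance marks invalid after Apply, so fixing them first keeps the error check at apply time clean.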
What to do next
Apply policy settings after configuring this tab. The Apply button is at the bottom of the page. Applying the settings causes the system to check them for errors. See Troubleshooting SNORT errors for information about system behavior when it encounters an error.