Configuring SNORT rules

Use the SNORT Rules tab to import a SNORT rules file, to add SNORT rules, and to configure these rules for the network.

About this task

Navigating in IPS Local Management Interface: Secure Protection Settings > Advanced IPS > SNORT Configuration and Rules

Navigating in SiteProtector™ Management: select the SNORT Configuration and Rules policy

Procedure
  1. Click the SNORT Rules tab.
  2. Do one or both of the following tasks:
    • In the Import SNORT Rule File area, click Select *.rules file(s) to import, navigate to the applicable rules file on the system, and open it.
    • In the Rules area, click the Add icon to add unique SNORT rules and to set the following options:
      Notes:
      • The appliance groups all the rules you add using the Add icon together.
      • The Network IPS appliance does not support the use of dynamic rules for SNORT.
      Options:
      • Enabled: Enables the SNORT rule.
      • SID: Displays the SNORT-assigned identification (SID) of the rule.
        Note: A SNORT rule must have a SID or the appliance identifies the rule as invalid.
      • Message: Displays the SNORT-assigned description of the rule.
      • Rule String: Lists the string version of the SNORT rule.
      • Comment: Specifies an optional description of the SNORT rule.
      • Display: Specifies how to display the SNORT event in the SiteProtector Management console:
        • None: Does not display the detected event.
        • Without Raw: Logs a summary of the event.
      • Severity: Specifies a severity level for the rule: low, medium, or high.
        Note: This setting is useful for statistical and filtering purposes. Use it to manipulate data on log pages (such as the Security Alerts page) and in graphs (such as the Attacks by Severity graph).
      • User Override: Identifies modified imported rules and rules created on the appliance. This setting is read-only and is useful for grouping.
      • Responses:
        • Email: Specifies the email address that receives alerts about SNORT activity. For more information, see Supported agent parameters.
        • Quarantine: Specifies responses that block intruders, including worms and Trojan horses, when the appliance detects SNORT activity.
          Note: Quarantine responses work in inline protection mode only. See Predefined quarantine responses for descriptions of quarantine responses.
        • SNMP: Sends an SNMP trap that includes pertinent information about the SNORT traffic.
        • User Specified: Specifies a custom response to SNORT traffic.
      Tip: If you do not receive responses for SNORT activity, check whether the Send alert messages to syslog setting is enabled on the SNORT Execution tab. When that setting is enabled, the SNORT system does not send responses for SNORT activity.

      If a response is not in the drop-down lists, you can configure responses in Secure Protection Settings > Response Tuning > Responses.
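As an added example that is not part of the product documentation, the following Python pre-check reads a .rules file before you import it, pulls out each rule's SID and message, and flags rules without a SID (which the appliance identifies as invalid) and activate/dynamic rules (which the appliance does not support). The header pattern, option splitter and sample rules are the example's own assumptions, not anything defined by the appliance.

```python
import re
# Rule header: action proto src sport dir dst dport (options); the page says activate/dynamic rules are unsupported.
RULE_HEADER = re.compile(r"^(?P<action>\w+)(?:\s+\S+){3}\s+(?:->|<>)(?:\s+\S+){2}\s*\((?P<opts>.*)\)\s*$")
UNSUPPORTED_ACTIONS = {"dynamic", "activate"}

def split_options(opts):
    """Split 'key:value; flag; ...' on semicolons outside double quotes, so content:"a;b" stays intact."""
    items, buf, in_quote = [], [], False
    for ch in opts:
        in_quote ^= (ch == '"')
        if ch == ";" and not in_quote:
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf).strip())
    return [i for i in items if i]

def check_rules(text):
    """One report per rule line: sid, msg and a status the operator can act on before importing the file."""
    reports = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_HEADER.match(line)
        if not m:
            reports.append({"line": lineno, "sid": None, "msg": None, "status": "unparsed"})
            continue
        opts = {}
        for item in split_options(m.group("opts")):
            key, _, val = item.partition(":")
            opts.setdefault(key.strip(), val.strip().strip('"'))
        sid, msg = opts.get("sid"), opts.get("msg")
        if m.group("action") in UNSUPPORTED_ACTIONS:
            status = "unsupported-dynamic"
        elif not sid or not sid.isdigit():
            status = "missing-sid"  # the appliance marks a rule without a SID as invalid
        else:
            status = "ok"
        reports.append({"line": lineno, "sid": sid, "msg": msg, "status": status})
    return reports

SAMPLE_RULES = """# constructed sample .rules content, not product data
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB sample; semicolon in msg"; content:"/cgi-bin/"; sid:1000001; rev:1;)
alert udp any any -> any 53 (msg:"DNS sample without a sid"; content:"|00 01|";)
dynamic tcp any any -> any 21 (msg:"dynamic rule"; activated_by:1; count:50; sid:1000003;)
not a rule at all
"""
```

Run `check_rules(open("local.rules").read())` on a real file and fix or drop every report whose status is not "ok" before using Select *.rules file(s) to import.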

What to do next

Apply policy settings after configuring this tab. The Apply button is at the bottom of the page. Applying settings causes the system to check for errors. See Troubleshooting SNORT errors for information about system behavior when it encounters an error.