Use the SNORT Configuration tab to review the default SNORT configuration file or to add configuration contents. Apply the file to specific appliance interfaces and configure SNORT rule profiling.
About this task
Navigating in the IPS Local Management Interface:
Navigating in SiteProtector™ Management: select the SNORT Configuration and Rules policy
Important: Use the SNORT rule profiling feature only when needed because it can affect SNORT engine performance.
Unsupported SNORT configuration options
Procedure
- Click the SNORT Configuration tab.
- In the Import SNORT Configuration File area, use the default configuration file, import a SNORT.conf file, or add supported configuration contents.
  Notes:
  - If you import a SNORT.conf file, it replaces the default one.
  - If you import a SNORT.conf file, delete variable rule paths. Examples of variable rule paths:
    - var PREPROC_RULE_PATH ../preproc_rules
    - var WHITE_LIST_PATH /etc/snort/rules
  - If you use the default configuration file, review and adjust its network settings so that it works for your environment.
  - The Network IPS appliance does not support the use of third-party preprocessors.
- In the Interfaces area, set the following options:
  - Select the appropriate interfaces to apply the configuration file.
  - Select the Inspect HA mirrored ports check box to enable the SNORT systems on appliances in a high availability (HA) pair to analyze packets on mirrored ports. See SNORT and HA mode for information about the behavior of the SNORT system when this check box is enabled or disabled.
- In the Rule Profiling area, configure the options for gathering performance metrics about SNORT rules.
  - Select the Enable rule profiling check box to record SNORT performance statistics.
    Note: You must also enable the SNORT Execution check box on the SNORT Execution tab for this feature to work.
  - Select Number of rules to display from the list. The appliance displays the rules with the worst statistics.
  - Select the Sort option, which is a list of statistics that the system uses to order the rule profile. The statistics are:
| Statistic | Description |
| --- | --- |
| Checks | The number of times that the SNORT engine checks for rule options after the SNORT engine completes an initial analysis to group and pre-screen traffic. |
| Matches | The number of times that the SNORT engine finds traffic matching all rule options. |
| No Matches | The number of times that the SNORT engine finds no traffic matching all rule options. |
| Average Ticks (Avg/Check) | The average time that the SNORT engine takes to check each packet against the listed rule. |
| Average Ticks Per Match (Avg/Match) | The average time that the SNORT engine takes to check each packet that matches all rule options. |
| Average Ticks Per No Match (Avg/Nonmatch) | The average time that the SNORT engine takes to check each packet that did not generate an event. Note: This statistic represents wasted time spent checking clean traffic. |
| Total Ticks | The rules that are responsible for consuming the most processing time. |
To view and download SNORT performance statistics, go to . See Using SNORT rule profiling for information.
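The note about imported SNORT.conf files says to delete variable rule paths before import. The following Python script is an added example, not part of the product documentation or the appliance software: it removes `var` declarations whose name ends in `_PATH` (an assumed heuristic based on the two examples in the note) and lists lines that still reference a removed variable so that you can review them before import. The function name and the sample configuration are constructed for illustration.

```python
import re

# Assumed heuristic: a "variable rule path" is a "var NAME_PATH value"
# declaration, like "var PREPROC_RULE_PATH ../preproc_rules" in the note.
PATH_VAR = re.compile(r"^\s*var\s+(\w+_PATH)\s+\S+")

def strip_rule_path_vars(conf_text):
    """Return (cleaned_text, removed, dangling).

    removed  -- (line_number, variable_name) for each deleted declaration
    dangling -- (line_number, line) for lines that still use a removed variable
    """
    kept, removed = [], []
    for number, line in enumerate(conf_text.splitlines(), start=1):
        match = PATH_VAR.match(line)
        if match:
            removed.append((number, match.group(1)))
        else:
            kept.append((number, line))
    names = {name for _, name in removed}
    dangling = []
    for number, line in kept:
        code = line.split("#", 1)[0]  # ignore commented-out text
        used = set(re.findall(r"\$\(?(\w+)\)?", code))
        if used & names:
            dangling.append((number, line.strip()))
    cleaned = "\n".join(line for _, line in kept) + "\n"
    return cleaned, removed, dangling

# Constructed sample input, not a real appliance configuration.
SAMPLE_CONF = """\
ipvar HOME_NET 192.0.2.0/24
var RULE_PATH ../rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
# var SO_RULE_PATH ../so_rules
preprocessor frag3_global: max_frags 65536
include $RULE_PATH/local.rules
"""

if __name__ == "__main__":
    cleaned, removed, dangling = strip_rule_path_vars(SAMPLE_CONF)
    for number, name in removed:
        print(f"removed line {number}: var {name}")
    for number, line in dangling:
        print(f"review line {number}: {line}")
    print(cleaned, end="")
```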
What to do next
Apply policy settings after you configure settings for this tab. Apply is at the bottom of the page.
When you apply settings, you set the system to check for errors. See Troubleshooting SNORT errors for information about system behavior when it encounters an error.
This tab enables SNORT configuration options. However, the system is not analyzing traffic until you add rules. Go to the SNORT Rules tab to add SNORT rules.