Configuring SNORT rules

Use the SNORT Rules tab to import a SNORT rules file, to add SNORT rules, and to configure these rules for the network.

About this task

Navigating in IPS Local Management Interface: Secure Protection Settings > Advanced IPS > SNORT Configuration and Rules

Navigating in SiteProtector™ Management: select the SNORT Configuration and Rules policy

Procedure

  1. Click the SNORT Rules tab.
  2. Do one or both of the following tasks:
    • In the Import SNORT Rule File area, click Select *.rules file(s) to import, navigate to the applicable rules file on the system, and open it.
    • In the Rules area, click the Add icon to add unique SNORT rules and to set the following options:
      Notes:
      • The appliance groups all the rules you add using the Add icon together.
      • The Network IPS appliance does not support the use of dynamic rules for SNORT.
      Option and description:
      Enabled: Enables the SNORT rule.
      SID: Displays the SNORT ID of the rule (the sid option in the rule text).
      Note: A SNORT rule must have a SID or the appliance identifies the rule as invalid.
      File: Displays the SNORT rules file from which the SNORT rule was imported.
      Message: Displays the description of the rule (the msg option in the rule text).
      Rule String: Lists the string version of the SNORT rule.
      Comment: Specifies an optional description of the SNORT rule.
      Severity: Specifies a severity level for the rule: low, medium, or high.
      Note: This setting is useful for statistical and filtering purposes. Use it to manipulate data on log pages (such as the Security Alerts page) and in graphs (such as the Attacks by Severity graph).
      Display: Specifies how to display the SNORT event in the SiteProtector Management console:
      • None does not display the detected event.
      • Without Raw logs a summary of the event.
      • With Raw logs a summary of the event and logs the associated packet capture.
      Log Evidence:
      Determines the type of packet to capture when suspicious traffic triggers events. The appliance logs files to the /var/iss/ directory. You can retrieve log evidence files from Review Analysis and Diagnostics > Downloads > Logs and Packet Captures > Log Evidence.
      • None: The appliance captures no traffic.
      • Offending Packet: The appliance captures the suspicious traffic.
      • Connection: The appliance captures all traffic that matches the event protocol, source and destination address, source and destination port, and VLAN ID.
      • Interface: The appliance captures all traffic that passes through the specified interfaces.
      • All Interfaces: The appliance captures all traffic that passes through all interfaces.
      Note: Connection, Interface, and All Interfaces are not available for the SNORT feature.
      User Overridden: Identifies modified imported rules and rules created on the appliance. This setting is read-only and is useful for grouping.
      Responses:
      • Email: Specifies the email address that receives alerts about SNORT activity. For more information, see Supported agent parameters.
      • Quarantine: Specifies responses that block intruders, including worms and Trojan horses, when the appliance detects SNORT activity.
        Note: Quarantine responses work in inline protection mode only. See Predefined quarantine responses for descriptions of quarantine responses.
      • SNMP: Sends an SNMP trap that includes pertinent information about the SNORT traffic.
      • User Specified: Specifies a custom response to SNORT traffic.
      Tip: If you do not receive responses for SNORT activity, see if the setting Send alert messages to syslog is enabled on the SNORT Execution tab. When this setting is enabled, the SNORT system does not send responses for SNORT activity.

      If a response is not in the drop down lists, you can configure the responses in Secure Protection Settings > Response Tuning > Responses.
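      Because a rule without a SID is rejected as invalid and dynamic rules are not supported, it saves a round trip through Apply to check a rules file before importing it. The following script is an added example, not part of the product documentation or the appliance: it parses each rule in a *.rules file, reports rules with no sid option and activate/dynamic rules, and additionally warns about rules with no msg option and about repeated SIDs (those two warnings are good-practice checks assumed here, not behaviour the documentation describes). The rules in SAMPLE_RULES are constructed for illustration.

```python
"""Pre-import sanity check for a Snort *.rules file (added example, not product code).

Flags what the appliance rejects (no sid) or does not support (activate/dynamic
rules), plus assumed good-practice warnings (missing msg, repeated sid).
"""
import re

# Constructed sample rules: one valid rule, one with no sid, an activate/dynamic
# pair, and a rule that reuses an existing sid.
SAMPLE_RULES = r"""
# constructed sample rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force attempt"; flow:to_server,established; threshold:type threshold,track by_src,count 5,seconds 60; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"Rule with no sid"; content:"/etc/passwd"; rev:1;)
activate tcp any any -> $HOME_NET 143 (msg:"IMAP login overflow"; content:"|E8 C0 FF FF FF|/bin"; activates:1; sid:1000002; rev:1;)
dynamic tcp any any -> $HOME_NET 143 (activated_by:1; count:50; sid:1000003; rev:1;)
alert udp any any -> any 53 (msg:"Reused sid"; sid:1000001; rev:2;)
"""

# action, header (everything before the first '('), option body inside the parentheses
RULE_RE = re.compile(r"^(?P<action>[a-z]+)\s+(?P<header>[^(]+?)\s*\((?P<options>.*)\)\s*$")
DYNAMIC_ACTIONS = {"activate", "dynamic"}  # rule types the appliance does not support


def split_options(options: str) -> dict:
    """Split the option body into {name: value}; ';' only separates outside quotes."""
    parts, buf, in_quote, prev = [], [], False, ""
    for ch in options:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        prev = ch
    if "".join(buf).strip():
        parts.append("".join(buf))
    opts = {}
    for part in parts:
        part = part.strip()
        if part:
            name, _, value = part.partition(":")
            opts.setdefault(name.strip().lower(), value.strip())  # keep first occurrence
    return opts


def logical_lines(text: str):
    """Yield (line_no, rule) with backslash continuations joined; skip blanks and comments."""
    pending, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not pending:
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            start = no
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        yield start, " ".join(pending).strip()
        pending = []


def check_rules(text: str) -> dict:
    """Return {'ok': [sids that pass the hard checks], 'problems': [(line, level, message)]}."""
    ok, problems, seen = [], [], {}
    for no, rule in logical_lines(text):
        m = RULE_RE.match(rule)
        if not m:
            problems.append((no, "error", "rule text could not be parsed"))
            continue
        action = m.group("action").lower()
        opts = split_options(m.group("options"))
        sid = opts.get("sid")
        if action in DYNAMIC_ACTIONS:
            problems.append((no, "error", f"{action} rule: dynamic rules are not supported"))
            continue
        if not sid or not sid.isdigit():
            problems.append((no, "error", "no sid: the appliance treats the rule as invalid"))
            continue
        if "msg" not in opts:
            problems.append((no, "warning", f"sid {sid} has no msg option"))
        if sid in seen:
            problems.append((no, "warning", f"sid {sid} already used on line {seen[sid]}"))
        else:
            seen[sid] = no
        ok.append(sid)
    return {"ok": ok, "problems": problems}


if __name__ == "__main__":
    result = check_rules(SAMPLE_RULES)
    for line, level, message in result["problems"]:
        print(f"line {line}: {level}: {message}")
    print(f"{len(result['ok'])} rule(s) passed the hard checks")
```

      Run it against the real file (read the file into a string and pass it to check_rules) and fix every error before importing; the appliance groups all rules added through the Add icon together, so a rejected rule is easier to find in the file than on the tab.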

What to do next

Apply policy settings after configuring this tab. Apply is at the bottom of the page. When you apply settings, the appliance checks the rules for errors. See Troubleshooting SNORT errors for information about system behavior when it encounters an error.