Configuring SNORT execution

Use the SNORT Execution tab on the SNORT Configuration and Rules page for the Network IPS appliance to enable the SNORT engine and to configure SNORT command-line options.

About this task

Navigating in the Network IPS Local Management Interface: Secure Protection Settings > Advanced IPS > SNORT Configuration and Rules

Navigating in the SiteProtector™ system: select the SNORT Configuration and Rules policy

Procedure

  1. Click the SNORT Execution tab.
  2. Select the Enable SNORT Execution check box.
  3. In the Command Line Options area, configure the following options:

     Packet snap length
       Determines the packet size that the engine inspects. A packet snap length of zero inspects entire packets. This setting increases processing time and reduces packet buffering. However, it helps to detect large packets that carry malicious content at the end of the packet.

     Send alert messages to syslog
       Sends alert messages to the system log in the following locations:
       • /var/log/secure on Linux systems
       • /var/log/messages on other systems
       Important: If you enable sending alert messages to the syslog, the SNORT system behaves in the following ways:
       • The SNORT system does not send events to the Security Alerts page. If you want to create quarantine rules for SNORT activity, you need events on the Security Alerts page.
       • The SNORT system does not send alerts to the SiteProtector system.
       • The SNORT system does not send email, SNMP, quarantine, or user-specified responses for SNORT activity, even if they are enabled on the SNORT Rules tab.

       View system log messages in the Network IPS Local Management Interface at Review Analysis and Diagnostics > Logs > System.

     Process alert before pass
       Sets the SNORT engine to process alert rules before it applies pass rules. By default, SNORT applies rules in the order of pass > drop > alert > log.
       Notes:
       • Pass before alert (default): This option can improve performance but it can increase false negatives.
       • Alert before pass: This option can decrease false negatives but it can hinder performance and increase false positives.

     Process all triggered events in group order
       Sets the SNORT engine to process all events that are associated with a packet and to process all these events based on the setting for rule ordering.

     Report HTTP request URL data with alert
       Sets the SNORT engine to display URL data in SNORT events that are triggered by HTTP requests. Retrieve SNORT events in Review Analysis and Diagnostics > Logs > Security Alerts.

     Expression
       Sets the SNORT engine to inspect only traffic for which the expression evaluates to true. If there is no expression, then the engine inspects all traffic.
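The effect of the two rule-ordering options above (Process alert before pass, and Process all triggered events in group order) is easier to reason about with a small model of how action groups are visited for one packet. The following Python is an added illustration written for this page; it is not the SNORT engine's code and not part of the Network IPS product. The default order is the one stated above; the alert-before-pass order, the rule set, and the packets are constructed for the example, and the source address 10.0.0.5 is an assumed "trusted scanner" address.

```python
"""Model of SNORT action-group ordering for a single packet.

Constructed illustration for this page, not SNORT's own engine code.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence

Packet = Dict[str, object]


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass", "drop", "alert" or "log"
    name: str                        # message, as it would appear in an event
    match: Callable[[Packet], bool]  # predicate over the decoded packet


# Default order as stated on this page. The alert-before-pass order is an
# assumption for this model: the page only says alert rules run before pass.
PASS_BEFORE_ALERT = ("pass", "drop", "alert", "log")
ALERT_BEFORE_PASS = ("drop", "alert", "pass", "log")


def evaluate(packet: Packet, rules: Sequence[Rule], order: Sequence[str],
             process_all_events: bool = False) -> List[str]:
    """Return the events ("action:name") raised for one packet.

    Groups are visited in `order`. A matching pass rule ends inspection of the
    packet with no further events. Otherwise, once a group has produced
    events, later groups are skipped unless process_all_events is set (the
    "Process all triggered events in group order" option).
    """
    events: List[str] = []
    for action in order:
        hits = [r for r in rules if r.action == action and r.match(packet)]
        if not hits:
            continue
        if action == "pass":
            break                     # packet is ignored from here on
        events.extend(f"{r.action}:{r.name}" for r in hits)
        if not process_all_events:
            break                     # stop after the first group with events
    return events


# Constructed rule set; 10.0.0.5 is an assumed trusted scanner address.
RULES = [
    Rule("pass",  "trusted-scanner",   lambda p: p["src"] == "10.0.0.5"),
    Rule("drop",  "telnet-to-server",  lambda p: p["dport"] == 23),
    Rule("alert", "passwd-in-payload", lambda p: b"/etc/passwd" in p["payload"]),
    Rule("log",   "http-request",      lambda p: p["dport"] == 80),
]

# Constructed packets: one from the "trusted" source, one telnet session.
SCANNER_HIT = {"src": "10.0.0.5", "dport": 80,
               "payload": b"GET /../etc/passwd HTTP/1.0"}
TELNET_HIT = {"src": "10.0.0.9", "dport": 23,
              "payload": b"cat /etc/passwd\r\n"}


def compare() -> Dict[str, List[str]]:
    """Run both packets under each setting so the differences are visible."""
    return {
        "scanner/pass-first": evaluate(SCANNER_HIT, RULES, PASS_BEFORE_ALERT),
        "scanner/alert-first": evaluate(SCANNER_HIT, RULES, ALERT_BEFORE_PASS),
        "telnet/first-group-only": evaluate(TELNET_HIT, RULES, PASS_BEFORE_ALERT),
        "telnet/all-events": evaluate(TELNET_HIT, RULES, PASS_BEFORE_ALERT,
                                      process_all_events=True),
    }


if __name__ == "__main__":
    for setting, raised in compare().items():
        print(f"{setting:24} -> {raised}")
```

With the default order, the pass rule for the trusted source silences the alert on the payload entirely (the false-negative case noted above); with alert before pass, that alert is raised even though the source was meant to be ignored (the false-positive side). For the telnet packet, the default stops at the drop group, while processing all events also records the alert that matched in a later group.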

What to do next

Apply policy settings after you configure settings for this tab. Apply is at the bottom of the page.

This tab enables the SNORT engine and some command-line options. However, the system does not analyze traffic until you add rules. Configure settings on the SNORT Configuration tab or review the default configuration file, and add rules on the SNORT Rules tab.