Snort interface Global Settings

This tab is used to enable rule set packages for download, configure the rules package update interval and start time, configure Snort logging directory size limits and determine whether Snort settings are saved when the package is removed from the system.

Please Choose The Type Of Rules To Download

More than one rule set may be enabled for download, but note the following caveats. If there is a paid subscription for the Snort VRT rules, then all of the Snort GPLv2 Community rules are automatically included within the file downloaded with the Snort VRT rules; therefore do not enable the GPLv2 Community rules if there is a paid-subscriber account for the Snort VRT rules. All of the Emerging Threats Open rules are included within the paid subscription for the Emerging Threats Pro rules. If the Emerging Threats Pro rules are enabled, the Emerging Threats Open rules are automatically disabled.


To use the Snort VRT rules package, check the Install Snort VRT rules checkbox and then enter the Oinkmaster code in the textbox that appears.

To use the ETPro rules package, check the box next to ETPro and then enter the ETPro subscription code in the textbox that appears.

Rules Update Settings

Use the Update Interval: drop-down selector to choose how often Snort checks for updates to the enabled rules packages. When any value other than NEVER is selected, the Update Start Time textbox becomes available for entering a start time in 24-hour format, using hours and minutes only.

In most cases every 12 hours is a good choice. The update start time can be customized if desired. Enter the time as hours and minutes in 24-hour time format. The default start time is 3 minutes past midnight local time. So with a 12-hour update interval selected, Snort will check the Snort VRT or Emerging Threats web sites at 3 minutes past midnight and 3 minutes past noon each day for any posted rule package updates.


General Settings

The Log Directory Size Limit, when enabled, sets an absolute hard upper limit on the total size of the Snort logging sub-directory in */var/log/snort*. This can prevent Snort from filling up the /var volume on the firewall. When the Snort logging directory size (the total size of all files within the Snort log directory tree) exceeds the value set, all files are automatically pruned (deleted) and the Snort process is signaled to soft-restart and resynchronize logging. The default size limit is 20% of the available space on the volume. This may be overridden by setting a value in megabytes (MB) in the textbox provided.
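As an added illustration (not code from the pfSense Snort package), the following POSIX shell check reports how far a Snort log tree is from the size limit described above, so an administrator can see pruning coming rather than discover it afterwards. It assumes the 20% default is measured against the free space df reports for the volume holding the log directory, and it deletes nothing.

```shell
#!/bin/sh
# Added example: compare a Snort log tree against the Log Directory Size Limit.
# Usage: check_snort_log_limit [LOG_DIR] [LIMIT_MB]
#   LOG_DIR  defaults to /var/log/snort
#   LIMIT_MB if omitted, mimics the package default of 20% of the volume's
#            available space (assumption: "available" = df's Avail column)

# Total size of the directory tree in kilobytes (the same quantity the
# package compares against the limit: all files under the log directory).
tree_size_kb() {
    du -sk "$1" | awk '{print $1}'
}

# Default limit: one fifth of the space still free on the volume.
default_limit_kb() {
    df -Pk "$1" | awk 'NR == 2 { print int($4 / 5) }'
}

# Prints "<used_kb> <limit_kb> <percent_of_limit>" on stdout.
# Exit status 0 while the tree is at or below the limit, 1 once it has
# exceeded it (the condition under which the package prunes the tree).
check_snort_log_limit() {
    dir=${1:-/var/log/snort}
    if [ -n "$2" ]; then
        limit_kb=$(( $2 * 1024 ))      # explicit override, given in MB
    else
        limit_kb=$(default_limit_kb "$dir")
    fi
    used_kb=$(tree_size_kb "$dir")
    pct=$(( used_kb * 100 / limit_kb ))
    printf '%s %s %s\n' "$used_kb" "$limit_kb" "$pct"
    [ "$used_kb" -le "$limit_kb" ]
}
```

Run it from cron with a threshold of your own (for example, warn when the third field passes 80) to get notice before the package wipes the tree.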

Remove Blocked Hosts Interval: controls how long Snort-blocked IP addresses must be inactive before being cleared. Once per interval specified, Snort executes a cron job that tests all the IP addresses it has inserted into the firewall’s block table for activity. IP addresses that have had no further network activity within the time specified are removed from the block table.

Remove Blocked Hosts After Deinstall: determines whether or not Snort-blocked IP addresses are automatically removed when the Snort package is uninstalled.

Remove Snort Log Files After Deinstall: determines whether or not log files generated by Snort are retained or removed when the Snort package is removed.

Keep Snort Settings After Deinstall: controls whether the Snort configuration is retained when the Snort package is removed.
