Table 8 Compiler Configuration Options

| # | Compilation Option | Description |
|---|---|---|
| 1 | Target Device | Choose the model of your appliance.<br>• The P10 requires type |
| 2 | Match | Answering Yes to this option matches packets that are not IPv4. Set this option to No if only IP traffic is allowed (see Figure 35 on page 58). |
| 3 | | Answering Yes to this option:<br>• Adds a rule to match fragmented IPv4 packets<br>• Adds a rule to match IPv4 packets with any option in the header (see Figure 35 on page 58). |
| 4 | Rules File | Specify the rules file containing the Snort rules that will be compiled into the firmware.<br>• Include the relative path of the file in your entry.<br>• Your entry is used to create the firmware names.<br>• Enter null to create firmware with no static rules; compiling firmware with no static rules maximizes dynamic rule capacity (see Figure 35 on page 58).<br>Note: The script performs a syntax check on the input file. If there are errors, you are prompted to enter the file name again. The entry must be made at the prompt; if the Enter key is pressed erroneously so that the entry cannot be made at the prompt, enter the key sequence that ends the process, and then enter gmake to begin again. |
| 5 | Dynamic Rules | Enter the number of dynamic rules to synthesize.<br>• If you enter one of the sample Snort rules files, choose the minimum number of dynamic rules; otherwise placement on the FPGA may fail.<br>• If you are using fewer static rules, you can increase the number of dynamic rules up to approximately 30 per channel (60 in total) (see Figure 35 on page 58).<br>Note: The number of dynamic rules specified in this option is a guideline that the compiler uses to reserve space on the FPGA. The number you choose is the approximate number of rules you will be able to configure at runtime. The amount of space a rule consumes varies with the complexity of the rule, so if the rules are complex you might not be able to fit as many dynamic rules as specified in this option. |
| 6 | meta.rules | The meta.rules file carries flow information and provides compatibility with Snort; including it allows you to run Snort on the DPI interface. Include this file if Snort is being used as the front end. If Snort is not the front end, either leave these rules out or change them to suit your other packet-analysis requirements (see Figure 36 on page 59). |
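Options 4 and 5 above reject a rules file with syntax errors and warn that the dynamic-rule count is bounded by FPGA space. The following pre-flight check is an added example, not the appliance's own compiler script: it validates a Snort rules file the way a practitioner would before typing the path at the Rules File prompt, counts how many static rules would be compiled in, and checks a requested dynamic-rule count against the ceiling quoted in the table (about 30 per channel, two channels). It assumes classic single-line Snort rule syntax and that every rule must carry a `sid`; the exact checks the real compiler performs are not documented on this page, and the sample rules are constructed for the example.

```python
"""Pre-flight check for a Snort rules file before handing it to the firmware compiler.

Added example; not the appliance's own syntax checker. Assumes classic
single-line Snort rules of the form
    action proto src sport dir dst dport (options)
and that every rule carries a sid. The real compiler's checks may differ.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input (not a real ruleset): two well-formed rules
# followed by three deliberately broken ones.
SAMPLE_RULES = """\
# constructed sample, not a real ruleset
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"example http probe"; content:"GET /admin"; sid:1000001; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"example dns"; content:"|00 01 00 00|"; sid:1000002;)
alert tcp any any -> any 22 (msg:"missing sid"; content:"SSH-";)
drop tcp any any -> any 443 (msg:"unterminated"; content:"x"; sid:1000004;
bogus ip any any -> any any (msg:"unknown action"; sid:1000005;)
"""

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
# Header fields, then the option body in balanced parentheses at end of line.
HEADER_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)
SID_RE = re.compile(r"\bsid\s*:\s*\d+\s*;")

# Capacity figures quoted in Table 8: about 30 dynamic rules per channel, two channels.
DYNAMIC_RULES_PER_CHANNEL = 30
CHANNELS = 2


@dataclass
class CheckResult:
    static_rules: int = 0                     # well-formed rules that would be compiled in
    errors: List[str] = field(default_factory=list)


def check_rule(line: str, lineno: int) -> Optional[str]:
    """Return an error message for a malformed rule, or None if it looks valid."""
    m = HEADER_RE.match(line)
    if not m:
        return (f"line {lineno}: not 'action proto src sport dir dst dport (options)' "
                f"with balanced parentheses")
    action, proto, _src, _sport, _dir, _dst, _dport, opts = m.groups()
    if action not in ACTIONS:
        return f"line {lineno}: unknown action '{action}'"
    if proto not in PROTOCOLS:
        return f"line {lineno}: unknown protocol '{proto}'"
    if not SID_RE.search(opts):
        return f"line {lineno}: missing sid"
    return None


def check_rules_text(text: str) -> CheckResult:
    """Validate every non-comment line; count the rules that would become static rules."""
    result = CheckResult()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are not rules
        err = check_rule(line, lineno)
        if err:
            result.errors.append(err)
        else:
            result.static_rules += 1
    return result


def dynamic_rules_fit(requested: int, channels: int = CHANNELS,
                      per_channel: int = DYNAMIC_RULES_PER_CHANNEL) -> bool:
    """True if the requested dynamic-rule count is within the table's stated ceiling.

    This is only the coarse bound from Table 8; complex rules consume more FPGA
    space, so a count that passes here can still fail to fit.
    """
    return 0 <= requested <= channels * per_channel


if __name__ == "__main__":
    res = check_rules_text(SAMPLE_RULES)
    print(f"{res.static_rules} static rule(s) would be compiled into firmware")
    for e in res.errors:
        print("ERROR", e)
    print("60 dynamic rules within ceiling:", dynamic_rules_fit(60))
    print("61 dynamic rules within ceiling:", dynamic_rules_fit(61))
```

Run it against the real rules file you intend to name at the Rules File prompt; fixing the reported lines first avoids the re-prompt loop described in the note for option 4, and the static-rule count tells you how much room is left for dynamic rules before you answer option 5.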
56 | Compiling Rules |