Pseries Installation Guide

56 Compiling Rules
Table 8 Compiler Configuration Options

Option 1: Target Device
Choose the model of your appliance. The P10 requires type PB-10G-2P (see Figure 35 on page 58).

Option 2: Match non-IP Traffic
Answering Yes to this option adds a rule that matches every packet that is not IPv4. Set this option to No if only IP traffic is allowed (see Figure 35 on page 58).

Option 3: Match Fragmented IPv4 Packets or IPv4 Packets w/ Options
Answering Yes to this option:
- Adds a rule to match fragmented IPv4 packets
- Adds a rule to match IPv4 packets with any option in the header
(see Figure 35 on page 58).

Option 4: Rules File
Specify the rules file that contains the Snort rules to be compiled into firmware.
- Include the relative path of the file in your entry.
- Your entry is used to create the firmware names.
- Enter null to create firmware with no static rules; compiling firmware with no static rules maximizes dynamic rule capacity (see Figure 35 on page 58).
Note: The script performs a syntax check on the input file. If there are errors, you are prompted to enter the file name again. The entry must be made at the prompt; if the Enter key is pressed by mistake so that the entry cannot be made at the prompt, enter Ctrl-C to halt the configuration process, and then enter gmake to begin again.

Option 5: Dynamic Rules
Enter the number of dynamic rules to synthesize.
- If you enter one of the sample Snort rules files, choose the minimum number of dynamic rules; otherwise, placement of the design on the FPGA may fail.
- If you are using fewer static rules, you can increase the number of dynamic rules up to approximately 30 for each channel (60 in total) (see Figure 35 on page 58).
Note: The number of dynamic rules specified in this option is a guideline that the compiler uses to reserve space on the FPGA. The number you choose is the approximate number of rules you will be able to configure at runtime. The amount of space a rule consumes varies with the complexity of the rule, so if the rules are complex you might not be able to configure as many dynamic rules as specified in this option.

Option 6: meta.rules
The pnic-Compiler prepends a set of fixed rules called meta.rules, located in the pnic-compiler/rules directory. The rules in this file report flow information and provide compatibility with Snort; including them allows you to run Snort on the DPI interface.
It is best to include this file if Snort is being used as the front end. If Snort is not the front end, these rules should either be excluded or be changed to accommodate the other packet analysis requirements (see Figure 36 on page 59).
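The following is an added example, not code from the guide or from the pnic-Compiler, that shows on constructed Ethernet frames which of the fixed rules added by options 2 and 3 would match: anything that is not IPv4 (option 2), IPv4 with the MF flag set or a non-zero fragment offset, and IPv4 whose header length (IHL) exceeds 5 words, meaning options are present (option 3). The rule names, the helper functions and the sample frames are assumptions of this example; the guide does not name the generated rules.

```python
import struct

# Constructed sample MAC addresses and the EtherTypes used to build frames below.
SRC_MAC = bytes.fromhex("001122334455")
DST_MAC = bytes.fromhex("66778899aabb")
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD

IP_MF = 0x2000          # "more fragments" bit in the flags/fragment-offset field
IP_FRAG_OFFSET = 0x1FFF  # 13-bit fragment offset mask


def ipv4_header(ihl=5, more_fragments=False, frag_offset=0, proto=6, options=b""):
    """Build a minimal IPv4 header with no payload; options must fill (ihl-5)*4 bytes."""
    assert 5 <= ihl <= 15 and len(options) == (ihl - 5) * 4
    flags_frag = (IP_MF if more_fragments else 0) | (frag_offset & IP_FRAG_OFFSET)
    fixed = struct.pack("!BBHHHBBH4s4s",
                        (4 << 4) | ihl,       # version 4, header length in 32-bit words
                        0,                    # DSCP/ECN
                        ihl * 4,              # total length (header only)
                        0x1234,               # identification
                        flags_frag,           # flags + fragment offset
                        64,                   # TTL
                        proto,                # 6 = TCP
                        0,                    # checksum left zero; irrelevant to classification
                        bytes([10, 0, 0, 1]),
                        bytes([10, 0, 0, 2]))
    return fixed + options


def ethernet(ethertype, payload):
    """Wrap a payload in an Ethernet II frame."""
    return DST_MAC + SRC_MAC + struct.pack("!H", ethertype) + payload


def matched_fixed_rules(frame):
    """Return the set of compiler-added fixed rules (names assumed here) matching a frame.

    "non-ip"     -> option 2 (Match non-IP Traffic): anything that is not IPv4
    "fragmented" -> option 3: IPv4 with MF set or a non-zero fragment offset
    "ip-options" -> option 3: IPv4 whose IHL is greater than 5 (options present)
    An empty set means a plain IPv4 packet that only the compiled Snort rules can match.
    """
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return {"non-ip"}
    ip = frame[14:]
    # Assumption of this example: truncated or malformed IPv4 headers count as non-IP.
    if len(ip) < 20 or ip[0] >> 4 != 4 or (ip[0] & 0x0F) < 5:
        return {"non-ip"}
    ihl = ip[0] & 0x0F
    flags_frag = struct.unpack("!H", ip[6:8])[0]
    hits = set()
    if flags_frag & IP_MF or flags_frag & IP_FRAG_OFFSET:
        hits.add("fragmented")
    if ihl > 5:
        hits.add("ip-options")
    return hits


# Constructed sample frames; these are not captures from any appliance.
ROUTER_ALERT = bytes.fromhex("94040000")  # IP option 148 (Router Alert), 4 bytes
SAMPLES = {
    "plain tcp":           ethernet(ETHERTYPE_IPV4, ipv4_header()),
    "arp":                 ethernet(ETHERTYPE_ARP, b"\x00" * 28),
    "ipv6":                ethernet(ETHERTYPE_IPV6, b"\x60" + b"\x00" * 39),
    "first fragment":      ethernet(ETHERTYPE_IPV4, ipv4_header(more_fragments=True)),
    "last fragment":       ethernet(ETHERTYPE_IPV4, ipv4_header(frag_offset=185)),
    "router alert":        ethernet(ETHERTYPE_IPV4, ipv4_header(ihl=6, options=ROUTER_ALERT)),
    "fragment w/ options": ethernet(ETHERTYPE_IPV4,
                                    ipv4_header(ihl=6, more_fragments=True, options=ROUTER_ALERT)),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        hits = sorted(matched_fixed_rules(frame)) or ["(Snort rules only)"]
        print(f"{name:20s} -> {', '.join(hits)}")
```

A fragmented packet carrying options matches both rules from option 3 at once, which is why the classifier returns a set rather than a single label; a last fragment (MF clear, offset non-zero) still counts as fragmented, and IPv6 falls under option 2 together with ARP because the option is defined as "not IPv4".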