Nexapp - Intrusion Prevention System (Snort)

Intrusion Prevention System (Snort)

Snort 3 is an open-source Intrusion Prevention System (IPS) integrated into NexappOS. It performs real-time traffic inspection to detect and stop threats such as:

  • buffer overflows
  • stealth and brute-force scans
  • web (CGI) attacks
  • SMB probes
  • OS fingerprinting attempts
  • and many other network exploits

Snort analyzes packets inline and can generate alerts or actively block traffic based on the enabled ruleset.


Enable IPS

IPS is disabled by default.

  1. Go to Security → IPS
  2. Open the Settings tab
  3. Enable the Status switch

After enabling, choose a policy. Policies group rules to match different deployment needs:

  • Connectivity
    Prioritizes performance over strict security. Designed to minimize false positives and keep throughput high while still detecting common threats.

  • Balanced (recommended for first rollout)
    Good starting point for production. Balances detection strength with performance and maintains a low false-positive rate.

  • Security
    Maximum protection with higher sensitivity. Best for high-security sites with lower bandwidth or environments that tolerate more false positives.

Click Save to apply the policy.


Access to Snort Rules via Oinkcode

NexappOS supports Snort rule subscriptions through an Oinkcode.
An Oinkcode is a personal token from Snort.org that allows access to official rule feeds.

Rule categories

  • Community Rules (Free)
    Maintained by the Snort community. Basic protection, slower updates.
    No Oinkcode required.

  • Registered Rules (Free with delay)
    Official Snort rules published with a ~30-day delay.
    Oinkcode required.

  • Subscriber Rules (Paid, real-time)
    Immediate access to the latest official rules.
    Oinkcode required.

How to obtain and use an Oinkcode

  1. Register at Snort.org
  2. Copy your Oinkcode from your account profile
  3. In Security → IPS → Settings, paste the code into Oinkcode
  4. Click Test code to validate it

Today Event List

The Today event list shows IPS detections from current traffic.
Each entry includes:

  • triggered rule ID
  • source and destination IP
  • protocol
  • action taken (alert or block)

You can:

  • filter events using the search bar
  • open rule documentation by clicking the rule ID
  • suppress or disable a noisy rule directly from the record menu

Source and Destination Bypass

Sometimes trusted systems must bypass IPS inspection.

  1. Go to the Filter bypass tab
  2. Click Add bypass
  3. Fill in:
     • Address type: IPv4 or IPv6
     • IP address / CIDR: the address or range to bypass
     • Direction: source or destination
     • Description: optional

Click Save to apply the bypass.


Disable Rules

Rules that are too strict or generate false positives can be excluded from the active ruleset.

  1. Go to the Disabled rules tab
  2. Click Disable rule
  3. Enter:
     • GID: Generator ID (usually 1)
     • SID: Signature ID
     • Description: optional

Disabled rules will no longer be evaluated.


Suppressed Alerts

Suppression ignores a rule only for specific sources/destinations, while keeping it active elsewhere.

  1. Go to the Suppressed alerts tab
  2. Click Suppress alert
  3. Enter:
     • GID: usually 1
     • SID: rule signature ID
     • Direction: source or destination
     • IP address / CIDR: the address or range to suppress
     • Description: optional

This is useful for known-benign traffic that would otherwise flood alerts.
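To make the difference between the Filter bypass, Disabled rules and Suppressed alerts controls concrete, here is an added Python model. It is example code, not NexappOS or Snort code: it parses Snort alert_fast lines of the kind behind the Today event list and applies the semantics this page describes, namely that a bypass exempts a source or destination address from inspection entirely, a disabled rule is never evaluated, and a suppression hides one rule for one address range only. The rule SIDs, addresses and log lines are constructed, and the class and function names are the example's own.

```python
"""Model of the IPS exclusion controls (bypass, disable, suppress).

Added example, not NexappOS or Snort code. Sample alert lines and SIDs are
constructed; SIDs 1000001+ are the local-rule range, not official rules.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    gid: int
    sid: int
    proto: str
    src: str
    dst: str


@dataclass(frozen=True)
class Bypass:
    cidr: str
    direction: str      # 'source' or 'destination', as in the Filter bypass tab


@dataclass(frozen=True)
class Suppression:
    gid: int
    sid: int
    cidr: str
    direction: str      # 'source' or 'destination', as in the Suppressed alerts tab


# alert_fast layout: [gid:sid:rev] ... {PROTO} src[:port] -> dst[:port]
_FAST_RE = re.compile(
    r'\[(?P<gid>\d+):(?P<sid>\d+):\d+\].*'
    r'\{(?P<proto>[A-Za-z0-9-]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$'
)


def _strip_port(token):
    """Drop a trailing :port from an IPv4 token; a bare address is kept whole.
    alert_fast does not bracket IPv6, so an IPv6 address with a port is
    ambiguous and is returned unchanged here."""
    try:
        ipaddress.ip_address(token)
        return token
    except ValueError:
        return token.rpartition(':')[0]


def parse_fast_alert(line):
    """Return an Event for one alert_fast line, or None if it does not parse."""
    m = _FAST_RE.search(line)
    if not m:
        return None
    return Event(int(m['gid']), int(m['sid']), m['proto'].upper(),
                 _strip_port(m['src']), _strip_port(m['dst']))


def _in_cidr(addr, cidr):
    """True if addr lies inside cidr; IPv4 never matches an IPv6 range or vice versa."""
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(cidr, strict=False)
    return ip.version == net.version and ip in net


def classify(event, bypasses=(), disabled=frozenset(), suppressions=()):
    """Apply the controls in the order the page implies: bypass skips
    inspection altogether, a disabled rule is never evaluated, and a
    suppression hides the rule only for the matching address."""
    for b in bypasses:
        addr = event.src if b.direction == 'source' else event.dst
        if _in_cidr(addr, b.cidr):
            return 'bypassed'
    if (event.gid, event.sid) in disabled:
        return 'disabled'
    for s in suppressions:
        if (s.gid, s.sid) == (event.gid, event.sid):
            addr = event.src if s.direction == 'source' else event.dst
            if _in_cidr(addr, s.cidr):
                return 'suppressed'
    return 'alert'


def outcomes(lines, **controls):
    """Count what would happen to each parsed line under the given controls."""
    return Counter(classify(ev, **controls)
                   for ev in map(parse_fast_alert, lines) if ev is not None)


# Constructed sample lines (not from a real sensor).
SAMPLE_ALERTS = [
    '01/10-09:15:02.001122 [**] [1:1000001:1] "LOCAL test rule A" [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.25:51234 -> 203.0.113.7:80',
    '01/10-09:15:03.004455 [**] [1:1000001:1] "LOCAL test rule A" [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.5.9:40000 -> 203.0.113.7:80',
    '01/10-09:15:04.007788 [**] [1:1000002:2] "LOCAL test rule B" [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.1 -> 192.0.2.25',
]

if __name__ == '__main__':
    print(outcomes(SAMPLE_ALERTS,
                   bypasses=[Bypass('10.0.0.0/8', 'source')],
                   disabled={(1, 1000002)},
                   suppressions=[Suppression(1, 1000001, '192.0.2.0/24', 'source')]))
```

The ordering in classify is the practical point: a bypass removes the address from inspection for every rule, so it is the broadest of the three, while a suppression is the narrowest because it names both a rule and a range. When a rule is noisy only for one trusted host, the suppression keeps it active everywhere else; disabling it is the right choice only when the false positives are not tied to particular addresses.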
