next up previous contents
Next: 1.6 Miscellaneous Up: 1. Snort Overview Previous: 1.4 Network Intrusion Detection   Contents

Subsections


1.5 Inline Mode

Snort 2.3.0 RC1 integrated the intrusion prevention system (IPS) capability of snort_inline into the official Snort project. Snort_inline obtains packets from iptables instead of libpcap and then uses new rule types to help iptables pass or drop packets based on Snort rules.

In order for snort_inline to work properly, you must download and compile the iptables code to include ``make install-devel'' (http://www.iptables.org). This will install the libipq library that allows snort_inline to interface with iptables. Also, you must build and install LibNet, which is available from http://www.packetfactory.net.

There are three rule types you can use when running Snort with snort_inline:



$\triangle$ $^!$ NOTE


\fbox{
\usebox{
\savepar
}
}

When using a reject rule, there are two options you can use to send TCP resets:


1.5.1 Snort Inline Rule Application Order

The current rule application order is:

	->activation->dynamic->drop->sdrop->reject->alert->pass->log
This will ensure that a drop rule has precedence over an alert or log rule. You can use the -o flag to the rule application order to:
	->activation->dynamic->pass->drop->sdrop->reject->alert->log


1.5.2 New STREAM4 Options for Use with Snort Inline

When using snort_inline, you can use two additional stream4 options:

For more information about Stream4, see Section [*].


1.5.3 Replacing Packets with Snort Inline

Additionally, Jed Haile's content replace code allows you to modify packets before they leave the network. For example:

alert tcp any any <> any 80 (msg: "tcp replace"; content:"GET"; replace:"BET";)
alert udp any any <> any 53 (msg: "udp replace"; \
    content: "yahoo"; replace: "xxxxx";)

These rules will comb tcp port 80 traffic looking for GET, and udp port 53 traffic looking for yahoo. Once they are found, they are replaced with BET and xxxxx, respectively. The only catch is that the replace must be the same length as the content.


1.5.4 Installing Snort Inline

To install Snort inline, use the following command:
./configure --enable-inline
make
make install

1.5.5 Running Snort Inline

First, you need to ensure that the ip_queue module is loaded. Then, you need to send traffic to snort_inline using the QUEUE target. For example,

iptables -A OUTPUT -p tcp --dport 80 -j QUEUE
sends all TCP traffic leaving the firewall going to port 80 to the QUEUE target. This is what sends the packet from kernel space to user space (snort_inline). A quick way to get all outbound traffic going to the QUEUE is to use the rc.firewall script created and maintained by the Honeynet Project (http://www.honeynet.org/papers/honeynet/tools/) This script is well-documented and allows you to direct packets to snort_inline by simply changing the QUEUE variable to yes.

Finally, start snort_inline.

snort_inline -QDc ../etc/drop.conf -l /var/log/snort

You can use the following command line options:

Ideally, snort_inline will be run using only its own drop.rules. If you want to use Snort for just alerting, a separate process should be running with its own ruleset.

1.5.6 Using the Honeynet Snort Inline Toolkit

The Honeynet Snort Inline Toolkit is a statically compiled snort_inline binary put together by the Honeynet Project for the Linux operating system. It comes with a set of drop.rules, the snort_inline binary, a snort-inline rotation shell script, and a good README. It can be found at:

http://www.honeynet.org/papers/honeynet/tools/

1.5.7 Troubleshooting Snort Inline

If you run snort_inline and see something like this:

Initializing Output Plugins!
Reading from iptables
Log directory = /var/log/snort
Initializing Inline mode
InlineInit: : Failed to send netlink message: Connection refused
More than likely, the ip_queue module is not loaded or ip_queue support is not compiled into your kernel. Either recompile your kernel to support ip_queue, or load the module.

The ip_queue module is loaded by executing:

insmod ip_queue
Also, if you want to ensure snort_inline is getting packets, you can start it in the following manner:
snort_inline -Qvc <configuration file>
This will display the header of every packet that snort_inline sees.


next up previous contents
Next: 1.6 Miscellaneous Up: 1. Snort Overview Previous: 1.4 Network Intrusion Detection   Contents