Snort - the de facto standard for intrusion detection/prevention
the de facto standard for IPS  
Got Source? About Snort About Sourcefire Snort FAQ
Sourcefire Network Security - the creators of Snort
Snort News Snort Downloads Snort Rules Snort Docs Snort Training Snort Forums Snort Community Snort Store
Search Site
Search Rules
Account
email
password
not registered?
can't login?
user preferences
next up previous contents
Next: 1.6 Miscellaneous Up: 1. Snort Overview Previous: 1.4 Network Intrusion Detection   Contents

Subsections


1.5 Inline Mode

Snort 2.3.0 RC1 integrated the intrusion prevention system (IPS) capability of Snort Inline into the official Snort project. Snort Inline obtains packets from iptables instead of libpcap and then uses new rule types to help iptables pass or drop packets based on Snort rules.

In order for Snort Inline to work properly, you must download and compile the iptables code to include ``make install-devel'' (http://www.iptables.org). This will install the libipq library that allows Snort Inline to interface with iptables. Also, you must build and install LibNet, which is available from http://www.packetfactory.net.

There are three rule types you can use when running Snort with Snort Inline:

  • drop - The drop rule type will tell iptables to drop the packet and log it via usual Snort means.
  • reject - The reject rule type will tell iptables to drop the packet, log it via usual Snort means, and send a TCP reset if the protocol is TCP or an icmp port unreachable if the protocol is UDP.
  • sdrop - The sdrop rule type will tell iptables to drop the packet. Nothing is logged.

Note:   You can also replace sections of the packet payload when using Snort Inline. See Section [*] for more information.

When using a reject rule, there are two options you can use to send TCP resets:

  • You can use a RAW socket (the default behavior for Snort Inline), in which case you must have an interface that has an IP address assigned to it. If there is not an interface with an IP address assigned with access to the source of the packet, the packet will be logged and the reset packet will never make it onto the network.

  • You can also now perform resets via a physical device when using iptables. We take the indev name from ip_queue and use this as the interface on which to send resets. We no longer need an IP loaded on the bridge, and can remain pretty stealthy as the config layer2_resets in snort_inline.conf takes a source MAC address which we substitue for the MAC of the bridge. For example: 
    config layer2resets
    tells Snort Inline to use layer2 resets and uses the MAC address of the bridge as the source MAC in the packet, and: 
    config layer2resets: 00:06:76:DD:5F:E3
    will tell Snort Inline to use layer2 resets and uses the source MAC of 00:06:76:DD:5F:E3 in the reset packet.


1.5.1 Snort Inline Rule Application Order

The current rule application order is: 

	->activation->dynamic->drop->sdrop->reject->alert->pass->log
This will ensure that a drop rule has precedence over an alert or log rule. You can use the -o flag to change the rule application order to: 
	->activation->dynamic->pass->drop->sdrop->reject->alert->log


1.5.2 New STREAM4 Options for Use with Snort Inline

When using Snort Inline, you can use two additional stream4 options:

  • inline_state (no arguments)

    This option causes Snort to drop TCP packets that are not associated with an existing TCP session, and is not a valid TCP initiator.

  • midstream_drop_alerts (no arguments)

    By default, when running in inline mode, Snort will silently drop any packets that were picked up in midstream and would have caused an alert to be generated, if not for the 'flow: established' option. This is to mitigate stick/snot type attacks when the user hasn't enabled inline_state. If you want to see the alerts that are silently dropped, enable this keyword. Note that by enabling this keyword, you have opened yourself up to stick/snot-type attacks.

For more information about Stream4, see Section [*].


1.5.3 Replacing Packets with Snort Inline

Additionally, Jed Haile's content replace code allows you to modify packets before they leave the network. For example: 

alert tcp any any <> any 80 (msg: "tcp replace"; content:"GET"; replace:"BET";)
alert udp any any <> any 53 (msg: "udp replace"; \
    content: "yahoo"; replace: "xxxxx";)

These rules will comb TCP port 80 traffic looking for GET, and UDP port 53 traffic looking for yahoo. Once they are found, they are replaced with BET and xxxxx, respectively. The only catch is that the replace must be the same length as the content.


1.5.4 Installing Snort Inline

To install Snort inline, use the following command: 
./configure --enable-inline
make
make install

1.5.5 Running Snort Inline

First, you need to ensure that the ip_queue module is loaded. Then, you need to send traffic to Snort Inline using the QUEUE target. For example: 

iptables -A OUTPUT -p tcp --dport 80 -j QUEUE
sends all TCP traffic leaving the firewall going to port 80 to the QUEUE target. This is what sends the packet from kernel space to user space (Snort Inline). A quick way to get all outbound traffic going to the QUEUE is to use the rc.firewall script created and maintained by the Honeynet Project (http://www.honeynet.org/papers/honeynet/tools/) This script is well-documented and allows you to direct packets to Snort Inline by simply changing the QUEUE variable to yes.

Finally, start Snort Inline: 

snort_inline -QDc ../etc/drop.conf -l /var/log/snort

You can use the following command line options:

  • -Q - Gets packets from iptables.
  • -D - Runs Snort Inline in daemon mode. The process ID is stored at /var/run/snort_inline.pid
  • -c - Reads the following configuration file.
  • -l - Logs to the following directory.

Ideally, Snort Inline will be run using only its own drop.rules. If you want to use Snort for just alerting, a separate process should be running with its own rule set.

1.5.6 Using the Honeynet Snort Inline Toolkit

The Honeynet Snort Inline Toolkit is a statically compiled Snort Inline binary put together by the Honeynet Project for the Linux operating system. It comes with a set of drop.rules, the Snort Inline binary, a snort-inline rotation shell script, and a good README. It can be found at:

http://www.honeynet.org/papers/honeynet/tools/

1.5.7 Troubleshooting Snort Inline

If you run Snort Inline and see something like this: 

Initializing Output Plugins!
Reading from iptables
Log directory = /var/log/snort
Initializing Inline mode
InlineInit: : Failed to send netlink message: Connection refused
More than likely, the ip_queue module is not loaded or ip_queue support is not compiled into your kernel. Either recompile your kernel to support ip_queue, or load the module.

The ip_queue module is loaded by executing: 

insmod ip_queue
Also, if you want to ensure Snort Inline is getting packets, you can start it in the following manner: 
snort_inline -Qvc <configuration file>
This will display the header of every packet that Snort Inline sees.

next up previous contents
Next: 1.6 Miscellaneous Up: 1. Snort Overview Previous: 1.4 Network Intrusion Detection   Contents
Terms of Use | Privacy Policy | forum archives | site feedback ©2009 Snort and Sourcefire are registered trademarks of Sourcefire, Inc. All rights reserved.