Snort - the de facto standard for intrusion detection/prevention
the de facto standard in IPS  
Got Source? About Snort About Sourcefire Snort FAQ
Sourcefire Network Security - the creators of Snort
Snort News Snort Downloads Snort Rules Snort Docs Snort Training Snort Forums Snort Community Snort Store
Search Site
Search Rules
Account
email
password
not registered?
can't login?
user preferences
next up previous contents
Next: Using the Honeynet Snort Up: Inline Mode Previous: Installing Snort Inline   Contents

Running Snort Inline

First, you need to ensure that the ip_queue module is loaded. Then, you need to send traffic to Snort Inline using the QUEUE target. For example: 

iptables -A OUTPUT -p tcp --dport 80 -j QUEUE
sends all TCP traffic leaving the firewall going to port 80 to the QUEUE target. This is what sends the packet from kernel space to user space (Snort Inline). A quick way to get all outbound traffic going to the QUEUE is to use the rc.firewall script created and maintained by the Honeynet Project (http://www.honeynet.org/papers/honeynet/tools/) This script is well-documented and allows you to direct packets to Snort Inline by simply changing the QUEUE variable to yes.

Finally, start Snort Inline: 

snort_inline -QDc ../etc/drop.conf -l /var/log/snort

You can use the following command line options:

  • -Q - Gets packets from iptables.
  • -D - Runs Snort Inline in daemon mode. The process ID is stored at /var/run/snort_inline.pid
  • -c - Reads the following configuration file.
  • -l - Logs to the following directory.

Ideally, Snort Inline will be run using only its own drop.rules. If you want to use Snort for just alerting, a separate process should be running with its own rule set.

next up previous contents
Next: Using the Honeynet Snort Up: Inline Mode Previous: Installing Snort Inline   Contents
Steven Sturges 2007-05-11
site feedback | Terms of Use | Privacy Policy | forum archives ©2008 Snort and Sourcefire are registered trademarks of Sourcefire, Inc. All rights reserved.