Snort - the de facto standard for intrusion detection/prevention
Next: Snort Inline Rule Application Up: Snort Overview Previous: Changing Alert Order   Contents


Inline Mode

Snort 2.3.0 RC1 integrated the intrusion prevention system (IPS) capability of Snort Inline into the official Snort project. Snort Inline obtains packets from iptables instead of libpcap and then uses new rule types to help iptables pass or drop packets based on Snort rules.

In order for Snort Inline to work properly, you must download and compile the iptables code to include "make install-devel" (http://www.iptables.org). This will install the libipq library that allows Snort Inline to interface with iptables. Also, you must build and install LibNet, which is available from http://www.packetfactory.net.

There are three rule types you can use when running Snort with Snort Inline:

  • drop - The drop rule type will tell iptables to drop the packet and log it via usual Snort means.
  • reject - The reject rule type will tell iptables to drop the packet, log it via usual Snort means, and send a TCP reset if the protocol is TCP or an icmp port unreachable if the protocol is UDP.
  • sdrop - The sdrop rule type will tell iptables to drop the packet. Nothing is logged.

Note: You can also replace sections of the packet payload when using Snort Inline. See Section 1.5.3 for more information.
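As an added illustration (not code from the Snort manual or the Snort project), the following Python script parses the header of each rule in a small constructed rule set and reports what Snort Inline does with a matching packet under the three inline rule types: the verdict handed to iptables, whether the packet is logged, and which reset is sent for a reject rule. The sample rules, sids and helper names are all constructed for this example; actions other than the three inline types are assumed to leave the packet accepted.

```python
import re

# Constructed sample rules for this example; not taken from any Snort rule set.
SAMPLE_RULES = """
drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH probe"; sid:1000001; rev:1;)
reject tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Telnet attempt"; sid:1000002; rev:1;)
reject udp any any -> $HOME_NET 69 (msg:"TFTP access"; sid:1000003; rev:1;)
sdrop icmp any any -> $HOME_NET any (msg:"Silent ICMP drop"; sid:1000004; rev:1;)
alert tcp any any -> any 80 (msg:"Plain alert, no verdict"; sid:1000005; rev:1;)
"""

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def inline_behaviour(action, proto):
    """Return (verdict, logged, response) for a rule action in inline mode.

    drop   -> iptables drops the packet, Snort logs it.
    reject -> as drop, plus a TCP reset (tcp) or ICMP port unreachable (udp).
    sdrop  -> iptables drops the packet, nothing is logged.
    Any other action is assumed (for this example) to leave the packet accepted.
    """
    if action == "drop":
        return ("drop", True, None)
    if action == "sdrop":
        return ("drop", False, None)
    if action == "reject":
        response = {"tcp": "tcp-reset", "udp": "icmp-port-unreachable"}.get(proto)
        return ("drop", True, response)
    return ("accept", action in ("alert", "log"), None)


def parse_rules(text):
    """Parse rule headers and attach the inline behaviour of each rule."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError("unparseable rule header: " + line)
        sid = re.search(r"sid:\s*(\d+)", m.group("opts"))
        verdict, logged, response = inline_behaviour(m.group("action"), m.group("proto"))
        rules.append({"sid": int(sid.group(1)) if sid else None, "action": m.group("action"),
                      "proto": m.group("proto"), "verdict": verdict,
                      "logged": logged, "response": response})
    return rules
```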

When using a reject rule, there are two options you can use to send TCP resets:

  • You can use a RAW socket (the default behavior for Snort Inline), in which case you must have an interface that has an IP address assigned to it. If there is not an interface with an IP address assigned with access to the source of the packet, the packet will be logged and the reset packet will never make it onto the network.

  • You can also now perform resets via a physical device when using iptables. We take the indev name from ip_queue and use this as the interface on which to send resets. We no longer need an IP loaded on the bridge, and can remain pretty stealthy, as the config layer2resets option in snort_inline.conf takes a source MAC address which we substitute for the MAC of the bridge. For example:
    config layer2resets
    
    tells Snort Inline to use layer2 resets and uses the MAC address of the bridge as the source MAC in the packet, and:
    config layer2resets: 00:06:76:DD:5F:E3
    
    tells Snort Inline to use layer2 resets and uses the source MAC of 00:06:76:DD:5F:E3 in the reset packet.

  • The command-line option --disable-inline-initialization can be used to not initialize iptables when in inline mode. It is intended to be used with the command-line option -T to test for a valid configuration without requiring inline devices to be opened and without adversely affecting traffic flow.



Steven Sturges 2008-04-01