snort-2.3.3-2.3.20060mdk.x86_64.rpm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">

<!--Converted with LaTeX2HTML 2002-2-1 (1.71)
original version by:  Nikos Drakos, CBLU, University of Leeds
* revised and updated by:  Marcus Hennecke, Ross Moore, Herb Swan
* with significant contributions from:
  Jens Lippmann, Marek Rouchal, Martin Wilck and others -->
<HTML>
<HEAD>
<TITLE>1.5 Inline Mode</TITLE>
<META NAME="description" CONTENT="1.5 Inline Mode">
<META NAME="keywords" CONTENT="snort_manual">
<META NAME="resource-type" CONTENT="document">
<META NAME="distribution" CONTENT="global">

<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="LaTeX2HTML v2002-2-1">
<META HTTP-EQUIV="Content-Style-Type" CONTENT="text/css">

<LINK REL="STYLESHEET" HREF="snort_manual.css">

<LINK REL="next" HREF="node8.html">
<LINK REL="previous" HREF="node6.html">
<LINK REL="up" HREF="node2.html">
</HEAD>

<BODY >
<!--Navigation Panel-->
<A NAME="tex2html334"
  HREF="node8.html">
<IMG WIDTH="37" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="next" SRC="next.png"></A> 
<A NAME="tex2html330"
  HREF="node2.html">
<IMG WIDTH="26" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="up" SRC="up.png"></A> 
<A NAME="tex2html324"
  HREF="node6.html">
<IMG WIDTH="63" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="previous" SRC="prev.png"></A> 
<A NAME="tex2html332"
  HREF="node1.html">
<IMG WIDTH="65" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="contents" SRC="contents.png"></A>  
<BR>
<B> Next:</B> <A NAME="tex2html335"
  HREF="node8.html">1.6 Miscellaneous</A>
<B> Up:</B> <A NAME="tex2html331"
  HREF="node2.html">1. Snort Overview</A>
<B> Previous:</B> <A NAME="tex2html325"
  HREF="node6.html">1.4 Network Intrusion Detection</A>
 &nbsp; <B>  <A NAME="tex2html333"
  HREF="node1.html">Contents</A></B> 
<BR>
<BR>
<!--End of Navigation Panel-->
<!--Table of Child-Links-->
<A NAME="CHILD_LINKS"><STRONG>Subsections</STRONG></A>

<UL>
<LI><A NAME="tex2html336"
  HREF="node7.html#SECTION00251000000000000000">1.5.1 Snort Inline Rule Application Order</A>
<LI><A NAME="tex2html337"
  HREF="node7.html#SECTION00252000000000000000">1.5.2 New STREAM4 Options for Use with Snort Inline</A>
<LI><A NAME="tex2html338"
  HREF="node7.html#SECTION00253000000000000000">1.5.3 Replacing Packets with Snort Inline</A>
<LI><A NAME="tex2html339"
  HREF="node7.html#SECTION00254000000000000000">1.5.4 Installing Snort Inline</A>
<LI><A NAME="tex2html340"
  HREF="node7.html#SECTION00255000000000000000">1.5.5 Running Snort Inline</A>
<LI><A NAME="tex2html341"
  HREF="node7.html#SECTION00256000000000000000">1.5.6 Using the Honeynet Snort Inline Toolkit</A>
<LI><A NAME="tex2html342"
  HREF="node7.html#SECTION00257000000000000000">1.5.7 Troubleshooting Snort Inline</A>
</UL>
<!--End of Table of Child-Links-->
<HR>

<H1><A NAME="SECTION00250000000000000000"></A><A NAME="Snort_Inline"></A>
<BR>
1.5 Inline Mode
</H1>

<P>
Snort 2.3.0 RC1 integrated the intrusion prevention system (IPS) capability of
snort_inline into the official Snort project. Snort_inline obtains packets
from iptables instead of libpcap and then uses new rule types to help iptables
pass or drop packets based on Snort rules.  

<P>
In order for snort_inline to work properly, you must download and compile the
iptables code and include the <TT>make install-devel</TT> step
(http://www.iptables.org).  This will install the <TT>libipq</TT> library
that allows snort_inline to interface with iptables.  Also, you must build and
install LibNet, which is available from http://www.packetfactory.net.

<P>
There are three rule types you can use when running Snort with snort_inline:

<P>

<UL>
<LI><B>drop</B> - The drop rule type will tell iptables to drop the packet and log it 
       via usual Snort means.
</LI>
<LI><B>reject</B> - The reject rule type will tell iptables to drop the packet, log it 
         via usual Snort means, and send a TCP reset if the protocol is 
         TCP or an icmp port unreachable if the protocol is UDP.
</LI>
<LI><B>sdrop</B> - The sdrop rule type will tell iptables to drop the packet.  Nothing
        is logged.
</LI>
</UL>

<P>


<P>
When using a <TT>reject</TT> rule, there are two options you can use to send
TCP resets:

<UL>
<LI>You can use a RAW socket (the default behavior for snort_inline), in which case
you must have an interface that has an IP address assigned to it. If there is not an
interface with an IP address assigned with access to the source of the packet,
the packet will be logged and the reset packet will never make it onto the 
network.

<P>
</LI>
<LI>You can also now perform resets via a physical device when using iptables.
We take the indev name from ip_queue and use it as the interface on which
to send resets. We no longer need an IP address on the bridge, and can remain
pretty stealthy, as <TT>config layer2resets</TT> in snort_inline.conf takes a source
MAC address which we substitute for the MAC of the bridge. For example:
<PRE>
config layer2resets
</PRE>
tells snort_inline to use layer2 resets and uses the MAC address of the bridge 
as the source MAC in the packet, and:
<PRE>
config layer2resets: 00:06:76:DD:5F:E3
</PRE>
will tell snort_inline to use layer2 resets and uses the source MAC of 
00:06:76:DD:5F:E3 in the reset packet.

<P>
</LI>
</UL>

<P>

<H2><A NAME="SECTION00251000000000000000"></A><A NAME="InlineRuleOrder"></A>
<BR>
1.5.1 Snort Inline Rule Application Order
</H2>

<P>
The current rule application order is: 
<PRE>
	-&gt;activation-&gt;dynamic-&gt;drop-&gt;sdrop-&gt;reject-&gt;alert-&gt;pass-&gt;log
</PRE>
This ensures that a drop rule has precedence over an alert or log rule.
You can use the -o flag to change the rule application order to:
<PRE>
	-&gt;activation-&gt;dynamic-&gt;pass-&gt;drop-&gt;sdrop-&gt;reject-&gt;alert-&gt;log
</PRE>
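<P>
The effect of the two orders on one packet that matches several rule types, as an added example (not Snort's code): a toy matcher on protocol and destination port, with a constructed ruleset and the two orders quoted above. Under the default order the drop rule decides the verdict; with the -o order the pass rule does.

```python
"""Simulate snort_inline's rule application order (added example, not Snort code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two orders given in the manual: the default and the one selected with -o.
DEFAULT_ORDER = ["activation", "dynamic", "drop", "sdrop", "reject", "alert", "pass", "log"]
O_FLAG_ORDER = ["activation", "dynamic", "pass", "drop", "sdrop", "reject", "alert", "log"]

@dataclass(frozen=True)
class Rule:
    action: str           # drop, sdrop, reject, alert, pass or log
    proto: str            # "tcp" or "udp"
    dport: Optional[int]  # None stands for "any" destination port
    msg: str

@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int

def matching_rules(rules: List[Rule], pkt: Packet) -> List[Rule]:
    """Toy matcher on protocol and destination port; no payload inspection."""
    return [r for r in rules if r.proto == pkt.proto and r.dport in (None, pkt.dport)]

def verdict(rules: List[Rule], pkt: Packet,
            order: List[str] = DEFAULT_ORDER) -> Tuple[str, Optional[str]]:
    """Return (action, msg) of the matching rule whose type comes first in `order`.

    Under DEFAULT_ORDER a drop beats a pass on the same traffic; under
    O_FLAG_ORDER the pass wins and the packet is forwarded even though a
    drop rule also matched, so pass rules can exempt traffic from drops."""
    matched = matching_rules(rules, pkt)
    if not matched:
        return "pass", None  # nothing matched: the packet is forwarded
    rank = {action: i for i, action in enumerate(order)}
    best = min(matched, key=lambda r: rank.get(r.action, len(order)))
    return best.action, best.msg

# Constructed ruleset: a drop and a pass for web traffic plus a catch-all alert.
RULESET = [
    Rule("drop", "tcp", 80, "drop web"),
    Rule("pass", "tcp", 80, "whitelisted web"),
    Rule("alert", "tcp", None, "any tcp"),
]
```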

<P>

<H2><A NAME="SECTION00252000000000000000"></A><A NAME="Stream4Inline"></A>
<BR>
1.5.2 New STREAM4 Options for Use with Snort Inline
</H2>

<P>
When using <TT>snort_inline</TT>, you can use two additional stream4 options:

<P>

<UL>
<LI><TT>inline_state</TT> (no arguments)

<P>
This option causes Snort to drop TCP packets that are not associated with
    an existing TCP session and are not valid TCP initiators.

<P>
</LI>
<LI><TT>midstream_drop_alerts</TT> (no arguments)

<P>
By default, when running in inline mode, Snort will silently drop any
    packets that were picked up in midstream and would have caused an alert
    to be generated, if not for the 'flow: established' option.  This is to
    mitigate stick/snot-type attacks when the user hasn't enabled
    inline_state.  If you want to see the alerts that are silently
    dropped, enable this keyword.  Note that by enabling this keyword,
    you have opened yourself up to stick/snot-type attacks.

<P>
</LI>
</UL>

<P>
For more information about Stream4, see Section <A HREF="node11.html#stream_4_section"><IMG  ALIGN="BOTTOM" BORDER="1" ALT="[*]" SRC="crossref.png"></A>.

<P>

<H2><A NAME="SECTION00253000000000000000"></A><A NAME="ReplaceInline"></A>
<BR>
1.5.3 Replacing Packets with Snort Inline
</H2>

<P>
Additionally, Jed Haile's content replace code allows you to modify packets
before they leave the network.  For example:

<P>
<PRE>
alert tcp any any &lt;&gt; any 80 (msg: "tcp replace"; content:"GET"; replace:"BET";)
alert udp any any &lt;&gt; any 53 (msg: "udp replace"; \
    content: "yahoo"; replace: "xxxxx";)
</PRE>

<P>
These rules will comb tcp port 80 traffic looking for GET, and udp port 53
traffic looking for yahoo.  Once they are found, they are replaced with BET and
xxxxx, respectively.  The only catch is that the replace must be the same
length as the content.
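<P>
A small checker for the same-length constraint, as an added example that is not Snort's own rule parser: it joins backslash-continued rule lines, pulls the quoted <TT>content</TT> and <TT>replace</TT> options out of each rule, rejects a rule whose replace string differs in byte length from its content, and applies a valid replacement to a constructed payload to show the payload length is unchanged. The input is the manual's two rules plus one deliberately broken rule; the parser assumes plain quoted strings (no |hex| content).

```python
"""Validate snort_inline replace rules (added example, not Snort's own parser)."""
import re
from typing import Dict, List, Tuple
# Constructed input: the manual's two replace rules plus one deliberately broken
# rule whose replace string is longer than its content string.
SAMPLE_RULES = r'''
alert tcp any any <> any 80 (msg: "tcp replace"; content:"GET"; replace:"BET";)
alert udp any any <> any 53 (msg: "udp replace"; \
    content: "yahoo"; replace: "xxxxx";)
alert tcp any any <> any 80 (msg: "bad replace"; content:"GET"; replace:"HEAD";)
'''
# name : "value" option pairs; plain quoted strings only (|hex| content not handled).
OPTION_RE = re.compile(r'(\w+)\s*:\s*"((?:[^"\\]|\\.)*)"')

def join_continuations(text: str) -> List[str]:
    """Join backslash-continued lines into one rule per entry, dropping blanks."""
    rules, buf = [], ""
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        rules.append(buf + line)
        buf = ""
    return rules

def parse_rule(rule: str) -> Tuple[str, Dict[str, str]]:
    """Split a rule into its header and a dict of its quoted options."""
    header, _, body = rule.partition("(")
    return header.strip(), dict(OPTION_RE.findall(body))

def check_replace_rule(rule: str) -> Tuple[bool, str]:
    """Enforce the manual's constraint: replace must be as long as content (in bytes)."""
    _, opts = parse_rule(rule)
    if "replace" not in opts:
        return True, "no replace option"
    content, repl = opts["content"].encode(), opts["replace"].encode()
    if len(content) != len(repl):
        return False, f"replace is {len(repl)} bytes but content is {len(content)} bytes"
    return True, "ok"

def apply_replace(payload: bytes, rule: str) -> bytes:
    """Rewrite the first match in a payload; a valid rule never changes its length."""
    ok, reason = check_replace_rule(rule)
    if not ok:
        raise ValueError(reason)
    _, opts = parse_rule(rule)
    return payload.replace(opts["content"].encode(), opts["replace"].encode(), 1)
```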

<P>

<H2><A NAME="SECTION00254000000000000000"></A><A NAME="InlineInstall"></A>
<BR>
1.5.4 Installing Snort Inline
</H2>
To install Snort inline, use the following command:
<PRE>
./configure --enable-inline
make
make install
</PRE> 

<P>

<H2><A NAME="SECTION00255000000000000000">
1.5.5 Running Snort Inline</A>
</H2>

<P>
First, you need to ensure that the ip_queue module is loaded.  Then,
you need to send traffic to snort_inline using the QUEUE target.  For
example,
<PRE>
iptables -A OUTPUT -p tcp --dport 80 -j QUEUE
</PRE>
sends all TCP traffic leaving the firewall going to port 80 to the QUEUE
target.  This is what sends the packet from kernel space to user space 
(<TT>snort_inline</TT>).  A quick way to get all outbound traffic going to the
QUEUE is to use the rc.firewall script created and maintained by the
Honeynet Project (http://www.honeynet.org/papers/honeynet/tools/).
This script is well-documented and allows you to direct packets
to <TT>snort_inline</TT> by simply changing the QUEUE variable to yes.

<P>
Finally, start snort_inline.

<P>
<PRE>
snort_inline -QDc ../etc/drop.conf -l /var/log/snort
</PRE>

<P>
You can use the following command line options:

<UL>
<LI><TT>-Q</TT> - Gets packets from iptables.
</LI>
<LI><TT>-D</TT> - Runs <TT>snort_inline</TT> in daemon mode.  The process ID is stored
                    at /var/run/snort_inline.pid
</LI>
<LI><TT>-c</TT> - Reads the following configuration file.
</LI>
<LI><TT>-l</TT> - Logs to the following directory.

<P>
</LI>
</UL>

<P>
Ideally, snort_inline will be run using only its own drop.rules.  If
you want to use Snort for just alerting, a separate process should be
running with its own ruleset.

<P>

<H2><A NAME="SECTION00256000000000000000">
1.5.6 Using the Honeynet Snort Inline Toolkit</A>
</H2>

<P>
The Honeynet Snort Inline Toolkit is a statically compiled <TT>snort_inline</TT> 
binary put together by the
Honeynet Project for the Linux operating system.  It comes with a set
of drop.rules, the <TT>snort_inline</TT> binary, a snort-inline rotation shell
script, and a good README.  It can be found at:

<P>
http://www.honeynet.org/papers/honeynet/tools/

<P>

<H2><A NAME="SECTION00257000000000000000">
1.5.7 Troubleshooting Snort Inline</A>
</H2>

<P>
If you run snort_inline and see something like this:
<PRE>
Initializing Output Plugins!
Reading from iptables
Log directory = /var/log/snort
Initializing Inline mode
InlineInit: : Failed to send netlink message: Connection refused
</PRE>
More than likely, the ip_queue module is not loaded or ip_queue 
support is not compiled into your kernel.  Either recompile
your kernel to support ip_queue, or load the module.

<P>
The ip_queue module is loaded by executing:
<PRE>
insmod ip_queue
</PRE>
Also, if you want to ensure snort_inline is getting packets, you can 
start it in the following manner:
<PRE>
snort_inline -Qvc &lt;configuration file&gt;
</PRE>
This will display the header of every packet that snort_inline sees. 

<P>
<HR>

</BODY>
</HTML>