snort_inline
Link http://snort-inline.sourceforge.net/oldhome.html
What is snort_inline?
snort_inline is a modified version of Snort that accepts packets from iptables (via libipq on Linux) or IPFW (via divert sockets on FreeBSD) instead of reading them with libpcap. It adds new rule types (drop, sdrop, reject) that tell iptables/IPFW what to do with each packet according to the Snort rule set: drop discards the packet and logs it, sdrop discards it silently, and reject discards it and sends a TCP reset or ICMP unreachable back to the sender; packets can also be modified in place or allowed to pass. Think of it as an Intrusion Prevention System (IPS) that uses existing Intrusion Detection System (IDS) signatures to decide the fate of packets that traverse snort_inline.
Contact Info
The code is currently maintained by William Metcalf and Victor Julien. Major contributions have also come from Dave Remien and Nick Rogness. Bugs and enhancements are discussed on the monitored snort_inline mailing list. You must subscribe before you can send or receive messages; this requirement was introduced to reduce spam. Follow the directions on the list's subscription page to become a member.
Downloads
snort_inline comes in three forms: source code, statically compiled binary, and patch.
https://sourceforge.net/projects/snort-inline/files/
FAQ
- I am having problems compiling snort_inline.
- I am having problems running snort_inline.
- Snort_inline is not dropping any packets.
- Which version of libnet do I need?
- I want to handle only selected traffic with snort_inline
Question: I am having problems compiling snort_inline. Here is a sample of the error messages I get during compilation:
-I../../src/detection-plugins -I../../src/preprocessors -I/usr/include
-g -O2 -Wall -DGIDS -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD
-DHAVE_NET_ETHERNET_H -DLIBNET_LIL_ENDIAN -c `test -f 'spo_alert_fast.c'
|| echo './'`spo_alert_fast.c
In file included from /usr/include/linux/netfilter_ipv4/ip_queue.h:10,
from /usr/include/libipq.h:37,
from ../../src/inline.h:8,
from ../../src/snort.h:38,
from spo_alert_fast.c:51:
/usr/include/linux/if.h:59: redefinition of `struct ifmap'
/usr/include/linux/if.h:77: redefinition of `struct ifreq'
/usr/include/linux/if.h:126: redefinition of `struct ifconf'
make[3]: *** [spo_alert_fast.o] Error 1
make[3]: Leaving directory
`/home/matt/src/BUILD/snort-2.0.5/src/output-plugins'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/matt/src/BUILD/snort-2.0.5/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/matt/src/BUILD/snort-2.0.5'
make: *** [all] Error 2
Answer: The kernel headers used by your glibc are out of date (on Red Hat systems they come from the glibc-kernheaders package): the errors above show the structures in linux/if.h being redefined when libipq.h pulls in the kernel's netfilter headers. A quick fix is to point /usr/include/linux at the include directory of a real kernel source tree instead. For example, with kernel version 2.4.24:
cd /usr/include
mv linux linux.orig
ln -s /usr/src/linux-2.4.24/include/linux linux
Then go back to your snort_inline directory, run make clean, and recompile. Keep linux.orig so the distribution headers can be restored later, since other packages on the system are built against them.
Question: I am having problems running snort_inline. When I start it, the output ends with:
Reading from iptables
Running in IDS mode
Log directory = /var/log/snort
Initializing Inline mode
InitInline: : Failed to send netlink message: Connection refused
Answer: This means that snort_inline cannot talk to iptables because the ip_queue module is not loaded. You can verify this with lsmod. If ip_queue is not listed, load it (insmod ip_queue, or modprobe ip_queue) and then start snort_inline again.
Question: snort_inline is not dropping any packets.
Answer: There are two things to check.
First, if you are running snort_inline on a bridge, the kernel must be compiled with the bridge/firewall patch. Without it the bridge never hands its packets to iptables, so nothing reaches snort_inline. The easiest way to test this is to start the bridge and set the default iptables policies to DROP: if packets still get through the bridge, download the bridge/firewall patch for your kernel, apply it, and recompile the kernel.
Second, verify the HOME_NET variable in snort_inline.conf to make sure you are monitoring the right network. snort_inline only acts on traffic destined to or originating from a monitored network; rules written against HOME_NET will never match traffic outside it.
Question: I want to handle only selected traffic with snort_inline.
Answer: snort_inline only sees packets that iptables sends to the QUEUE target, so queue just the traffic you want inspected and let the rest through with ordinary iptables rules. For example, the following FORWARD chain rules hand all SMTP traffic (both new and established) to snort_inline and accept all other established traffic:
1. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p tcp --dport 25 -j QUEUE
2. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
3. iptables -A FORWARD -p tcp --dport 25 -m state --state NEW -j QUEUE
What happens to other new connections is decided by the remaining rules in the chain and its default policy.
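As an added example, not code from the snort_inline project or from this page, the following POSIX shell script ties the FAQ answers together: it loads ip_queue when the module is missing, installs the selective SMTP QUEUE rules above, writes a constructed rule file showing the drop, sdrop, reject and replace verdicts, and starts snort_inline. The paths in CONF, RULES_FILE and LOGDIR are assumptions, the rules in write_rules are constructed for illustration, and snort_inline is assumed to be in PATH with -Q selecting iptables QUEUE input. With DRY_RUN=1 (the default) it only prints what it would do; run it as root with DRY_RUN=0 to apply the changes.

```shell
#!/bin/sh
# Added example (not snort_inline project code): glue the FAQ answers above
# into one setup script. Assumptions: a Linux host with the ip_queue module
# available, snort_inline in PATH, and the paths below.
# By default (DRY_RUN=1) every privileged command is only printed; run as
# root with DRY_RUN=0 to apply it.

DRY_RUN=${DRY_RUN:-1}
CONF=${CONF:-/etc/snort_inline/snort_inline.conf}             # assumed path
RULES_FILE=${RULES_FILE:-/etc/snort_inline/rules/local.rules} # assumed path
LOGDIR=${LOGDIR:-/var/log/snort_inline}                       # assumed path

# run: execute a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ensure_ip_queue: "InitInline: : Failed to send netlink message: Connection
# refused" means ip_queue is not loaded; load it when /proc/modules lacks it.
ensure_ip_queue() {
    if grep -q '^ip_queue ' /proc/modules 2>/dev/null; then
        return 0
    fi
    run modprobe ip_queue
}

# bridge_filter_check: the FAQ's test for the bridge/firewall patch. With the
# FORWARD policy set to DROP, a bridge that still passes traffic is not
# handing its packets to iptables, so snort_inline never sees them.
# Call this by hand once; it blocks all forwarded traffic until reset.
bridge_filter_check() {
    run iptables -P FORWARD DROP
    echo "Now send traffic across the bridge; if it still gets through," \
         "the kernel needs the bridge/firewall (ebtables) patch."
}

# queue_rules: hand only SMTP (new and established) to snort_inline and
# accept other established traffic. What happens to other NEW connections
# is left to the rest of the chain and its policy.
queue_rules() {
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p tcp --dport 25 -j QUEUE
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -p tcp --dport 25 -m state --state NEW -j QUEUE
}

# write_rules: constructed rules showing each snort_inline verdict on SMTP.
# drop logs and discards, sdrop discards silently, reject discards and sends
# a TCP RST (needs libnet); replace rewrites payload bytes of equal length.
write_rules() {
    cat <<'EOF'
# constructed example rules, not from the snort_inline project
drop tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP VRFY root"; flow:to_server,established; content:"VRFY root"; nocase; sid:1000001; rev:1;)
sdrop tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP EXPN probe"; flow:to_server,established; content:"EXPN"; nocase; sid:1000002; rev:1;)
reject tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP DEBUG command"; flow:to_server,established; content:"DEBUG"; nocase; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP HELP neutered"; flow:to_server,established; content:"HELP"; nocase; replace:"NOOP"; sid:1000004; rev:1;)
EOF
}

# start_snort_inline: -Q makes snort_inline read from the iptables QUEUE
# instead of libpcap; -D daemonises, -l sets the log directory.
start_snort_inline() {
    run snort_inline -Q -D -c "$CONF" -l "$LOGDIR"
}

main() {
    ensure_ip_queue
    queue_rules
    if [ "$DRY_RUN" = 1 ]; then
        write_rules
    else
        write_rules > "$RULES_FILE"
    fi
    start_snort_inline
}

main
```

Run it first with the default DRY_RUN=1 to review the exact iptables and snort_inline commands it will issue; bridge_filter_check is deliberately not called from main because it sets a DROP policy that must be cleared by hand once the test is done.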
Mailing List
The code is currently maintained by William Metcalf.
Links
Related information that may help with the deployment of snort_inline.
- Ebtables: The bridging firewall kernel patch may be required if you intend to use snort_inline on a bridge.
- Honeynet Project: Contains information regarding the deployment of snort_inline in a honeynet environment.
- iptables: This is how snort_inline receives packets.
- Libnet: This library allows snort_inline to reject packets; it builds the TCP resets and ICMP unreachables that reject rules send.
- libpcap: This is the packet capture library used by Snort, snort_inline, and many other network analyzers.
- Snort: The core of snort_inline.
- snort_inline: The SourceForge project page.
- snort_inline blog: The snort_inline blog page.