SNORT_INLINE - The Easy Tutorial - Run Snort_Inline

Snort_Inline Run
Last Change: Apr 26 2007



Netfilter & Snort_Inline

NetFilter is a Linux kernel module available since kernel version 2.4. It provides three main functionalities:

- Packet filtering - Accepts or drops packets
- NAT - Changes the source or destination IP address of network packets
- Packet Mangling - Modifies packets (like for Quality of Service, QoS)

Iptables is a tool needed to configure Netfilter; it must be launched as root.

Netfilter queues packets to Snort_Inline in the userspace with the help of the ip_queue kernel module and libipq.
Then, if a packet matches a Snort_Inline attack signature, it is tagged by libipq and comes back to Netfilter where it is dropped.

[Figure: Snort_Inline and Netfilter, packets queued from kernel space to user space]
There are two Snort_Inline modes:

Drop Mode
A packet is dropped if it matches an attack signature. In our tutorial, we will use this mode.
Three options are available in this mode:
- Drop: Drops a packet, sends a reset back to the host, logs the event.
- Sdrop: Drops a packet without sending a reset back to the host.
- Ignore: Drops a packet, sends a reset back to the host, does not log the event.

Replace Mode
A packet is modified if it matches an attack signature.



Load the ip_queue kernel module.

We need to load the ip_queue module and check if it has been done successfully:

#modprobe ip_queue
#lsmod | grep ip_queue
ip_queue 11424 0

To unload ip_queue: "modprobe -r ip_queue"

Configure iptables to test Snort_Inline

Now we have to perform some tests to see if everything is working.
First we need to configure NetFilter with the Iptables tool.
The Netfilter rule below sends all incoming traffic to the QUEUE target, where it is analysed against the Snort_Inline rules.

iptables -A INPUT -j QUEUE
Check your rules:

#iptables -L
Chain INPUT (policy ACCEPT)
target      prot       opt     source         destination
QUEUE     all         --      anywhere      anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


If you want to remove your iptables rules: "iptables -F"



Launch Snort_inline

#snort_inline -Q -v -c /etc/snort_inline/snort_inline.conf -l /var/log/snort_inline
-Q -> process the queued traffic
-v -> verbose
-l -> log path
-c -> config path

If you get the following message, the ip_queue module is not loaded and you need to load it:

Reading from iptables
Running in IDS mode
Initializing Inline mode
InitInline: : Failed to send netlink message: Connection refused



Log analysis:

Let's check that Snort_Inline is working fine. We propose here two ways to do it:

1. First Test

We can simulate an attack simply by accessing a web page located on the Snort_Inline machine from that same machine, because this traffic matches a Snort attack signature.
For example, you can open Firefox and enter http://localhost

Quick log

#tail -f /var/log/snort_inline/snort_inline-fast
03/07-12:39:27.127882 [**] [116:151:1] (snort decoder)
Bad Traffic Same Src/Dst IP [**] {TCP} 127.0.0.1:41050 -> 127.0.0.1:80

03/07-12:39:27.127882 [**] [116:150:1] (snort decoder)
Bad Traffic Loopback IP [**] {TCP} 127.0.0.1:41050 -> 127.0.0.1:80


Full Log

#tail -f /var/log/snort_inline/snort_inline-full
[**] [116:151:1] (snort decoder) Bad Traffic Same Src/Dst IP [**]
03/07-12:37:03.036694 127.0.0.1:53110 -> 127.0.0.1:80
TCP TTL:64 TOS:0x0 ID:16812 IpLen:20 DgmLen:60 DF
******S* Seq: 0x9B74D9F2 Ack: 0x0 Win: 0x7FFF TcpLen: 40
TCP Options (5) => MSS: 16396 SackOK TS: 115788 0 NOP WS: 2

[**] [116:150:1] (snort decoder) Bad Traffic Loopback IP [**]
03/07-12:37:03.036694 127.0.0.1:53110 -> 127.0.0.1:80
TCP TTL:64 TOS:0x0 ID:16812 IpLen:20 DgmLen:60 DF
******S* Seq: 0x9B74D9F2 Ack: 0x0 Win: 0x7FFF TcpLen: 40
TCP Options (5) => MSS: 16396 SackOK TS: 115788 0 NOP WS: 2

BASE output: (See the BASE tutorial)

[Screenshot: BASE output listing the Snort_Inline alerts "Bad Traffic Same Src/Dst IP" and "Bad Traffic Loopback IP"]
2. Second Test

We add a signature rule to drop any incoming web traffic:
Add the following rule in the /etc/snort_inline/rules/web-attacks.rules file.

#vi /etc/snort_inline/rules/web-attacks.rules
drop tcp any any -> any 80 (classtype:attempted-user; msg:"Snort_Inline is blocking the http link!";)
Quick log

#tail -f /var/log/snort_inline/snort_inline-fast
04/01-18:11:39.454787 [**] [1:0:0] Snort_Inline is blocking the http link!
[**] [Classification: Attempted User Privilege Gain] [Priority: 1]
{TCP} 192.168.1.3:1626 -> 192.168.1.101:80


Full Log

#tail -f /var/log/snort_inline/snort_inline-full
[**] [1:0:0] Snort_Inline is blocking the http link! [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
04/01-18:11:39.454787 192.168.1.3:1626 -> 192.168.1.101:80
TCP TTL:128 TOS:0x0 ID:47535 IpLen:20 DgmLen:48 DF
******S* Seq: 0x612540DD Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK


BASE output: (See the BASE tutorial)

[Screenshot: BASE output listing the Snort_Inline alert with Classification: Attempted User Privilege Gain]
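The two tests above only eyeball the logs with tail. When Snort_Inline runs for a while, the useful question is which signatures fire and from which sources. The script below is an added example, not part of the OpenManiak tutorial: it parses the "fast" alert format shown above into fixed fields and summarises it. It assumes one alert per line, which is how Snort writes the fast log (the tutorial wraps lines for display), and that alerts are TCP or UDP with ports. The sample alerts are constructed here, modelled on the ones in the tutorial.

```shell
#!/bin/sh
# Added example (not from the OpenManiak tutorial): parse snort_inline "fast" alert
# lines into fixed fields, then summarise by signature and by source address.
# Assumptions: one alert per line (Snort's real fast format), TCP/UDP alerts with ports.

# Constructed sample, modelled on the tutorial's alerts (not real captured data).
SAMPLE_ALERTS='03/07-12:39:27.127882 [**] [116:151:1] (snort decoder) Bad Traffic Same Src/Dst IP [**] {TCP} 127.0.0.1:41050 -> 127.0.0.1:80
03/07-12:39:27.127882 [**] [116:150:1] (snort decoder) Bad Traffic Loopback IP [**] {TCP} 127.0.0.1:41050 -> 127.0.0.1:80
04/01-18:11:39.454787 [**] [1:0:0] Snort_Inline is blocking the http link! [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.1.3:1626 -> 192.168.1.101:80
04/01-18:11:41.002113 [**] [1:0:0] Snort_Inline is blocking the http link! [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.1.3:1627 -> 192.168.1.101:80
04/01-18:12:02.118450 [**] [1:0:0] Snort_Inline is blocking the http link! [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.1.7:3312 -> 192.168.1.101:80'

# parse_fast_alerts: stdin = fast alert lines; stdout = one record per alert:
#   timestamp|gid:sid:rev|proto|src_ip|src_port|dst_ip|dst_port|message
# The optional "[Classification: ...] [Priority: n]" part is present only for
# rule-based alerts (gid 1); decoder alerts (gid 116) do not carry it.
parse_fast_alerts() {
  sed -n -E 's/^([^ ]+) \[\*\*\] \[([0-9]+:[0-9]+:[0-9]+)\] (.*) \[\*\*\] (\[Classification: [^]]*\] \[Priority: [0-9]+\] )?\{([A-Z]+)\} ([0-9.]+):([0-9]+) -> ([0-9.]+):([0-9]+)$/\1|\2|\5|\6|\7|\8|\9|\3/p'
}

# count_by_sid: stdin = parsed records; stdout = "count gid:sid:rev", most frequent first.
count_by_sid() {
  awk -F'|' '{ n[$2]++ } END { for (k in n) print n[k], k }' | sort -rn
}

# sources_for_sid: $1 = gid:sid:rev, stdin = parsed records;
# stdout = "count src_ip" for that signature, most frequent first.
sources_for_sid() {
  awk -F'|' -v sid="$1" '$2 == sid { n[$4]++ } END { for (k in n) print n[k], k }' | sort -rn
}

# Stand-alone run over the constructed sample. On the tutorial's machine you would
# feed the real file instead:  parse_fast_alerts < /var/log/snort_inline/snort_inline-fast
printf '%s\n' "$SAMPLE_ALERTS" | parse_fast_alerts | count_by_sid
printf '%s\n' "$SAMPLE_ALERTS" | parse_fast_alerts | sources_for_sid 1:0:0
```

The pipe-separated records are easy to feed into further awk or sort stages, for example to list every destination port hit by a given source, which is the kind of question BASE answers graphically.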


Startup scripts

Create a file called snort_inlined and add the script below to start Snort_Inline easily:

#vi /etc/init.d/snort_inlined
#!/bin/bash
#
# snort_inline

start() {
    # Start daemons.
    echo "Starting ip_queue module:"
    lsmod | grep ip_queue >/dev/null || /sbin/modprobe ip_queue

    echo "Starting iptables rules:"
    # iptables traffic sent to the QUEUE:
    # accept internal localhost connections
    iptables -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    iptables -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

    # send all the incoming, outgoing and forwarded traffic to the QUEUE
    iptables -A INPUT -j QUEUE
    iptables -A FORWARD -j QUEUE
    iptables -A OUTPUT -j QUEUE

    # Start Snort_inline
    echo "Starting snort_inline: "
    /usr/local/bin/snort_inline -c /etc/snort_inline/snort_inline.conf -Q -D -v \
        -l /var/log/snort_inline

    # -Q -> process the queued traffic
    # -D -> run as a daemon
    # -v -> verbose
    # -l -> log path
    # -c -> config path
}

stop() {
    # Stop daemons.
    # Stop Snort_Inline
    # echo "Shutting down snort_inline: "
    killall snort_inline
    # Remove all the iptables rules and
    # set the default Netfilter policies to accept
    echo "Removing iptables rules:"
    iptables -F

    # -F -> flush iptables
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT

    # -P -> default policy
}

restart() {
    stop
    start
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart}"
        exit 1
esac
exit 0
Start the snort_inlined script:

#/etc/init.d/snort_inlined start
Starting ip_queue module:
Starting iptables rules:
Starting snort_inline:
Reading from iptables
Initializing Inline mode


Check that Snort_inline is running:

#ps -ef | grep snort_inline
root 5743 1 0 19:53 ? 00:00:01 /usr/local/bin/snort_inline -c /etc/snort_inline/snort_inline.conf -Q -D -v -l /var/log/snort_inline

Check your Iptables rules:

#iptables -L
Chain INPUT (policy ACCEPT)
target      prot    opt    source       destination
ACCEPT    all      --     localhost    localhost
QUEUE     all      --     anywhere    anywhere

Chain FORWARD (policy ACCEPT)
target      prot    opt    source       destination
QUEUE     all      --     anywhere    anywhere

Chain OUTPUT (policy ACCEPT)
target      prot    opt    source       destination
ACCEPT    all      --     localhost    localhost
QUEUE     all      --     anywhere    anywhere


update-rc.d

update-rc.d is a tool to easily install or remove startup scripts.
We will use it to configure Debian or Ubuntu to start the snort_inlined script after each system boot.

#update-rc.d snort_inlined defaults 95
Be careful with update-rc.d; an incorrect usage of this command can prevent the system from booting.
If you no longer want to start the snort_inlined script at startup, use the following command: "update-rc.d -f snort_inlined remove"


