Category: LINUX

2008-05-15 18:46:06

Snort inline mode overview

 

sxg

 

2008-5-15

 

Preface

 

Today I reviewed the inline-related parts of the Snort source code, libipq, and the ip_queue module in netfilter, and got a general picture of Snort's inline mode. Here I would like to share it with you. Your comments would be appreciated.

 

 

What is inline mode of snort

 

As you may already know, Snort can be configured to run as an intrusion prevention system, the so-called "inline mode". In this mode Snort gets packets from the ip_queue module through a netlink socket (actually wrapped in libipq) instead of from libpcap. Inline-mode Snort can be thought of as an IPS that uses the existing IDS signatures to make decisions on the packets Snort receives. Based on the existing Snort rule set, it tells netfilter whether a packet should be dropped, rejected, modified, or allowed to pass.

       Notice: inline-mode Snort can only handle packets at the IP layer and above, because ip_queue hands it IP packets, not link-layer frames.

 

How inline mode works

 

The following figure shows an overview of Snort's inline-mode packet flow.

Netfilter adds the ability to process packets at the IP layer before they reach user space. In inline mode, Snort gets packets from ip_queue; those packets were previously redirected to ip_queue from the IP layer by iptables. If Snort finds something abnormal, it tells netfilter how to act on the packet.

 

There are 3 steps to make Snort work in inline mode:

1) recompile Snort with inline-mode support

       # ./configure --enable-inline && make && make install

2) use iptables to redirect IP-layer packets to ip_queue, for example:

       # iptables -A INPUT -j QUEUE

3) start Snort with the -Q option

       # snort -Qc /etc/snort/snort.conf

 

 

Code snippet for reference

 

SnortMain
       |-> IpqLoop
              |-> ipq_read
                     |-> recvfrom (netlink, ip_queue)
              |-> PcapProcessPacket
              |-> HandlePacket

 

/* Packet acquisition: in inline mode the decoder entry point is the
   iptables/ip_queue decoder instead of a libpcap link-layer decoder. */
grinder = DecodeIptablesPkt;

/* Command-line parsing: -Q switches Snort to reading from iptables. */
case 'Q':
    LogMessage("Reading from iptables\n");
    pv.inline_flag = 1;

/* Verdict flags: these routines only record the desired action in the
   global inline-verdict struct iv; HandlePacket applies it afterwards. */
int InlineDrop(Packet *p){
    iv.drop = 1;              /* packet will be dropped */
}

int InlineReject(Packet *p){
    iv.reject = 1;            /* drop, and additionally send an active reject (reset) */
    iv.drop = 1;
}

int InlineAccept(){
    iv.drop = 0;              /* clear a pending drop and let the packet pass */
}

int InlineReplace(){
    iv.replace = 1;           /* payload was modified; return the new data to netfilter */
}

 

The above 4 routines are called at various points in the preprocessors and in the detection engine; they only set flags, and the actual verdict is issued later by HandlePacket.

 

/* Called once for every packet read from ip_queue, after decoding and
   detection have run. ipqh (the libipq handle) and status are Snort globals. */
void HandlePacket(ipq_packet_msg_t *m){

    if (iv.drop)
    {
        /* Tell netfilter to discard the packet ... */
        status = ipq_set_verdict(ipqh, m->packet_id, NF_DROP, 0, NULL);
        if (iv.reject)
        {
            /* ... and actively reject it, either by building the reset
               at layer 2 or by sending it through a socket */
            if(pv.layer2_resets)
            {
                RejectLayer2(m);
            }
            else
            {
                RejectSocket();
            }
        }
    }
    else if (!iv.replace)
    {
        /* Unmodified packet: accept it without returning any data */
        status = ipq_set_verdict(ipqh, m->packet_id, NF_ACCEPT, 0, NULL);
    }
    else
    {
        /* Modified packet: accept it and hand the new payload back to netfilter */
        status = ipq_set_verdict(ipqh, m->packet_id, NF_ACCEPT,
                 m->data_len, m->payload);
    }
}

 

HandlePacket is the routine that makes the final decision on each packet: it tells netfilter which action to take. Note the branch order: the drop flag is tested before the replace flag, so a packet flagged both replace and drop is simply dropped, and the modified payload is only returned to netfilter together with an NF_ACCEPT verdict.
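To make the verdict table of HandlePacket testable without libipq, here is the same decision logic rewritten as a pure function. This is an added example, not Snort's code: the struct names inline_vars, queued_pkt and verdict, the helper functions, and the 20-byte sample packet are all constructed for illustration; only the NF_DROP/NF_ACCEPT values come from <linux/netfilter.h>.

```c
#include <stddef.h>

/* Netfilter verdict values as defined in <linux/netfilter.h>. */
#define NF_DROP   0
#define NF_ACCEPT 1

/* Constructed stand-ins for Snort's 'iv' flags and for the ipq_packet_msg_t
 * fields that HandlePacket reads; these are not Snort's own definitions. */
struct inline_vars { int drop; int reject; int replace; };
struct queued_pkt  { unsigned long packet_id; size_t data_len; unsigned char *payload; };
enum reject_how { REJECT_NONE = 0, REJECT_LAYER2 = 1, REJECT_SOCKET = 2 };

/* What would be passed to ipq_set_verdict(), plus which reset path would run. */
struct verdict {
    unsigned int nf_verdict;        /* NF_DROP or NF_ACCEPT */
    size_t data_len;                /* non-zero only when a modified payload goes back */
    const unsigned char *payload;
    enum reject_how reject;
};

/* Same branch order as HandlePacket: drop is tested before replace, so a
 * packet flagged both replace and drop is dropped and the edit never reaches
 * netfilter; only an NF_ACCEPT verdict carries the modified payload back. */
struct verdict decide(const struct inline_vars *iv, const struct queued_pkt *m,
                      int layer2_resets)
{
    struct verdict v = { NF_ACCEPT, 0, NULL, REJECT_NONE };
    if (iv->drop) {
        v.nf_verdict = NF_DROP;
        if (iv->reject)
            v.reject = layer2_resets ? REJECT_LAYER2 : REJECT_SOCKET;
    } else if (iv->replace) {
        v.data_len = m->data_len;
        v.payload  = m->payload;
    }
    return v;
}

/* Helpers that run one flag combination against a constructed sample packet. */
static struct verdict run_case(int drop, int reject, int replace, int layer2)
{
    static unsigned char sample[20] = { 0x45, 0x00, 0x00, 0x14 };  /* constructed bytes */
    struct queued_pkt m = { 42, sizeof sample, sample };
    struct inline_vars iv = { drop, reject, replace };
    return decide(&iv, &m, layer2);
}
unsigned int verdict_of(int d, int r, int p, int l2) { return run_case(d, r, p, l2).nf_verdict; }
size_t replaced_len_of(int d, int r, int p, int l2) { return run_case(d, r, p, l2).data_len; }
int reject_path_of(int d, int r, int p, int l2) { return run_case(d, r, p, l2).reject; }
```

The arguments to the helpers are (drop, reject, replace, layer2_resets), so verdict_of(1, 0, 1, 0) shows the drop-wins-over-replace case.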


chinaunix user, 2010-04-20 20:15:13

I would like to learn this too, thanks. My QQ is 403788085.

chinaunix user, 2009-05-21 19:31:51

Thanks very much, it's very useful for me... I appreciate your work!