Chinaunix首页 | 论坛 | 博客
  • 博客访问: 917320
  • 博文数量: 194
  • 博客积分: 7991
  • 博客等级: 少将
  • 技术积分: 2067
  • 用 户 组: 普通用户
  • 注册时间: 2007-12-09 22:03
文章分类

全部博文(194)

文章存档

2010年(8)

2009年(71)

2008年(109)

2007年(6)

我的朋友

分类: LINUX

2008-05-15 18:46:06

Snort inline mode overview

 

sxg

 

2008-5-15

 

Preface

 

Today I reviewed inline-associated part in snort source codes, libipq, and ip_queue module in netfilter, and had a general figure about snort’s inline mode. Here I would like to share it with you. Your comment would be appreciated.

 

 

What is inline mode of snort

 

As you may already know that snort can be configured to run as an intrusion prevention system, which is so called “inline mode”. During this mode, snort gets packets from ip_queue module through netlink socket (wrappered in libipq actually), instead of from libpcap. Inline mode snort can be thinked as an IPS that uses existing IDS signatures to make decisions on packets that snort receieves. It tells netfilter whether a packet should be droped, rejected, modified, or allowed to pass based on the existing snort rule set.

       Notice: inline mode snort can only handle packet at ip layer and above.

 

How inline mode works

 

The following figure shows you the overview of the snort’s inline mode flow.

Netfilter adds extra ability to ip layer to process the packets before they get into user space. In inline mode, snort gets packets from ip_queue, thoes packets are previously redirected to ip_queue from ip layer by iptables. If snort finds something abnormal, it will tell netfilter to behave accordingly.

 

There are 3 steps to make snort work in inline mode:

1) recompile snort to get inline mode support

       #./configure –enable-inline && make && make install

2) use iptables to redirect the ip layer packets to ip_queue, maybe like this,

       #iptables –A INPUT –j QUEUE

3) start snort with –Q option

       #snort –Qc /etc/snort/snort.conf

 

 

Code snippet for reference

 

SnortMain

       |à IpqLoop

              |à ipq_read

                     |à recvfrom (netlink, ip_queue)

              |à PcapProcessPacket

              |à HandlePacket

 

grinder = DecodeIptablesPkt;

 

case 'Q':

LogMessage("Reading from iptables\n");

pv.inline_flag = 1;

 

int InlineDrop(Packet *p){

    iv.drop = 1;

}

int InlineReject(Packet *p){

    iv.reject = 1;

    iv.drop = 1;

}

 

int InlineAccept(){

    iv.drop = 0;

}

 

int InlineReplace(){

    iv.replace = 1;

}

 

The above 4 routines are called occasionly in preprocessor and in detection engine.

 

void HandlePacket(ipq_packet_msg_t *m){

 

    if (iv.drop)

    {

        status = ipq_set_verdict(ipqh, m->packet_id, NF_DROP, 0, NULL);

        if (iv.reject)

        {

           if(pv.layer2_resets)

           {

                     RejectLayer2(m);

           }

           else

           {

                     RejectSocket();

           }

        }

    }

    else if (!iv.replace)

    {

        status = ipq_set_verdict(ipqh, m->packet_id, NF_ACCEPT, 0, NULL);

    }

    else

    {

        status = ipq_set_verdict(ipqh, m->packet_id, NF_ACCEPT,

                 m->data_len, m->payload);

    }

}

 

Here HandlePacket is the boss to make decisions on packets, it will tell netfilter which action should be taken to deal with some packets.

阅读(2668) | 评论(3) | 转发(0) |
给主人留下些什么吧!~~

chinaunix网友2010-04-20 20:15:13

我也想学习一下,谢谢哦,我的qq403788085

chinaunix网友2009-05-21 19:31:51

thanks very much,it's very useful for me...I appreciate of your work!