L83.en

Published on December 2016 | Categories: Documents | Downloads: 22 | Comments: 0 | Views: 252

IPS, Snort inline

IPS
Packet Acquisition
PCAP
AFPACKET
NFQ
IPS Action
replace
IPS pro/con

• Snort traditionally only raises alerts and logs traffic
• In IPS mode Snort is able to drop packets
• The network flow must go through Snort (Snort inline)
• ./snort -Q
• ./snort --daq-mode inline

Packet Acquisition


• DAQ: Data AcQuisition library
• The way Snort grabs the data packets
• Snort may use several DAQ methods
• --daq-mode <mode>
• <mode> = read-file | passive | inline
• --daq <type>
• <type> = pcap | afpacket | nfq

PCAP


• PCAP = Packet CAPture library
• API for capturing network packets
• *nix implementation: libpcap
• Windows: WinPcap
• Used by: tcpdump, Wireshark, Snort, nmap, Bro, Suricata
• pcap is the default snort DAQ
• ./snort --daq pcap --daq-mode passive

AFPACKET


• Can run Snort in inline mode using afpacket
• ./snort --daq afpacket -i eth0:eth1
• Must have two network interfaces configured as a bridge, eth0:eth1


NFQ, NetFilter Queue

• Snort runs in user mode (it is not a kernel module)
• Needs the nfqueue kernel module
• iptables sends traffic to Snort using the NFQUEUE target:
  iptables -A FORWARD -j NFQUEUE
• Sends all forwarded traffic to the NFQUEUE target
• Sends the packet from kernel space to user space (to Snort)
• Snort may then decide to drop a packet
• Returns the other packets to the kernel, but not to netfilter
• All packets are blocked if Snort is not running

NFQ


snort --daq nfq --daq-var queue=0 -Q \
-l /var/log/snort -c /usr/local/snort/etc/snort.conf

--daq nfq          Use NFQ, NetFilter Queue
--daq-var queue=0  Default NFQ queue number
-Q                 Inline mode
iptables -A INPUT -p tcp --dport 80 -j NFQUEUE --queue-num 2

Snort IPS action


• drop: Tell iptables to drop the packet and log it via usual Snort means
• reject: Tell iptables to drop the packet, log it via usual Snort means, and send a TCP reset if the protocol is TCP or an ICMP port unreachable if the protocol is UDP
• sdrop: The sdrop rule type will tell iptables to drop the packet. Nothing is logged

replace


alert ip any any -> any 80 (msg:"replacing string passwd"; \
content:"passwd"; replace:".paswd"; sid:1000001;)
• The string matched by content: is replaced by the replace string
• Snort must run in inline mode
• The number of characters of the replacement string must be exactly the same as in the content string
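The equal-length requirement above is the usual reason a replace rule is rejected at load time. The following checker is an added example (not from these slides or from the Snort project): it parses the content: and replace: options of a rule and counts their on-the-wire length, treating |hex| sections as one byte per hex pair and backslash-escaped characters as one byte, so mismatches are caught before the rule is deployed inline.

```python
import re

# content:/replace: option with its quoted payload; an optional "!" negation is tolerated.
_OPTION_RE = re.compile(r'\b(content|replace)\s*:\s*!?\s*"((?:[^"\\]|\\.)*)"', re.DOTALL)


def payload_length(s: str) -> int:
    """Bytes a Snort content/replace payload occupies on the wire."""
    n = 0
    i = 0
    while i < len(s):
        c = s[i]
        if c == '|':
            # |de ad be ef| hex section: two hex digits per byte, whitespace ignored
            end = s.find('|', i + 1)
            if end < 0:
                raise ValueError('unterminated |hex| section in payload: %r' % s)
            n += len(re.sub(r'\s', '', s[i + 1:end])) // 2
            i = end + 1
        elif c == '\\':
            # escaped special character (\" \; \\ \|) is a single byte
            n += 1
            i += 2
        else:
            n += 1
            i += 1
    return n


def check_replace_rule(rule: str) -> list:
    """Return problems found; an empty list means every replace: matches its content: length."""
    problems = []
    last_content = None
    for kind, val in _OPTION_RE.findall(rule):
        if kind == 'content':
            last_content = val
        elif last_content is None:
            problems.append('replace: without a preceding content:')
        else:
            lc, lr = payload_length(last_content), payload_length(val)
            if lc != lr:
                problems.append('replace "%s" is %d bytes but content "%s" is %d bytes'
                                % (val, lr, last_content, lc))
    return problems


if __name__ == '__main__':
    # constructed sample rule (the slide's example with a terminating ";" before the paren)
    sample = ('alert ip any any -> any 80 (msg:"replacing string passwd"; '
              'content:"passwd"; replace:".paswd"; sid:1000001;)')
    print(check_replace_rule(sample) or 'ok: replace length matches content length')
```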


Intrusion Prevention Systems:
PRO
• Stops and avoids attacks (not just alerts)
CON
• A false positive may block a legitimate user/host
• An attacker may try to cause some form of denial of service attack
