• Snort traditionally only raises alerts and logs traffic
• In IPS mode Snort is able to drop packets
• The network flow must pass through Snort (Snort inline)
• ./snort -Q
• ./snort --daq-mode inline
• DAQ: Data AcQuisition library
• The way Snort grabs the data packets
• Snort may use several DAQ-methods
• --daq-mode <mode>
• <mode> = read-file | passive | inline
• --daq <type>
• <type> = pcap | afpacket |
• Snort runs in user space (it is not a kernel module)
• Needs the nfqueue kernel module
• iptables sends traffic to Snort using the NFQUEUE target
iptables -A FORWARD -j NFQUEUE
• Sends all forwarded traffic to the NFQUEUE target
• Sends the packet from kernel space to user space (to Snort)
• Snort may then decide to drop a packet
• Returns the other packets to the kernel; they do not re-enter the netfilter chain
• All packets are blocked if Snort is not running
• drop: Tell iptables to drop the packet and log it via the usual Snort means
• reject: Tell iptables to drop the packet, log it via the usual Snort means, and send a TCP reset if the protocol is TCP or an ICMP port unreachable if the protocol is UDP
• sdrop: The sdrop rule type will tell iptables to drop the packet.
alert ip any any -> any 80 (msg:"replacing string passwd"; \
content:"passwd"; replace:".paswd"; sid:1000001;)
• The string matched by content: is replaced by the replace-string
• Snort must run in inline mode
• The number of characters of the replacement string must be
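A small rule check for the replace keyword, added here as an example (not code from the notes or from the Snort project); it assumes Snort's documented requirement that the replace pattern be the same byte length as the content it follows, and counts |..| hex segments as bytes rather than characters:

```python
import re

# Constructed sample rules (not from any rules distribution): the first is
# the rule from the notes above, the second deliberately has a replace
# pattern of a different length so the check has something to flag.
RULES = [
    'alert ip any any -> any 80 (msg:"replacing string passwd"; '
    'content:"passwd"; replace:".paswd"; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"bad replace"; '
    'content:"|47 45|T /admin"; replace:"GET /nope"; sid:1000002;)',
]

# key:"value" options; the value may contain backslash-escaped characters.
OPTION_RE = re.compile(r'(\w+)\s*:\s*"((?:[^"\\]|\\.)*)"')

def pattern_length(pat: str) -> int:
    """Byte length of a Snort content/replace pattern.
    Text between |...| is hex (two digits per byte, spaces ignored);
    a backslash escape such as \\" or \\; counts as one byte."""
    total = 0
    for i, part in enumerate(pat.split("|")):
        if i % 2 == 1:                      # inside |...|: hex bytes
            total += len(part.replace(" ", "")) // 2
        else:                               # literal text, unescape first
            total += len(re.sub(r"\\(.)", r"\1", part))
    return total

def check_replace(rule: str) -> list:
    """Return a list of problems with the content/replace pairs in a rule.
    Each replace applies to the nearest preceding content option."""
    problems = []
    last_content = None
    for key, value in OPTION_RE.findall(rule):
        if key == "content":
            last_content = value
        elif key == "replace":
            if last_content is None:
                problems.append("replace without a preceding content")
                continue
            c, r = pattern_length(last_content), pattern_length(value)
            if c != r:
                problems.append(f"replace {value!r} is {r} bytes but "
                                f"content {last_content!r} is {c} bytes")
    return problems

if __name__ == "__main__":
    for rule in RULES:
        print(rule.split("(")[1].split(";")[0], check_replace(rule) or "ok")
```

Run it over a rules file before loading it inline; a mismatched pair is rejected by Snort at startup, so catching it here avoids a sensor that fails to start.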
Intrusion Prevention Systems:
PRO
• Stops and avoids attacks (not just alerts)
CON
• A false positive may block a legitimate user/host
• An attacker may try to cause some form of denial of service