8.4 The Snort Inline Patch
The Snort inline patch allows a Snort sensor to act as a gateway IDS (GIDS). It is similar in function (although much simpler) to SnortSAM; the difference is that the inline patch only allows the sensor itself to be the gateway. It is also limited in that it only supports iptables. It is not commonly used in more complex networks.
To act as a gateway, the Snort sensor has to be configured with two network interfaces—one on the internal network and the other on the external network. Traffic flows through the sensor. The sensor becomes the firewall for the internal network, a firewall based on iptables, which dynamically drops traffic when an attack is detected. This sounds very exciting, but I must remind you to be very careful when blocking traffic dynamically. You may cause more trouble than you are preventing. Only enable blocking for rules that are almost never going to generate false positives.
The Snort inline patch requires that iptables be enabled in the kernel. You'll also need libnet Version 1.0.x. The Snort inline patch is downloadable from http://snort-inline.sourceforge.net and is the full version of Snort, already patched and ready for compiling. Once the latest version is downloaded, it is configured, made, and installed with the following command line:
# ./configure --enable-inline
# make
# make install
8.4.1 Configuring Snort
Once the inline patch has been installed, configure Snort using the techniques we've discussed. It is important to carefully configure the network variables to ensure that Snort knows what it is protecting. You may want to limit the networks that are watched—only the servers on your DMZ, for instance.
There is no "exclude" or "white" list with the inline patch. You can perform the same function by careful configuration of the $EXTERNAL_NET variable. If you configure the variable to be the inverse of the addresses that you never want to block, you've for all practical purposes created a white list. Here's a (very simplified) example. If we want to make sure that no hosts in the 10.10.10.0/24 range are ever blocked, we can do this:
var EXTERNAL_NET !10.10.10.0/24
Next, configure the preprocessors appropriately. We still want to normalize traffic to increase Snort's ability to match the signatures within the rules. Output plug-ins can be used, just like in a normal Snort sensor.
Do not attempt to use the gateway sensor the same way you would use a standalone sensor. Excessive load on your gateway device can result in performance problems for the network. Only enable the services that you need in order for the gateway to act as a dynamic firewall.
8.4.2 Creating Rules for the Snort Inline Patch
The Snort inline patch adds two rule actions, drop and sdrop, and one rule option, replace. To use drop or sdrop, replace the alert action in the rule with one of these new actions. You also have the option of altering the packet as it passes through the gateway, making it harmless to the destination host. Here are the new rule actions:
When coupled with the iptables firewall rules, the Snort inline patch lends a great deal of additional functionality. As long as proper care is taken and details are attended to, Snort as a Gateway IDS (GIDS) has a great deal of promise for a large number of organizations.
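The sections above recommend converting alert rules to drop or sdrop only for signatures that almost never false-positive, and the replace option may not change the packet's length (the replacement must be as long as the content it overwrites). The following is an added example, not code from the book or from the snort_inline project: a small helper that rewrites the action on a chosen set of sids and lints replace options for length mismatches. The rules and sid values are constructed for illustration.

```python
import re

# Constructed sample rules (not from the book); the sids are placeholders.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB shell call"; content:"/bin/sh"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP login seen"; content:"USER"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB shell call, defanged"; content:"/bin/sh"; replace:"/ben/sh"; sid:1000003; rev:1;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
OPT_RE = re.compile(r"\b(content|replace):\s*\"([^\"]*)\"")
ACTION_RE = re.compile(r"^(\s*)alert\b")


def rule_sid(rule):
    """Return the rule's sid as an int, or None for comments and blank lines."""
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None


def content_len(pattern):
    """Byte length of a Snort content string; |xx yy| runs are hex bytes."""
    total = 0
    for i, chunk in enumerate(pattern.split("|")):
        total += len(chunk.split()) if i % 2 else len(chunk)
    return total


def lint_replace(rules_text):
    """List (sid, content, replace) triples where the replace option would
    change the packet length, which the inline patch does not allow."""
    problems = []
    for rule in rules_text.splitlines():
        last_content = None
        for kind, value in OPT_RE.findall(rule):
            if kind == "content":
                last_content = value  # replace applies to the preceding content
            elif last_content is not None and content_len(value) != content_len(last_content):
                problems.append((rule_sid(rule), last_content, value))
    return problems


def convert_to_drop(rules_text, block_sids, silent=False):
    """Rewrite 'alert' to 'drop' (or 'sdrop' when silent) only for the sids in
    block_sids; every other rule keeps alerting so the gateway stays conservative."""
    action = "sdrop" if silent else "drop"
    out = []
    for rule in rules_text.splitlines():
        if rule_sid(rule) in block_sids:
            rule = ACTION_RE.sub(r"\g<1>" + action, rule, count=1)
        out.append(rule)
    return "\n".join(out) + "\n"
```

Run lint_replace over a rule file before loading it on the gateway; a mismatched replace would otherwise be rejected or corrupt the packet.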