Hack 87 Prevent and Contain Intrusions with Snort_inline

figs/expert.gif figs/hack87.gif

Install Snort_inline on your firewall to contain intrusions, or to stop them as they're happening.

Wouldn't it be nice if your NIDS could not only detect intrusions, but also do something about them? It would be nice if it could actually stop the intrusion occurring on the host that was being attacked, but the next best thing would be to block the network traffic that's propagating the attack. One tool that can do this for you is Snort_inline (http://snort-inline.sf.net).

Snort_inline is a patch to Snort that modifies it to read data from the Linux kernel's Netfilter queue, which allows Snort to effectively integrate itself with the firewall. This allows it to not only detect intrusions, but to decide whether to drop packets or to forward them to another host (using Libnet). This of course requires that your kernel be compiled with IP queue support, either statically or as a module.

You can see if you have the module by running a command like this:

$ locate ip_queue.o




In this case, you can see that the module is available by looking at the last line of the output. If that doesn't exist, you can check to see whether the file /proc/net/ip_queue exists. If you can't find the module, but that file exists, then it means IP queue support is compiled into your kernel statically. If neither file exists, you'll need to enable it in your kernel and recompile.

In addition to requiring IP queue support, Snort_inline also needs libipq. This is a library that comes with Netfilter and is used by applications to communicate with Netfilter's queue. You can check to see if it's installed on your system by running this command:

$ locate libipq



If you don't see output similar to this, chances are that you don't have libipq installed. You can install it by downloading the iptables source from the Netfilter distribution site (http://www.netfilter.org). For instructions on compiling it, refer to [Hack #41] . After compilation is finished, run make install-dev, since libipq is not installed by default.

In addition to those libraries, you'll also need the Libnet packet injection library (http://www.packetfactory.net/projects/libnet/). To install Libnet, simply download the source distribution, unpack it, and then run ./configure && make install as root.

Now that all the prerequisites are out of the way, you can compile Snort_inline. First download and unpack the source distribution, and then change to the directory that it creates. Then run this command:

$ ./configure --enable-inline && make

You can also use any configure options that you'd normally use with Snort, since at it's heart Snort_inline is still Snort.

Don't be alarmed if your compile aborts with the following error:

gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I../.. -I../../src -I../../src/sfutil 

-I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins -I../../src/

preprocessors -I../../src/preprocessors/flow -I../../src/preprocessors/portscan  -I../../

src/preprocessors/flow/int-snort  -I../../src/preprocessors/HttpInspect/include  -I/usr/

include/pcre -I/usr/local/include  -g -O2 -Wall -DGIDS -D_BSD_SOURCE -D__BSD_SOURCE -D_  

_FAVOR_BSD -DHAVE_NET_ETHERNET_H -DLIBNET_LIL_ENDIAN -c `test -f 'spo_alert_fast.c' || 

echo './'`spo_alert_fast.c

In file included from /usr/include/linux/netfilter_ipv4/ip_queue.h:10,

                 from /usr/include/libipq.h:37,

                 from ../../src/inline.h:8,

                 from ../../src/snort.h:38,

                 from spo_alert_fast.c:51:

/usr/include/linux/if.h:59: redefinition of `struct ifmap'

/usr/include/linux/if.h:77: redefinition of `struct ifreq'

/usr/include/linux/if.h:126: redefinition of `struct ifconf'

make[3]: *** [spo_alert_fast.o] Error 1

make[3]: Leaving directory `/home/andrew/snort_inline-2.1.0/src/output-plugins'

make[2]: *** [all-recursive] Error 1

make[2]: Leaving directory `/home/andrew/snort_inline-2.1.0/src'

make[1]: *** [all-recursive] Error 1

make[1]: Leaving directory `/home/andrew/snort_inline-2.1.0'

make: *** [all] Error 2

This is caused by /usr/include/linux/netfilter_ipv4/ip_queue.h including /usr/include/linux/if.h instead of /usr/include/net/if.h (a problem that the author encountered while writing this). You can fix this by simply editing ip_queue.h and changing this line near the top of the file:

#include <linux/if.h>

to this:

#include <net/if.h>

You can then restart the compilation from where it left off by simply typing make, or, if you're paranoid, you can use this command to completely start over:

$ make clean && make

After compilation has finished, become root and type make install.

You can now configure Snort_inline just as you would configure Snort regularly. However, it's recommended that you run a separate instance of Snort if you want alerting and use Snort_inline solely for setting firewall rules.

In addition to modifying Snort to capture packets from Netfilter rather than libpcap, the Snort_inline patch also adds three new rule types, as well as a new rule option. The new rule types are drop , sdrop, and reject. The drop rule type will drop the packet that triggered the rule without notifying the sending host, much like the iptables DROP target, and will log that it has done so. The sdrop rule type is similar, except that packets are silently dropped with no log entry to tell you that it occurred. Using the reject rule type will block the offending packet, but will notify the sending host with either a TCP RST or an ICMP port unreachable message, depending on whether the packet that triggered the rule used the TCP or UDP protocols, respectively. The new rule option added by Snort_inline allows you to replace arbitrary content within a packet with whatever you choose. The only restriction is that the replacement byte stream must be the same length as the original. This is implemented with the replace rule option and is used in conjunction with the content rule option to select what is to be replaced.

To run Snort_inline, start it just as you would start Snort. Snort_inline does add a new command-line switch, though: -Q tells it to use IP queues rather than libpcap to gather packets. So, you'll need to use this option if you want to use it in inline mode.

The only thing left to do before actually running it in inline mode is to configure the kernel to send the packets to the IP queues. This is done with the iptables command:

# iptables -F 

# iptables -A INPUT -j QUEUE

# iptables -A OUTPUT -j QUEUE

# iptables -A FORWARD -j QUEUE

This will push all traffic going in, out, and through the machine into an IP queue from which Snort_inline will read its packets. You can then start snort_inline as you would Snort (just don't forget to use the -Q option):

# snort_inline -Qvc /etc/snort/snort_inline.conf

If you're administering the machine remotely, you'll probably want to start snort_inline before enabling the QUEUE targets, since it's snort_inline that will actually pass the packets back and forth. Otherwise, your remote logins will be dropped as soon as you put the iptables rules in place. If you're particularly paranoid, have your QUEUE target rules ignore packets coming from a certain IP address or range of addresses.