
8.4 The Snort Inline Patch

The Snort inline patch allows a Snort sensor to act as a gateway IDS (GIDS). It is similar in function (although much simpler) to SnortSAM; the difference is that the inline patch only allows the sensor itself to be the gateway. It is also limited in that it only supports iptables. It is not commonly used in more complex networks.

To act as a gateway, the Snort sensor has to be configured with two network interfaces—one on the internal network and the other on the external network. Traffic flows through the sensor. The sensor becomes the firewall for the internal network, a firewall based on iptables, which dynamically drops traffic when an attack is detected. This sounds very exciting, but I must remind you to be very careful when blocking traffic dynamically. You may cause more trouble than you are preventing. Only enable blocking for rules that are almost never going to generate false positives.

The Snort inline patch requires that iptables be enabled in the kernel. You'll also need libnet Version 1.0.x. The Snort inline patch is downloadable from http://snort-inline.sourceforge.net and is the full version of Snort, already patched and ready for compiling. Once the latest version is downloaded, it is configured, made, and installed with the following command line:

# ./configure --enable-inline
# make
# make install

8.4.1 Configuring Snort

Once the inline patch has been installed, configure Snort using the techniques we've discussed. It is important to carefully configure the network variables to ensure that Snort knows what it is protecting. You may want to limit the networks that are watched—only the servers on your DMZ, for instance.

There is no "exclude" or "white" list with the inline patch. You can perform the same function by careful configuration of the $EXTERNAL_NET variable. If you configure the variable to be the inverse of the addresses that you never want to block, you've for all practical purposes created a white list. Here's a (very simplified) example. If we want to make sure that no hosts in the 10.10.10.0/24 range are ever blocked, we can do this:

var EXTERNAL_NET !10.10.10.0/24

Next, configure the preprocessors appropriately. We still want to normalize traffic to increase Snort's ability to match the signatures within the rules. Output plug-ins can be used, just like in a normal Snort sensor.

Do not attempt to use the gateway sensor the same way you would use a standalone sensor. Excessive load on your gateway device can result in performance problems for the network. Only enable the services that you need in order for the gateway to act as a dynamic firewall.

8.4.2 Creating Rules for the Snort Inline Patch

The Snort inline patch adds two rule actions, drop and sdrop, and one rule option, replace. To use drop or sdrop, replace the alert action in the rule with one of these new actions. You also have the option of altering the packet as it passes through the gateway, making it harmless to the destination host. Here are the new rule actions:


drop

Generates an alert as usual but also drops the packet—it doesn't pass it on to the internal network at all. This rule generates an alert and drops the packet:

drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT gobbles SSH exploit attempt"; flow:to_server,established; content:"GOBBLES"; reference:bugtraq,5093; classtype:misc-attack; sid:1812; rev:2;)


sdrop

Configures Snort to drop packets matching the rule without triggering an alert. You can use this feature to configure Snort to block ICMP echo-request packets—ICMP probes are annoying and occur all the time. Simply blocking them without generating an alert is an adequate response. The following rule drops the packet without generating an alert:

sdrop udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL ping attempt"; content:"|02|"; offset:0; depth:1; reference:nessus,10674; classtype:misc-activity; sid:2049; rev:1;)


replace

Replaces the content of the packet (which matches the content field in the rule) with the contents of the replace field. The contents of the replace field should allow the meaning of the content to pass through without allowing the target to be affected adversely.

Snort signatures match strings within packets to decide whether to generate an alert, but the same string may also appear legitimately inside an email or another document being transferred on the network. To make sure that legitimate communication is not hindered while a real attack is, you can replace a potentially dangerous string with a more innocuous string that still gets the point across for legitimate uses. This is what the replace option is for. Here's an example:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP ~root attempt"; flow:to_server,established; content:"~root"; replace:"~ userroot"; nocase; )
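As an added example (not code from the book or from the snort_inline project), the following Python simulates how the de facto white list built from a negated $EXTERNAL_NET, together with the drop, sdrop and replace actions, decides a packet's fate. The rule set, the HOME_NET value and the packets are constructed, the parser handles only the rule fields used here, and it assumes snort_inline's requirement that a replace string be the same length as the content it replaces.

```python
"""Simulate the verdict a Snort inline sensor gives a packet.

Added example, not code from the book or from snort_inline. The rule set and
packets are constructed; only action, protocol, source/destination network,
destination port, content and replace are parsed (nocase, flow etc. ignored).
"""
import ipaddress
import re

# Constructed variables in the book's style. A leading '!' negates a network,
# which is how $EXTERNAL_NET becomes a de facto white list: 10.10.10.0/24 can
# never match a rule whose source is $EXTERNAL_NET, so it is never blocked.
VARS = {"EXTERNAL_NET": "!10.10.10.0/24", "HOME_NET": "192.168.1.0/24"}
RULES = [
    'drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GOBBLES SSH"; content:"GOBBLES";)',
    'sdrop udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL ping"; content:"|02|";)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP ~root"; content:"~root"; replace:"~user";)',
]

def net_matches(spec, ip):
    """Resolve a $VAR, honour a leading '!' negation, and test membership."""
    spec = VARS.get(spec[1:], spec) if spec.startswith("$") else spec
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"))
    return (ipaddress.ip_address(ip) in net) != negate

def parse_rule(text):
    head, opts = text.split(" (", 1)
    action, proto, src, _sport, _direction, dst, dport = head.split()
    fields = dict(re.findall(r'(\w+):"([^"]*)"', opts))
    content = fields["content"]
    if content.startswith("|") and content.endswith("|"):   # |02| hex notation
        content = bytes.fromhex(content.strip("|")).decode("latin-1")
    return dict(action=action, proto=proto, src=src, dst=dst, dport=int(dport),
                content=content, replace=fields.get("replace"))

def inline_verdict(pkt):
    """Return (verdict, alerted, payload) for a constructed packet dict.

    drop  -> blocked and an alert is logged; sdrop -> blocked silently;
    alert with replace -> forwarded with the matched bytes rewritten."""
    for rule in map(parse_rule, RULES):
        if (rule["proto"] == pkt["proto"] and rule["dport"] == pkt["dport"]
                and net_matches(rule["src"], pkt["src"])
                and net_matches(rule["dst"], pkt["dst"])
                and rule["content"] in pkt["payload"]):
            if rule["action"] == "drop":
                return "DROP", True, pkt["payload"]
            if rule["action"] == "sdrop":
                return "DROP", False, pkt["payload"]
            payload = pkt["payload"]
            if rule["replace"]:
                # snort_inline requires the replacement to match the content length,
                # so the packet size (and the TCP stream offsets) stay unchanged.
                assert len(rule["replace"]) == len(rule["content"])
                payload = payload.replace(rule["content"], rule["replace"])
            return "FORWARD", True, payload
    return "FORWARD", False, pkt["payload"]
```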

When coupled with the iptables firewall rules, the Snort inline patch lends a great deal of additional functionality. As long as proper care is taken and details are attended to, Snort as a Gateway IDS (GIDS) has a great deal of promise for a large number of organizations.
