In this article, I will show you how snort_inline works with FreeBSD using IPFW and divert sockets. To configure it, you must understand how ipfw works. This test shows how a packet flows through ipfw->divert->snort_inline. To follow along, you need snort_inline and ipfw on your FreeBSD box.
In the kernel, a received packet runs through the ipfw rules. When the packet matches a divert rule, it is sent to divert socket port 600 for processing (in this example, I chose port 600 as the divert port). snort_inline then receives the packet on divert port 600, checks it against its IDS rules and determines what to do with it:
- Rejected (the packet is dropped and a TCP reset is sent to the sender)
- Dropped (the packet is dropped and not reinserted into ipfw)
- Accepted (the packet is reinserted at the next ipfw rule number)
Note: the kernel does not keep track of whether snort_inline successfully received a packet. If nothing is listening on port 600 and you have an ipfw divert rule sending packets to port 600, those packets are dropped.
First, you must install snort_inline on your FreeBSD box; you should simply have to cd /usr/ports/security/snort_inline && make install clean. To set this up, the first thing you need to do is recompile your FreeBSD kernel and add the following options:
After recompiling your FreeBSD kernel, you need to add the following options to the /etc/rc.conf file. In this test, I'm using the 'open' firewall ruleset in /etc/rc.firewall.
To start it, you need to tell snort_inline to receive packets from divert port 600, using the following steps:
# cd /usr/local/etc/
# snort_inline -J 600 -c snort_inline.conf
and you should see snort_inline start successfully.
Look at my ipfw firewall ruleset, listed with this command:
You need to find the rule number at which to insert the ipfw divert rule. ipfw processes its ruleset linearly, in rule-number order, and once a rule matches, the packet is not checked against anything else. Here we can see that rule number 65000 allows 'ip from any to any', so we must insert the ipfw divert rule before 65000. If we inserted it after 65000, packets would never reach snort_inline.
So I add rule number 3000, diverting to port 600, with this command:
# ipfw add 3000 divert 600 ip from any to any
And then list the ruleset:
I'm using 7 Sphere PortScan 1.1 to scan and test my snort_inline. The results are here:
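To make the packet flow described above concrete (linear ipfw matching, the divert hand-off, the three snort_inline verdicts, the "nothing listening" case, and why the divert rule must come before rule 65000), here is a small POSIX shell simulation. It is an added example, not code from the article or from the ipfw or snort_inline projects: the rulesets, addresses and the verdict argument that stands in for snort_inline's decision are all constructed, and the matcher only understands the rule shapes used in the sample.

```sh
#!/bin/sh
# Simulation of ipfw's first-match rule walk with a divert rule (constructed example).

# Constructed ruleset in the shape of `ipfw list` output, with the divert rule at 3000,
# before the catch-all allow at 65000 (65535 is ipfw's implicit default deny).
GOOD_RULESET='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
03000 divert 600 ip from any to any
65000 allow ip from any to any
65535 deny ip from any to any'

# Same rules, but with the divert rule numbered after 65000: it can never be reached.
LATE_RULESET='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
65000 allow ip from any to any
65100 divert 600 ip from any to any
65535 deny ip from any to any'

# ip_in_net IP SPEC: true if SPEC is "any", exactly IP, or a /8, /16 or /24 network
# containing IP (the only prefix lengths the sample rules need).
ip_in_net() {
    case "$2" in
        any)  return 0 ;;
        */8)  [ "$(echo "$1" | cut -d. -f1)"   = "$(echo "${2%/8}"  | cut -d. -f1)" ] ;;
        */16) [ "$(echo "$1" | cut -d. -f1-2)" = "$(echo "${2%/16}" | cut -d. -f1-2)" ] ;;
        */24) [ "$(echo "$1" | cut -d. -f1-3)" = "$(echo "${2%/24}" | cut -d. -f1-3)" ] ;;
        *)    [ "$1" = "$2" ] ;;
    esac
}

# walk_ruleset RULESET PROTO SRC DST IFACE VERDICT
# Walks the rules in order and prints the packet's trace, one "action@rule" token per hop,
# e.g. "divert:600@03000 allow@65000". VERDICT stands in for snort_inline's decision on a
# diverted packet: accept (reinserted at the next rule), drop, reject, or none (nothing is
# listening on the divert port, so the kernel silently drops the packet).
walk_ruleset() {
    rules=$1; p_proto=$2; p_src=$3; p_dst=$4; p_if=$5; verdict=$6; trace=""
    while read -r num action rest; do
        [ -n "$num" ] || continue
        port=""
        if [ "$action" = divert ]; then
            port=${rest%% *}; rest=${rest#* }     # split off the divert port
        fi
        set -- $rest                               # proto from SRC to DST [via IFACE]
        r_proto=$1; r_src=$3; r_dst=$5; r_if=${7:-}
        [ "$r_proto" = ip ] || [ "$r_proto" = "$p_proto" ] || continue
        ip_in_net "$p_src" "$r_src" || continue
        ip_in_net "$p_dst" "$r_dst" || continue
        [ -z "$r_if" ] || [ "$r_if" = "$p_if" ] || continue
        case "$action" in
            allow|deny)
                echo "${trace}${action}@${num}"; return 0 ;;
            divert)
                case "$verdict" in
                    accept) trace="${trace}divert:${port}@${num} " ;;  # re-enters at next rule
                    drop)   echo "${trace}drop@${num}";   return 0 ;;
                    reject) echo "${trace}reject@${num}"; return 0 ;;
                    *)      echo "${trace}lost@${num}";   return 0 ;;
                esac ;;
        esac
    done <<EOF
$rules
EOF
    echo "${trace}nomatch"
}

# Walk one constructed packet through both rulesets with each verdict.
for v in accept drop reject none; do
    echo "divert at 3000, verdict $v: $(walk_ruleset "$GOOD_RULESET" tcp 192.0.2.10 198.51.100.5 em0 $v)"
done
echo "divert at 65100, verdict accept: $(walk_ruleset "$LATE_RULESET" tcp 192.0.2.10 198.51.100.5 em0 accept)"
```

With the divert rule at 3000, an accepted packet shows up as `divert:600@03000 allow@65000`: it was handed to port 600 and then re-entered the ruleset at the rule after 3000. With the divert rule at 65100, the same packet prints only `allow@65000`, which is exactly the failure the article warns about: rule 65000 matched first, so snort_inline never saw the packet.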
Result from tail -f /var/log/snort/snort_inline-fast
Result from tail -f /var/log/snort/snort_inline-full
I have actually read it some time ago; however, I tend to forget it because of a lack of practice with it.