Thursday, December 07, 2006

Snort Inline (Part 2)

In this article, I will show you how snort_inline working with FreeBSD using IPFW and divert sockets. To configure it, you must understand how ipfw work. In this testing, it shows how a packet flows through ipfw->divert->snort_inline. To do this, you must have snort_inline and ipfw in your FreeBSD.

In a kernel, when a packets received, it runs through ipfw rules. After that, when a rule matches on divert line, packet is sent to divert socket port 600 for processing (In this example, i choose port 600 as a divert port). And then snort_inline received packet on divert port 600. When received packet, snort_inline checks packet against IDS rules and determine what to do with it :
- Rejected (packet is dropped and a TCP reset is send to the sender)
- Dropped (packet is dropped and not inserted back into ipfw)
- Accepted (packet is reinserted at the next ipfw rule number)

Note: Kernel does not keep track of successfully received packet by snort_inline. If nothing is listening on port 600 and you have a ipfw divert rule sending packets to port 600, the packets are dropped.

Firstly, you must install snort_inline in your FreeBSD box and you should simply have to cd/usr/ports/security/snort_inline && make install clean. To setup this, the first thing you need to recompile your FreeBSD kernel and add the following options:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT


After recompile your FreeBSD kernel, you need to add the following options in /etc/rc.conf file. In this testing, i'm using 'open' firewall ruleset in /etc/rc.firewall.
firewall_enable="YES"
firewall_type="open"
firewall_script="/etc/rc.firewall"
firewall_quite="NO"


To start it, you need to tell snort_inline to receive packets from divert port 600, using the following steps:
# cd /usr/local/etc/

# snort_inline -J 600 -c snort_inline.conf
and you will see snort_inline running successfully.



Look at my ipfw firewall ruleset using this command:
#ipfw list



You need to find a spot which rule number you want to insert the ipfw divert rule. We know that ipfw uses a linear ruleset processing order. Here we can see a rule number 65000 allows 'ip from any to any'. We must insert ipfw divert port before 65000. This is due to the fact that once a rule is matched, the packet does not get checked against anything else. If we insert it after 65000, packets will not reach snort_inline.
So, i add to rule number 3000 to divert port 600 using this command:
#ipfw add 3000 divert 600 ip from any to any

And then list the ruleset:
#ipfw list



I'm using 7 Sphere PortScan 1.1 to scan and test my snort_inline. The result is here:


Result from tail -f /var/log/snort/snort_inline-fast


Result from tail -f /var/log/snort/snort_inline-full

Yes!! Successful!!
I have actually read it sometimes ago, however tend to forget because of lacking practice on it.

4 comments:

Richard Bejtlich said...

Hello,

Have you tried

(1) Running Snort 2.6.1.1 compiled to support inline (./configure --enable-ipfw --enable-divert --enable-inline && make && make install)

(2) Run that version of Snort in inline mode on a FreeBSD bridge

(3) Run snort_inline in inline mode on a FreeBSD bridge?

Johncrackernet said...

Not yet. Thanks Richard for your suggestion. I will try it later...

Anonymous said...

and with clamav??????
./configure --enable-clamav, etc, etc

NO WORKS... error in make compile.

Anonymous said...

I wish not acquiesce in on it. I think precise post. Especially the appellation attracted me to study the unscathed story.