Prevent and Contain Intrusions with Snort_inline
Install Snort_inline on your firewall to contain intrusions, or to stop them as they’re happening.
Wouldn’t it be
nice if your NIDS could not only detect intrusions, but also do
something about them? It would be nice if it could actually stop the
intrusion occurring on the host that was being attacked, but the next
best thing would be to block the network traffic
that’s propagating the attack. One tool that can do
this for you is
Snort_inline is a patch to Snort that modifies
it to read data from the Linux kernel’s
Netfilter queue, which allows
Snort to effectively integrate itself with the firewall. This allows
it to not only detect intrusions, but to decide whether to drop
packets or to forward them to another host (using Libnet). This of
course requires that your kernel be compiled with
IP queue support, either statically or
as a module.
You can see if you have the module by running a command like this:
locate ip_queue.o/usr/src/linux-2.4.20-8/net/ipv4/netfilter/ip_queue.o /usr/src/linux-2.4.20-8/net/ipv4/netfilter/.ip_queue.o.flags /lib/modules/2.4.20-8/kernel/net/ipv4/netfilter/ip_queue.o
In this case, you can see that the module is available by looking at
the last line of the output. If that doesn’t exist,
you can check to see whether the file
/proc/net/ip_queue exists. If you can’t find the module, but that file exists, then it means IP queue support is compiled into your kernel ...