Prevent and Contain Intrusions with Snort_inline

Install Snort_inline on your firewall to contain intrusions, or to stop them as they’re happening.

Wouldn’t it be nice if your NIDS could not only detect intrusions, but also do something about them? It would be nice if it could actually stop the intrusion occurring on the host that was being attacked, but the next best thing would be to block the network traffic that’s propagating the attack. One tool that can do this for you is Snort_inline (http://snort-inline.sf.net).

Snort_inline is a patch to Snort that modifies it to read data from the Linux kernel’s Netfilter queue, which allows Snort to effectively integrate itself with the firewall. This allows it to not only detect intrusions, but to decide whether to drop packets or to forward them to another host (using Libnet). This of course requires that your kernel be compiled with IP queue support, either statically or as a module.

You can see if you have the module by running a command like this:

$ locate ip_queue.o
/usr/src/linux-2.4.20-8/net/ipv4/netfilter/ip_queue.o
/usr/src/linux-2.4.20-8/net/ipv4/netfilter/.ip_queue.o.flags
/lib/modules/2.4.20-8/kernel/net/ipv4/netfilter/ip_queue.o

In this case, the last line of the output shows that the module is available. If no such module file exists, check whether the file /proc/net/ip_queue exists. If you can’t find the module but that file exists, IP queue support is compiled statically into your kernel ...
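The two-step check just described (look for the module file, then fall back to /proc/net/ip_queue) as a small POSIX shell function. This is an added example, not code from the book or from the Snort_inline project; it takes the modules directory and the proc file as arguments so it can be pointed at a test tree, and the ip_queue.ko name (used by 2.6-series kernels) is an addition beyond the 2.4 ip_queue.o shown above.

```shell
#!/bin/sh
# Added example: report how the running (or given) kernel provides IP queue
# support, which Snort_inline needs in order to read packets from Netfilter.
#
# Usage: ip_queue_support [MODULES_DIR] [PROC_FILE]
#   MODULES_DIR defaults to /lib/modules/$(uname -r)
#   PROC_FILE   defaults to /proc/net/ip_queue
# Prints one of: module   (loadable module file found)
#                builtin  (no module file, but /proc/net/ip_queue exists)
#                none     (neither found: rebuild the kernel with IP queue support)
ip_queue_support() {
    modules_dir="${1:-/lib/modules/$(uname -r)}"
    proc_file="${2:-/proc/net/ip_queue}"

    # Step 1: look for the module. 2.4 kernels name it ip_queue.o,
    # 2.6 kernels ip_queue.ko, so accept either.
    if [ -d "$modules_dir" ] &&
       find "$modules_dir" -type f \( -name ip_queue.o -o -name ip_queue.ko \) \
            2>/dev/null | grep -q .; then
        echo module
    # Step 2: no module file, but the proc entry exists, so support is static.
    elif [ -e "$proc_file" ]; then
        echo builtin
    else
        echo none
    fi
    return 0
}

# When run as a script, check the local system (or the paths given).
ip_queue_support "$@"
```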

Get Network Security Hacks now with the O’Reilly learning platform.
