Effective Packet Monitoring with Snort: Configuring IPS Mode for Intrusion Prevention

Snort is most often deployed as an Intrusion Detection System (IDS), but it can also be configured as an Intrusion Prevention System (IPS). In IPS mode it reads packets from a firewall packet queue through a data acquisition (DAQ) module, and rule actions such as drop and alert decide what happens to each packet. Once Snort is running, the firewall is configured to hand packets to that queue; as traffic passes through the firewall it is diverted to Snort for inspection, and when a rule with a drop action matches, Snort blocks the packet. For a real deployment an IPS should sit inline on the network path, which requires a bridge configured in transparent mode; Snort then monitors that bridge, and the firewall must support bridged traffic as well. What follows is a basic setup for running Snort in IPS mode on a single standalone machine, blocking packets that reach that machine and match specific rules. The configuration and testing steps are described below.

1. Preparing the Environment

1.1. System and Software Versions

Environment: Ubuntu 15.10 + Snort 2.9.8.0 + DAQ 2.0.4 (Note: Snort had already been installed in IDS mode on this machine, so Snort and DAQ were recompiled and reinstalled for IPS mode)

1.2. Dependency Libraries

To run Snort in IPS mode, the data acquisition library (DAQ) must first be built with support for NFQ mode. Install libnetfilter_queue, libnfnetlink and libmnl: download the corresponding source packages, then extract, compile and install them. They can also be installed with the package manager, but I used the source-based method. The development packages (headers) of these libraries must be installed as well, because compiling DAQ from source needs them. Then download, extract, compile and install the libdnet source package.

2. Installation Process

2.1. Data Acquisition (DAQ)

Configure DAQ with NFQ support by running:

liang@ubuntu:~/snort/daq$ sudo ./configure

The following output indicates that configuration succeeded and you can go on to compile and install. If the NFQ line does not say 'yes', re-check the installation of the dependency libraries.

Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes
Build netmap DAQ module...... : no

Compile and link DAQ with the following commands:

liang@ubuntu:~/snort/daq$ sudo make

Install DAQ with:

liang@ubuntu:~/snort/daq$ sudo make install

Check the features supported by Snort DAQ with the following command:

liang@ubuntu:~/snort_ips/libdnet-1.11$ snort --daq-list

If nfq is missing from the list, as in the output below, Snort itself must be recompiled so that it picks up the newly built DAQ (section 2.2):

Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv

2.2. Snort

Recompile and reinstall Snort with the following commands:

liang@ubuntu:~/snort/snort$ sudo make clean
liang@ubuntu:~/snort/snort$ sudo ./configure
liang@ubuntu:~/snort/snort$ sudo make
liang@ubuntu:~/snort/snort$ sudo make install

Check again which DAQ modules Snort supports:

liang@ubuntu:~/snort/snort$ sudo snort --daq-list

nfq is now listed, so IPS mode can be configured and tested:

Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv
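The check a practitioner would script before moving on: confirm that the nfq module is present in the `snort --daq-list` output and that it advertises the `inline` capability that `snort -Q` needs. This is an added example, not code from the article or from the Snort project; the function names are its own, and the sample listing is constructed from the module list shown above.

```python
"""Check `snort --daq-list` output for an inline-capable NFQ DAQ module.

Added example (not from the original article). It parses the module list
Snort prints and reports whether the nfq DAQ is present and has the
'inline' capability required for IPS mode (snort -Q).
"""
import re
import subprocess

# Constructed sample: the module list printed after Snort was recompiled
# (same content as the article's second listing).
SAMPLE_DAQ_LIST = """\
Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv
"""

# One module per line: name(vN): cap cap cap ...
MODULE_LINE = re.compile(r"^(?P<name>\w+)\(v(?P<ver>\d+)\):\s*(?P<caps>.*)$")


def parse_daq_list(text):
    """Return {module_name: {"version": int, "caps": set_of_capabilities}}."""
    modules = {}
    for line in text.splitlines():
        m = MODULE_LINE.match(line.strip())
        if m:
            modules[m.group("name")] = {
                "version": int(m.group("ver")),
                "caps": set(m.group("caps").split()),
            }
    return modules


def check_inline_module(text, module="nfq"):
    """Return (ok, reason); ok is True only if `module` is listed with 'inline'."""
    modules = parse_daq_list(text)
    if module not in modules:
        return False, f"{module} DAQ not built in: rebuild DAQ with NFQ support and recompile Snort"
    caps = modules[module]["caps"]
    if "inline" not in caps:
        return False, f"{module} DAQ lacks the 'inline' capability required by snort -Q"
    # No 'unpriv' means Snort cannot drop root privileges while using this DAQ.
    note = "" if "unpriv" in caps else " (no 'unpriv': Snort must keep root privileges with this DAQ)"
    return True, f"{module} v{modules[module]['version']} supports inline mode{note}"


def check_installed_snort(module="nfq"):
    """Run the real `snort --daq-list` and check it (needs Snort installed)."""
    out = subprocess.run(["snort", "--daq-list"], capture_output=True,
                         text=True, check=False).stdout
    return check_inline_module(out, module)


if __name__ == "__main__":
    ok, reason = check_inline_module(SAMPLE_DAQ_LIST)
    print("OK" if ok else "FAIL", "-", reason)
```

Run it as a script to check the constructed sample, or call `check_installed_snort()` on a host where Snort is installed. The nfq module on this page lists no `unpriv` capability, which is why the later start command runs Snort with sudo and no privilege drop.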

3. Designing Simple Rules

3.1. Adding Two Drop Rules

drop tcp any any -> 192.168.213.170 80 (msg:"Drop http:80";sid:26287)
drop icmp any any -> 192.168.213.170 any (msg:"Drop ping";sid:8886288)

3.2. Drop and Alert Coexisting

alert icmp any any -> 192.168.213.170 any (msg:"ICMP PING";sid:8886288)
drop tcp any any -> 192.168.213.170 80 (msg:"Drop http:80";sid:26287)

3.3. Drop Rules Only

drop tcp any any -> 192.168.213.170 80 (msg:"Drop http:80";sid:26287)
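Before loading rule sets like the three above into an inline sensor, it is worth linting them: a duplicate sid silently hides one rule, a missing rev shows up as rev 0 in the alert log (the `[1:26287:0]` seen later in the article), and a drop action only blocks when Snort runs with `-Q` on an inline DAQ. The following parser and linter is an added example written for this page, not code from the article or the Snort project; the rule strings are the ones from sections 3.1 and 3.2, and the function names are the example's own.

```python
"""Parse and lint the article's Snort rules before loading them into an IPS.

Added example (not from the original article). It parses the rule header
(action proto src sport dir dst dport) and the option block, then checks
for unknown actions, duplicate sids within a set, missing sid or rev, and
drop-type actions that only take effect in inline mode.
"""
import re
from collections import Counter

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# key[:value]; where value may be a double-quoted string (msg can contain ';')
OPT_RE = re.compile(r'\s*(?P<key>\w+)\s*(?::\s*(?P<val>"(?:[^"\\]|\\.)*"|[^;]*))?\s*(?:;|$)')
VALID_ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic"}
BLOCKING_ACTIONS = {"drop", "reject", "sdrop"}

# Rule sets copied from the article: 3.1 (two drop rules) and 3.2 (drop and alert).
RULES_3_1 = [
    'drop tcp any any -> 192.168.213.170 80 (msg:"Drop http:80";sid:26287)',
    'drop icmp any any -> 192.168.213.170 any (msg:"Drop ping";sid:8886288)',
]
RULES_3_2 = [
    'alert icmp any any -> 192.168.213.170 any (msg:"ICMP PING";sid:8886288)',
    'drop tcp any any -> 192.168.213.170 80 (msg:"Drop http:80";sid:26287)',
]


def parse_options(opts):
    """'msg:"x";sid:1' -> {'msg': 'x', 'sid': '1'}; keywords without a value map to None."""
    result = {}
    for m in OPT_RE.finditer(opts):
        val = m.group("val")
        if val is not None:
            val = val.strip()
            if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
                val = val[1:-1]
        result[m.group("key")] = val
    return result


def parse_rule(text):
    """Return a dict with the header fields plus 'options'; raise on malformed input."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text}")
    rule = m.groupdict()
    rule["options"] = parse_options(rule.pop("opts"))
    return rule


def lint_rules(rule_texts):
    """Return a list of findings for one rule set (an empty list means clean)."""
    rules = [parse_rule(r) for r in rule_texts]
    findings = []
    sid_counts = Counter(r["options"].get("sid") for r in rules)
    for sid, n in sorted(sid_counts.items(), key=str):
        if sid is not None and n > 1:
            findings.append(f"duplicate sid {sid}: used by {n} rules in this set")
    for r in rules:
        o = r["options"]
        tag = f"sid {o['sid']}" if "sid" in o else f"{r['action']} {r['proto']} rule"
        if r["action"] not in VALID_ACTIONS:
            findings.append(f"{tag}: unknown action '{r['action']}'")
        if "sid" not in o:
            findings.append(f"{tag}: missing sid")
        if "rev" not in o:
            findings.append(f"{tag}: no rev, Snort reports it as rev 0 "
                            f"(e.g. [1:{o.get('sid', '?')}:0] in the alert log)")
        if r["action"] in BLOCKING_ACTIONS:
            findings.append(f"{tag}: '{r['action']}' only blocks when Snort runs "
                            f"with -Q on an inline DAQ such as nfq")
    return findings


if __name__ == "__main__":
    for name, rules in (("3.1", RULES_3_1), ("3.2", RULES_3_2), ("3.1+3.2", RULES_3_1 + RULES_3_2)):
        print(f"rule set {name}:")
        for finding in lint_rules(rules) or ["clean"]:
            print("  ", finding)
```

Each set on its own is free of duplicates; combining 3.1 and 3.2 into one file, which is easy to do by accident when switching between the experiments, reuses sid 8886288 for both the drop and the alert ICMP rule, and the linter reports it.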

4. Snort and iptables Integration

4.1. Description

Start Snort first, then add the firewall rules. A shell script or a C program can watch for Snort to start and then add the rules. The firewall rule setup and its removal (recovery) can be written to files and applied with the iptables command. Snort uses a single queue here, but several firewall rules can feed the same queue.

4.2. Snort Startup

The following command starts Snort in inline mode, reading from NFQUEUE number 1:

sudo snort -Q --daq nfq --daq-var device=eth0 --daq-var queue=1 -c /etc/snort/etc/snort.conf

4.3. iptables Queue

The queue is added to the firewall with the following simple set of commands:

sudo /usr/sbin/iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
sudo /usr/sbin/iptables -I FORWARD -j NFQUEUE --queue-num 1
sudo /usr/sbin/iptables -t filter -I INPUT -j NFQUEUE --queue-num 1
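Section 4.1 describes a helper that waits for Snort to start, adds the queue rules, and can recover them afterwards; the three commands above are what such a helper applies. The script below is an added example written for this page, not code from the article or the Snort project. It checks `/proc/net/netfilter/nfnetlink_queue` (a kernel file listing each queue with the netlink port id of the process bound to it) until queue 1 has a reader, inserts the three rules, and deletes exactly those rules when it is stopped. The function names and the sample `/proc` line are the example's own assumptions.

```python
"""Insert the NFQUEUE rules only once Snort has bound the queue, and remove
them again on exit.

Added example (not from the original article). The three rules are the ones
from section 4.3; the /proc/net/netfilter/nfnetlink_queue format is the
kernel's (queue number first, peer netlink port id second).
"""
import signal
import subprocess
import sys
import time

IPTABLES = "/usr/sbin/iptables"
NFQ_PROC = "/proc/net/netfilter/nfnetlink_queue"

# (table, chain) pairs from the article, each jumping to the same NFQUEUE.
NFQ_RULES = [
    ("nat", "PREROUTING"),
    ("filter", "FORWARD"),
    ("filter", "INPUT"),
]

# Constructed sample of /proc/net/netfilter/nfnetlink_queue with a reader on queue 1
# (fields: queue peer_portid queue_total copy_mode copy_range dropped user_dropped id_seq 1).
SAMPLE_PROC_BOUND = "    1   3466     0 2 65531     0     0       42  1\n"


def iptables_argv(table, chain, queue, op="-I"):
    """Build one iptables command line; op is -I to insert or -D to delete."""
    return [IPTABLES, "-t", table, op, chain, "-j", "NFQUEUE", "--queue-num", str(queue)]


def queue_is_bound(proc_text, queue):
    """True if the queue appears in the /proc listing with a non-zero peer port id.
    A queue with no reader is simply absent from the file."""
    for line in proc_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == str(queue):
            return int(fields[1]) != 0
    return False


def wait_for_queue(queue, timeout=30.0, path=NFQ_PROC):
    """Poll the /proc file until a process (Snort) is bound to the queue."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with open(path) as fh:
                if queue_is_bound(fh.read(), queue):
                    return True
        except FileNotFoundError:
            pass  # nfnetlink_queue module not loaded yet
        time.sleep(0.5)
    return False


def apply_rules(queue, op):
    """Insert (-I) or delete (-D) all NFQ_RULES for the given queue; needs root."""
    for table, chain in NFQ_RULES:
        subprocess.run(iptables_argv(table, chain, queue, op), check=True)


def main(queue=1):
    if not wait_for_queue(queue):
        sys.exit(f"no process bound to NFQUEUE {queue}; start "
                 f"snort -Q --daq nfq --daq-var queue={queue} first")
    apply_rules(queue, "-I")
    print(f"NFQUEUE {queue} rules installed; Ctrl-C to remove them")
    signal.signal(signal.SIGTERM, lambda *_: sys.exit(0))
    try:
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        pass
    finally:
        apply_rules(queue, "-D")  # recovery: delete exactly the rules inserted above
        print("NFQUEUE rules removed")


if __name__ == "__main__":
    main(int(sys.argv[1]) if len(sys.argv) > 1 else 1)
```

Two caveats worth knowing when running this. By default the kernel drops packets sent to an NFQUEUE that no process is reading, so adding the rules before Snort is up, or leaving them in place after it exits, cuts the host off from the network; that is why the rules are added only after the queue is bound and removed on exit (iptables also offers `--queue-bypass` on the NFQUEUE target to accept packets instead when there is no reader, which trades fail-closed for fail-open). Also, the nat table is consulted only for the first packet of each connection, so the PREROUTING rule hands Snort only connection-opening packets; on this standalone host it is the filter INPUT rule that delivers every packet addressed to the machine, and FORWARD only matters when the host routes or bridges traffic.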

View the firewall filter table rules:

liang@ubuntu:~$ sudo iptables -nL

The following output appears:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
NFQUEUE    all  --  0.0.0.0/0            0.0.0.0/0            NFQUEUE num 1

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
NFQUEUE    all  --  0.0.0.0/0            0.0.0.0/0            NFQUEUE num 1

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

View the firewall NAT table rules:

liang@ubuntu:~$ sudo iptables -t nat -nL

The following appears:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
NFQUEUE    all  --  0.0.0.0/0            0.0.0.0/0            NFQUEUE num 1

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         


Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         


Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination 

5. Testing

5.1. Adding Two Drop Rules

Watch the alert output file on the local machine:

liang@ubuntu:~$ tail -f /var/log/snort/alert

When another machine tries to connect to port 80 on the local machine, the connection fails and the following entries are logged:

[**] [1:26287:0] "Drop http:80" [**]
[Priority: 0] 
03/28-18:15:37.362404 192.168.213.162:40640 -> 192.168.213.170:80
TCP TTL:64 TOS:0x0 ID:15682 IpLen:20 DgmLen:60 DF
S* Seq: 0x3DB5D5B  Ack: 0x0  Win: 0x7210  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 16408601 0 NOP WS: 7 

(...other entries...)

[**] [1:26287:0] "Drop http:80" [**]
[Priority: 0] 
03/28-18:15:38.333060 192.168.213.162:40650 -> 192.168.213.170:80
TCP TTL:64 TOS:0x0 ID:61398 IpLen:20 DgmLen:60 DF
S* Seq: 0x64518EDD  Ack: 0x0  Win: 0x7210  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 16408843 0 NOP WS: 7 

When another machine pings the local host, the ping fails and the following entries are logged:

[**] [1:8886288:0] "Drop ping" [**]
[Priority: 0] 
03/28-18:16:50.932352 192.168.213.162 -> 192.168.213.170
ICMP TTL:4 TOS:0x0 ID:36821 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:41134   Seq:1  ECHO

(...other entries...)

[**] [1:8886288:0] "Drop ping" [**]
[Priority: 0] 
03/28-18:16:56.941222 192.168.213.162 -> 192.168.213.170
ICMP TTL:4 TOS:0x0 ID:37771 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:41134   Seq:7  ECHO
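Following the alert file with `tail -f` is fine for a two-rule test; for anything longer a parser that turns these entries into records and counts drops per rule and per source is more useful. The following is an added example written for this page, not code from the article or from Snort; it handles exactly the entry layout shown above (the `[**] [gid:sid:rev] msg [**]` header, the Priority line, the timestamp line with `src -> dst`, and the protocol line), and the sample text is constructed from the entries quoted in this section.

```python
"""Parse Snort's full alert log and summarise alerts per rule and per source.

Added example (not from the original article). The sample below is built
from the entries quoted in section 5.1.
"""
import re
from collections import Counter, defaultdict

HEADER_RE = re.compile(r'^\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "?(?P<msg>.*?)"? \[\*\*\]\s*$')
PRIO_RE = re.compile(r"^\[Priority: (?P<prio>\d+)\]")
FLOW_RE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) -> (?P<dst>\S+)\s*$")

# Constructed sample: the four entries from the article's 5.1 test.
SAMPLE_ALERT_LOG = """\
[**] [1:26287:0] "Drop http:80" [**]
[Priority: 0] 
03/28-18:15:37.362404 192.168.213.162:40640 -> 192.168.213.170:80
TCP TTL:64 TOS:0x0 ID:15682 IpLen:20 DgmLen:60 DF
S* Seq: 0x3DB5D5B  Ack: 0x0  Win: 0x7210  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 16408601 0 NOP WS: 7 

[**] [1:26287:0] "Drop http:80" [**]
[Priority: 0] 
03/28-18:15:38.333060 192.168.213.162:40650 -> 192.168.213.170:80
TCP TTL:64 TOS:0x0 ID:61398 IpLen:20 DgmLen:60 DF
S* Seq: 0x64518EDD  Ack: 0x0  Win: 0x7210  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 16408843 0 NOP WS: 7 

[**] [1:8886288:0] "Drop ping" [**]
[Priority: 0] 
03/28-18:16:50.932352 192.168.213.162 -> 192.168.213.170
ICMP TTL:4 TOS:0x0 ID:36821 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:41134   Seq:1  ECHO

[**] [1:8886288:0] "Drop ping" [**]
[Priority: 0] 
03/28-18:16:56.941222 192.168.213.162 -> 192.168.213.170
ICMP TTL:4 TOS:0x0 ID:37771 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:41134   Seq:7  ECHO
"""


def split_endpoint(ep):
    """'192.168.213.162:40640' -> ('192.168.213.162', 40640); ICMP entries have no port."""
    host, sep, port = ep.rpartition(":")
    return (host, int(port)) if sep else (ep, None)


def parse_alerts(lines):
    """Yield one dict per alert entry from an iterable of log lines
    (a file object that is being appended to works as well)."""
    entry = None
    for raw in lines:
        line = raw.rstrip("\n")
        m = HEADER_RE.match(line)
        if m:
            if entry:
                yield entry
            entry = {"gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
                     "msg": m["msg"], "proto": None}
            continue
        if entry is None:
            continue  # text before the first header
        m = PRIO_RE.match(line)
        if m:
            entry["priority"] = int(m["prio"])
            continue
        m = FLOW_RE.match(line)
        if m:
            entry["ts"] = m["ts"]
            entry["src"], entry["sport"] = split_endpoint(m["src"])
            entry["dst"], entry["dport"] = split_endpoint(m["dst"])
            continue
        if entry["proto"] is None and "TTL:" in line:
            entry["proto"] = line.split()[0]  # "TCP TTL:64 ..." / "ICMP TTL:4 ..."
    if entry:
        yield entry


def summarise(entries):
    """Count alerts per (sid, msg) and collect the source hosts that triggered each."""
    counts = Counter()
    sources = defaultdict(set)
    for e in entries:
        key = (e["sid"], e["msg"])
        counts[key] += 1
        sources[key].add(e["src"])
    return {key: {"count": n, "sources": sorted(sources[key])} for key, n in counts.items()}


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ALERT_LOG.splitlines()
    for (sid, msg), info in summarise(parse_alerts(lines)).items():
        print(f"sid {sid} ({msg}): {info['count']} alerts from {', '.join(info['sources'])}")
```

Run it with no arguments to process the constructed sample, or pass `/var/log/snort/alert` as the first argument on the sensor. Because `parse_alerts` consumes any iterable of lines, it can also be fed from a file object that is being tailed.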

The Snort terminal output shows that 29 packets were blocked, confirming that the IPS mode configuration works:

Commencing packet processing (pid=3466)
Decoding Raw IP4
^C Caught Int-Signal
===============================================================================
Run time for packet processing was 261.437100 seconds
Snort processed 763 packets.
Snort ran for 0 days 0 hours 4 minutes 21 seconds
   Pkts/min:          190
   Pkts/sec:            2
===============================================================================
Memory usage summary:
  Total non-mmapped bytes (arena):       274706432
  Bytes in mapped regions (hblkhd):      21590016
  Total allocated space (uordblks):      102918272
  Total free space (fordblks):           171788160
  Topmost releasable block (keepcost):   59472
===============================================================================
Packet I/O Totals:
   Received:          763
   Analyzed:          763 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:           29
===============================================================================

5.2. Drop and Alert Coexisting

Because the ICMP rule is now an alert rule (alert icmp any any -> 192.168.213.170 any (msg:"ICMP PING";sid:8886288)), pings succeed but are logged as alerts; for ICMP Snort behaves as an IDS. Access to port 80 is still blocked and recorded in the alert log, and the Snort terminal still prints the blocked packet information.

5.3. Drop Rules Only

Pings succeed and nothing about them is logged. Access to port 80 is blocked exactly as before, which shows that the IPS mode configuration works: Snort carries out the block action exactly as the rules specify.