Snort is often used as an Intrusion Detection System (IDS), and it can be further configured as an Intrusion Prevention System (IPS). In IPS mode Snort uses a Data Acquisition (DAQ) module to read packets from the firewall's packet queue and handles them according to the Snort rule actions (drop, alert, etc.). After Snort starts, queue rules are added to the firewall; packets passing through the firewall are then handed to Snort for processing, and when a rule is triggered Snort responds immediately with the rule's action, blocking the packet if the action is drop. Ideally an intrusion prevention system sits inline in the network, which requires configuring a bridge: Snort listens on the bridge, so the firewall must support bridging, and the bridge can also be configured in transparent mode. Here we only try Snort's IPS mode on a single machine, blocking packets that trigger rules. The configuration and testing process follows.
1. Preparing the Environment
1.1. System and Software Versions
Environment: Ubuntu 15.10 + Snort 2.9.8.0 + DAQ 2.0.4 (Note: Snort had already been installed in IDS mode, so Snort and DAQ are recompiled and reinstalled here.)
1.2. Dependencies
To configure Snort in IPS mode, DAQ must first be built with nfq support, which requires libnetfilter_queue, libnfnetlink, and libmnl. Download the corresponding source packages, then extract, compile, and install them. Installing them from the package manager may also work, but I used the source method. Also install the development packages of these dependencies, because compiling DAQ from source needs their headers. Then download, extract, compile, and install the libdnet source package.
2. System Installation Process
2.1. Data Acquisition DAQ
Configure DAQ to support nfq mode; enter the following command line:
liang@ubuntu:~/snort/daq$ sudo ./configure
If the following is printed, the configuration succeeded and you can proceed to compile and install; otherwise recheck the dependency installation steps. The NFQ DAQ module line must show yes.
Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes
Build netmap DAQ module...... : no
Compile and link DAQ; enter the command line:
liang@ubuntu:~/snort/daq$ sudo make
Install DAQ:
liang@ubuntu:~/snort/daq$ sudo make install
List the DAQ modules that the installed Snort supports:
liang@ubuntu:~/snort_ips/libdnet-1.11$ snort --daq-list
It prints the following, showing that the installed Snort does not yet support nfq, so Snort itself must be recompiled against the new DAQ:
Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv
2.2. Intrusion Detection Snort
Enter the following command line to compile and install:
liang@ubuntu:~/snort/snort$ sudo make clean
liang@ubuntu:~/snort/snort$ sudo ./configure
liang@ubuntu:~/snort/snort$ sudo make
liang@ubuntu:~/snort/snort$ sudo make install
Again, list the DAQ modules Snort supports:
liang@ubuntu:~/snort/snort$ sudo snort --daq-list
NFQ mode is now supported, allowing the configuration and testing of IPS mode:
Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv
3. Simple Rule Design
3.1. Add Two Drop Rules
drop tcp any any -> 192.168.213.170 80 (msg: "Drop http:80";sid:26287)
drop icmp any any -> 192.168.213.170 any (msg: "Drop ping";sid:8886288)
3.2. Drop and Alert Together
alert icmp any any -> 192.168.213.170 any (msg: "ICMP PING";sid:8886288)
drop tcp any any -> 192.168.213.170 80 (msg: "Drop http:80";sid:26287)
3.3. Only Drop Rule Exists
drop tcp any any -> 192.168.213.170 80 (msg: "Drop http:80";sid:26287)
4. Snort and IPTables Interaction
4.1. Explanation
First start Snort, then add the firewall rules. A shell script or C program can watch for Snort to start successfully and then add the firewall rules; the commands that set and restore the firewall rules can be kept in a file and run with iptables. Snort can use only one queue, but several firewall rules can send traffic to that one queue.
4.2. Snort Startup
The Snort startup command is as follows:
sudo snort -Q --daq nfq --daq-var device=eth0 --daq-var queue=1 -c /etc/snort/etc/snort.conf
4.3. IPTables Queue
The firewall queue configuration process is as simple as follows:
sudo /usr/sbin/iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
sudo /usr/sbin/iptables -I FORWARD -j NFQUEUE --queue-num 1
sudo /usr/sbin/iptables -I INPUT -j NFQUEUE --queue-num 1
Check the firewall filter table rules:
liang@ubuntu:~$ sudo iptables -nL
Output as follows:
Chain INPUT (policy ACCEPT)
target prot opt source destination
NFQUEUE all -- 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 1
Chain FORWARD (policy ACCEPT)
target prot opt source destination
NFQUEUE all -- 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 1
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Check the firewall nat table rules:
liang@ubuntu:~$ sudo iptables -t nat -nL
Output as follows:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
NFQUEUE all -- 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 1
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
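The start-Snort-then-queue procedure of section 4, as an added example script (not from the original post or the Snort project). It assumes the page's interface eth0, queue 1 and snort.conf path, that snort and iptables are on the PATH, and that IPTABLES may be overridden for a dry run; the rules are removed again when Snort exits, so packets are not left queued to nothing.

```shell
#!/bin/sh
# Added example: run Snort inline on NFQUEUE, queue traffic only once Snort is
# ready, and restore the firewall when Snort exits. Interface, queue and config
# path are assumed to be the ones used on this page; override via environment.
QUEUE=${QUEUE:-1}
IFACE=${IFACE:-eth0}
SNORT_CONF=${SNORT_CONF:-/etc/snort/etc/snort.conf}
IPTABLES=${IPTABLES:-/usr/sbin/iptables}
SNORT_LOG=${SNORT_LOG:-/tmp/snort-nfq.log}

# The three rules from section 4.3 as "table chain" pairs (INPUT lives in filter).
nfq_rules() { printf '%s\n' "nat PREROUTING" "filter FORWARD" "filter INPUT"; }

# The startup arguments from section 4.2, built from the variables above.
snort_args() {
    printf '%s' "-Q --daq nfq --daq-var device=$IFACE --daq-var queue=$QUEUE -c $SNORT_CONF"
}
# Insert each NFQUEUE rule unless it already exists (-C), so restarts never stack duplicates.
nfq_add() {
    nfq_rules | while read -r table chain; do
        "$IPTABLES" -t "$table" -C "$chain" -j NFQUEUE --queue-num "$QUEUE" 2>/dev/null ||
            "$IPTABLES" -t "$table" -I "$chain" -j NFQUEUE --queue-num "$QUEUE"
    done
}
# Delete the same rules; with Snort gone, queued packets would otherwise stall.
nfq_del() {
    nfq_rules | while read -r table chain; do
        "$IPTABLES" -t "$table" -D "$chain" -j NFQUEUE --queue-num "$QUEUE" 2>/dev/null || true
    done
}
# Poll Snort's log for "Commencing packet processing" (the line shown in section 5)
# for up to $2 seconds; returns 1 on timeout so we never queue traffic to a dead Snort.
wait_for_snort() {
    log=$1; deadline=$2; waited=0
    while [ "$waited" -lt "$deadline" ]; do
        grep -q "Commencing packet processing" "$log" 2>/dev/null && return 0
        sleep 1; waited=$((waited + 1))
    done
    return 1
}
# Usage: run this script as root with the single argument "start".
if [ "${1:-}" = "start" ]; then
    snort $(snort_args) >"$SNORT_LOG" 2>&1 &
    SNORT_PID=$!
    trap 'nfq_del; kill "$SNORT_PID" 2>/dev/null' EXIT INT TERM
    wait_for_snort "$SNORT_LOG" 30 || { echo "snort did not start, see $SNORT_LOG" >&2; exit 1; }
    nfq_add
    wait "$SNORT_PID"
fi
```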
5. Testing
5.1. Add Two Drop Rules
Monitor the alert output file on this machine:
liang@ubuntu:~$ tail -f /var/log/snort/alert
When another machine accesses this machine's port 80, the monitored alert file shows the following and the access to port 80 fails:
[**] [1:26287:0] "Drop http:80" [**]
[Priority: 0]
03/28-18:15:37.362404 192.168.213.162:40640 -> 192.168.213.170:80
TCP TTL:64 TOS:0x0 ID:15682 IpLen:20 DgmLen:60 DF
******S* Seq: 0x3DB5D5B Ack: 0x0 Win: 0x7210 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 16408601 0 NOP WS: 7
[**] [1:26287:0] "Drop http:80" [**]
[Priority: 0]
03/28-18:15:37.595837 192.168.213.162:40642 -> 192.168.213.170:80
TCP TTL:64 TOS:0x0 ID:17709 IpLen:20 DgmLen:60 DF
******S* Seq: 0x8619257E Ack: 0x0 Win: 0x7210 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 16408659 0 NOP WS: 7
[**] [1:26287:0] "Drop http:80" [**]
[Priority: 0]
03/28-18:15:37.731718 192.168.213.162:40644 -> 192.168.213.170:80
TCP TTL:64 TOS:0x0 ID:6892 IpLen:20 DgmLen:60 DF
******S* Seq: 0xA1C7A99 Ack: 0x0 Win: 0x7210 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 16408693 0 NOP WS: 7
[**] [1:26287:0] "Drop http:80" [**]
[Priority: 0]
03/28-18:15:37.884915 192.168.213.162:40646 -> 192.168.213.170:80
TCP TTL:64 TOS:0x0 ID:42308 IpLen:20 DgmLen:60 DF
******S* Seq: 0x495EC5DF Ack: 0x0 Win: 0x7210 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 16408731 0 NOP WS: 7
[**] [1:26287:0] "Drop http:80" [**]
[Priority: 0]
03/28-18:15:38.082540 192.168.213.162:40648 -> 192.168.213.170:80
TCP TTL:64 TOS:0x0 ID:7605 IpLen:20 DgmLen:60 DF
******S* Seq: 0xEF657D78 Ack: 0x0 Win: 0x7210 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 16408781 0 NOP WS: 7
[**] [1:26287:0] "Drop http:80" [**]
[Priority: 0]
03/28-18:15:38.333060 192.168.213.162:40650 -> 192.168.213.170:80
TCP TTL:64 TOS:0x0 ID:61398 IpLen:20 DgmLen:60 DF
******S* Seq: 0x64518EDD Ack: 0x0 Win: 0x7210 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 16408843 0 NOP WS: 7
When another machine pings this machine, the following appears and the ping fails:
[**] [1:8886288:0] "Drop ping" [**]
[Priority: 0]
03/28-18:16:50.932352 192.168.213.162 -> 192.168.213.170
ICMP TTL:4 TOS:0x0 ID:36821 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:41134 Seq:1 ECHO
[**] [1:8886288:0] "Drop ping" [**]
[Priority: 0]
03/28-18:16:51.940781 192.168.213.162 -> 192.168.213.170
ICMP TTL:4 TOS:0x0 ID:36847 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:41134 Seq:2 ECHO
[**] [1:8886288:0] "Drop ping" [**]
[Priority: 0]
03/28-18:16:52.941954 192.168.213.162 -> 192.168.213.170
ICMP TTL:4 TOS:0x0 ID:37040 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:41134 Seq:3 ECHO
[**] [1:8886288:0] "Drop ping" [**]
[Priority: 0]
03/28-18:16:53.941261 192.168.213.162 -> 192.168.213.170
ICMP TTL:4 TOS:0x0 ID:37191 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:41134 Seq:4 ECHO
[**] [1:8886288:0] "Drop ping" [**]
[Priority: 0]
03/28-18:16:54.941031 192.168.213.162 -> 192.168.213.170
ICMP TTL:4 TOS:0x0 ID:37319 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:41134 Seq:5 ECHO
[**] [1:8886288:0] "Drop ping" [**]
[Priority: 0]
03/28-18:16:55.941207 192.168.213.162 -> 192.168.213.170
ICMP TTL:4 TOS:0x0 ID:37535 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:41134 Seq:6 ECHO
[**] [1:8886288:0] "Drop ping" [**]
[Priority: 0]
03/28-18:16:56.941222 192.168.213.162 -> 192.168.213.170
ICMP TTL:4 TOS:0x0 ID:37771 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:41134 Seq:7 ECHO
In Snort's terminal output you can see that 29 packets were blocked (the Injected count in the summary below). Combined with the alert output above, this confirms Snort is running in IPS mode:
Commencing packet processing (pid=3466)
Decoding Raw IP4
^C*** Caught Int-Signal
===============================================================================
Run time for packet processing was 261.437100 seconds
Snort processed 763 packets.
Snort ran for 0 days 0 hours 4 minutes 21 seconds
Pkts/min: 190
Pkts/sec: 2
===============================================================================
Memory usage summary:
Total non-mmapped bytes (arena): 274706432
Bytes in mapped regions (hblkhd): 21590016
Total allocated space (uordblks): 102918272
Total free space (fordblks): 171788160
Topmost releasable block (keepcost): 59472
===============================================================================
Packet I/O Totals:
Received: 763
Analyzed: 763 (100.000%)
Dropped: 0 ( 0.000%)
Filtered: 0 ( 0.000%)
Outstanding: 0 ( 0.000%)
Injected: 29
===============================================================================
5.2. Drop and Alert Together
Since the rule alert icmp any any -> 192.168.213.170 any (msg: "ICMP PING";sid:8886288) is configured, the ping completes but is recorded in the alert log, so for ICMP this behaves like plain intrusion detection. Access to port 80 is still blocked and recorded in the alert log, and at the same time Snort's terminal output reports the blocked packets.
5.3. Only Drop Rules Exist
In this case the ping completes and nothing is logged. Access to port 80 behaves exactly as described in 5.1, which proves that the Snort IPS configuration works and that blocking is carried out according to the Snort rule actions.