Running Snort in inline-test mode
-
Hello,
I am new to snort. I've read through the documentation and the great quick-setup guide.
Reading the snort manual, it mentions running in inline-test mode (section 1.9.5.1), which sounds great since I want to do some testing before doing an actual deployment affecting the current setup. Which steps do I need to take to run snort in test mode?
Regards
Senselesscow
-
Running Snort in "inline" mode is currently not possible on pfSense.
-
I am a little bit confused. Doesn't inline mean that it is able to block traffic? So that it is not just an IDS but an IPS?
If snort is running on an interface it runs in promiscuous mode, and all traffic which hits the interface will be analyzed and could be blocked.
-
Yes, but it analyses only a copy of the packet and therefore the block only comes when the next packet is going through. The 1st one always gets through.
If it ran inline then it's real-time monitoring… and it isn't yet.
-
Supermule is correct. Today Snort and Suricata both use the libpcap library to obtain copies of the packets as they traverse the monitored interface. Since it is a copy, the original packet has continued unaltered into the pf firewall. It may get blocked there by other rules, or it may pass through to the intended host.
Once Snort has seen enough of the traffic to make a "good/bad" call, then it will insert the offending IP addresses into the packet filter's table if it deems the traffic "bad" and blocking is enabled. If you have also configured Snort to kill states when it blocks (the recommended setting, by the way), then any state that may have been established while Snort was deciding what to do will be killed and the bad traffic totally blocked.
Which IP addresses go into the table is determined by the "which IP to block" setting. The value can be both, src or dst. Before the final IP decision is made, it is compared against the PASS LIST (or the default pass list values if one is not assigned). If the IP is in the pass list, then it will not be blocked.
A true inline IPS (intrusion prevention system) would intercept the packet stream, buffer the packets while making the "good/bad" decision, and only after coming to a decision would the traffic be allowed to continue through the firewall. If it is deemed "bad", then all the buffered packets would simply be discarded. Nothing ever leaks through with a true IPS. This mode is planned for pfSense once Netmap support is fully incorporated.
Bill
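To make the decision logic in the post above concrete, here is an added illustration (not the pfSense Snort package's own code) of how an alert's source/destination pair turns into pf table inserts: apply the "Which IP to Block" setting (both/src/dst), drop anything on the pass list, and emit the pfctl commands a block plus state-kill would correspond to. The alert line is constructed, the pass-list contents are sample values rather than pfSense's real defaults, and the table name `snort2c` is an assumption.

```python
"""Model of the Snort-on-pfSense block decision described in the thread.

This is an added example, not the pfSense package's code. It assumes:
  - alerts in Snort's "fast" format (sample line constructed below),
  - a pf table named snort2c holding blocked hosts,
  - a pass list given as CIDR strings.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Constructed sample pass list; pfSense's real default list differs.
DEFAULT_PASS_LIST = ["127.0.0.0/8", "192.168.1.1/32"]

# Constructed Snort "fast" alert line (sid and text are illustrative).
SAMPLE_ALERT = (
    "11/10-12:34:56.000000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check "
    "returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] "
    "{TCP} 203.0.113.5:80 -> 192.168.1.50:51234"
)

# Port is optional so ICMP alerts ({ICMP} a.b.c.d -> e.f.g.h) parse too.
_ALERT_RE = re.compile(
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)


def parse_alert(line: str) -> Tuple[str, str]:
    """Return (src_ip, dst_ip) from a fast-format alert line."""
    m = _ALERT_RE.search(line)
    if not m:
        raise ValueError("not a recognised fast alert line")
    return m.group("src"), m.group("dst")


def in_pass_list(ip: str, pass_list: Iterable[str]) -> bool:
    """True if ip falls inside any CIDR on the pass list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in pass_list)


def ips_to_block(src: str, dst: str, which: str,
                 pass_list: Iterable[str] = DEFAULT_PASS_LIST) -> List[str]:
    """Apply the 'Which IP to Block' setting, then the pass-list exemption.

    which is one of "both", "src", "dst". Pass-listed hosts are never blocked,
    matching the behaviour described in the thread.
    """
    pass_list = list(pass_list)
    candidates = {"src": [src], "dst": [dst], "both": [src, dst]}[which]
    return [ip for ip in candidates if not in_pass_list(ip, pass_list)]


def pfctl_commands(ips: Iterable[str], table: str = "snort2c",
                   kill_states: bool = True) -> List[str]:
    """Commands a block would run: table insert, then (optionally) state kills.

    'pfctl -k HOST' kills states originating from HOST; the two-argument form
    kills states from anywhere to HOST, so both directions are covered. This
    is the state-kill step that closes a connection the first packet opened.
    """
    cmds = []
    for ip in ips:
        cmds.append(f"pfctl -t {table} -T add {ip}")
        if kill_states:
            cmds.append(f"pfctl -k {ip}")
            cmds.append(f"pfctl -k 0.0.0.0/0 -k {ip}")
    return cmds


if __name__ == "__main__":
    src, dst = parse_alert(SAMPLE_ALERT)
    for setting in ("both", "src", "dst"):
        blocked = ips_to_block(src, dst, setting)
        print(f"which={setting}: block {blocked}")
        for cmd in pfctl_commands(blocked):
            print("   ", cmd)
```

Run it and compare the three settings: with "both", the LAN host in the alert gets blocked too unless it is on the pass list, which is exactly why the pass list matters before enabling blocking.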
-
Completed for Suricata, should see it in the next 2.1 Beta…
https://redmine.openinfosecfoundation.org/issues/336
The roadmap:
https://redmine.openinfosecfoundation.org/projects/suricata/roadmap
F.
-
Yes, but we also need support for Netmap in the pfSense kernel.
Bill
-
The following questions and answers actually helped tremendously in clarifying what it means to run inline and how I want to use snort.
I was initially trying to run snort in some kind of test mode where I could see which consequences or actions would be taken before actual deployment as an IPS, so would running snort as an IDS provide some clues in that aspect?
So far I've followed the quick setup guide but can't determine if I would only get alerts or if some traffic would be blocked by snort. I haven't checked block offenders.
Will try to clarify if needed.
Senselesscow
-
It depends on how you plan to deploy Snort… WAN or LAN scenario?
There is a difference.
-
First case WAN to get some experience but later preferably a setup as explained here: https://forum.pfsense.org/index.php/topic,62928.msg341417.html#msg341417
-
To run Snort in a "test mode" of sorts, simply uncheck the Block Offenders box on the INTERFACE SETTINGS tab for each Snort interface. The checkbox is within the Alert Settings section of the tab. With that box unchecked, Snort will alert and log the incident, but it will not insert any blocks into the firewall's packet filter engine for the IP addresses in the alert.
In the configuration described in the above paragraph, Snort is running as an IDS (Intrusion Detection System). It detects a problem, but only alerts you to its presence. When you check the Block Offenders checkbox and then restart Snort on the interface, it will insert blocks for the offending IP addresses (depending on the setting of the Which IP to Block drop-down) into the firewall's packet filter engine. When the Block Offenders box is checked Snort behaves closer to an IPS (Intrusion Prevention System) within the limits described earlier in the thread relative to using libpcap and working from copies of packets, etc.
For the majority of home networks, running Snort on the LAN only is probably the best solution. I run some rules on the WAN solely for the purpose of seeing some alerts from Snort as part of my testing. My firewall rules block pretty much all unsolicited inbound traffic anyway, so Snort on the WAN for me is not adding to security. It is just there to gather some log data really.
Bill