1. Snort – from IDS to IPS inline mode
Author: Simone Tino
Università degli Studi di Catania
Upgrading Snort IDS to inline mode for active control
03/12/2013
2. Snort capabilities
• Detection and Prevention modes
• Works on different network topologies
• Traffic replication required for detection only (e.g. port mirroring)
• Total transparency to the hosts
• Requires good CPU and RAM capabilities
• Open Source Software
• Customizable report formatting tools available (e.g. Barnyard2, MySQL, BASE, Placid)
• Requires well-tuned configuration rules: TN and FP
3. IDS vs IPS
IDS:
• Detection mode only
• Traffic replication required
• Decoupling detection and reaction
• IDS as a good assistant for network administration
• Usually used for testing rules
IPS:
• Active traffic control
• “Original” traffic required
• Detection and reaction support functionalities
• No administrator assistance needed
• Requires strict configuration
• Two network cards bridging required
4. Snort Intrusion Detection System
• Port Mirroring required
• Detection mode only
Used to verify rules consistency
5. Snort Intrusion Prevention System
• Needs original traffic
• Active traffic control
Requires strict rules configuration
6. Snort IPS Demo
• Host 1: eth0: 192.0.0.2/24
• Host 2: eth0: 10.0.0.2/24
• Snort IPS: 2 network cards, eth0: 192.0.0.3/24 and eth1: 10.0.0.3/24
Communication between 2 different subnets
Snort IPS provides active and transparent control
Total transparency to the hosts
Routing configuration required
8. Configuration steps
IDS works on a copy of the traffic. Commercial solutions are based on the port-mirroring feature of the switch.
IPS works on the “original” traffic, like a firewall. The typical installation is between 2 networks.
9. From IDS to IPS
The iptables configuration redirects packets to user space. Snort must already be running there to consume them: if no process is handling the queue, the redirected packets are lost.
10. In the end…
Snort IPS can work in multiple modes.
Snort inline with the NFQ module is the most flexible and adaptable IPS solution.
Using the NFQ module in DAQ, many queues can be created; a separate Snort instance handles each queue (and therefore a different Snort rule set), and traffic is redirected to the queues according to iptables rules.
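The two-NIC demo topology and the "one Snort instance per NFQ queue" design described on these slides, as an added example that is not the author's code: a POSIX shell script that generates (or, with the argument `apply`, runs as root) the forwarding, iptables NFQUEUE and Snort inline command lines. The interface names eth0/eth1, the queue numbers 1 and 2, the HTTP split and the rule-set paths /etc/snort/web.conf and /etc/snort/snort.conf are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the slides): build the command lines for a two-NIC
# Snort inline host (eth0 = 192.0.0.3/24, eth1 = 10.0.0.3/24) with one NFQUEUE
# per traffic class, each served by its own Snort instance and rule set.
# Interface names, queue numbers and config paths are assumed placeholders.
# Run with "apply" as root to execute; anything else just prints the plan.

OUTSIDE_IF=eth0   # towards Host 1 (192.0.0.2)
INSIDE_IF=eth1    # towards Host 2 (10.0.0.2)

# iptables rule sending forwarded traffic that matches an optional extra
# selector (e.g. "-p tcp --dport 80") to the given NFQUEUE number.
nfq_rule() {   # $1 in-iface  $2 out-iface  $3 queue  $4 extra match (optional)
    printf 'iptables -A FORWARD -i %s -o %s %s-j NFQUEUE --queue-num %s\n' \
        "$1" "$2" "${4:+$4 }" "$3"
}

# Snort command line for one queue: -Q selects inline mode, the NFQ DAQ reads
# packets from the queue and returns a verdict (drop rules only act with -Q).
snort_cmd() {  # $1 queue  $2 snort.conf holding this queue's rule set
    printf 'snort -Q --daq nfq --daq-var queue=%s -c %s -D\n' "$1" "$2"
}

# Full plan. Snort instances are started BEFORE the NFQUEUE rules are added:
# a queue with no user-space consumer drops every packet sent to it.
plan() {
    echo 'sysctl -w net.ipv4.ip_forward=1'
    snort_cmd 1 /etc/snort/web.conf      # queue 1: web rule set
    snort_cmd 2 /etc/snort/snort.conf    # queue 2: general rule set
    nfq_rule "$OUTSIDE_IF" "$INSIDE_IF" 1 '-p tcp --dport 80'
    nfq_rule "$INSIDE_IF" "$OUTSIDE_IF" 1 '-p tcp --sport 80'
    nfq_rule "$OUTSIDE_IF" "$INSIDE_IF" 2
    nfq_rule "$INSIDE_IF" "$OUTSIDE_IF" 2
}

if [ "${1:-}" = apply ]; then
    plan | while read -r cmd; do eval "$cmd"; done
else
    plan
fi
```

The hosts keep their own addressing and see nothing of the bridge-like host in the middle, matching the "transparent control" of slide 6, but the order of the generated commands is what avoids the packet loss warned about on slide 9.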