Intrusion Prevention and Active Response: Deploying Network and Host IPS

Snort Inline

Snort Inline (http://snort-inline.sourceforge.net) is a true IPS: it is deployed between network segments and can alter or drop packets in real time as they flow through the system. It runs on a Linux system and uses IPtables packet queuing to collect packets and make decisions about them as they traverse the system's interfaces. It can also be used in stealth mode as a bridge between network segments, so it is not detected as a hop in the network. One of its most interesting features is the ability to mitigate attacks by altering application-layer data as the packet traverses the system.

Snort Inline installation requires specific versions of several utilities and a kernel patch (see Chapter 5, Network Inline Data Modification, for more information). In a nutshell, installing Snort Inline requires a kernel recompile and the installation of bridge-utils and libipq (which the Netfilter project classifies as a development library). In addition, Snort Inline requires a 1.0.x version of libnet rather than a later version in the 1.1.x series, so you may need to install the older libnet if your Linux distribution shipped with a recent one. Once installed, several configuration steps must be completed, including configuring IPtables and Snort. Snort Inline adds three new rule actions:

  • Drop: Drops the packet using IPtables and logs via Snort

  • Reject: The communication is closed by either TCP RST for TCP sessions...
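As an added example (not from the book or the Snort Inline project), the POSIX shell script below prints the IPtables QUEUE rules that divert traffic to snort_inline and builds snort_inline rules using the drop and reject actions described above, plus the same-length `replace` option for payload rewriting. The interface layout (a bridge over two NICs) and all rule contents are assumed; nothing is applied to the kernel, the commands are only printed for review.

```shell
#!/bin/sh
# Added example, not the book's or the project's own code.
# Assumes snort_inline runs on a bridge (br0 over eth0/eth1, placeholders) and that
# the kernel has the ip_queue/libipq support described in the text.

# Print the IPtables rules that hand traffic to the QUEUE target read by libipq.
# FORWARD covers bridged traffic; INPUT covers traffic addressed to the sensor itself.
queue_rules() {
  printf '%s\n' \
    'iptables -A FORWARD -j QUEUE' \
    'iptables -A INPUT -j QUEUE'
}

# Build one snort_inline rule.
# $1 action  $2 proto  $3 dst port  $4 msg  $5 sid  $6 content  $7 optional replacement
# drop and reject are the inline actions described above; alert (standard Snort) is
# kept for rules that only rewrite the payload and let the packet continue.
inline_rule() {
  action=$1; proto=$2; dport=$3; msg=$4; sid=$5; content=$6; replace=$7
  case "$action" in
    drop|reject|alert) ;;
    *) echo "unsupported action for this example: $action" >&2; return 1 ;;
  esac
  # snort_inline rewrites bytes in place, so the replacement must match the length
  # of the matched content; anything else is refused before it reaches the sensor.
  if [ -n "$replace" ] && [ "${#content}" -ne "${#replace}" ]; then
    echo "replace must be the same length as content" >&2; return 1
  fi
  opts="msg:\"$msg\"; content:\"$content\";"
  if [ -n "$replace" ]; then
    opts="$opts replace:\"$replace\";"
  fi
  printf '%s %s any any -> any %s (%s sid:%s; rev:1;)\n' \
    "$action" "$proto" "$dport" "$opts" "$sid"
}

# Usage: print the IPtables setup and three rules for review.
queue_rules
inline_rule drop   tcp 80 "Inline drop example"   1000001 "/cmd.exe"
inline_rule reject tcp 25 "Inline reject example" 1000002 "VRFY"
inline_rule alert  tcp 80 "Inline rewrite example" 1000003 "GET" "BET"
```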
