Monday, February 2, 2009

Snort 3.0 (SnortSP) Inline Bridging Mode in 3 Steps

One of the many interesting new features in Snort 3.0 (SnortSP) is the ability to run in inline bridging mode.

Step 1: Add a new function to your snort.lua file
If you followed my previous SnortSP Installation HOWTO, then the default snort.lua file is in /etc/SnortSP/snort.lua. Open the file and add the following function:

function bridge(interface1, interface2)
if interface1 == nil then
error("Two interfaces must be specified ( e.g. bridge(\"eth0\", \"eth1\") )")
end
if interface2 == nil then
error("Two interfaces must be specified ( e.g. bridge(\"eth0\", \"eth1\") )")
end
dsrc2 = {name="src2",
type="afpacket",
intf=interface1..":"..interface2,
flags=10,
snaplen=1518,
maxflows=262144,
maxidle=300,
flow_memcap=10000000}
dsrc.new(dsrc2)
eng.new("e2")
eng.link({engine="e2", source="src2"})
eng.start("e2")
end


Step 2: Start SnortSP
Start SnortSP using the following command:
sudo snortsp -L /etc/SnortSP/snort.lua
SnortSP will start up and read your new snort.lua file. You will then be greeted by the SnortSP Lua shell.

Step 3: Use the bridge() function
In the Lua shell, type the following (replacing eth0 and eth1 with the correct interfaces on your system):
bridge("eth0", "eth1")

Once the bridge is up and running, you can do the following to display packets traversing the bridge:
eng.set_display({engine="e2", display="none"})
Press the Up arrow and change "none" to "classic".
View the output.
Press the Up arrow twice to retrieve the "none" command and press Enter.

When finished, shut down SnortSP by running the following command:
ssp.shutdown()

Note that there is a bug in the SnortSP README file (and/or the SnortSP afpacket DAQ itself). The README file suggests the following:
dsrc1 = {name="src",
type="afpacket",
intf="eth2:eth3",
flags=10,
snaplen=0,
maxflows=262144,
maxidle=300,
flow_memcap=10000000}
dsrc.new(dsrc1)

Setting snaplen to 0 and passing traffic through the bridge results in segmentation fault. Per the SnortSP developers, this value should be set to 1518 for normal ethernet operation. Thanks to the SnortSP developers for their assistance with this issue.