Any tips for running Security Onion with afpacket inline, as an IPS to drop alert rules?
I have it set up currently and it works fine, apart from when I run pulledpork with modifysid.conf set to change all the alerts to drop.
It processes the rules OK (apart from the expected inline errors) and drops/blocks any incoming malicious packets, as expected, but it loses the link to Sguil and there are no alerts shown.
I have a separate log file, which I had set up for a few OSSEC active responses, and it logs the alerts fine. I've just been using the snort.conf file from the eth1 interface folder, modified to run Snort.
Best Regards,
Ian
Ian,
This isn't really supported with Security Onion (https://github.com/Security-Onion-Solutions/security-onion/wiki/FAQ#can-security-onion-run-in-ips-mode), but you may try looking at barnyard2/snort-agent, as barnyard2 processes Snort's unified2 files and snort-agent ships the alerts to sguild (Sguil).
Thanks,
Wes
Thanks for clarifying that, Wes. I had a look at the snort-agent, sensors and logs. It was strange because sometimes only one sensor would go down. I'm running VMware as a project and have been suspending the VM, so I worked out that the log files were, on resuming, still being processed in the folder for the previous date.
Running the setup program again fixed all issues and the sensors work fine afterwards and process the alerts in Sguil.
I understand Security Onion's not really meant for this. I had originally envisioned using PF_RING in an inline preventative mode with Metaflows inline adaptations - https://www.metaflows.com/features/pf_ring/
However, it only works passively, so I went with afpacket instead.