[Snort-devel] snort_inline-1.9.1-2 release

Rob McMillen rvmcmil at ...1029...
Sun Mar 30 10:38:06 EST 2003

The Honeynet Project has updated snort_inline to include preprocessor support. 
Any preprocessor that normalizes data can be used with snort_inline 1.9.1-2. 
The Honeynet Project is also currently porting pre-processors that actively
alert (or drop) attacks.  The snort_inline.conf file has been updated with these
new capabilities.  You can find src code, binaries, and updated configuration
files at

Why couldn't we use plugins before?  To answer this question, we need to give a
basic description of snort_inline. 

Basically, the kernel makes a copy of the packet and gives it to snort_inline. 
snort_inline then takes this copy of the packet; adds a pcap header, and sends
it through the snort process.  At the end of the process, snort_inline checks
the packet routing decision: drop, sdrop, reject or accept (default if drop,
sdrop, or reject are not set).  When the packet is marked for drop, sdrop, or
reject, snort_inline tells the kernel to drop the packet and disregard the copy
of the packet it sent us earlier.  When the packet is not marked for drop,
sdrop, or reject, snort_inline tells (this is what was fixed) the kernel to
accept the packet and use the copy of the packet we are not providing instead of
the copy the kernel kept.  The intent of this action was to allow the use of the
"replace" keyword that lets users change the packet payload.  For example,
I can use the "content" keyword to find cmd.exe and use the "replace" keyword to
change it to xxx.exe.  This would render attacks using an exploit that used
cmd.exe useless.

Now, snort_inline tells the kernel to accept the packet and use the copy the
kernel kept unless the payload was modified by the use of the replace keyword. 
Why is this important?  This is important for two reasons:
	1.  It increases snort_inline throughput because we are no longer
copying a packet from kernel space to user space; making a routing decision; and
copying a packet from user space to kernel space.  We are only doing this when
it is absolutely necessary.
	2.  It allows the use of plugins that "normalize" (modify) the payload
so the detection engine can better identify attacks in packets sent by "evil"
people trying to hide by using things such as unicode to hide their intent.

The way these plugins work in Snort-1.9.1 is that they modify the packet payload
("normalize") so that the rule base has a better shot at identifying an attack. 
Things such as unicode attacks are decoded by the http_decode preprocessor
plugin before the packet is sent to the detection engine.  This increases the
chance of identifying the attack. 

Feel free to drop me a line if you have any problems/questions.


More information about the Snort-devel mailing list