Snort_inline: idea for an improved bait-and-switch

William Metcalf recently wrote a bait-and-switch plugin for Snort_inline. The idea is that when a rule matches on certain traffic this plugin loads an iptables rule into the system that redirects the offending host to another server. This can present the user an error message such as “Access Denied” for example, but this server can also have al kinds of sniffing tools, or even be a honeypot.

As the plugin currently creates an iptables rule it only works with linux. Also, it has some difficulty with existing iptables rulesets that might be maintained by other programs, such as my own Vuurmuur. My idea is to investigate whether or not it is possible to simply do the redirection in Snort_inline itself. By rewriting the ipaddress in the IP header, it might work as well. Naturally, this would need to be done for every packet, but with a connection to either the flow engine or the stream engine, this should be able to work… just a thought…

2 thoughts on “Snort_inline: idea for an improved bait-and-switch

  1. Will Metcalf is an excellent coder and any questioning of Will’s methods, idea’s, or code shall be seen as an act of treason and the violators shall be sentenced to a life time of QA work.

  2. In the original Bait and Switch (which Will reworked…nice job!), we just had iptables mark packets and let custom routing tables based on the markings do the rest of the work (which meant other iptables rules could be left alone). It also meant your honeypot and prod server could have ducplicate IP’s if you so desired. Doing it in snort-inline is probably possible, but do you want your IDS doing all of that extra work?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s