Every few weeks the same question comes up: what is the difference between Snort in inline mode and Snort_inline? This makes sense, because the Snort_inline documentation and website fail to explain it. In this post I will try to highlight the main differences. In general, we develop Snort_inline as a patchset on top of Snort, focused on improving Snort's inline part. Originally, of course, Snort's inline capabilities were developed in the Snort_inline project; with Snort 2.3.0RC1 they were merged into mainline Snort.
Convenience
We did a number of things to make Snort_inline a little more convenient for inline users.
- inline is enabled by default in ./configure
- we got rid of libnet 1.0.2a and switched to libdnet 1.1 instead
- a snort_inline specific manual page was added, as well as some extra docs
- an example configuration file for inline use is supplied
Added functionality
- we support Linux' new queueing mechanism, nfqueue. This was contributed by Nitro Security. Nfqueue supports running multiple copies of Snort_inline, which lets you take advantage of SMP and reduces the risk of a denial of service should one Snort_inline process crash.
- the stickydrop preprocessor adds rule options that block an IP address for a configurable amount of time
- the bait-and-switch preprocessor (Linux only) allows you to redirect traffic from a host to a honeypot based on the rules
- the clamav preprocessor is included (you still need to pass --enable-clamav to ./configure)
- a reinject action for FreeBSD: reinjects an accepted packet into the ipfw rule list at a specific rule number
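The multi-process nfqueue setup mentioned above, as an added example that is not part of the original post or of the Snort_inline project: a small POSIX shell script that generates (and optionally applies) the iptables rules steering forwarded traffic into N NFQUEUE queues, one per Snort_inline process. It assumes an iptables and kernel with `--queue-balance` and `--queue-bypass` support and traffic passing through the FORWARD chain (router or bridge); the Snort_inline command-line flag for binding a process to a queue number is not given on this page and is deliberately left out.

```shell
#!/bin/sh
# Added example, not code from the Snort_inline project or this post.
# Generates the iptables rules that feed forwarded traffic to several
# NFQUEUE queues, one per Snort_inline process.
# Assumptions (not stated on the page): iptables/kernel new enough for
# --queue-balance (connection-affine balancing across a queue range) and
# --queue-bypass (accept packets when no userspace listener is attached);
# traffic traverses the FORWARD chain. Binding each Snort_inline process
# to its queue number is left to the operator.

# nfqueue_rules NUM_QUEUES MODE
#   NUM_QUEUES  number of queues, i.e. of Snort_inline processes to run
#   MODE        "open"   -> add --queue-bypass: if no process is attached to
#                          a queue the kernel ACCEPTs the packet, so traffic
#                          keeps flowing uninspected (fail open)
#               "closed" -> kernel default: packets sent to a queue with no
#                          listener are dropped (fail closed)
# Prints the rules instead of applying them so they can be reviewed first.
nfqueue_rules() {
    n=$1
    mode=$2
    if [ "$n" -lt 1 ] || [ "$n" -gt 65535 ]; then
        echo "nfqueue_rules: queue count must be 1..65535" >&2
        return 1
    fi
    bypass=""
    if [ "$mode" = "open" ]; then
        bypass=" --queue-bypass"
    fi
    if [ "$n" -eq 1 ]; then
        # A single Snort_inline process: a plain queue number is enough.
        printf 'iptables -A FORWARD -j NFQUEUE --queue-num 0%s\n' "$bypass"
    else
        # --queue-balance keeps all packets of one connection on the same
        # queue, so each Snort_inline process sees whole TCP streams and
        # stream reassembly still works with several processes.
        last=$((n - 1))
        printf 'iptables -A FORWARD -j NFQUEUE --queue-balance 0:%s%s\n' \
            "$last" "$bypass"
    fi
}

# Usage: sh nfqueue-rules.sh print 4 closed   (show the rules)
#        sh nfqueue-rules.sh apply 4 closed   (run them; needs root)
case "${1:-}" in
    print) nfqueue_rules "$2" "$3" ;;
    apply) nfqueue_rules "$2" "$3" | sh -e ;;
esac
```

The MODE argument is the denial-of-service trade-off the list item alludes to: with the kernel default a crashed Snort_inline process takes its queue's traffic down with it until it is restarted, while `--queue-bypass` keeps traffic flowing but uninspected in the meantime. Which one is right depends on whether you would rather lose connectivity or lose inspection.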
Improved for inline use
- the reject action can send RST packets to both source and destination
- stream4 can drop attacks detected in the reassembled stream. It also enforces the TCP window, and it implements a number of Vern Paxson's ideas on TCP reassembly, such as a limit on the number of out-of-order packets and bytes that are accepted in a stream.
- some fixes for FreeBSD
As the list shows, if you are interested in running Snort inline, Snort_inline might be the better choice for you!
Thank you!
Hello, I am new to Snort. If I want to accomplish IPS (intrusion prevention system), could I just install Snort_inline? Thank you!
I’m not involved in Snort or Snort_inline anymore, so please direct your questions on those to http://www.snort.org/
Alternatively, you can have a look at my new IDS/IPS project called Suricata. http://www.openinfosecfoundation.org/
I have installed Suricata. I want to downsize Suricata, so I stripped Suricata; the size is 1.4M. Is there any way to make it smaller? Thanks a lot.
You could try the “strip” command. See “man strip”. I have no experience with it.