The Snort inline patch allows a Snort sensor to act as a gateway IDS (GIDS). It is similar in function (although much simpler) to SnortSAM; the difference is that the inline patch only allows the sensor itself to be the gateway. It is also limited in that it only supports iptables. It is not commonly used in more complex networks.
To act as a gateway, the Snort sensor has to be configured with two network interfaces—one on the internal network and the other on the external network. Traffic flows through the sensor. The sensor becomes the firewall for the internal network, a firewall based on iptables, which dynamically drops traffic when an attack is detected. This sounds very exciting, but I must remind you to be very careful when blocking traffic dynamically. You may cause more trouble than you are preventing. Only enable blocking for rules that are almost never going to generate false positives.
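To make the caveat above concrete, here is a small Python script added for this page (it is example code, not part of the original text or of the Snort project). The inline patch blocks by honouring a `drop` rule action in place of `alert`; the script rewrites a rules file so that only a short allowlist of SIDs uses `drop`, and demotes any other blocking rule back to `alert` so a stray `drop` cannot slip into production untuned. The rule lines, their SIDs and the allowlist contents are constructed placeholders, not signatures from any real ruleset.

```python
import re

# Constructed sample rules for this example; the SIDs are placeholders,
# not identifiers from any distributed Snort ruleset.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"placeholder SSH signature"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"placeholder web signature"; sid:1000002; rev:1;)
drop udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"placeholder DNS signature"; sid:1000003; rev:1;)
# comment line kept untouched
"""

# Assumed allowlist: the only SIDs permitted to block. Populate it from your
# own tuning, and keep it to signatures that almost never false-positive.
BLOCK_SIDS = {1000001}

BLOCKING_ACTIONS = ("drop", "sdrop", "reject")
ACTION_RE = re.compile(r"^(alert|drop|sdrop|reject|log|pass)\b")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def set_actions(rule_text, block_sids):
    """Rewrite rule actions according to the allowlist.

    Returns (rewritten_text, report). Rules whose SID is on the allowlist
    are switched from alert to drop; rules that carry a blocking action
    without being on the allowlist are demoted to alert. Comments, blank
    lines and rules without a sid pass through unchanged.
    """
    out = []
    report = {"blocking": [], "reverted": [], "unchanged": 0}
    for line in rule_text.splitlines():
        stripped = line.lstrip()
        indent = line[: len(line) - len(stripped)]
        m_action = ACTION_RE.match(stripped)
        m_sid = SID_RE.search(stripped)
        if not m_action or not m_sid:
            out.append(line)
            continue
        action = m_action.group(1)
        rest = stripped[len(action):]
        sid = int(m_sid.group(1))
        if sid in block_sids:
            # Allowlisted: promote alert to drop, leave other actions alone.
            if action == "alert":
                line = indent + "drop" + rest
            report["blocking"].append(sid)
        elif action in BLOCKING_ACTIONS:
            # Blocking action on a rule that was never vetted: demote it.
            line = indent + "alert" + rest
            report["reverted"].append(sid)
        else:
            report["unchanged"] += 1
        out.append(line)
    return "\n".join(out) + "\n", report


if __name__ == "__main__":
    rewritten, summary = set_actions(SAMPLE_RULES, BLOCK_SIDS)
    print(rewritten)
    print("blocking:", summary["blocking"])
    print("reverted to alert:", summary["reverted"])
```

Run it over a copy of your rules directory before pointing the inline sensor at it; the `reverted` list in the report is the one to read, since each entry is a rule that would have blocked traffic without having been reviewed.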
The Snort inline patch requires that iptables be enabled in the kernel. You'll also need libnet Version 1.0.x. The Snort inline patch is downloadable from http://snort-inline.sourceforge.net and is the full version of Snort, already patched and ready for compiling. Once the latest version is downloaded, it is configured, made, and installed with the following command line:
# ./configure --enable-inline
# make
# make install
Once the inline patch has been installed, configure Snort using the techniques we've discussed. It is important to carefully configure ...