General Web Comments
Thursday, May 19, 2005
 
1.5 Inline Mode
1.5 Inline Mode: "Snort 2.3.0 RC1 integrated the intrusion prevention system (IPS) capability of snort_inline into the official Snort project. Snort_inline obtains packets from iptables instead of libpcap and then uses new rule types to help iptables pass or drop packets based on Snort rules.

In order for snort_inline to work properly, you must download and compile the iptables code to include "make install-devel" (http://www.iptables.org). This will install the libipq library that allows snort_inline to interface with iptables. Also, you must build and install LibNet, which is available from http://www.packetfactory.net.

There are three rule types you can use when running Snort with snort_inline:

* drop - The drop rule type will tell iptables to drop the packet and log it via usual Snort means.
* reject - The reject rule type will tell iptables to drop the packet, log it via usual Snort means, and send a TCP reset if the protocol is TCP or an icmp port unreachable if the protocol is UDP.
* sdrop - The sdrop rule type will tell iptables to drop the packet. Nothing is logged."
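To show how the three rule types differ in practice, here is a constructed set of snort_inline rules (an added example, not taken from the Snort manual or the quoted post; the $HOME_NET and $EXTERNAL_NET variables and the local sid range are assumed to be defined in snort.conf):

```snort
# Constructed example rules for snort_inline; not part of the Snort project.
# Assumes $HOME_NET and $EXTERNAL_NET are set in snort.conf.

# drop: iptables discards the packet and Snort logs the event.
# The remote client simply sees a timeout.
drop tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"INLINE inbound telnet blocked"; flow:to_server,established; classtype:policy-violation; sid:1000001; rev:1;)

# reject on TCP: packet is dropped, event is logged, and a TCP reset is sent,
# so the client connection fails immediately instead of hanging.
reject tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"INLINE request for .htpasswd rejected"; flow:to_server,established; content:".htpasswd"; nocase; classtype:web-application-attack; sid:1000002; rev:1;)

# reject on UDP: packet is dropped, event is logged, and an ICMP port
# unreachable is sent back instead of a TCP reset.
reject udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"INLINE external SNMP rejected"; classtype:policy-violation; sid:1000003; rev:1;)

# sdrop: packet is dropped silently, nothing is logged. Suited to noisy
# traffic you want blocked without filling the alert log.
sdrop udp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"INLINE NetBIOS name service noise"; sid:1000004; rev:1;)
```

These rules only see traffic that iptables hands to the QUEUE target (the mechanism libipq reads from), so an iptables rule such as one sending inbound TCP and UDP to `-j QUEUE` must be in place before any of the above can take effect.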

