Snort inline mode turns a sensor into an enforcement point on the traffic path. Instead of only alerting on matching packets, Snort can pass, drop, block, reject, or rewrite traffic when the selected DAQ and rule actions support that behavior.
Inline operation depends on two layers working together. The ips policy controls how rule actions are handled, while the DAQ module controls how packets enter and leave Snort. On Linux, afpacket can run inline with a paired interface argument such as enp1s0:enp2s0, and the dump DAQ can emulate inline forwarding against a pcap before production interfaces are placed in the path.
Use a controlled pcap or inline-test policy before enforcing drops on live traffic. A pcap test proves rule action behavior, but real forwarding still needs a cabled and approved interface pair, routing or bridge design, and a rollback path if traffic stops passing.
Related: How to monitor a live interface with Snort
Related: How to test a Snort rule
$ snort --daq-list
Available DAQ modules:
afpacket(v7): live inline multi unpriv
##### snipped #####
dump(v5): inline unpriv wrapper
##### snipped #####
afpacket is the Linux interface-pair DAQ. dump is useful for a pcap-based inline test before a sensor is cabled into a forwarding path.
Related: How to check Snort DAQ modules
drop udp any any -> any 31340 (msg:"LOCAL UDP inline drop test"; content:"SNORT-INLINE-DROP"; sid:1000005; rev:1;)
Use a local SID range and a payload that appears only in the test traffic.
$ sudo vi /usr/local/etc/snort/snort-inline-test.lua
dofile('/usr/local/etc/snort/snort.lua')

ips = {
    mode = 'inline-test',
    include = '/usr/local/etc/snort/rules/local.rules'
}
inline-test evaluates rule actions as if the sensor were inline and records what would have been dropped, but does not apply the final enforcement behavior to the packets.
$ sudo snort -c /usr/local/etc/snort/snort-inline-test.lua -T
--------------------------------------------------
   o")~   Snort++ 3.12.2.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort-inline-test.lua:
##### snipped #####
Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting
Fix configuration or rule errors before testing any inline run command.
Related: How to test Snort configuration
$ sudo cp /usr/local/etc/snort/snort-inline-test.lua /usr/local/etc/snort/snort-inline.lua
dofile('/usr/local/etc/snort/snort.lua')

ips = {
    mode = 'inline',
    include = '/usr/local/etc/snort/rules/local.rules'
}
$ sudo snort -c /usr/local/etc/snort/snort-inline.lua -T
--------------------------------------------------
   o")~   Snort++ 3.12.2.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort-inline.lua:
##### snipped #####
Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting
$ sudo snort -Q --daq dump -c /usr/local/etc/snort/snort-inline.lua \
    -r inline-drop.pcap -A alert_fast -k none
--------------------------------------------------
   o")~   Snort++ 3.12.2.0
--------------------------------------------------
##### snipped #####
dump:pcap DAQ configured to inline.
##### snipped #####
06/25-00:41:55.388690 [drop] [**] [1:1000005:1] "LOCAL UDP inline drop test" [**] [Priority: 0] {UDP} 127.0.0.1:34075 -> 127.0.0.1:31340
##### snipped #####
ips_actions
                drop: 1
The dump DAQ writes out only the packets it would have forwarded, so a dropped test packet never reaches its output. When the test packet is dropped, the [drop] alert line together with the ips_actions drop counter confirms that the rule's action was applied on the inline path.
Related: How to read Snort run statistics
$ sudo snort -Q --daq afpacket \
    -i enp1s0:enp2s0 \
    -c /usr/local/etc/snort/snort-inline.lua \
    -A alert_fast -l /var/log/snort
Use only an interface pair that is cabled and approved for forwarding. A wrong pair can interrupt traffic for every host behind the sensor.
ips_actions
pass: 12
drop: 1
If the counters stay empty, confirm the cabling, the interface names, the DAQ selection, the rule's direction and port, and whether test traffic is actually crossing the interface pair.
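As an added example (not code from this page or the Snort project), a POSIX shell gate that ties the two stages together: it parses the captured output of the dump-DAQ pcap run and prints the afpacket command only when both the [drop] alert for the test SID and a non-zero ips_actions drop counter are present. The run.log capture, the function names, and the embedded sample output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: gate promotion from the dump-DAQ pcap test to a live
# afpacket run on whether the test packet was really dropped.
# Assumed capture of the pcap run (redirect the command shown above):
#   sudo snort -Q --daq dump -c ... -r inline-drop.pcap -A alert_fast -k none > run.log 2>&1

# check_inline_drop SID RUN_LOG
# Succeeds only when alert_fast logged a [drop] for gid 1 / SID and the
# ips_actions block reports drop >= 1; either signal alone is not enough.
check_inline_drop() {
    sid="$1"; log="$2"
    grep -q "\[drop] \[\*\*] \[1:${sid}:[0-9]*]" "$log" || return 1
    drops=$(awk '/^ips_actions/ {inblk=1; next}
                 inblk && /^[^[:space:]]/ {inblk=0}
                 inblk && $1 == "drop:" {print $2; exit}' "$log")
    [ -n "$drops" ] && [ "$drops" -ge 1 ]
}

# print_afpacket_cmd SID RUN_LOG IFPAIR CONFIG
# Echoes the live command only if the gate passes; otherwise returns 1
# so a wrapper script stops before any interface pair is touched.
print_afpacket_cmd() {
    check_inline_drop "$1" "$2" || return 1
    echo "sudo snort -Q --daq afpacket -i $3 -c $4 -A alert_fast -l /var/log/snort"
}

# Constructed sample of a pcap run's output, in the shape shown on this page.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
dump:pcap DAQ configured to inline.
06/25-00:41:55.388690 [drop] [**] [1:1000005:1] "LOCAL UDP inline drop test" [**] [Priority: 0] {UDP} 127.0.0.1:34075 -> 127.0.0.1:31340
--------------------------------------------------
ips_actions
               alert: 0
                drop: 1
--------------------------------------------------
EOF

# gate_demo: run the gate against the sample (exit 0 = drop proven).
gate_demo() {
    print_afpacket_cmd 1000005 "$SAMPLE_LOG" enp1s0:enp2s0 /usr/local/etc/snort/snort-inline.lua
}
```

Point the gate at the real run.log of your own pcap test; a SID that never fired, or a run whose drop counter stayed at 0, makes it return 1 and print nothing.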