**2.1.1 Snort\_inline**

The Snort\_inline IPS is a modified version of the well-known Snort IDS. It receives packets queued by the Netfilter firewall with the help of the libipq library<sup>1</sup>, compares them with Snort signature rules and tags them as drop if they match a rule, then finally sends them back to Netfilter, where the packets tagged by Snort\_inline are dropped.

There are five default rule actions in Snort: alert, log, pass, activate, and dynamic:



Snort\_inline adds three rule types beyond Snort's:


<sup>1</sup> The libipq library is a development library for iptables userspace packet queuing.

3. Reject – The reject rule type tells iptables to drop the packet, logs it via the usual Snort means, and sends a TCP reset if the protocol is TCP or an ICMP port unreachable if the protocol is UDP.
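The inline packet path described above (Netfilter queues a packet, the rule engine matches it and hands a verdict back) and the behaviour of the reject rule type are modelled below in a small Python simulation. This is an added example, not Snort\_inline or libipq code: the rule grammar is a constructed subset (action, protocol, source/destination IP and port with `any` wildcards, and a `msg` option), the packets are plain dicts, the verdict names `NF_ACCEPT`/`NF_DROP` are borrowed from libipq, and first-match ordering is a simplification of Snort's real rule-ordering logic.

```python
"""Constructed simulation of the Snort_inline decision path.

Netfilter hands each queued packet to userspace (libipq in the real
system); the engine matches it against Snort-style rules and returns a
verdict that Netfilter applies. Only a toy rule subset is parsed here.
"""
import re
from dataclasses import dataclass, field

# Verdict names as used by libipq clients (values here are just labels).
NF_ACCEPT = "NF_ACCEPT"
NF_DROP = "NF_DROP"

# Toy rule header: action proto src sport -> dst dport (msg:"...";)
RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\(\s*msg:"(?P<msg>[^"]*)";\s*\)$'
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str

    @classmethod
    def parse(cls, text):
        m = RULE_RE.match(text.strip())
        if not m:
            raise ValueError(f"unparseable rule: {text!r}")
        return cls(**m.groupdict())

    def matches(self, pkt):
        def ok(pattern, value):
            return pattern == "any" or pattern == str(value)
        return (self.proto == pkt["proto"]
                and ok(self.src, pkt["src"]) and ok(self.sport, pkt["sport"])
                and ok(self.dst, pkt["dst"]) and ok(self.dport, pkt["dport"]))


@dataclass
class Result:
    verdict: str
    alerts: list = field(default_factory=list)     # what gets logged
    responses: list = field(default_factory=list)  # active responses sent


def reject_response(pkt):
    """Active response for the reject rule type: TCP gets a reset,
    UDP gets an ICMP port unreachable, anything else gets nothing."""
    if pkt["proto"] == "tcp":
        return f"TCP RST to {pkt['src']}:{pkt['sport']}"
    if pkt["proto"] == "udp":
        return f"ICMP port unreachable to {pkt['src']}"
    return None


def process_packet(pkt, rules):
    """Return the verdict Netfilter should apply, plus alerts and responses.
    First matching rule wins (a simplification of Snort's ordering).
    activate/dynamic are not modelled and raise."""
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.action == "pass":
            return Result(NF_ACCEPT)
        if rule.action in ("alert", "log"):
            return Result(NF_ACCEPT, alerts=[rule.msg])
        if rule.action == "drop":                 # tagged drop, logged
            return Result(NF_DROP, alerts=[rule.msg])
        if rule.action == "reject":               # drop + log + response
            resp = reject_response(pkt)
            return Result(NF_DROP, alerts=[rule.msg],
                          responses=[resp] if resp else [])
        raise ValueError(f"unsupported action {rule.action!r}")
    return Result(NF_ACCEPT)                      # no rule matched


# Constructed sample ruleset and packets (addresses are documentation ranges).
RULES = [Rule.parse(r) for r in (
    'pass tcp any any -> any 22 (msg:"ssh allowed";)',
    'reject tcp any any -> 192.0.2.10 23 (msg:"telnet to protected host";)',
    'reject udp any any -> any 69 (msg:"tftp blocked";)',
    'drop tcp any any -> any 445 (msg:"smb blocked";)',
    'alert udp any any -> any 161 (msg:"snmp seen";)',
)]
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "192.0.2.10", "dport": 23},
    {"proto": "udp", "src": "10.0.0.5", "sport": 53000, "dst": "192.0.2.10", "dport": 69},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "192.0.2.10", "dport": 445},
    {"proto": "udp", "src": "10.0.0.5", "sport": 53001, "dst": "192.0.2.10", "dport": 161},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40002, "dst": "192.0.2.10", "dport": 22},
]


def demo():
    """Run every sample packet through the ruleset."""
    return [process_packet(p, RULES) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, res in zip(SAMPLE_PACKETS, demo()):
        print(pkt["proto"], pkt["dport"], "->", res)
```

Running the block shows the difference the reject type makes: the Telnet and TFTP packets are dropped and logged like a drop, but each also produces the active response the text describes (a TCP reset for TCP, an ICMP port unreachable for UDP), while the alert rule only logs and lets the packet through.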
