Chapter 9: Translating Snort Rules into iptables Rules
The Snort IDS has shown the community the way to detect network-based attacks, so it is logical to leverage the Snort signature language in iptables. Because iptables offers a rich logging format and the ability to inspect application layer data, a significant percentage of Snort signatures can be translated into iptables rules. For example, consider the following Snort rule, which detects an XMLHttpRequest attempt coming from a malicious webserver back to the web client:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"WEB-CLIENT XMLHttpRequest attempt";
flow:to_client,established; content:"new XMLHttpRequest|28|";
content:"file|3A|//"; nocase; reference:bugtraq,4628;
reference:cve,2002-0354; classtype:web-application-attack; sid:1735;
rev:7;)
This Snort rule can be cleanly translated into an equivalent iptables rule even though it requires multiple content matches. Here is the iptables rule that fwsnort builds (with $HOME_NET set to 192.168.10.0/24 and $HTTP_PORTS to 80):
$IPTABLES -A FWSNORT_FORWARD_ESTAB -d 192.168.10.0/24 -p tcp --sport 80 \
  -m string --hex-string "new XMLHttpRequest|28|" --algo bm \
  -m string --hex-string "file|3A|//" --algo bm \
  -m comment --comment "sid:1735; msg:WEB-CLIENT XMLHttpRequest attempt; classtype:web-application-attack; reference:bugtraq,4628; rev:7; FWS:1.0.1;" \
  -j LOG --log-ip-options --log-tcp-options --log-prefix "[1] SID1735 ESTAB "
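As an added illustration of the translation (this is not fwsnort's own code), the following Python translator handles the subset of Snort options the sid:1735 rule uses: it parses the rule header and option list, applies the assumed values $HOME_NET = 192.168.10.0/24 and $HTTP_PORTS = 80, and emits the iptables string-match rule with its comment and LOG target. It goes one step beyond the rule shown above in that it maps Snort's nocase modifier to the string match's --icase option, which is an assumption about how that modifier should be carried over.

```python
import re

VARS = {"$HOME_NET": "192.168.10.0/24", "$HTTP_PORTS": "80"}  # assumed variable values

SNORT_RULE = (  # the chapter's sid:1735 rule, with its closing parenthesis
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
    '(msg:"WEB-CLIENT XMLHttpRequest attempt"; flow:to_client,established; '
    'content:"new XMLHttpRequest|28|"; content:"file|3A|//"; nocase; '
    'reference:bugtraq,4628; reference:cve,2002-0354; '
    'classtype:web-application-attack; sid:1735; rev:7;)'
)

# key:value; or bare key; with values optionally double-quoted
OPT_RE = re.compile(r'(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

def parse_snort(rule):
    header, body = rule.split("(", 1)
    _action, proto, _src, sport, _arrow, dst, dport = header.split()
    opts, contents = {}, []
    for key, val in OPT_RE.findall(body.rstrip(")")):
        val = val.strip().strip('"')
        if key == "content":
            contents.append({"pattern": val, "nocase": False})
        elif key == "nocase":          # modifier applies to the preceding content match
            contents[-1]["nocase"] = True
        else:
            opts.setdefault(key, val)  # first reference: only, as in fwsnort's comment
    return {"proto": proto, "sport": sport, "dst": dst, "dport": dport}, opts, contents

def to_iptables(rule, chain="FWSNORT_FORWARD_ESTAB", index=1):
    hdr, opts, contents = parse_snort(rule)
    parts = ["$IPTABLES", "-A", chain]
    if hdr["dst"] != "any":
        parts += ["-d", VARS.get(hdr["dst"], hdr["dst"])]
    parts += ["-p", hdr["proto"]]
    for flag, key in (("--sport", "sport"), ("--dport", "dport")):
        if hdr[key] != "any":
            parts += [flag, VARS.get(hdr[key], hdr[key])]
    for c in contents:  # Snort's |xx| hex notation is the same one --hex-string accepts
        parts += ["-m", "string", "--hex-string", '"%s"' % c["pattern"], "--algo", "bm"]
        if c["nocase"]:
            parts.append("--icase")  # assumption: nocase -> string match --icase
    comment = "sid:%s; msg:%s; classtype:%s; reference:%s; rev:%s; FWS:1.0.1;" % (
        opts["sid"], opts["msg"], opts["classtype"], opts["reference"], opts["rev"])
    parts += ["-m", "comment", "--comment", '"%s"' % comment[:256]]  # comment limit is 256 chars
    estab = "ESTAB " if "established" in opts.get("flow", "") else ""
    parts += ["-j", "LOG", "--log-ip-options", "--log-tcp-options",
              "--log-prefix", '"[%d] SID%s %s"' % (index, opts["sid"], estab)]
    return " ".join(parts)
```

Calling `to_iptables(SNORT_RULE)` reproduces the rule above, with `--icase` appended after the second string match.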