FWSNORT

NAME

SYNOPSIS

DESCRIPTION

fwsnort (optionally) uses the IPTables::Parse module to parse the iptables ruleset on the machine to determine which Snort rules are applicable to the specific iptables policy. After all, if iptables is blocking all inbound http traffic from external addresses, it is probably not of much use to try detecting inbound attacks against against tcp/80. By default fwsnort generates iptables rules that log Snort sid's within a --log-prefix to syslog where the messages can be analyzed with a log analyzer such as psad (see http://www.cipherdyne.org/psad/). fwsnort relies on the iptables string match module to match Snort content fields in the application portion of ip traffic. Since Snort rules can contain hex data in content fields (specified between pipe "|" characters), fwsnort implements a patch against iptables (which has been accepted by the Netfilter project as of iptables-1.2.7a) which adds a "--hex-string" option. This allow iptables to accept content fields from Snort rules such as "|0d0a5b52504c5d3030320d0a|" without any modification. fwsnort is able to translate approximately 60% of all rules from the Snort-2.3.3 IDS into equivalent iptables rules. For more information about the translation strategy as well as advantages/disadvantages of the method used by fwsnort to obtain intrusion detection data, see the README included with the fwsnort sources or browse to: http://www.cipherdyne.org/fwsnort/  

OPTIONS

-c, --config <configuration file>

By default fwsnort makes use of the configuration file /etc/fwsnort/fwsnort.conf for almost all configuration parameters. fwsnort can be made to override this path by specifying a different file on the command line with the --config option.

--update-rules

Download the latest Emerging Threats rules from http://www.emergingthreats.net This will overwrite the emerging-all.rules file in the /etc/fwsnort/snort_rules/ directory. Note that the automatic downloading of Snort rules from http://www.snort.org/ as of March, 2005 is only offered as a pay service.

-6, --ip6tables

Enable ip6tables mode so that the fwsnort rule set is built into an ip6tables policy instead of the iptables policy. This allows fwsnort controls to apply to IPv6 traffic.

--include-type  <rules type>

Restrict to processing snort rules of <rules type>. Example rule types would include "ddos", "backdoor", and "web-attacks". This option also supports a comma-separated list of types, e.g. "ddos,backdoor".

--exclude-type  <rules type>

Exclude all Snort rules from of type <rules type> from the translation process. For example, if you don't want any rules from the file emerging-all.rules to be translated, then use "emerging-all" as the argument to this option. A comma-separated list of types to exclude can be specified.

--include-regex  <regex>

Only translate Snort rules that match the specified regular expression. This is useful to build fwsnort policies for Snort rules that have a common characteristic (such as a string match on the word "Storm" for the Storm worm for example).

--exclude-regex  <regex>

Translate all Snort rules except those that match the specified regular expression. This is useful to omit Snort rules from fwsnort policies that have a common characteristic (such as a string match on "HTTP_PORTS" for example).

--include-re-caseless

Make the rule matchine regular expression specified with --include-regex match case insensitively.

--exclude-re-caseless

Make the rule matchine regular expression specified with --exclude-regex match case insensitively.

--snort-rdir <snort-rules-directory>

Manually specify the directory where the snort rules files are located. The default is /etc/fwsnort/snort_rules. Multiple directories are supported as a comma-separated list.

--snort-rfile <snort-rules-file>

Manually specify a Snort rules file to translated into iptables rules. Multiple files are also supported as a comma-separated list.

--snort-sid <sid>

Generate an iptables ruleset for a single snort rule specified by <sid>. A comma-separated list of sids can be specified, e.g. "2001842,1834".

--exclude-sid <sid>

Provide a list of Snort ID's to be excluded from the translation process.

--include-perl-triggers

Include 'perl -e print ...' commands as comments in the fwsnort.sh script. These commands allow payloads that are designed to trigger snort rules to easily be built, and when combined with netcat (or other software that can send bytes over the wire) it becomes possible to test whether an fwsnort policy appropriately triggers on matching traffic.

--ipt-script <script file>

Specify the path to the iptables script generated by fwsnort. The default location is /etc/fwsnort/fwsnort.sh.

--Last-cmd

Run fwsnort with the same command line arguments as the previous execution. This is a convenient way of rebuilding the /etc/fwsnort/fwsnort.sh script without having to remember what the last command line args were.

--NFQUEUE

Build an fwsnort policy that sends packets that match Snort content or uricontent fields to userspace via the iptables NFQUEUE target for further analysis. This is a mechanism for reducing the signature inspection load placed on snort_inline. A parallel set of Snort rules that are successfully translated are placed in the /etc/fwsnort/snort_rules_queue directory. This requires CONFIG_NETFILTER_XT_TARGET_NFQUEUE support in the Linux kernel.

--QUEUE

Same as the --NFQUEUE command line argument except that the older QUEUE target is used instead of the NFQUEUE target. This requires CONFIG_IP_NF_QUEUE support in the Linux kernel.

--queue-num <num>

Specify a queue number in --NFQUEUE mode.

--ipt-apply

Execute the iptables script generated by fwsnort.

--ipt-flush

Flush all fwsnort currently active iptables rules (flushes the fwsnort chains).

--ipt-list

List all fwsnort currently active iptables rules (lists the fwsnort chains).

--ipt-drop

For each logging rule generated by fwsnort add a corresponding DROP rule. Note that for TCP sessions using this option will cause retransmissions as packets that are part of established sessions selectively dropped. Remember that false positives are common occurrences for intrusion detection systems, and so using this or the --ipt-reject option may break things on your network! You have been warned.

--ipt-reject

For each logging rule generated by fwsnort add a corresponding REJECT rule. Reset packets will be generated for TCP sessions through the use of the "--reject-with tcp-reset" option, and ICMP port unreachable messages will be generated for UDP packets through the use of the "--reject-with icmp-port-unreachable" option.

--no-ipt-log

By default fwsnort generates an iptables script that implements a logging rule for each successfully translated snort rule. This can be disabled with the --no-ipt-log option, but --ipt-drop must also be specified.

--no-ipt-sync

Do not consult the iptables policy currently running on the machine for applicable snort rules. Unless limited with the --include-type or --snort-sid options this can result in a fwsnort.sh script that contains several thousand iptables rules.

--no-ipt-test

Do not test the iptables build for existence of support for the LOG and REJECT targets, and ascii and hex string matching.

--no-ipt-jumps

Do not jump packets from the built-in iptables INPUT, OUTPUT, and FORWARD chains to the custom fwsnort chains. This options is mostly useful to make it easy to manually alter the placement of the jump rules in the iptables ruleset.

--no-ipt-rule-nums

By default fwsnort includes the rule number within the logging prefix for each of the rules it adds to the fwsnort chains. E.g. the logging prefix for rule 34 would look something like "[34] SID1242 ESTAB". Use this option to not include the rule number.

--no-ipt-comments

If the iptables "comment" match exists, then fwsnort puts the Snort "msg", "classtype", "reference", "priority", and "rev" fields within a comment for each iptables rule. Use this option to disable this.

--no-ipt-INPUT

Do not jump packets from the iptables INPUT chain to the fwsnort chains.

--no-ipt-OUTPUT

Do not jump packets from the iptables OUTPUT chain to the fwsnort chains.

--no-ipt-FORWARD

Do not jump packets from the iptables FORWARD chain to the fwsnort chains.

-H, --Home-net <network/mask>

Specify the internal network instead of having fwsnort derive it from the HOME_NET keyword in the fwsnort.conf configuration file.

-E, --External-net <network/mask>

Specify the external network instead of having fwsnort derive it from the EXTERNAL_NET keyword in the fwsnort.conf configuration file.

--no-addresses

Disable all checks against the output of ifconfig for proper IP addresses. This is useful if fwsnort is running on a bridging firewall.

--Dump-conf

Print the fwsnort configuration on STDOUT and exit.

--debug

Run in debug mode. This will cause all parse errors which are normally written to the fwsnort logfile /var/log/fwsnort.log to be written to STDOUT instead.

--strict

Run fwsnort in "strict" mode. This will prevent fwsnort from translating snort rules that contain the keywords "offset", "uricontent", and "depth".

-U, --Ulog

Force the usage of the ULOG target for all log messages instead of the default LOG target.

--ulog-nlgroup

Specify the netlink group for ULOG rules. Such rules are only added for Snort rules that have an action of "log", or when fwsnort is run in --Ulog mode.

-l, --logfile <logfile>

By default fwsnort logs all parse errors to the logfile /var/log/fwsnort.log. This path can be manually changed with the --logfile option.

-v, --verbose

Run fwsnort in verbose mode. This will cause fwsnort to add the original snort rule as a comment to the fwsnort.sh script for each successfully translated rule.

-V, --Version

Print the fwsnort version and exit.

-h, --help

Print usage information on STDOUT and exit.

FILES

The fwsnort configuration file. The path to this file can be changed on the command line with --config.

/etc/fwnort/fwsnort.sh

The iptables script generated by fwsnort. The path can be manually specified on the command line with the --ipt-script option.

FWSNORT CONFIGURATION VARIABLES

HOME_NET

fwsnort uses the same HOME_NET and EXTERNAL_NET variables as defined in Snort rules, and the same semantics are supported. I.e., individual IP addresses or networks in standard dotted-quad or CIDR notation can be specified, and comma separated lists are also supported.

EXTERNAL_NET

Defines the external network. See the HOME_NET variable for more information.

EXAMPLES

Script generation in logging mode, parse errors written to the fwsnort logfile, and iptables policy checking are enabled by default without having to specify any command line arguments:

# fwsnort

Generate ip6tables rules for attacks delivered over IPv6:

# fwsnort -6

Generate iptables rules for ddos and backdoor Snort rules only:

# fwsnort --include-type ddos,backdoor

Generate iptables rules for Snort ID's 2008475 and 2003268 (from emerging-all.rules):

fwsnort --snort-sid 2008475,2003268

Generate iptables rules for Snort ID's 1834 and 2001842 but queue them to userspace via the NFQUEUE target and restrict exclude the INPUT and OUTPUT chains:

fwsnort --snort-sid 1834,2001842 --NFQUEUE --no-ipt-INPUT --no-ipt-OUTPUT

Instruct fwsnort to only inspect traffic that traverses the eth0 and eth1 interfaces:

# fwsnort --restrict-intf eth0,eth1

Generate iptables rules for all Snort rules, and write original snort rule to the iptables script as a comment:

# fwsnort --no-ipt-sync --verbose  

DEPENDENCIES

fwsnort also requires the IPTables::Parse module in order to parse iptables policies.  

DIAGNOSTICS

SEE ALSO

AUTHOR

CONTRIBUTORS

fwsnort is based on the original snort2iptables script written by William Stearns.  

BUGS

DISTRIBUTION

Index

NAME

SYNOPSIS

DESCRIPTION

OPTIONS

FILES

FWSNORT CONFIGURATION VARIABLES

EXAMPLES

DEPENDENCIES

DIAGNOSTICS

SEE ALSO

AUTHOR

CONTRIBUTORS

BUGS

DISTRIBUTION