Application Layer IDS/IPS with iptables
deps [deps] update to IPTables::Parse-1.6
lib/IPTables apply UTF-8 encoding patch from Gregor Herrmann of the Debian Perl Group
packaging spec files fwsnort-1.6.5 release
patches added patch to fix a bug where repetitive strings could not be matche…
test fix test suite config, properly detect uninitialized vars
CREDITS Use '-p all' instead of '-p ip', closes #10
ChangeLog support 'ip' for getting local IP's, closes #9
ChangeLog.git changes since 1.6.4
INSTALL converted from Net::AddrIPv4 to the excellent NetAddr::IP module
LICENSE GPL license address update (mentioned by Guillermo Gomez)
README bumped version and copyright info
README.RPM added note about trying yum/agt-get installation (Guillermo Gomez)
TODO added download of Emerging Threats as a tarball (suggested by Franck …
VERSION bumped version to 1.6.5 added README to version changing script
fwsnort fix test suite config, properly detect uninitialized vars
fwsnort.8 minor typo fix
fwsnort.conf fix test suite config, properly detect uninitialized vars bug fix for installation directory names, check_commands() enhancements add -f for parsing a specific Snort rules file GPL license address update (mentioned by Guillermo Gomez)


fwsnort   (Firewall Snort)
Version:  1.6.4
Author:   Michael Rash <>


fwsnort is a perl script that translates Snort rules into equivalent iptables
rules.  Some Snort rule options (such as "pcre") have no direct translation
into iptables options, so not all Snort rules can be translated.  However,
approximately 65% of all Snort-2.3.3 signatures (the last release of Snort
signatures under the GPL) can be successfully translated through the use of the
iptables string match module.  When translating Snort rules, fwsnort makes heavy
use of the iptables string match extension with its "--hex-string" option
(added to iptables by the fwsnort project), which accepts Snort "content"
arguments with hex bytes between "|" chars (such as "|5a 4e|").  This allows the
content fields in Snort rules to be directly input into iptables rulesets from
the command line.  fwsnort also parses the running iptables policy on the
machine in order to determine which Snort rules are applicable to the specific
policy loaded on the machine.
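
As an added illustration of the translation described above (a constructed example, not fwsnort's own code): a simplified Python translator that turns one Snort rule into an iptables string-match rule, passing the "content" field straight to --hex-string, mapping "nocase" to --icase, and refusing rules that use "pcre" or unresolved Snort variables. The chain name FWSNORT_FORWARD, the LOG-only target and the protocol set are assumptions of this example.

```python
import re
import shlex

# Constructed, simplified translator in the spirit of fwsnort (not the project's code). It
# handles one-line rules only and treats unresolved Snort variables ($HOME_NET) as untranslatable.
_HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
_OPT_RE = re.compile(r'([a-z_]+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

def parse_snort_rule(rule):
    """Split a one-line Snort rule into header fields and an ordered (key, value) option list."""
    m = _HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("unparseable Snort rule")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    opts = [(k, v.strip('"') if v else None) for k, v in _OPT_RE.findall(body)]
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "opts": opts}

def snort_to_iptables(rule, chain="FWSNORT_FORWARD"):
    """Return an iptables command for the rule, or None if it cannot be translated."""
    r = parse_snort_rule(rule)
    keys = [k for k, _ in r["opts"]]
    contents = [v for k, v in r["opts"] if k == "content"]
    untranslatable = (
        r["proto"] not in ("tcp", "udp", "icmp")   # assumption: only these protocols
        or "pcre" in keys                            # no iptables equivalent for pcre
        or not contents                              # nothing for the string match to look for
        or any(f.startswith("$") for f in (r["src"], r["sport"], r["dst"], r["dport"]))
    )
    if untranslatable:
        return None
    parts = ["iptables", "-A", chain, "-p", r["proto"]]
    if r["src"] != "any":
        parts += ["-s", r["src"]]
    if r["dst"] != "any":
        parts += ["-d", r["dst"]]
    if r["proto"] in ("tcp", "udp"):               # ports only make sense for tcp/udp
        if r["sport"] != "any":
            parts += ["--sport", r["sport"]]
        if r["dport"] != "any":
            parts += ["--dport", r["dport"]]
    # Each content becomes one string match; --hex-string takes the |5a 4e| notation as-is.
    # "nocase" is applied to every content here (Snort scopes it to the preceding content).
    for c in contents:
        parts += ["-m", "string", "--algo", "bm", "--hex-string", c]
        if "nocase" in keys:
            parts.append("--icase")
    o = dict(r["opts"])
    sid = o.get("sid", "0")
    parts += ["-m", "comment", "--comment", f"sid:{sid}; msg:{o.get('msg', '')}"]
    parts += ["-j", "LOG", "--log-prefix", f"[{sid}] SID{sid} "]   # log only, never drop
    return " ".join(shlex.quote(p) for p in parts)
```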

fwsnort requires the iptables string match module in order to be able to
detect application layer attacks.  If you are running a modern Linux
distribution then it is likely that the kernel has been compiled with iptables
string matching support, and fwsnort will automatically test this.


fwsnort is compatible with iptables only, hence fwsnort will exclusively run
on Linux running a 2.6 series kernel (with some support for 2.4 kernels as

Snort is a registered trademark of Sourcefire, Inc.


    (See the INSTALL file in the source directory.)


    If you are installing fwsnort from sources (i.e. not through a distribution
package manager such as RPM or apt), you can just run the "" script.
It takes care of upgrades, and it will merge any customized configuration
variables in the /etc/fwsnort/fwsnort.conf file with the new file in the
source directory.  Even if you are using a distribution package manager, you
can still run the script in order to preserve any existing
configuration.  However, in this case the script will also put in
place fwsnort according to how it normally handles installation paths, and
these may not match how your distribution package manager normally handles


Copyright (C) 2003-2014 Michael Rash (

fwsnort is distributed under the GNU General Public License (GPLv2), and the
latest version may be downloaded from

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA