.\" Process this file with
.\" groff -man -Tascii foo.1
.\"
.TH FWSNORT 8 "Jan, 2011" Linux
.SH NAME
.B fwsnort
\- Firewall Snort
.SH SYNOPSIS
.B fwsnort [options]
.SH DESCRIPTION
.B fwsnort
translates Snort rules into iptables rules on Linux systems and generates a
corresponding iptables policy in iptables-save format. This ruleset allows
network traffic that matches Snort signatures (i.e. attacks and other suspicious
network behavior) to
be logged and/or dropped by iptables directly without putting an interface
into promiscuous mode or queuing packets from kernel to user space. Note
that fwsnort can also build an iptables policy that combines the string
match extension with the NFQUEUE or QUEUE targets to allow the kernel to
perform preliminary string matches that are defined within Snort rules
before queuing matching packets to a userspace snort_inline instance. Because the bulk of
network communications are not generally malicious, this should provide a speedup
for snort_inline since the majority of packets do not then have to be
copied from kernel memory into user memory and subsequently inspected by
snort_inline. There is a tradeoff here in terms of signature detection,
however, because snort_inline when deployed in this way does not have the
opportunity to see all packets associated with a session, so stream
reassembly and signature comparisons against a reassembled buffer do not
take place (the stream preprocessor should be disabled in the userspace
snort_inline instance).

As of
.B fwsnort-1.5
all iptables rules built by fwsnort are written out to the
.I /var/lib/fwsnort/fwsnort.save
file in iptables-save format. This allows a long fwsnort policy (which may
contain thousands of iptables rules translated from a large Snort signature
set) to be quickly instantiated via the "iptables-restore" command. A wrapper
script
.I /var/lib/fwsnort/fwsnort.sh
is also written out to make this easy. Hence, the typical work flow for
fwsnort is to: 1) run fwsnort, 2) note the Snort rules that fwsnort was able
to successfully translate (the number of such rules is printed to stdout),
and then 3) execute the
.I /var/lib/fwsnort/fwsnort.sh
wrapper script to instantiate the policy in the running kernel.

.B fwsnort
(optionally) uses the IPTables::Parse CPAN module to parse
the iptables ruleset on the machine to determine which Snort rules are
applicable to the specific iptables policy. After all, if iptables is
blocking all inbound http traffic from external addresses for example, it
is probably not of much use to try detecting inbound attacks against
tcp/80. By default fwsnort generates iptables rules that log Snort sid's
within a \-\-log-prefix to syslog where the messages can be analyzed with a
log analyzer such as
.B psad
(see http://www.cipherdyne.org/psad/).
.B fwsnort
relies on the iptables string match module to match Snort content fields
in the application portion of ip traffic. Since Snort rules can contain
hex data in content fields (specified between pipe "|" characters), fwsnort
implements a patch against iptables (which has been accepted by the Netfilter
project as of iptables-1.2.7a) which adds a "\-\-hex-string" option. This
allows iptables to accept content fields from Snort rules such as
"|0d0a5b52504c5d3030320d0a|" without any modification.
.B fwsnort
is able to translate approximately 60% of all rules from the Snort-2.3.3
IDS into equivalent iptables rules. For more information about the
translation strategy as well as advantages/disadvantages of the method
used by fwsnort to obtain intrusion detection data, see the README
included with the fwsnort sources or browse to:
http://www.cipherdyne.org/fwsnort/

.B fwsnort
is able to apply Snort rules to IPv6 traffic by building an ip6tables policy
(see the "\-\-ip6tables" command line argument).
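.PP
The following Python script is an added illustration of the translation strategy described above; it is not part of fwsnort (which is written in Perl) and is not the project's own code. It parses a small subset of the Snort rule language (tcp/udp rules with content/uricontent, nocase, flow, and the msg/classtype/sid/rev metadata) and emits iptables-save lines: pipe-delimited hex content goes to \-\-hex-string unchanged, plain content to \-\-string, flow:established becomes a conntrack ESTABLISHED match, the Snort metadata lands in a comment match, and the LOG target carries a \-\-log-prefix of the "[rule number] SIDnnnn ESTAB" form. Longest-pattern-first ordering, the DROP rule added by \-\-ipt-drop, and NFQUEUE mode with a pre-match limit are also modelled. The HOME_NET value, the chain name FWSNORT_INPUT and the sample rules are constructed assumptions, not values from fwsnort.

```python
# Added illustration, not fwsnort's own code: translate a subset of Snort rules
# into iptables rules in iptables-save format, following the fwsnort man page.
import re

# Constructed values; fwsnort reads HOME_NET/EXTERNAL_NET from fwsnort.conf. None = any.
NET_VARS = {"$HOME_NET": "192.168.10.0/24", "$EXTERNAL_NET": None}
CHAIN = "FWSNORT_INPUT"   # assumed chain name; the man page only says "the fwsnort chains"

HEADER_RE = re.compile(r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
                       r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def split_options(body):
    """Split a Snort option body on ';' outside double quotes."""
    parts, buf, in_quote = [], [], False
    for ch in body:
        in_quote ^= (ch == '"')
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip()); buf = []
        else:
            buf.append(ch)
    return [p for p in parts + ["".join(buf).strip()] if p]

def parse_rule(text):
    """Parse one Snort rule into header fields, content matches and metadata."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable Snort rule header")
    rule = m.groupdict()
    rule.update(contents=[], flow="", msg="", classtype="", sid="", rev="")
    for opt in split_options(rule.pop("opts")):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key in ("content", "uricontent"):
            rule["contents"].append({"pattern": val, "nocase": False})
        elif key == "nocase" and rule["contents"]:
            rule["contents"][-1]["nocase"] = True   # modifies the preceding content
        elif key in ("flow", "msg", "classtype", "sid", "rev"):
            rule[key] = val
    return rule

def pattern_len(pattern):
    """Byte length of a content pattern; the |..| segments are hex bytes."""
    return sum(len(bytes.fromhex(seg)) if i % 2 else len(seg)
               for i, seg in enumerate(pattern.split("|")))

def addr_args(flag, spec):
    """Map a Snort address field ($HOME_NET, !$HOME_NET, any, CIDR) to -s/-d arguments."""
    neg, spec = spec.startswith("!"), spec.lstrip("!")
    spec = NET_VARS.get(spec, spec)
    return [] if spec in (None, "any") else (["!"] if neg else []) + [flag, spec]

def translate(rule_text, rule_num, mode="LOG", drop=False, pre_match_max=None, fast_pattern=True):
    """One Snort rule -> iptables-save lines: LOG (plus DROP for --ipt-drop) or NFQUEUE."""
    r = parse_rule(rule_text)
    if r["proto"] not in ("tcp", "udp") or r["dir"] != "->" or not r["contents"]:
        raise ValueError("rule uses features this translator does not handle")
    match = ["-A", CHAIN, "-p", r["proto"]] + addr_args("-s", r["src"]) + addr_args("-d", r["dst"])
    if r["dport"] != "any":   # iptables-save writes port matches with an explicit -m tcp/udp
        match += ["-m", r["proto"], "--dport", r["dport"]]
    estab = "established" in r["flow"]
    if estab:   # the conntrack state fwsnort uses for Snort's flow:established
        match += ["-m", "conntrack", "--ctstate", "ESTABLISHED"]
    contents = r["contents"]
    if fast_pattern:   # longest pattern first, disabled by --no-fast-pattern-ordering
        contents = sorted(contents, key=lambda c: -pattern_len(c["pattern"]))
    if mode == "NFQUEUE" and pre_match_max is not None:   # --queue-pre-match-max
        contents = contents[:pre_match_max]
    for c in contents:   # pipe-delimited hex goes to --hex-string unchanged, plain text to --string
        match += ["-m", "string", "--hex-string" if "|" in c["pattern"] else "--string",
                  '"%s"' % c["pattern"], "--algo", "bm"] + (["--icase"] if c["nocase"] else [])
    comment = " ".join("%s: %s;" % (k, r[k]) for k in ("msg", "classtype", "sid", "rev") if r[k])
    match += ["-m", "comment", "--comment", '"%s"' % comment]
    if mode == "NFQUEUE":
        return [" ".join(match + ["-j", "NFQUEUE", "--queue-num", "0"])]
    prefix = "[%d] SID%s%s " % (rule_num, r["sid"], " ESTAB" if estab else "")
    lines = [" ".join(match + ["-j", "LOG", "--log-prefix", '"%s"' % prefix])]
    if drop:
        lines.append(" ".join(match + ["-j", "DROP"]))
    return lines

def translate_ruleset(rules, **kw):
    """Translate a rule list; returns (iptables-save lines, translated count, skipped count)."""
    lines, ok, skipped = [], 0, 0
    for text in rules:
        if not text.strip() or text.lstrip().startswith("#"):
            continue
        try:
            lines += translate(text, ok + 1, **kw)
            ok += 1
        except ValueError:   # fwsnort likewise skips rules it cannot translate
            skipped += 1
    return lines, ok, skipped

# Constructed sample rules (not from any real rule set); the icmp rule has no content and is skipped.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; '
    'flow:to_server,established; content:"GET "; content:"|0d0a|User-Agent|3a| scanner"; '
    'nocase; classtype:web-application-attack; sid:9000001; rev:2;)',
    'alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE dns tag"; content:"|01 00 00 01|"; sid:9000002; rev:1;)',
    'alert icmp any any -> $HOME_NET any (msg:"EXAMPLE icmp"; itype:8; sid:9000003; rev:1;)',
]
```

Calling translate_ruleset(SAMPLE_RULES, drop=True) yields two LOG rules, each followed by its DROP rule, and reports one skipped rule; the translated count is what fwsnort prints to stdout before the fwsnort.sh wrapper is run.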
.SH OPTIONS
.TP
.BR \-c ", " \-\^\-config\ \<configuration\ file>
By default fwsnort makes use of the configuration file
.B /etc/fwsnort/fwsnort.conf
for almost all configuration parameters. fwsnort can be made to
override this path by specifying a different file on the command
line with the \-\-config option.
.TP
.BR \-\^\-update-rules
Download the latest Emerging Threats rules from http://www.emergingthreats.net.
This will overwrite the emerging-all.rules file in the
/etc/fwsnort/snort_rules/ directory. Note that the automatic downloading
of Snort rules from http://www.snort.org/ as of March, 2005 is only offered
as a pay service.
.TP
.BR \-\^\-rules-url\ \ <url>
Specify the URL to use when updating the Emerging Threats rule set (or any
other rule set). The default URL is: http://rules.emergingthreats.net/open/snort-2.9.0/emerging-all.rules
.TP
.BR \-6 ", " \-\^\-ip6tables
Enable
.B ip6tables
mode so that the fwsnort rule set is built into an ip6tables policy instead
of the iptables policy. This allows fwsnort controls to apply to IPv6
traffic.
.TP
.BR \-\^\-include-type\ \ <rules\ type>
Restrict to processing snort rules of <rules type>. Example rule
types would include "ddos", "backdoor", and "web-attacks". This option
also supports a comma-separated list of types, e.g. "ddos,backdoor".
.TP
.BR \-\^\-exclude-type\ \ <rules\ type>
Exclude all Snort rules of type <rules type> from the translation
process. For example, if you don't want any rules from the file
emerging-all.rules to be translated, then use "emerging-all" as the
argument to this option. A comma-separated list of types to exclude can
be specified.
.TP
.BR \-\^\-include-regex\ \ <regex>
Only translate Snort rules that match the specified regular expression. This
is useful to build
.B fwsnort
policies for Snort rules that have a common characteristic (such as a string
match on the word "Storm" for the Storm worm for example).
.TP
.BR \-\^\-exclude-regex\ \ <regex>
Translate all Snort rules except those that match the specified regular
expression. This is useful to omit Snort rules from
.B fwsnort
policies that have a common characteristic (such as a string
match on "HTTP_PORTS" for example).
.TP
.BR \-\^\-include-re-caseless
Make the rule matching regular expression specified with
.I \-\-include\-regex
match case insensitively.
.TP
.BR \-\^\-exclude-re-caseless
Make the rule matching regular expression specified with
.I \-\-exclude\-regex
match case insensitively.
.TP
.BR \-\^\-snort-rdir\ <snort-rules-directory>
Manually specify the directory where the snort rules files are located.
The default is
.B /etc/fwsnort/snort_rules.
Multiple directories are supported as a comma-separated list.
.TP
.BR \-\^\-snort-rfile\ <snort-rules-file>
Manually specify a Snort rules file to be translated into iptables rules.
Multiple files are also supported as a comma-separated list.
.TP
.BR \-\^\-snort-sid\ \<sid>
Generate an iptables ruleset for a single snort rule specified by
<sid>. A comma-separated list of sids can be specified, e.g. "2001842,1834".
.TP
.BR \-\^\-exclude-sid\ \<sid>
Provide a list of Snort ID's to be excluded from the translation process.
.TP
.BR \-\^\-include-perl-triggers
Include
.I 'perl -e "print ..."'
commands as comments in the
.I fwsnort.sh
script. These commands allow payloads that are designed to trigger snort
rules to easily be built, and when combined with netcat (or other software
that can send bytes over the wire) it becomes possible to test whether an
fwsnort policy appropriately triggers on matching traffic.
.TP
.BR \-\^\-ipt-script\ \<script\ file>
Specify the path to the iptables script generated by fwsnort. The
default location is /var/lib/fwsnort/fwsnort.sh.
.TP
.BR \-\^\-ipt-check-capabilities
Check iptables capabilities and exit.
.TP
.BR \-\^\-Last\-cmd
Run
.B fwsnort
with the same command line arguments as the previous execution. This is a
convenient way of rebuilding the
.I /var/lib/fwsnort/fwsnort.sh
script without having to remember what the last command line args were.
.TP
.BR \-\^\-NFQUEUE
Build an
.B fwsnort
policy that sends packets that match Snort
.B content
or
.B uricontent
fields to userspace via the iptables NFQUEUE target for further analysis. This is a
mechanism for reducing the signature inspection load placed on snort_inline.
A parallel set of Snort rules that are successfully translated are placed in
the /etc/fwsnort/snort_rules_queue directory. This requires
CONFIG_NETFILTER_XT_TARGET_NFQUEUE support in the Linux kernel.
.TP
.BR \-\^\-QUEUE
Same as the
.B \-\-NFQUEUE
command line argument except that the older QUEUE target is used instead of
the NFQUEUE target. This requires CONFIG_IP_NF_QUEUE support in the Linux kernel.
.TP
.BR \-\^\-queue-num\ \<num>
Specify a queue number in \-\-NFQUEUE mode.
.TP
.BR \-\^\-queue-pre-match-max\ \<num>
In \-\-QUEUE or \-\-NFQUEUE mode, limit the number of content matches that are
performed within the kernel before sending a matching packet to a userspace
Snort instance. This allows a level of tuning with respect to how much work
the kernel does to qualify a packet based on a signature match before having
Snort do the same thing. The default is to perform all specified content
matches in the signature before queuing the packet to userspace, because
multiple in-kernel content matches are probably less expensive than sending a
packet to userspace.
.TP
.BR \-\^\-string-match-alg\ \<alg>
Specify the string matching algorithm to use with the kernel. By default, this
is 'bm' for the 'Boyer-Moore' string matching algorithm, but 'kmp' may also be
specified (short for the 'Knuth-Morris-Pratt' algorithm).
.TP
.BR \-\^\-ipt-apply
Execute the iptables script generated by fwsnort.
.TP
.BR \-\^\-ipt-flush
Flush all
.B fwsnort
currently active iptables rules (flushes the fwsnort chains).
.TP
.BR \-\^\-ipt-list
List all
.B fwsnort
currently active iptables rules (lists the fwsnort chains).
.TP
.BR \-\^\-ipt-drop
For each logging rule generated by
.B fwsnort
add a corresponding DROP
rule. Note that for TCP sessions using this option will cause retransmissions
as packets that are part of established sessions are selectively dropped.
Remember that false positives are common occurrences for intrusion detection
systems, and so using this or the \-\-ipt-reject option may break things on
your network! You have been warned.
.TP
.BR \-\^\-ipt-reject
For each logging rule generated by
.B fwsnort
add a corresponding REJECT rule.
Reset packets will be generated for TCP sessions through the use of
the "\-\-reject-with tcp-reset" option, and ICMP port unreachable messages will
be generated for UDP packets through the use of the
"\-\-reject-with icmp-port-unreachable" option.
.TP
.BR \-C ", " \-\^\-Conntrack-state\ \<state>
Specify a conntrack state in place of the "established" state that commonly
accompanies the Snort "flow" keyword. By default, fwsnort uses the conntrack
state of "ESTABLISHED" for this. In certain corner cases, it might be useful
to use "ESTABLISHED,RELATED" instead to apply application layer inspection to
things like ICMP port unreachable messages that are responses to real attempted
communications.
.TP
.BR \-\^\-no-ipt-log
By default fwsnort generates an iptables script that implements a logging
rule for each successfully translated snort rule. This can be disabled
with the \-\-no-ipt-log option, but \-\-ipt-drop must also be specified.
.TP
.BR \-\^\-no-ipt-sync
This is a deprecated option since the default behavior is to translate as
many Snort rules into iptables rules as possible. With
.B fwsnort
able to produce iptables rules in iptables\-save format, it is extremely fast
to instantiate a large set of translated Snort rules into an iptables policy.
A new \-\-ipt-sync option has been added to reverse this behavior (not
recommended).
.TP
.BR \-\^\-ipt-sync
Consult the iptables policy currently running on the machine
for applicable snort rules.
.TP
.BR \-\^\-no-ipt-test
Do not test the iptables build for existence of support for the LOG and
REJECT targets, and ascii and hex string matching.
.TP
.BR \-\^\-no-ipt-jumps
Do not jump packets from the built-in iptables INPUT, OUTPUT, and
FORWARD chains to the custom
.B fwsnort
chains. This option is mostly useful to make it
easy to manually alter the placement of the jump rules in the iptables
ruleset.
.TP
.BR \-\^\-no-ipt-rule-nums
By default
.B fwsnort
includes the rule number within the logging prefix for each of the rules it
adds to the fwsnort chains. E.g. the logging prefix for rule 34 would look
something like "[34] SID1242 ESTAB". Use this option to not include the
rule number.
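.PP
As an added example of consuming log messages carrying this prefix (the kind of analysis the DESCRIPTION delegates to psad), the following Python script is not fwsnort's or psad's code. It extracts the rule number (absent when \-\-no-ipt-rule-nums was used), the Snort SID and the ESTAB marker from kernel LOG lines, reads the IN=/SRC=/DST=/PROTO=/DPT= fields that the iptables LOG target appends, and summarises hits and distinct source addresses per SID. The syslog lines are constructed samples in the shape such messages take, not captured output.

```python
# Added illustration, not fwsnort's or psad's code: parse the fwsnort
# "[rule] SIDnnnn ESTAB" log prefix out of kernel LOG lines and summarise hits per SID.
import re
from collections import defaultdict

# The rule number is absent when fwsnort ran with --no-ipt-rule-nums, and
# ESTAB is absent when the Snort rule carried no flow:established state.
PREFIX_RE = re.compile(r"(?:\[(?P<num>\d+)\] )?SID(?P<sid>\d+)(?P<estab> ESTAB)? (?P<fields>IN=.*)$")

def parse_fwsnort_log(line):
    """Return a dict for an fwsnort LOG line, or None if the line is not one."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    kv = dict(re.findall(r"(\w+)=(\S*)", m.group("fields")))   # KEY=value pairs from the LOG target
    return {"rule_num": int(m.group("num")) if m.group("num") else None,
            "sid": int(m.group("sid")), "estab": m.group("estab") is not None,
            "src": kv.get("SRC"), "dst": kv.get("DST"), "proto": kv.get("PROTO"),
            "dpt": int(kv["DPT"]) if kv.get("DPT") else None}

def summarize(lines):
    """Count hits and distinct source addresses per SID across a batch of log lines."""
    hits, sources = defaultdict(int), defaultdict(set)
    for line in lines:
        rec = parse_fwsnort_log(line)
        if rec:
            hits[rec["sid"]] += 1
            sources[rec["sid"]].add(rec["src"])
    return {sid: {"hits": hits[sid], "sources": sorted(sources[sid])} for sid in hits}

# Constructed sample syslog lines in the shape iptables LOG messages take;
# the last line is unrelated sshd noise that must be ignored.
SAMPLE_LOG = [
    "Jan  5 10:12:31 fw kernel: [1] SID9000001 ESTAB IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.10.20 LEN=512 PROTO=TCP SPT=44122 DPT=80",
    "Jan  5 10:12:32 fw kernel: [1] SID9000001 ESTAB IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.10.20 LEN=512 PROTO=TCP SPT=44123 DPT=80",
    "Jan  5 10:13:05 fw kernel: [1] SID9000001 ESTAB IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.10.20 LEN=498 PROTO=TCP SPT=51000 DPT=80",
    "Jan  5 10:14:40 fw kernel: SID9000002 IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.10.53 LEN=71 PROTO=UDP SPT=5353 DPT=53",
    "Jan  5 10:15:00 fw sshd[412]: Accepted publickey for ops from 192.168.10.2 port 50210",
]
```

summarize(SAMPLE_LOG) reports three hits from two sources for SID 9000001 and one hit for SID 9000002; the sshd line is ignored because it carries no SID prefix.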
.TP
.BR \-\^\-no-ipt-comments
If the iptables "comment" match exists, then
.B fwsnort
puts the Snort "msg", "classtype", "reference", "priority", and "rev" fields
within a comment for each iptables rule. Use this option to disable this.
.TP
.BR \-\^\-no-ipt-INPUT
Do not jump packets from the iptables INPUT chain to the
.B fwsnort
chains.
.TP
.BR \-\^\-no-ipt-OUTPUT
Do not jump packets from the iptables OUTPUT chain to the
.B fwsnort
chains.
.TP
.BR \-\^\-no-ipt-FORWARD
Do not jump packets from the iptables FORWARD chain to the
.B fwsnort
chains.
.TP
.BR \-\^\-no-fast-pattern-ordering
Cause
.B fwsnort
to not try to reorder pattern matches to process the longest pattern first.
The Snort
.I fast_pattern
keyword is also ignored if this option is specified.
.TP
.BR \-H ", " \-\^\-Home-net\ \<network/mask>
Specify the internal network instead of having
.B fwsnort
derive it from the HOME_NET keyword in the fwsnort.conf configuration
file.
.TP
.BR \-E ", " \-\^\-External-net\ \<network/mask>
Specify the external network instead of having
.B fwsnort
derive it from the EXTERNAL_NET keyword in the fwsnort.conf configuration
file.
.TP
.BR \-\^\-no-addresses
Disable all checks against the output of ifconfig for proper IP addresses.
This is useful if
.B fwsnort
is running on a bridging firewall.
.TP
.BR \-\^\-Dump-conf
Print the fwsnort configuration on STDOUT and exit.
.TP
.BR \-\^\-debug
Run in debug mode. This will cause all parse errors which are normally
written to the fwsnort logfile
.B /var/log/fwsnort.log
to be written to STDOUT instead.
.TP
.BR \-\^\-strict
Run fwsnort in "strict" mode. This will prevent fwsnort from translating
snort rules that contain the keywords "offset", "uricontent", and "depth".
.TP
.BR \-U ", " \-\^\-Ulog
Force the usage of the ULOG target for all log messages instead of the
default LOG target.
.TP
.BR \-\^\-ulog-nlgroup
Specify the netlink group for ULOG rules. Such rules are only added for
Snort rules that have an action of "log", or when
.B fwsnort
is run in
.B \-\-Ulog
mode.
.TP
.BR \-l ", " \-\^\-logfile\ <logfile>
By default fwsnort logs all parse errors to the logfile
.B /var/log/fwsnort.log.
This path can be manually changed with the \-\-logfile option.
.TP
.BR \-v ", " \-\^\-verbose
Run fwsnort in verbose mode. This will cause fwsnort to add the original
snort rule as a comment to the fwsnort.sh script for each successfully
translated rule.
.TP
.BR \-V ", " \-\^\-Version
Print the fwsnort version and exit.
.TP
.BR \-h ", " \-\^\-help
Print usage information on STDOUT and exit.
.SH FILES
.B /etc/fwsnort/fwsnort.conf
.RS
The fwsnort configuration file. The path to this file can be
changed on the command line with \-\-config.
.RE

.B /var/lib/fwsnort/fwsnort.sh
.RS
The iptables script generated by fwsnort. The path can be manually
specified on the command line with the \-\-ipt-script option.
.RE
.SH FWSNORT CONFIGURATION VARIABLES
This section describes what each of the more important fwsnort configuration
variables do and how they can be tuned to meet your needs. These variables
are located in the fwsnort configuration file
.B /etc/fwsnort/fwsnort.conf
.TP
.BR HOME_NET
.B fwsnort
uses the same HOME_NET and EXTERNAL_NET variables as defined in Snort rules,
and the same semantics are supported. I.e., individual IP addresses or networks
in standard dotted-quad or CIDR notation can be specified, and comma separated
lists are also supported.
.TP
.BR EXTERNAL_NET
Defines the external network. See the HOME_NET variable for more information.
.SH EXAMPLES
The following examples illustrate the command line arguments that could
be supplied to fwsnort in a few situations:
.PP
Script generation in logging mode, parse errors written to the fwsnort
logfile, and iptables policy checking are enabled by default without
having to specify any command line arguments:
.PP
.B # fwsnort
.PP
Generate ip6tables rules for attacks delivered over IPv6:
.PP
.B # fwsnort -6
.PP
Generate iptables rules for ddos and backdoor Snort rules only:
.PP
.B # fwsnort --include-type ddos,backdoor
.PP
Generate iptables rules for Snort ID's 2008475 and 2003268 (from emerging-all.rules):
.PP
.B # fwsnort --snort-sid 2008475,2003268
.PP
Generate iptables rules for Snort ID's 1834 and 2001842 but queue them to userspace
via the NFQUEUE target and exclude the INPUT and OUTPUT chains:
.PP
.B # fwsnort --snort-sid 1834,2001842 --NFQUEUE --no-ipt-INPUT --no-ipt-OUTPUT
.PP
Instruct
.B fwsnort
to only inspect traffic that traverses the eth0 and eth1 interfaces:
.PP
.B # fwsnort --restrict-intf eth0,eth1
.PP
Generate iptables rules for Snort rules that appear to be allowed by the local
iptables policy, and write original snort rules to the iptables script as a comment:
.PP
.B # fwsnort --ipt-sync --verbose
.SH DEPENDENCIES
.B fwsnort
requires that the iptables string match module be compiled into the
kernel (or as a loadable kernel module) in order to be able to match
snort signatures that make use of the "content" keyword. Note that
the \-\-no-ipt-test option can be specified to have fwsnort generate an
iptables script even if the string match module is not compiled in.
.PP
.B fwsnort
also requires the IPTables::Parse CPAN module in order to parse
iptables policies. This module is bundled with the fwsnort sources in
the deps/ directory for convenience.
.SH DIAGNOSTICS
The \-\-debug option can be used to display on STDOUT any errors that
are generated as fwsnort parses each snort rule. Normally these
errors are written to the fwsnort logfile /var/log/fwsnort.log.
.SH "SEE ALSO"
.BR psad (8),
.BR iptables (8),
.BR snort (8),
.BR nmap (1)
.SH AUTHOR
Michael Rash <mbr@cipherdyne.org>
.SH CONTRIBUTORS
Many people who are active in the open source community have contributed to fwsnort;
see the
.B CREDITS
file in the fwsnort sources, or visit
.B http://www.cipherdyne.org/fwsnort/docs/contributors.html
to view the online list of contributors.

.B fwsnort
is based on the original
.B snort2iptables
script written by William Stearns.
.SH BUGS
Send bug reports to mbr@cipherdyne.org. Suggestions and/or comments are
always welcome as well.
.SH DISTRIBUTION
.B fwsnort
is distributed under the GNU General Public License (GPLv2), and the latest
version may be downloaded from
.B http://www.cipherdyne.org/
.PP
Snort is a registered trademark of Sourcefire, Inc.