Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Application Layer IDS/IPS with iptables
Perl

Fetching latest commit…

Cannot retrieve the latest commit at this time

Failed to load latest commit information.
deps
packaging
patches
CREDITS
ChangeLog
INSTALL
LICENSE
README
README.RPM
TODO
VERSION
bump_version.pl
fwsnort
fwsnort.8
fwsnort.conf
install.pl
snort_opts.pl
snortspoof.pl

README

fwsnort   (Firewall Snort)
Version:  0.6.4
Author:   Michael Rash <mbr@cipherdyne.org>
Website:  http://www.cipherdyne.org/fwsnort/

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
INSTALLATION:

    (See the INSTALL file in the source directory.)

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
**IMPORTANT**:

fwsnort requires the iptables string match module in order to be able to
detect application layer attacks.  In addition, fwsnort extends iptables by
adding a "--hex-string" option with a patch against
iptables/extensions/libipt_string.c.  This patch has been accepted by the
iptables maintainers and is a part of iptables as of the 1.2.9 release.
If you are running a version of iptables that is less than 1.2.9, then you
will need to apply the patch yourself (the patch is against
iptables-1.2.7a).  The basic steps to do this are:

-download iptables-1.2.7a.tar.bz2 from http://www.netfilter.org
-tar xvfj iptables-1.2.7a.tar.bz2
-cp fwsnort-0.1/libipt_string.c.patch iptables-1.2.7a/extensions
-cd iptables-1.2.7a/extensions
-patch libipt_string.c libipt_string.c.patch
-compile and install iptables

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
DESCRIPTION:

fwsnort is a perl script that translates snort rules into equivalent iptables
rules.  Some snort rule options such as "content-list", and "sameip" have no
direct translation into iptables options so not all snort rules can be
translated.  However approximately 65% of all snort signatures can be
successfully translated through the use of the iptables string match module.
Also, included with the fwsnort sources is a patch for the user space portion
of iptables that adds a new option "--hex-string" which accepts an argument
such as "|5a 4e|".  This allows the content fields in snort rules to be
directly input into iptables rulesets from the command line.  fwsnort parses
the running iptables policy on the machine in order to determine which snort
rules are applicable to the specific policy loaded on the machine.

NOTE: The Netfilter string match extension has not yet been ported to the
2.6 Linux kernel, and so fwsnort is yet not compatible with the 2.6 kernel.

Also, note that string_replace_iptables.patch and
string_replace_iptables.patch are included in the fwsnort sources, but they
are not actually used by fwsnort.  These patches provide the ability to
alter application layer data in a manner similar to the "replace" keyword
in Snort_inline by adding two new iptables command line options
"--replace-string" and "--replace-hex-string".

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
PLATFORMS:

fwsnort is compatible with iptables only, hence fwsnort will exclusively run
on Linux running a 2.4.x series kernel.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
COPYRIGHT:

Copyright (C) 2003 Michael Rash (mbr@cipherdyne.org)

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.


$Id$
Something went wrong with that request. Please try again.