Minor update Netfilter -> iptables wording
It is more proper to refer to iptables in the context of psad operations, so
changed all "Netfilter" references to "iptables".
mrash committed Jul 26, 2011
1 parent edc028d commit b13f6ba
Showing 13 changed files with 43 additions and 43 deletions.
26 changes: 13 additions & 13 deletions ChangeLog
@@ -377,7 +377,7 @@ psad-2.0 (12/10/2006):
icmp_id, icmp_seq, itype, icode, ip_proto, ipopts, and sameip.
- Refactored all signatures in /etc/psad/signatures to conform to new
signature matching support in this release. There are now about 190
signatures that psad can run directly against Netfilter logging
signatures that psad can run directly against iptables logging
messages (i.e. without the help of fwsnort).
- Added the ability to download the latest signatures file from
http://www.cipherdyne.org/psad/signatures with the --sig-update command
@@ -395,7 +395,7 @@ psad-2.0 (12/10/2006):
- Added --CSV mode so that psad can be used to generate comma-separated
value output suitable for the AfterGlow project (see
http://afterglow.sourceforge.net/index.html) for graphical
representations of Netfilter logs and associated scan data. Also added
representations of iptables logs and associated scan data. Also added
nf2csv so that normal users can take advantage of this feature.
- Added emulation of the Snort "dsize" test through the use of the IP
length field for TCP/ICMP signatures, and the UDP length field for UDP
@@ -446,7 +446,7 @@ psad-2.0 (12/10/2006):
- Bugfix to cleanup any lost blocking rules from the running psad
timeouts (a separate process might have deleted rules from the psad
chains).
- Bugfix to allow Netfilter log messages to include the PHYSDEV (i.e.
- Bugfix to allow iptables log messages to include the PHYSDEV (i.e.
PHYSIN and PHYSOUT) interfaces.
- Updated to read architecture-dependent perl module installation
directory out of /usr/lib/psad (e.g. "/usr/lib/psad/x86_64-linux")
@@ -503,7 +503,7 @@ psad-1.4.7 (09/10/2006):
is ok upon an unsuccessful test of the syslog reconfiguration. This
fixes a bug where some syslog daemons might not re-import their
configurations after receiving a HUP signal.
- Bugfix for incorrect config variable name that gated Netfilter
- Bugfix for incorrect config variable name that gated iptables
prerequisite checks.
- Added code to install.pl to update command paths in psad.conf and
psadwatchd.conf if any of the paths are broken (i.e. the local system
@@ -522,7 +522,7 @@ psad-1.4.6 (06/13/2006):
logging prefixes.
- Added code to save DShield email to a file.
- Added IPTABLES_PREREQ_CHECK to allow the administrator to control the
frequency of Netfilter checks (for auto-block compatibility).
frequency of iptables checks (for auto-block compatibility).
- Added IGNORE_LOG_PREFIXES to allow certain log prefixes to be completely
ignored by psad.
- Added classification.config file from Snort-2.3.3 so that psad can
@@ -546,7 +546,7 @@ psad-1.4.5 (01/13/2006):
this directory is removed by some Linux distributions at boot time.
- Bugfix for zero masks in auto_dl; this allows a network of "0.0.0.0/0"
to be specified.
- Added ENABLE_FW_LOGGING_CHECK so that the Netfilter policy check can be
- Added ENABLE_FW_LOGGING_CHECK so that the iptables policy check can be
enabled/disabled easily via psad.conf.
- Enhanced -D output to include "uname -a" and "perl -V" output.
- Added ENABLE_RENEW_BLOCK_EMAILS to allow whether renew emails are sent
@@ -571,7 +571,7 @@ psad-1.4.4 (11/27/2005):
keyword "TRUNCATE_FWDATA" (this is enabled by default).
- Bugfix in auto-blocking mode for deleting AUTO_IPT_SOCK when a HUP
signal is received.
- Bugfix for parsing Netfilter policies that contain ULOG logging rules
- Bugfix for parsing iptables policies that contain ULOG logging rules
instead of the standard LOG target.
- Removed the smtpdaemon requirement in the RPM because psad might be
configured to not send email alerts.
@@ -587,7 +587,7 @@ psad-1.4.3 (09/27/2005):
messages. This drastically reduces the amount of memory required
by psad.
- Updated to only display psad chains if --verbose is set
- Updated to automatically flush the psad auto-response Netfilter chains
- Updated to automatically flush the psad auto-response iptables chains
at start time (subject to a new config keyword "FLUSH_IPT_AT_INIT").

psad-1.4.2 (07/15/2005):
@@ -597,7 +597,7 @@ psad-1.4.2 (07/15/2005):
- Updated to version 0.2 of the IPTables::ChainMgr module.
- Updated to not truncate the fwdata file upon psad startup.
- Added --fw-dump which produces a sanitized (i.e. no IP addresses)
version of the local Netfilter policy. Also added --fw-include-ips
version of the local iptables policy. Also added --fw-include-ips
to (optionally) not sanitize IPs/nets. Note that the 0.0.0.0 and
0.0.0.0/0 IPs/nets are not sanitized since they give no useful
information about specific IPs/nets.
@@ -628,14 +628,14 @@ psad-1.4.1 (03/12/2005):
- Updated Psad module directory structure to be consistent with current
versions of perl (5.8.x).
- Added IPTables::ChainMgr module.
- Completely re-worked the Netfilter auto-blocking code to use
- Completely re-worked the iptables auto-blocking code to use
IPTables::ChainMgr functions so that auto-generated rules are placed
in chains created by psad.
- Added IPT_AUTO_CHAIN keyword in psad.conf which is used to define the
set of chains to which auto-generated Netfilter rules are added.
- Added --fw-list-auto to display the contents of psad Netfilter
set of chains to which auto-generated iptables rules are added.
- Added --fw-list-auto to display the contents of psad iptables
chains.
- Added the ability to import an IP into the Netfilter auto-blocking
- Added the ability to import an IP into the iptableiptablesocking
chains from the command line with --fw-block-ip. This allows psad to
apply its timeout mechanism against such IPs/nets.
- Added the ability to ignore packets based on input interface with
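Review bot: the replacement on the line beginning "- Added the ability to import an IP into the" is corrupted: "Netfilter auto-blocking" came out as "iptableiptablesocking", which looks like an overlapping search-and-replace hit. It should read "iptables auto-blocking" so the entry stays parallel with "iptables auto-blocking code" a few lines above. Worth re-running the substitution and checking the result with `grep -n iptableiptables ChangeLog` (and the other twelve files) before merging, since the same pattern could have mangled other lines that are outside the hunk context shown here.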
8 changes: 4 additions & 4 deletions README.SYSLOG
@@ -35,15 +35,15 @@ You should get something along the lines of:
syslogd 942 root 20u FIFO 3,5 544097 /var/lib/psad/psadfifo
kmsgsd 25457 root 0u FIFO 3,5 544097 /var/lib/psad/psadfifo

The main requirement is that Netfilter logs are getting logged via kern.info
The main requirement is that iptables logs are getting logged via kern.info
(or at a higher priority such as "warn") by syslog. The default for the
Netfilter LOG target is log Netfilter messages at the "warn" priority, but
iptables LOG target is log iptables messages at the "warn" priority, but
this can be changed with the --log-level option. For example, to have
Netfilter generate logs at the "info" priority in the INPUT chain, the
iptables generate logs at the "info" priority in the INPUT chain, the
following command could be used:

# iptables -A INPUT -j LOG --log-level info

This may help cut down on Netfilter logs being sent to the console if your
This may help cut down on iptables logs being sent to the console if your
syslog.conf instructs syslog to log kernel messages at a "warn" level or
higher to the console device.
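Review bot: the sentence 'The default for the iptables LOG target is log iptables messages at the "warn" priority' was already missing a word and now repeats "iptables"; suggest 'By default the iptables LOG target logs at the "warn" priority'. One caveat on the wording change in this file specifically: the log lines are emitted by the kernel's Netfilter LOG target and reach syslog through the kern facility, iptables only installs the rule, so it is worth keeping the phrase "kernel log messages" somewhere here so that readers understand why psad expects them on kern.info rather than on a userspace facility. The example rule `# iptables -A INPUT -j LOG --log-level info` is unchanged context, but as written it has no match criteria and will log every packet traversing INPUT; a one-line mention of pairing it with `-m limit` or placing it only before a DROP rule would save readers from flooding their logs.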
2 changes: 1 addition & 1 deletion SCAN_LOG
@@ -15,7 +15,7 @@ Microsoft VNC service against my Linux box (running kernel 2.6.18):

Scanned tcp ports: [5900: 1 packets]
tcp flags: [SYN: 1 packets, Nmap: -sT or -sS]
Netfilter chain: INPUT (prefix "DROP"), 1 packets
iptables chain: INPUT (prefix "DROP"), 1 packets

Source: 71.127.83.44
DNS: static-71-127-83-44.aubnin.fios.verizon.net
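Review bot: SCAN_LOG is a sample of psad's own alert output, so changing 'Netfilter chain: INPUT (prefix "DROP"), 1 packets' to 'iptables chain:' is only accurate if the format string psad prints was changed in the same commit. The psad diff on this page renames $netfilter_prereq_check and nothing else, so if the alert code still emits "Netfilter chain:", this sample will no longer match what users actually see. Suggest grepping psad for the literal "chain:" format string and updating it (or reverting this line) so documentation and output agree.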
4 changes: 2 additions & 2 deletions TODO
@@ -77,7 +77,7 @@
denied without requiring overly complicated firewall rules to detect
odd tcp flag combinations.
- perldoc
- Configurable Netfilter prerequisite checks.
- Configurable iptables prerequisite checks.
- Handle "pass" action on Snort rules in the signatures file. This will
allow ignore rules to be written in the Snort rules language itself
(this will far more powerful than any of the IGNORE_* keywords).
@@ -88,4 +88,4 @@
- Include input/output interfaces, as well as physin and physout
interfaces.
- IPCop integration.
- Script to turn pcap files into equivalent Netfilter log messages.
- Script to turn pcap files into equivalent iptables log messages.
2 changes: 1 addition & 1 deletion nf2csv
@@ -75,7 +75,7 @@ my %pkt_NF_init = (
'udp_len' => -1,

### extra fields for internals (fwsnort sid matching,
### Netfilter logging prefixes and chains, etc.)
### iptables logging prefixes and chains, etc.)
'fwsnort_sid' => 0,
'chain' => '',
'log_prefix' => '',
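Review bot: only the comment changes here, while the script name nf2csv and the %pkt_NF_init hash keep the "NF" abbreviation. Leaving those alone is the right call for a user-facing command (renaming it would break existing pipelines such as the --CSV example in psad.8), but the comment could say so, e.g. '### iptables (Netfilter) logging prefixes and chains, etc.', so the remaining nf/NF names do not read as an oversight of this wording pass.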
2 changes: 1 addition & 1 deletion packaging/psad-nobuildreqs.spec
@@ -302,7 +302,7 @@ fi
- psad-2.0 release.
- Added ip_options file for the Snort ipopts rule keyword.
- Added nf2csv so that normal users can get CSV output from
Netfilter log messages.
iptables log messages.

* Sun Oct 15 2006 Michael Rash <mbr@cipherdyne.org>
- psad-1.4.8 release.
2 changes: 1 addition & 1 deletion packaging/psad-nodeps.spec
@@ -215,7 +215,7 @@ fi
- psad-2.0 release.
- Added ip_options file for the Snort ipopts rule keyword.
- Added nf2csv so that normal users can get CSV output from
Netfilter log messages.
iptables log messages.

* Sun Oct 15 2006 Michael Rash <mbr@cipherdyne.org>
- psad-1.4.8 release.
2 changes: 1 addition & 1 deletion packaging/psad.spec
@@ -303,7 +303,7 @@ fi
- psad-2.0 release.
- Added ip_options file for the Snort ipopts rule keyword.
- Added nf2csv so that normal users can get CSV output from
Netfilter log messages.
iptables log messages.

* Sun Oct 15 2006 Michael Rash <mbr@cipherdyne.org>
- psad-1.4.8 release.
10 changes: 5 additions & 5 deletions psad
@@ -276,7 +276,7 @@ my %auto_assigned_msg = ();
my %auto_blocked_ips = ();

### counter to check psad iptables chains and jump rules
my $netfilter_prereq_check = 0;
my $iptables_prereq_check = 0;

### cache the addresses we have issued dns lookups against.
my %dns_cache = ();
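Review bot: this is a plain rename of $netfilter_prereq_check to $iptables_prereq_check, and the comment above it already said "iptables chains", so the name now matches its comment. The two hunks below update four uses; please confirm those are the only ones with `grep -n netfilter_prereq_check psad` (the result should be empty) and a `perl -c psad` syntax check before merging, since a missed reference in a file this size is easy to overlook and, depending on strictness, would either fail at compile time or silently read an undefined variable and skip the chain check.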
@@ -5824,9 +5824,9 @@ sub ipt_block() {
}

if ($config{'IPTABLES_PREREQ_CHECK'} > 1) {
$netfilter_prereq_check++;
$netfilter_prereq_check = 1
if $netfilter_prereq_check == $config{'IPTABLES_PREREQ_CHECK'};
$iptables_prereq_check++;
$iptables_prereq_check = 1
if $iptables_prereq_check == $config{'IPTABLES_PREREQ_CHECK'};
}

### add block rule for $ip unless it is already blocked
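Review bot: behaviour is unchanged by the rename, but the counter logic is worth a look while this block is being touched. The counter is incremented, reset to 1 when it reaches IPTABLES_PREREQ_CHECK, and the next hunk runs the chains-and-jump-rule check whenever it equals 1. That fires on the first call and then every IPTABLES_PREREQ_CHECK minus one calls, not every IPTABLES_PREREQ_CHECK calls as the ChangeLog entry ("control the frequency of iptables checks") suggests. Resetting it to 0 rather than 1 when the limit is reached would make the interval match the setting. Not introduced by this commit, so fine as a follow-up.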
@@ -5843,7 +5843,7 @@ sub ipt_block() {
my $dst = '';

if ($config{'IPTABLES_PREREQ_CHECK'} == 1
or $netfilter_prereq_check == 1) {
or $iptables_prereq_check == 1) {
print STDERR "[+] iptables chains and jump rule check.\n"
if $debug;

2 changes: 1 addition & 1 deletion psad.8
@@ -811,7 +811,7 @@ address "10.1.1.1":
.PP
Generate graphs of scan data using AfterGlow:
.PP
.B # psad --CSV --CSV-fields "src dst dp" --CSV-max 1000 -m <iptables logfile> | perl afterglow.pl -c color.properties | neato -Tgif -o netfilter_graph.gif
.B # psad --CSV --CSV-fields "src dst dp" --CSV-max 1000 -m <iptables logfile> | perl afterglow.pl -c color.properties | neato -Tgif -o iptables_graph.gif
.PP
The
.B psad.conf,
12 changes: 6 additions & 6 deletions psad.conf
@@ -160,7 +160,7 @@ IGNORE_PORTS NONE;

### allow entire protocols to be ignored. This keyword can accept
### a comma separated list of protocols. Each protocol must match
### the protocol that is specified in a Netfilter log message (case
### the protocol that is specified in an iptables log message (case
### insensitively, so both "TCP" or "tcp" is ok).
### IGNORE_PROTOCOL tcp,udp;
IGNORE_PROTOCOLS NONE;
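Review bot: the commented example two lines below the changed line reads '### IGNORE_PROTOCOL tcp,udp;' while the keyword actually defined on the next line is IGNORE_PROTOCOLS. Since this hunk already edits the block, it is a good moment to change the example to '### IGNORE_PROTOCOLS tcp,udp;' so that it can be uncommented as-is.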
@@ -191,7 +191,7 @@ ENABLE_INTF_LOCAL_NETS Y;
### Include MAC addresses in email alert
ENABLE_MAC_ADDR_REPORTING N;

### Look for the Netfilter logging rule (fwcheck_psad is executed)
### Look for the iptables logging rule (fwcheck_psad is executed)
ENABLE_FW_LOGGING_CHECK Y;

### Send no more than this number of emails for a single
@@ -310,7 +310,7 @@ AUTO_BLOCK_TIMEOUT 3600;
### Enable regex checking on log prefixes for active response
ENABLE_AUTO_IDS_REGEX N;

### Only block if the Netfilter log message matches the following regex
### Only block if the iptables log message matches the following regex
AUTO_BLOCK_REGEX ESTAB; ### from fwsnort logging prefixes

### Control whether "renew" auto-block emails get sent. This is disabled
@@ -332,11 +332,11 @@ IPTABLES_BLOCK_METHOD Y;
### to add an additional IPT_AUTO_CHAIN requirement. The format for this
### variable is: <Target>,<Direction>,<Table>,<From_chain>,<Jump_rule_position>, \
### <To_chain>,<Rule_position>.
### "Target": Can be any legitimate Netfilter target, but should usually
### "Target": Can be any legitimate iptables target, but should usually
### just be "DROP".
### "Direction": Can be "src", "dst", or "both", which correspond to the
### INPUT, OUTPUT, and FORWARD chains.
### "Table": Can be any Netfilter table, but the default is "filter".
### "Table": Can be any iptables table, but the default is "filter".
### "From_chain": Is the chain from which packets will be jumped.
### "Jump_rule_position": Defines the position within the From_chain where
### the jump rule is added.
@@ -489,7 +489,7 @@ PSADWATCHD_PID_FILE $PSAD_RUN_DIR/psadwatchd.pid;
AUTO_BLOCK_IPT_FILE $PSAD_DIR/auto_blocked_iptables;
AUTO_BLOCK_TCPWR_FILE $PSAD_DIR/auto_blocked_tcpwr;

### File used internally by psad to add Netfilter blocking
### File used internally by psad to add iptables blocking
### rules to a running psad process
AUTO_IPT_SOCK $PSAD_RUN_DIR/auto_ipt.sock;

6 changes: 3 additions & 3 deletions signatures
@@ -5,8 +5,8 @@
#
# Purpose: To provide a set of approximations to the Snort rule set for psad.
# These signatures are the closest representations to Snort rules
# that are possible given the Netfilter logging format. Note that
# with the Netfilter string match extension, iptables along with
# that are possible given the iptables logging format. Note that
# with the iptables string match extension, iptables along with
# fwsnort is able to detect (and optionally block) attacks based on
# application layer data, but this is not addressed within the
# signatures file itself.
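Review bot: after the change the sentence reads "with the iptables string match extension, iptables along with fwsnort is able to detect", which now repeats "iptables" back to back. Suggest "with the string match extension, iptables along with fwsnort is able to detect (and optionally block)"; the extension is the match loaded with `-m string`, so dropping the qualifier loses nothing and reads more naturally.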
@@ -22,7 +22,7 @@
# average header sizes) and from the length field in
# the UDP header for UDP packets.
# psad_ip_len: - This allows psad to test the length field in the IP
# header (logged as "LEN") within Netfilter logs.
# header (logged as "LEN") within iptables logs.
#
##############################################################################
#
8 changes: 4 additions & 4 deletions snort_compat.pl
@@ -7,10 +7,10 @@
# Purpose: To assist in the construction of a set of Snort rules that can be
# made compatible with psad.
#
# Methodology: Psad exclusively uses Netfilter log messages as its source
# Methodology: Psad exclusively uses iptables log messages as its source
# of intrusion detection data. This means that psad cannot accurately
# detect most Snort rules because payload data is not available (the
# Netfilter string match extension can provide string matching capabilities
# iptables string match extension can provide string matching capabilities
# against application layer data; see "fwsnort" at
# http://www.cipherdyne.org/fwsnort). However, there are several backdoor
# programs, DDoS tools, and other suspect traffic that can be inferred from
@@ -29,11 +29,11 @@
# for example. Each of the rules only applies to traffic over an
# established TCP session (see the "established" argument give to the
# "flow" keyword). It is impossible to extract the same level of
# granularity from Netfilter logs alone. However, if Netfilter logs a SYN
# granularity from iptables logs alone. However, if iptables logs a SYN
# packet directed to TCP port 27665, it is a good bet that a Trin00 DDoS
# client is attempting to contact a Trin00 master client. Hence psad will
# generate the alert "DDOS Trin00 Attacker to Master" upon monitoring such
# a packet in the Netfilter log. Even if the Snort rules above are
# a packet in the iptables log. Even if the Snort rules above are
# improved by the Snort community to use the more advanced features of the
# Snort rules language, the basic fact that SYN packets to TCP/27665 may
# be associated with the Trin00 DDoS remains. This is the general
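Review bot: the unchanged context line 'see the "established" argument give to the "flow" keyword' has a typo, "give" should be "given"; since the commit is already editing this comment block, it is worth fixing in the same pass rather than leaving it for a separate wording commit.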
