Provided by: fwsnort_1.6.7-3_all bug


       fwsnort - Firewall Snort


       fwsnort [options]


       fwsnort  translates  SNORT  rules  into  iptables  rules  on Linux systems and generates a
       corresponding iptables policy  in  iptables-save  format.   This  ruleset  allows  network
       traffic  that  matches  Snort  signatures  (i.e.   attacks  and  other  suspicious network
       behavior) to be logged and/or dropped by iptables directly without  putting  an  interface
       into promiscuous mode or queuing packets from kernel to user space.  Note that fwsnort can
       also build an iptables policy that combines the string match extension with the NFQUEUE or
       QUEUE  targets  to allow the kernel to perform preliminary string matches that are defined
       within Snort rules before queuing matching packets to a userspace  snort_inline  instance.
       Because  the  bulk  of  network  communications  are  not generally malicious, this should
       provide a speedup for snort_inline since the majority of packets do not then  have  to  be
       copied  from  kernel  memory  into user memory and subsequently inspected by snort_inline.
       There is a tradeoff here in terms of signature detection however because snort_inline when
       deployed  in  this  way does not have the opportunity to see all packets associated with a
       session, so stream reassembly and signature comparisons against a  reassembled  buffer  do
       not  take  place (the stream preprocessor should be disabled in the userspace snort_inline

       As  of  fwsnort-1.5  all  iptables  rules  built  by  fwsnort  are  written  out  to   the
       /var/lib/fwsnort/  file  in  iptables-save format.  This allows a long fwsnort
       policy (which may contain thousands of  iptables  rules  translated  from  a  large  Snort
       signature  set)  to be quickly instantiated via the "iptables-restore" command.  A wrapper
       script /var/lib/fwsnort/ is also written out to  make  this  easy.   Hence,  the
       typical  work flow for fwsnort is to: 1) run fwsnort, 2) note the Snort rules that fwsnort
       was able to successfully translate (the number of such rules is printed  to  stdout),  and
       then  3)  execute the /var/lib/fwsnort/ wrapper script to instantiate the policy
       in the running kernel.

       fwsnort (optionally) uses the IPTables::Parse CPAN module to parse the iptables ruleset on
       the machine to determine which Snort rules are applicable to the specific iptables policy.
       After all, if iptables is blocking all inbound http traffic from  external  addresses  for
       example,  it  is probably not of much use to try detecting inbound attacks against against
       tcp/80.  By default fwsnort generates iptables rules that log Snort sid's within a  --log-
       prefix  to syslog where the messages can be analyzed with a log analyzer such as psad (see  fwsnort relies on the iptables string match  module  to
       match  Snort  content  fields in the application portion of ip traffic.  Since Snort rules
       can contain hex data in content fields (specified between pipe  "|"  characters),  fwsnort
       implements  a  patch against iptables (which has been accepted by the Netfilter project as
       of iptables-1.2.7a) which adds a "--hex-string" option.  This  allow  iptables  to  accept
       content   fields  from  Snort  rules  such  as  "|0d0a5b52504c5d3030320d0a|"  without  any
       modification.  fwsnort is able to translate  approximately  60%  of  all  rules  from  the
       Snort-2.3.3   IDS  into  equivalent  iptables  rules.   For  more  information  about  the
       translation strategy as well as advantages/disadvantages of the method used by fwsnort  to
       obtain  intrusion  detection  data,  see  the  README included with the fwsnort sources or
       browse to:

       fwsnort is able to apply Snort rules to IPv6 traffic by building an ip6tables policy  (see
       the "--ip6tables" command line argument).


       -c, --config <configuration file>
              By  default  fwsnort  makes use of the configuration file /etc/fwsnort/fwsnort.conf
              for almost all configuration parameters.  fwsnort can be made to override this path
              by  specifying a different file on the command line with the --config option.  When
              fwsnort is not executed as root, then a path to a  readable  fwsnort.conf  file  is

              Download the latest Emerging Threats rules from This
              will  overwrite  the   emerging-all.rules  file  in  the  /etc/fwsnort/snort_rules/
              directory.    Note   that   the   automatic   downloading   of   Snort  rules  from
     as of March, 2005 is only offered as a pay service.

       --rules-url  <url>
              Specify the URL to use when updating the Emerging Threats rule set  (or  any  other
              rule            set).             The           default           URL           is:

       -6, --ip6tables
              Enable ip6tables mode so that the fwsnort rule  set  is  built  into  an  ip6tables
              policy  instead  of  the iptables policy.  This allows fwsnort controls to apply to
              IPv6 traffic.

       --include-type  <rules type>
              Restrict to processing snort rules of  <rules  type>.   Example  rule  types  would
              include  "ddos", "backdoor", and "web-attacks".  This option also supports a comma-
              separated list of types, e.g. "ddos,backdoor".

       --exclude-type  <rules type>
              Exclude all Snort rules from of type <rules type>  from  the  translation  process.
              For  example,  if  you  don't want any rules from the file emerging-all.rules to be
              translated, then use "emerging-all" as the  argument  to  this  option.   A  comma-
              separated list of types to exclude can be specified.

       --include-regex  <regex>
              Only  translate  Snort  rules  that match the specified regular expression. This is
              useful to build fwsnort policies for Snort rules that have a common  characteristic
              (such as a string match on the word "Storm" for the Storm worm for example).

       --exclude-regex  <regex>
              Translate all Snort rules except those that match the specified regular expression.
              This is useful to omit Snort  rules  from  fwsnort  policies  that  have  a  common
              characteristic (such as a string match on "HTTP_PORTS" for example).

              Make the rule matchine regular expression specified with --include-regex match case

              Make the rule matchine regular expression specified with --exclude-regex match case

       --snort-rdir <snort-rules-directory>
              Manually  specify  the  directory  where  the  snort  rules files are located.  The
              default is /etc/fwsnort/snort_rules.   Multiple  directories  are  supported  as  a
              comma-separated list.

       --snort-rfile <snort-rules-file>
              Manually  specify  a  Snort rules file to translated into iptables rules.  Multiple
              files are also supported as a comma-separated list.

       --snort-sid <sid>
              Generate an iptables ruleset for a single snort rule specified by <sid>.  A  comma-
              separated list of sids can be specified, e.g. "2001842,1834".

       --exclude-sid <sid>
              Provide a list of Snort ID's to be excluded from the translation process.

              Include  'perl -e print ... ' commands as comments in the script.  These
              commands allow payloads that are designed to  trigger  snort  rules  to  easily  be
              built,  and  when  combined with netcat (or other software that can send bytes over
              the wire) it becomes possible to  test  whether  an  fwsnort  policy  appropriately
              triggers on matching traffic.

       --ipt-script <script file>
              Specify the path to the iptables script generated by fwsnort.  The default location
              is /var/lib/fwsnort/

              Check iptables capabilities and exit.

              Run fwsnort with the same command line arguments as the previous  execution.   This
              is  a  convenient  way of rebuilding the /var/lib/fwsnort/ script without
              having to remember what the last command line args were.

              Build an fwsnort policy that sends packets that match Snort content  or  uricontent
              fields  to userspace via the iptables NFQUEUE target for further analysis.  This is
              a mechanism for reducing the signature inspection load placed on  snort_inline.   A
              parallel  set  of  Snort  rules  that are successfully translated are placed in the
              /etc/fwsnort/snort_rules_queue          directory.           This          requires
              CONFIG_NETFILTER_XT_TARGET_NFQUEUE support in the Linux kernel.

              Same  as  the --NFQUEUE command line argument except that the older QUEUE target is
              used instead of the NFQUEUE target.  This requires  CONFIG_IP_NF_QUEUE  support  in
              the Linux kernel.

       --queue-num <num>
              Specify a queue number in --NFQUEUE mode.

       --queue-pre-match-max <num>
              In  --QUEUE  or  --NFQUEUE  mode,  limit  the  number  of  content matches that are
              performed within the kernel before sending a matching packet to a  userspace  Snort
              instance.   This  allows a level of tuning with respect to how much work the kernel
              does to qualify a packet based on a signature match before having Snort do the same
              thing.   The  default  is to perform all specified content matches in the signature
              before queuing the packet to  userspace  because  the  multiple  in-kernel  content
              matches is probably less expensive than sending a packet to userspace by default.

       --string-match-alg <alg>
              Specify  the string matching algorithm to use with the kernel.  By default, this is
              'bm' for the 'Boyer-Moore'  string  matching  algorithm,  but  'kmp'  may  also  be
              specified (short for the 'Knuth–Morris–Pratt' algorithm).

              Execute the iptables script generated by fwsnort.

              Synonym for --ipt-apply.

              Revert  to  a  version of the iptables policy without any fwsnort rules.  Note that
              this reverts to the iptables policy as it was when fwsnort was originally executed.
              So,  it  is  not  recommended to use this option if there is a large amount of time
              between when fwsnort is run to translate Snort  rules  vs.  running  it  with  this
              option.  For most purposes it is better to use the --ipt-flush option below.

              Flush all fwsnort currently active iptables rules (flushes the fwsnort chains).

              List all fwsnort currently active iptables rules (lists the fwsnort chains).

              For  each  logging  rule  generated by fwsnort add a corresponding DROP rule.  Note
              that for TCP sessions using this option will cause retransmissions as packets  that
              are  part  of  established  sessions  selectively  dropped.   Remember  that  false
              positives are common occurrences for intrusion detection systems, and so using this
              or the --ipt-reject option may break things on your network!  You have been warned.

              For  each logging rule generated by fwsnort add a corresponding REJECT rule.  Reset
              packets will be generated for TCP sessions through the use  of  the  "--reject-with
              tcp-reset"  option,  and  ICMP  port unreachable messages will be generated for UDP
              packets through the use of the "--reject-with icmp-port-unreachable" option.

       -C, --Conntrack-state <state>
              Specify a conntrack state  in  place  of  the  "established"  state  that  commonly
              accompanies the Snort "flow" keyword.  By default, fwsnort uses the conntrack state
              of "ESTABLISHED" for this.  In certain corner cases, it  might  be  useful  to  use
              "ESTABLISHED,RELATED"  instead to apply application layer inspection to things like
              ICMP port unreachable messages that are responses to real attempted communications.

              By default fwsnort generates an iptables script that implements a logging rule  for
              each  successfully  translated snort rule.  This can be disabled with the --no-ipt-
              log option, but --ipt-drop must also be specified.

              This is a deprecated option since the default behavior  is  to  translate  as  many
              Snort rules into iptables rules as possible.  With fwsnort able to produce iptables
              rules in iptables-save format, it is extremely fast to instantiate a large  set  of
              translated  Snort  rules into an iptables policy.  A new --ipt-sync option has been
              added to reverse this behavior (not recommended).

              Consult the iptables policy currently running on the machine for  applicable  snort

              Do  not  test  the  iptables  build for existence of support for the LOG and REJECT
              targets, and ascii and hex string matching.

              Do not jump packets from the built-in iptables INPUT, OUTPUT, and FORWARD chains to
              the  custom  fwsnort  chains.   This  options  is  mostly useful to make it easy to
              manually alter the placement of the jump rules in the iptables ruleset.

              By default fwsnort includes the rule number within the logging prefix for  each  of
              the rules it adds to the fwsnort chains.  E.g. the logging prefix for rule 34 would
              look something like "[34] SID1242 ESTAB".  Use this option to not include the  rule

              If  the  iptables  "comment"  match  exists,  then  fwsnort  puts  the Snort "msg",
              "classtype", "reference", "priority", and "rev" fields within a  comment  for  each
              iptables rule.  Use this option to disable this.

              Do not jump packets from the iptables INPUT chain to the fwsnort chains.

              Do not jump packets from the iptables OUTPUT chain to the fwsnort chains.

              Do not jump packets from the iptables FORWARD chain to the fwsnort chains.

              Cause  fwsnort to not try to reorder pattern matches to process the longest pattern
              first.  The Snort fast_pattern keyword is also ignored if this option is specified.

       -H, --Home-net <network/mask>
              Specify the internal network instead of having fwsnort derive it from the  HOME_NET
              keyword in the fwsnort.conf configuration file.

       -E, --External-net <network/mask>
              Specify  the  external  network  instead  of  having  fwsnort  derive  it  from the
              EXTERNAL_NET keyword in the fwsnort.conf configuration file.

              Disable all checks against the output of ifconfig for proper IP addresses.  This is
              useful if fwsnort is running on a bridging firewall.

              Print the fwsnort configuration on STDOUT and exit.

              Run  in debug mode.  This will cause all parse errors which are normally written to
              the fwsnort logfile /var/log/fwsnort.log to be written to STDOUT instead.

              Run fwsnort in "strict" mode.  This will prevent  fwsnort  from  translating  snort
              rules that contain the keywords "offset", "uricontent", and "depth".

       -U, --Ulog
              Force  the usage of the ULOG target for all log messages instead of the default LOG

              Specify the netlink group for ULOG rules.  Such rules  are  only  added  for  Snort
              rules that have an action of "log", or when fwsnort is run in --Ulog mode.

       -l, --logfile <logfile>
              By default fwsnort logs all parse errors to the logfile /var/log/fwsnort.log.  This
              path can be manually changed with the --logfile option.

       -v, --verbose
              Run fwsnort in verbose mode.  This will cause fwsnort to  add  the  original  snort
              rule as a comment to the script for each successfully translated rule.

       -V, --Version
              Print the fwsnort version and exit.

       -h, --help
              Print usage information on STDOUT and exit.


              The  fwsnort  configuration  file.   The  path  to  this file can be changed on the
              command line with --config.

              The iptables script generated by fwsnort.  The path can be  manually  specified  on
              the command line with the --ipt-script option.


       This  section describes what each of the more important fwsnort configuration variables do
       and how they can be tuned to meet your needs.  These variables are located in the  fwsnort
       configuration file /etc/fwsnort/fwsnort.conf

              fwsnort  uses  the  same  HOME_NET  and  EXTERNAL_NET variables as defined in Snort
              rules, and the same semantics are supported.   I.e.,  individual  IP  addresses  or
              networks  in  standard  dotted-quad  or  CIDR  notation can be specified, and comma
              separated lists are also supported.

              Defines the external network.  See the HOME_NET variable for more information.


       The following examples illustrate the command line arguments that  could  be  supplied  to
       fwsnort in a few situations:

       Script  generation  in  logging  mode,  parse  errors  written to the fwsnort logfile, and
       iptables policy checking are enabled by default without having to specify any command line

       # fwsnort

       Generate ip6tables rules for attacks delivered over IPv6:

       # fwsnort -6

       Generate iptables rules for ddos and backdoor Snort rules only:

       # fwsnort --include-type ddos,backdoor

       Generate iptables rules for Snort ID's 2008475 and 2003268 (from emerging-all.rules):

       fwsnort --snort-sid 2008475,2003268

       Generate  iptables  rules  for Snort ID's 1834 and 2001842 but queue them to userspace via
       the NFQUEUE target and restrict exclude the INPUT and OUTPUT chains:

       fwsnort --snort-sid 1834,2001842 --NFQUEUE --no-ipt-INPUT --no-ipt-OUTPUT

       Instruct fwsnort to only inspect traffic that traverses the eth0 and eth1 interfaces:

       # fwsnort --restrict-intf eth0,eth1

       Generate iptables rules for Snort rules that appear to be allowed by  the  local  iptables
       policy, and write original snort rules to the iptables script as a comment:

       # fwsnort --ipt-sync --verbose


       fwsnort  requires that the iptables string match module be compiled into the kernel (or as
       a loadable kernel module) in order to be able to match snort signatures that make  use  of
       the  "content"  keyword.   Note  that  the  --no-opt-test  option can be specified to have
       fwsnort generate an iptables script even if the string match module is not compiled in.

       fwsnort also requires the IPTables::Parse CPAN module in order to parse iptables policies.
       This module is bundled with the fwsnort sources in the deps/ directory for convenience.


       The  --debug  option  can  be  used  to display on STDOUT any errors that are generated as
       fwsnort parses each snort rule.  Normally these errors are written to the fwsnort  logfile


       psad(8), iptables(8), snort(8), nmap(1)


       Michael Rash <>


       Many  people  who are active in the open source community have contributed to fwsnort; see
       the      CREDITS      file      in      the      fwsnort      sources,      or       visit   to  view  the  online  list  of

       fwsnort is based on the original snort2iptables script written by William Stearns.


       Send bug reports to Suggestions and/or comments are always welcome  as


       fwsnort  is  distributed  under  the  GNU  General  Public License (GPLv2), and the latest
       version may be downloaded from Snort is a registered  trademark
       of Sourcefire, Inc.