Provided by: fwsnort_1.6.5-1_all bug


       fwsnort - Firewall Snort


       fwsnort [options]


       fwsnort translates SNORT rules into iptables rules on Linux systems and
       generates a corresponding  iptables  policy  in  iptables-save  format.
       This ruleset allows network traffic that matches Snort signatures (i.e.
       attacks and other suspicious network  behavior)  to  be  logged  and/or
       dropped   by  iptables  directly  without  putting  an  interface  into
       promiscuous mode or queuing packets from kernel to  user  space.   Note
       that fwsnort can also build an iptables policy that combines the string
       match extension with the NFQUEUE or QUEUE targets to allow  the  kernel
       to  perform  preliminary  string  matches that are defined within Snort
       rules before queuing  matching  packets  to  a  userspace  snort_inline
       instance.    Because   the  bulk  of  network  communications  are  not
       generallly malicious, this should provide a  speedup  for  snort_inline
       since the majority of packets do not then have to be copied from kernel
       memory into user memory and  subsequently  inspected  by  snort_inline.
       There  is  a  tradeoff  here  in  terms  of signature detection however
       because snort_inline when deployed  in  this  way  does  not  have  the
       opportunity  to  see  all  packets associated with a session, so stream
       reassembly and signature comparisons against a  reassembled  buffer  do
       not  take  place  (the  stream  preprocessor  should be disabled in the
       userspace snort_inline instance).

       As of fwsnort-1.5 all iptables rules built by fwsnort are  written  out
       to  the  /var/lib/fwsnort/  file  in  iptables-save format.
       This allows a long fwsnort  policy  (which  may  contain  thousands  of
       iptables  rules  translated  from  a  large  Snort signature set) to be
       quickly instantiated via the  "iptables-restore"  command.   A  wrapper
       script  /var/lib/fwsnort/  is  also  written out to make this
       easy.  Hence, the typical work flow for fwsnort is to: 1) run  fwsnort,
       2) note the Snort rules that fwsnort was able to successfully translate
       (the number of such rules is printed to stdout), and  then  3)  execute
       the  /var/lib/fwsnort/  wrapper  script  to  instantiate  the
       policy in the running kernel.

       fwsnort (optionally) uses the IPTables::Parse CPAN module to parse  the
       iptables  ruleset  on  the  machine  to determine which Snort rules are
       applicable to the specific iptables policy.  After all, if iptables  is
       blocking  all inbound http traffic from external addresses for example,
       it is probably not of much use to try detecting inbound attacks against
       against  tcp/80.   By default fwsnort generates iptables rules that log
       Snort sid's within a --log-prefix to syslog where the messages  can  be
       analyzed     with    a    log    analyzer    such    as    psad    (see   fwsnort  relies  on  the   iptables
       string  match  module  to match Snort content fields in the application
       portion of ip traffic.  Since Snort  rules  can  contain  hex  data  in
       content   fields  (specified  between  pipe  "|"  characters),  fwsnort
       implements a patch against iptables (which has  been  accepted  by  the
       Netfilter  project  as  of iptables-1.2.7a) which adds a "--hex-string"
       option.  This allow iptables to accept content fields from Snort  rules
       such as "|0d0a5b52504c5d3030320d0a|" without any modification.  fwsnort
       is  able  to  translate  approximately  60%  of  all  rules  from   the
       Snort-2.3.3  IDS  into equivalent iptables rules.  For more information
       about the translation strategy as well as  advantages/disadvantages  of
       the  method used by fwsnort to obtain intrusion detection data, see the
       README   included   with   the   fwsnort   sources   or   browse    to:

       fwsnort  is  able  to  apply Snort rules to IPv6 traffic by building an
       ip6tables policy (see the "--ip6tables" command line argument).


       -c, --config <configuration file>
              By  default  fwsnort  makes  use  of  the   configuration   file
              /etc/fwsnort/fwsnort.conf    for    almost   all   configuration
              parameters.  fwsnort can  be  made  to  override  this  path  by
              specifying  a  different  file  on  the  command  line  with the
              --config option.  When fwsnort is not executed as root,  then  a
              path to a readable fwsnort.conf file is required.

              Download    the    latest    Emerging    Threats    rules   from
       This   will    overwrite    the
              emerging-all.rules   file   in   the   /etc/fwsnort/snort_rules/
              directory.  Note that the automatic downloading of  Snort  rules
              from as of March, 2005 is only offered as
              a pay service.

       --rules-url  <url>
              Specify the URL to use when updating the Emerging  Threats  rule
              set   (or   any   other   rule   set).    The  default  URL  is:

       -6, --ip6tables
              Enable ip6tables mode so that the fwsnort rule set is built into
              an ip6tables policy instead of the iptables policy.  This allows
              fwsnort controls to apply to IPv6 traffic.

       --include-type  <rules type>
              Restrict  to  processing  snort  rules of <rules type>.  Example
              rule types would include "ddos", "backdoor", and  "web-attacks".
              This  option also supports a comma-separated list of types, e.g.

       --exclude-type  <rules type>
              Exclude all Snort rules from  of  type  <rules  type>  from  the
              translation  process.   For example, if you don't want any rules
              from the file emerging-all.rules  to  be  translated,  then  use
              "emerging-all"  as  the  argument  to  this  option.   A  comma-
              separated list of types to exclude can be specified.

       --include-regex  <regex>
              Only translate Snort rules  that  match  the  specified  regular
              expression.  This  is useful to build fwsnort policies for Snort
              rules that have a common characteristic (such as a string  match
              on the word "Storm" for the Storm worm for example).

       --exclude-regex  <regex>
              Translate  all Snort rules except those that match the specified
              regular expression.  This is useful to  omit  Snort  rules  from
              fwsnort  policies  that  have a common characteristic (such as a
              string match on "HTTP_PORTS" for example).

              Make  the  rule  matchine  regular  expression  specified   with
              --include-regex match case insensitively.

              Make   the  rule  matchine  regular  expression  specified  with
              --exclude-regex match case insensitively.

       --snort-rdir <snort-rules-directory>
              Manually specify the directory where the snort rules  files  are
              located.   The  default  is  /etc/fwsnort/snort_rules.  Multiple
              directories are supported as a comma-separated list.

       --snort-rfile <snort-rules-file>
              Manually specify a Snort rules file to translated into  iptables
              rules.   Multiple  files are also supported as a comma-separated

       --snort-sid <sid>
              Generate an iptables ruleset for a single snort  rule  specified
              by <sid>.  A comma-separated list of sids can be specified, e.g.

       --exclude-sid <sid>
              Provide a list of Snort ID's to be excluded from the translation

              Include  'perl  -e  print  ...  '  commands  as  comments in the
     script.   These  commands  allow  payloads  that  are
              designed  to  trigger  snort  rules to easily be built, and when
              combined with netcat (or other software that can send bytes over
              the  wire) it becomes possible to test whether an fwsnort policy
              appropriately triggers on matching traffic.

       --ipt-script <script file>
              Specify the path to the iptables script  generated  by  fwsnort.
              The default location is /var/lib/fwsnort/

              Check iptables capabilities and exit.

              Run fwsnort with the same command line arguments as the previous
              execution.   This  is  a  convenient  way  of   rebuilding   the
              /var/lib/fwsnort/  script  without  having to remember
              what the last command line args were.

              Build an fwsnort policy that  sends  packets  that  match  Snort
              content  or  uricontent  fields  to  userspace  via the iptables
              NFQUEUE target for further analysis.  This is  a  mechanism  for
              reducing  the  signature inspection load placed on snort_inline.
              A parallel set of Snort rules that are  successfully  translated
              are  placed  in  the  /etc/fwsnort/snort_rules_queue  directory.
              This requires CONFIG_NETFILTER_XT_TARGET_NFQUEUE support in  the
              Linux kernel.

              Same  as  the  --NFQUEUE  command  line argument except that the
              older QUEUE target is used instead of the NFQUEUE target.   This
              requires CONFIG_IP_NF_QUEUE support in the Linux kernel.

       --queue-num <num>
              Specify a queue number in --NFQUEUE mode.

       --queue-pre-match-max <num>
              In  --QUEUE  or  --NFQUEUE  mode,  limit  the  number of content
              matches that are performed within the kernel  before  sending  a
              matching  packet  to  a userspace Snort instance.  This allows a
              level of tuning with respect to how much work the kernel does to
              qualify  a packet based on a signature match before having Snort
              do the same thing.  The default  is  to  perform  all  specified
              content  matches  in  the signature before queuing the packet to
              userspace because the  multiple  in-kernel  content  matches  is
              probably  less  expensive  than sending a packet to userspace by

       --string-match-alg <alg>
              Specify the string matching algorithm to use  with  the  kernel.
              By  default,  this is 'bm' for the 'Boyer-Moore' string matching
              algorithm, but 'kmp'  may  also  be  specified  (short  for  the
              'Knuth–Morris–Pratt' algorithm).

              Execute the iptables script generated by fwsnort.

              Synonym for --ipt-apply.

              Revert  to  a version of the iptables policy without any fwsnort
              rules.  Note that this reverts to the iptables policy as it  was
              when fwsnort was originally executed.  So, it is not recommended
              to use this option if there is a large amount  of  time  between
              when fwsnort is run to translate Snort rules vs. running it with
              this option.  For most purposes it is better to use  the  --ipt-
              flush option below.

              Flush  all  fwsnort currently active iptables rules (flushes the
              fwsnort chains).

              List all fwsnort currently  active  iptables  rules  (lists  the
              fwsnort chains).

              For  each  logging rule generated by fwsnort add a corresponding
              DROP rule.  Note that for TCP sessions using  this  option  will
              cause  retransmissions  as  packets that are part of established
              sessions selectively dropped.  Remember that false positives are
              common occurrences for intrusion detection systems, and so using
              this or  the  --ipt-reject  option  may  break  things  on  your
              network!  You have been warned.

              For  each  logging rule generated by fwsnort add a corresponding
              REJECT rule.  Reset packets will be generated for  TCP  sessions
              through  the  use  of  the "--reject-with tcp-reset" option, and
              ICMP port unreachable messages will be generated for UDP packets
              through  the  use  of  the "--reject-with icmp-port-unreachable"

       -C, --Conntrack-state <state>
              Specify a conntrack state in place of  the  "established"  state
              that commonly accompanies the Snort "flow" keyword.  By default,
              fwsnort uses the conntrack state of "ESTABLISHED" for this.   In
              certain    corner   cases,   it   might   be   useful   to   use
              "ESTABLISHED,RELATED"  instead  to   apply   application   layer
              inspection  to  things  like ICMP port unreachable messages that
              are responses to real attempted communications.

              By default fwsnort generates an iptables script that  implements
              a  logging  rule  for  each  successfully translated snort rule.
              This can be disabled with the --no-ipt-log  option,  but  --ipt-
              drop must also be specified.

              This  is  a  deprecated  option since the default behavior is to
              translate as many Snort rules into iptables rules  as  possible.
              With  fwsnort  able  to  produce iptables rules in iptables-save
              format, it is extremely fast  to  instantiate  a  large  set  of
              translated  Snort  rules  into an iptables policy.  A new --ipt-
              sync option  has  been  added  to  reverse  this  behavior  (not

              Consult the iptables policy currently running on the machine for
              applicable snort rules.

              Do not test the iptables build for existence of support for  the
              LOG and REJECT targets, and ascii and hex string matching.

              Do  not  jump  packets from the built-in iptables INPUT, OUTPUT,
              and FORWARD chains to the custom fwsnort chains.   This  options
              is mostly useful to make it easy to manually alter the placement
              of the jump rules in the iptables ruleset.

              By default fwsnort includes the rule number within  the  logging
              prefix  for  each  of  the  rules it adds to the fwsnort chains.
              E.g. the logging prefix for rule 34 would  look  something  like
              "[34]  SID1242  ESTAB".  Use this option to not include the rule

              If the iptables "comment" match exists, then  fwsnort  puts  the
              Snort  "msg",  "classtype",  "reference",  "priority", and "rev"
              fields within a comment for each iptables rule.  Use this option
              to disable this.

              Do not jump packets from the iptables INPUT chain to the fwsnort

              Do not jump packets  from  the  iptables  OUTPUT  chain  to  the
              fwsnort chains.

              Do  not  jump  packets  from  the  iptables FORWARD chain to the
              fwsnort chains.

              Cause fwsnort to not try to reorder pattern matches  to  process
              the  longest  pattern  first.  The Snort fast_pattern keyword is
              also ignored if this option is specified.

       -H, --Home-net <network/mask>
              Specify the internal network instead of having fwsnort derive it
              from  the  HOME_NET  keyword  in  the fwsnort.conf configuration

       -E, --External-net <network/mask>
              Specify the external network instead of having fwsnort derive it
              from  the EXTERNAL_NET keyword in the fwsnort.conf configuration

              Disable all checks against the output of ifconfig for proper  IP
              addresses.   This  is useful if fwsnort is running on a bridging

              Print the fwsnort configuration on STDOUT and exit.

              Run in debug mode.  This will cause all parse errors  which  are
              normally  written to the fwsnort logfile /var/log/fwsnort.log to
              be written to STDOUT instead.

              Run fwsnort in "strict" mode.  This will  prevent  fwsnort  from
              translating  snort  rules  that  contain  the keywords "offset",
              "uricontent", and "depth".

       -U, --Ulog
              Force the usage of the ULOG target for all log messages  instead
              of the default LOG target.

              Specify  the  netlink group for ULOG rules.  Such rules are only
              added for Snort rules that have an  action  of  "log",  or  when
              fwsnort is run in --Ulog mode.

       -l, --logfile <logfile>
              By  default  fwsnort  logs  all  parse  errors  to  the  logfile
              /var/log/fwsnort.log.  This path can be  manually  changed  with
              the --logfile option.

       -v, --verbose
              Run fwsnort in verbose mode.  This will cause fwsnort to add the
              original snort rule as a comment to the  script  for
              each successfully translated rule.

       -V, --Version
              Print the fwsnort version and exit.

       -h, --help
              Print usage information on STDOUT and exit.


              The  fwsnort  configuration  file.  The path to this file can be
              changed on the command line with --config.

              The iptables script generated  by  fwsnort.   The  path  can  be
              manually  specified  on  the  command line with the --ipt-script


       This  section  describes  what  each  of  the  more  important  fwsnort
       configuration  variables  do  and  how  they  can be tuned to meet your
       needs.  These variables are located in the fwsnort  configuration  file

              fwsnort  uses  the  same  HOME_NET and EXTERNAL_NET variables as
              defined in Snort rules, and the same  semantics  are  supported.
              I.e.,  individual  IP  addresses or networks in standard dotted-
              quad or CIDR notation can  be  specified,  and  comma  separated
              lists are also supported.

              Defines  the  external  network.   See the HOME_NET variable for
              more information.


       The following examples illustrate the command line arguments that could
       be supplied to fwsnort in a few situations:

       Script  generation in logging mode, parse errors written to the fwsnort
       logfile, and iptables policy checking are enabled  by  default  without
       having to specify any command line arguments:

       # fwsnort

       Generate ip6tables rules for attacks delivered over IPv6:

       # fwsnort -6

       Generate iptables rules for ddos and backdoor Snort rules only:

       # fwsnort --include-type ddos,backdoor

       Generate  iptables  rules  for  Snort  ID's  2008475  and 2003268 (from

       fwsnort --snort-sid 2008475,2003268

       Generate iptables rules for Snort ID's 1834 and 2001842 but queue  them
       to  userspace via the NFQUEUE target and restrict exclude the INPUT and
       OUTPUT chains:

       fwsnort --snort-sid  1834,2001842  --NFQUEUE  --no-ipt-INPUT  --no-ipt-

       Instruct  fwsnort  to  only inspect traffic that traverses the eth0 and
       eth1 interfaces:

       # fwsnort --restrict-intf eth0,eth1

       Generate iptables rules for Snort rules that appear to  be  allowed  by
       the  local  iptables  policy,  and  write  original  snort rules to the
       iptables script as a comment:

       # fwsnort --ipt-sync --verbose


       fwsnort requires that the iptables string match module be compiled into
       the  kernel  (or  as  a  loadable kernel module) in order to be able to
       match snort signatures that make use of the  "content"  keyword.   Note
       that the --no-opt-test option can be specified to have fwsnort generate
       an iptables script even if the string match module is not compiled in.

       fwsnort also requires the IPTables::Parse CPAN module in order to parse
       iptables  policies.  This module is bundled with the fwsnort sources in
       the deps/ directory for convenience.


       The --debug option can be used to display on STDOUT any errors that are
       generated as fwsnort parses each snort rule.  Normally these errors are
       written to the fwsnort logfile /var/log/fwsnort.log


       psad(8), iptables(8), snort(8), nmap(1)


       Michael Rash <>


       Many  people  who  are  active  in  the  open  source  community   have
       contributed to fwsnort; see the CREDITS file in the fwsnort sources, or
       visit to  view
       the online list of contributors.

       fwsnort  is  based  on  the  original  snort2iptables script written by
       William Stearns.


       Send bug reports to Suggestions and/or comments are
       always welcome as well.


       fwsnort  is  distributed  under the GNU General Public License (GPLv2),
       and    the    latest     version     may     be     downloaded     from   Snort   is   a   registered  trademark  of
       Sourcefire, Inc.