Provided by: fwsnort_1.6.8-1_all 
NAME
fwsnort - Firewall Snort
SYNOPSIS
fwsnort [options]
DESCRIPTION
fwsnort translates SNORT rules into iptables rules on Linux systems and generates a
corresponding iptables policy in iptables-save format. This ruleset allows network
traffic that matches Snort signatures (i.e. attacks and other suspicious network
behavior) to be logged and/or dropped by iptables directly without putting an interface
into promiscuous mode or queuing packets from kernel to user space. Note that fwsnort can
also build an iptables policy that combines the string match extension with the NFQUEUE or
QUEUE targets to allow the kernel to perform preliminary string matches that are defined
within Snort rules before queuing matching packets to a userspace snort_inline instance.
Because the bulk of network communications are not generally malicious, this should
provide a speedup for snort_inline since the majority of packets do not then have to be
copied from kernel memory into user memory and subsequently inspected by snort_inline.
There is a tradeoff here in terms of signature detection however because snort_inline when
deployed in this way does not have the opportunity to see all packets associated with a
session, so stream reassembly and signature comparisons against a reassembled buffer do
not take place (the stream preprocessor should be disabled in the userspace snort_inline
instance).
As of fwsnort-1.5 all iptables rules built by fwsnort are written out to the
/var/lib/fwsnort/fwsnort.save file in iptables-save format. This allows a long fwsnort
policy (which may contain thousands of iptables rules translated from a large Snort
signature set) to be quickly instantiated via the "iptables-restore" command. A wrapper
script /var/lib/fwsnort/fwsnort.sh is also written out to make this easy. Hence, the
typical work flow for fwsnort is to: 1) run fwsnort, 2) note the Snort rules that fwsnort
was able to successfully translate (the number of such rules is printed to stdout), and
then 3) execute the /var/lib/fwsnort/fwsnort.sh wrapper script to instantiate the policy
in the running kernel.
fwsnort (optionally) uses the IPTables::Parse CPAN module to parse the iptables ruleset on
the machine to determine which Snort rules are applicable to the specific iptables policy.
After all, if iptables is blocking all inbound http traffic from external addresses for
example, it is probably not of much use to try detecting inbound attacks against against
tcp/80. By default fwsnort generates iptables rules that log Snort sid's within a --log-
prefix to syslog where the messages can be analyzed with a log analyzer such as psad (see
http://www.cipherdyne.org/psad/). fwsnort relies on the iptables string match module to
match Snort content fields in the application portion of ip traffic. Since Snort rules
can contain hex data in content fields (specified between pipe "|" characters), fwsnort
implements a patch against iptables (which has been accepted by the Netfilter project as
of iptables-1.2.7a) which adds a "--hex-string" option. This allow iptables to accept
content fields from Snort rules such as "|0d0a5b52504c5d3030320d0a|" without any
modification. fwsnort is able to translate approximately 60% of all rules from the
Snort-2.3.3 IDS into equivalent iptables rules. For more information about the
translation strategy as well as advantages/disadvantages of the method used by fwsnort to
obtain intrusion detection data, see the README included with the fwsnort sources or
browse to: http://www.cipherdyne.org/fwsnort/
fwsnort is able to apply Snort rules to IPv6 traffic by building an ip6tables policy (see
the "--ip6tables" command line argument).
OPTIONS
-c, --config <configuration file>
By default fwsnort makes use of the configuration file /etc/fwsnort/fwsnort.conf
for almost all configuration parameters. fwsnort can be made to override this path
by specifying a different file on the command line with the --config option. When
fwsnort is not executed as root, then a path to a readable fwsnort.conf file is
required.
--update-rules
Download the latest Emerging Threats rules from http://www.emergingthreats.net This
will overwrite the emerging-all.rules file in the /etc/fwsnort/snort_rules/
directory. Note that the automatic downloading of Snort rules from
http://www.snort.org/ as of March, 2005 is only offered as a pay service.
--rules-url <url>
Specify the URL to use when updating the Emerging Threats rule set (or any other
rule set). The default URL is:
http://rules.emergingthreats.net/open/snort-2.9.0/emerging-all.rules
-6, --ip6tables
Enable ip6tables mode so that the fwsnort rule set is built into an ip6tables
policy instead of the iptables policy. This allows fwsnort controls to apply to
IPv6 traffic.
--include-type <rules type>
Restrict to processing snort rules of <rules type>. Example rule types would
include "ddos", "backdoor", and "web-attacks". This option also supports a comma-
separated list of types, e.g. "ddos,backdoor".
--exclude-type <rules type>
Exclude all Snort rules from of type <rules type> from the translation process.
For example, if you don't want any rules from the file emerging-all.rules to be
translated, then use "emerging-all" as the argument to this option. A comma-
separated list of types to exclude can be specified.
--include-regex <regex>
Only translate Snort rules that match the specified regular expression. This is
useful to build fwsnort policies for Snort rules that have a common characteristic
(such as a string match on the word "Storm" for the Storm worm for example).
--exclude-regex <regex>
Translate all Snort rules except those that match the specified regular expression.
This is useful to omit Snort rules from fwsnort policies that have a common
characteristic (such as a string match on "HTTP_PORTS" for example).
--include-re-caseless
Make the rule matching regular expression specified with --include-regex match case
insensitively.
--exclude-re-caseless
Make the rule matching regular expression specified with --exclude-regex match case
insensitively.
--snort-rdir <snort-rules-directory>
Manually specify the directory where the snort rules files are located. The
default is /etc/fwsnort/snort_rules. Multiple directories are supported as a
comma-separated list.
--snort-rfile <snort-rules-file>
Manually specify a Snort rules file to translated into iptables rules. Multiple
files are also supported as a comma-separated list.
--snort-sid <sid>
Generate an iptables ruleset for a single snort rule specified by <sid>. A comma-
separated list of sids can be specified, e.g. "2001842,1834".
--exclude-sid <sid>
Provide a list of Snort ID's to be excluded from the translation process.
--include-perl-triggers
Include 'perl -e print ... ' commands as comments in the fwsnort.sh script. These
commands allow payloads that are designed to trigger snort rules to easily be
built, and when combined with netcat (or other software that can send bytes over
the wire) it becomes possible to test whether an fwsnort policy appropriately
triggers on matching traffic.
--ipt-script <script file>
Specify the path to the iptables script generated by fwsnort. The default location
is /var/lib/fwsnort/fwsnort.sh.
--ipt-check-capabilities
Check iptables capabilities and exit.
--Last-cmd
Run fwsnort with the same command line arguments as the previous execution. This
is a convenient way of rebuilding the /var/lib/fwsnort/fwsnort.sh script without
having to remember what the last command line args were.
--NFQUEUE
Build an fwsnort policy that sends packets that match Snort content or uricontent
fields to userspace via the iptables NFQUEUE target for further analysis. This is
a mechanism for reducing the signature inspection load placed on snort_inline. A
parallel set of Snort rules that are successfully translated are placed in the
/etc/fwsnort/snort_rules_queue directory. This requires
CONFIG_NETFILTER_XT_TARGET_NFQUEUE support in the Linux kernel.
--QUEUE
Same as the --NFQUEUE command line argument except that the older QUEUE target is
used instead of the NFQUEUE target. This requires CONFIG_IP_NF_QUEUE support in
the Linux kernel.
--queue-num <num>
Specify a queue number in --NFQUEUE mode.
--queue-pre-match-max <num>
In --QUEUE or --NFQUEUE mode, limit the number of content matches that are
performed within the kernel before sending a matching packet to a userspace Snort
instance. This allows a level of tuning with respect to how much work the kernel
does to qualify a packet based on a signature match before having Snort do the same
thing. The default is to perform all specified content matches in the signature
before queuing the packet to userspace because the multiple in-kernel content
matches is probably less expensive than sending a packet to userspace by default.
--string-match-alg <alg>
Specify the string matching algorithm to use with the kernel. By default, this is
'bm' for the 'Boyer-Moore' string matching algorithm, but 'kmp' may also be
specified (short for the 'Knuth–Morris–Pratt' algorithm).
--ipt-apply
Execute the iptables script generated by fwsnort.
--ipt-exec
Synonym for --ipt-apply.
--ipt-revert
Revert to a version of the iptables policy without any fwsnort rules. Note that
this reverts to the iptables policy as it was when fwsnort was originally executed.
So, it is not recommended to use this option if there is a large amount of time
between when fwsnort is run to translate Snort rules vs. running it with this
option. For most purposes it is better to use the --ipt-flush option below.
--ipt-flush
Flush all fwsnort currently active iptables rules (flushes the fwsnort chains).
--ipt-list
List all fwsnort currently active iptables rules (lists the fwsnort chains).
--ipt-drop
For each logging rule generated by fwsnort add a corresponding DROP rule. Note
that for TCP sessions using this option will cause retransmissions as packets that
are part of established sessions selectively dropped. Remember that false
positives are common occurrences for intrusion detection systems, and so using this
or the --ipt-reject option may break things on your network! You have been warned.
--ipt-reject
For each logging rule generated by fwsnort add a corresponding REJECT rule. Reset
packets will be generated for TCP sessions through the use of the "--reject-with
tcp-reset" option, and ICMP port unreachable messages will be generated for UDP
packets through the use of the "--reject-with icmp-port-unreachable" option.
-C, --Conntrack-state <state>
Specify a conntrack state in place of the "established" state that commonly
accompanies the Snort "flow" keyword. By default, fwsnort uses the conntrack state
of "ESTABLISHED" for this. In certain corner cases, it might be useful to use
"ESTABLISHED,RELATED" instead to apply application layer inspection to things like
ICMP port unreachable messages that are responses to real attempted communications.
--no-ipt-log
By default fwsnort generates an iptables script that implements a logging rule for
each successfully translated snort rule. This can be disabled with the --no-ipt-
log option, but --ipt-drop must also be specified.
--no-ipt-sync
This is a deprecated option since the default behavior is to translate as many
Snort rules into iptables rules as possible. With fwsnort able to produce iptables
rules in iptables-save format, it is extremely fast to instantiate a large set of
translated Snort rules into an iptables policy. A new --ipt-sync option has been
added to reverse this behavior (not recommended).
--ipt-sync
Consult the iptables policy currently running on the machine for applicable snort
rules.
--no-ipt-test
Do not test the iptables build for existence of support for the LOG and REJECT
targets, and ascii and hex string matching.
--no-ipt-jumps
Do not jump packets from the built-in iptables INPUT, OUTPUT, and FORWARD chains to
the custom fwsnort chains. This options is mostly useful to make it easy to
manually alter the placement of the jump rules in the iptables ruleset.
--no-ipt-rule-nums
By default fwsnort includes the rule number within the logging prefix for each of
the rules it adds to the fwsnort chains. E.g. the logging prefix for rule 34 would
look something like "[34] SID1242 ESTAB". Use this option to not include the rule
number.
--no-ipt-comments
If the iptables "comment" match exists, then fwsnort puts the Snort "msg",
"classtype", "reference", "priority", and "rev" fields within a comment for each
iptables rule. Use this option to disable this.
--no-ipt-INPUT
Do not jump packets from the iptables INPUT chain to the fwsnort chains.
--no-ipt-OUTPUT
Do not jump packets from the iptables OUTPUT chain to the fwsnort chains.
--no-ipt-FORWARD
Do not jump packets from the iptables FORWARD chain to the fwsnort chains.
--no-fast-pattern-ordering
Cause fwsnort to not try to reorder pattern matches to process the longest pattern
first. The Snort fast_pattern keyword is also ignored if this option is specified.
-H, --Home-net <network/mask>
Specify the internal network instead of having fwsnort derive it from the HOME_NET
keyword in the fwsnort.conf configuration file.
-E, --External-net <network/mask>
Specify the external network instead of having fwsnort derive it from the
EXTERNAL_NET keyword in the fwsnort.conf configuration file.
--no-addresses
Disable all checks against the output of ifconfig for proper IP addresses. This is
useful if fwsnort is running on a bridging firewall.
--Dump-conf
Print the fwsnort configuration on STDOUT and exit.
--debug
Run in debug mode. This will cause all parse errors which are normally written to
the fwsnort logfile /var/log/fwsnort.log to be written to STDOUT instead.
--strict
Run fwsnort in "strict" mode. This will prevent fwsnort from translating snort
rules that contain the keywords "offset", "uricontent", and "depth".
-U, --Ulog
Force the usage of the ULOG target for all log messages instead of the default LOG
target.
--ulog-nlgroup
Specify the netlink group for ULOG rules. Such rules are only added for Snort
rules that have an action of "log", or when fwsnort is run in --Ulog mode.
-l, --logfile <logfile>
By default fwsnort logs all parse errors to the logfile /var/log/fwsnort.log. This
path can be manually changed with the --logfile option.
-v, --verbose
Run fwsnort in verbose mode. This will cause fwsnort to add the original snort
rule as a comment to the fwsnort.sh script for each successfully translated rule.
-V, --Version
Print the fwsnort version and exit.
-h, --help
Print usage information on STDOUT and exit.
FILES
/etc/fwnort/fwsnort.conf
The fwsnort configuration file. The path to this file can be changed on the
command line with --config.
/var/lib/fwnort/fwsnort.sh
The iptables script generated by fwsnort. The path can be manually specified on
the command line with the --ipt-script option.
FWSNORT CONFIGURATION VARIABLES
This section describes what each of the more important fwsnort configuration variables do
and how they can be tuned to meet your needs. These variables are located in the fwsnort
configuration file /etc/fwsnort/fwsnort.conf
HOME_NET
fwsnort uses the same HOME_NET and EXTERNAL_NET variables as defined in Snort
rules, and the same semantics are supported. I.e., individual IP addresses or
networks in standard dotted-quad or CIDR notation can be specified, and comma
separated lists are also supported.
EXTERNAL_NET
Defines the external network. See the HOME_NET variable for more information.
EXAMPLES
The following examples illustrate the command line arguments that could be supplied to
fwsnort in a few situations:
Script generation in logging mode, parse errors written to the fwsnort logfile, and
iptables policy checking are enabled by default without having to specify any command line
arguments:
# fwsnort
Generate ip6tables rules for attacks delivered over IPv6:
# fwsnort -6
Generate iptables rules for ddos and backdoor Snort rules only:
# fwsnort --include-type ddos,backdoor
Generate iptables rules for Snort ID's 2008475 and 2003268 (from emerging-all.rules):
fwsnort --snort-sid 2008475,2003268
Generate iptables rules for Snort ID's 1834 and 2001842 but queue them to userspace via
the NFQUEUE target and restrict exclude the INPUT and OUTPUT chains:
fwsnort --snort-sid 1834,2001842 --NFQUEUE --no-ipt-INPUT --no-ipt-OUTPUT
Instruct fwsnort to only inspect traffic that traverses the eth0 and eth1 interfaces:
# fwsnort --restrict-intf eth0,eth1
Generate iptables rules for Snort rules that appear to be allowed by the local iptables
policy, and write original snort rules to the iptables script as a comment:
# fwsnort --ipt-sync --verbose
DEPENDENCIES
fwsnort requires that the iptables string match module be compiled into the kernel (or as
a loadable kernel module) in order to be able to match snort signatures that make use of
the "content" keyword. Note that the --no-opt-test option can be specified to have
fwsnort generate an iptables script even if the string match module is not compiled in.
fwsnort also requires the IPTables::Parse CPAN module in order to parse iptables policies.
This module is bundled with the fwsnort sources in the deps/ directory for convenience.
DIAGNOSTICS
The --debug option can be used to display on STDOUT any errors that are generated as
fwsnort parses each snort rule. Normally these errors are written to the fwsnort logfile
/var/log/fwsnort.log
SEE ALSO
psad(8), iptables(8), snort(8), nmap(1)
AUTHOR
Michael Rash <mbr@cipherdyne.org>
CONTRIBUTORS
Many people who are active in the open source community have contributed to fwsnort; see
the CREDITS file in the fwsnort sources, or visit
http://www.cipherdyne.org/fwsnort/docs/contributors.html to view the online list of
contributors.
fwsnort is based on the original snort2iptables script written by William Stearns.
BUGS
Send bug reports to mbr@cipherdyne.org. Suggestions and/or comments are always welcome as
well.
DISTRIBUTION
fwsnort is distributed under the GNU General Public License (GPLv2), and the latest
version may be downloaded from http://www.cipherdyne.org/ Snort is a registered trademark
of Sourcefire, Inc.