fwsnort translates snort rules into an equivalent iptables ruleset. By making use of the iptables string match module, fwsnort can detect application layer signatures which exist in many snort rules. fwsnort adds a --hex-string option to iptables, which allows snort rules that contain hex characters to be input directly into iptables rulesets without modification. In addition, fwsnort makes use of the IPTables::Parse Perl module in order to (optionally) restrict the snort rule translation to only those rules that specify traffic that could potentially be allowed through an existing iptables policy.
| Field | Value |
|---|---|
| Tags | Logging, Monitoring, Networking, Firewalls |
| Licenses | GPL |
| Operating Systems | POSIX, Linux |
| Implementation | C, Perl, Unix Shell |
Recent releases


Changes: A bug was fixed to allow fwsnort to properly translate snort rules that have "content" fields with embedded escaped semicolons (e.g. "\;"). This allows fwsnort to translate about 58 additional rules from the Emerging Threats rule set. A bug was fixed to allow case insensitive matches to work properly with the --include-re-caseless and --exclude-re-caseless arguments. The code was updated to the latest complete rule set from Emerging Threats. The --snort-rfile argument was added so that a specific Snort rules file (or list of files separated by commas) is parsed.


Changes: This release replaces the bleeding-all.rules file with the emerging-all.rules file because Matt Jonkman now releases his rule sets at emergingthreats.net. Restructured Perl module paths make it easy to introduce a "nodeps" distribution of fwsnort that does not contain any Perl modules, allowing better integration with systems that already have all necessary modules installed (including the IPTables::ChainMgr and IPTables::Parse modules). This release adds support for multiple Snort rule directories as a comma-separated list for the argument to --snort-rdir.


Changes: This version was updated to exclude loopback interfaces from iptables allow rules parsing. This behavior can be reversed with the existing --no-exclude-loopback command line argument. IPTables::Parse was updated to take into account iptables policy output that contains "0" instead of "all" to represent any protocol. IPTables::Parse was updated to set sport and dport to "0:0" if the protocol is "all". A bug was fixed to allow negated networks to be specified within iptables allow rules or within the fwsnort.conf file. install.pl was updated to set the LC_ALL environment variable to "C".


Changes: A major signature update from Bleeding Threats. This update includes a large number of new signatures with PCRE statements, with an emphasis on detecting SQL injection attacks directed at internal Web servers from external sources. The ability to interpret PCRE statements that include simple string matches separated by ".*" and ".+" as multiple iptables string matches has been added. The asn1 keyword has been added to the unsupported list.


Changes: A bugfix to add header lengths to depth and offset values, since the string match extension starts comparing bytes from the start of the data link header rather than the payload. A bugfix for the ipt_rule_test() function name. The ability to automatically resolve command paths if any commands cannot be found at the locations specified in the fwsnort.conf file.
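As an added example (not fwsnort's own code), a minimal Python translator for the mechanism the description above and these release notes describe: it splits rule options on unescaped semicolons so an embedded "\;" survives, passes the content field straight to the iptables string match's --hex-string option, and adds IP and transport header lengths to offset and depth. The header arithmetic (minimal 20-byte headers), the single-content restriction and the sample rule are assumptions constructed for this example.

```python
import re

# Minimal IPv4 + TCP/UDP header sizes (no options), added to Snort's payload-relative
# offset/depth because the iptables string match counts from the start of the packet.
# Constructed simplification for this example, not fwsnort's own arithmetic.
HEADER_LEN = {"tcp": 20 + 20, "udp": 20 + 8}

def split_options(body):
    """Split a Snort option body on ';', keeping '\\;' escapes (e.g. in content) intact."""
    opts, cur, escaped = [], "", False
    for ch in body:
        if escaped or ch == "\\":
            cur, escaped = cur + ch, not escaped
        elif ch == ";":
            opts, cur = opts + [cur.strip()], ""
        else:
            cur += ch
    return [o for o in opts + [cur.strip()] if o]

def parse_rule(rule):
    """Return (proto, dst_port, {option: value}) for a plain 'alert <proto> ... -> ... (...)' rule."""
    m = re.match(r"\s*alert\s+(\w+)\s+\S+\s+\S+\s*->\s*\S+\s+(\S+)\s*\((.*)\)\s*$", rule, re.S)
    if not m:
        raise ValueError("unsupported rule header")
    opts = dict(opt.partition(":")[::2] for opt in split_options(m.group(3)))
    return m.group(1), m.group(2), {k.strip(): v.strip() for k, v in opts.items()}

def unescape_content(raw):
    """Drop surrounding quotes and Snort escapes; |hex| segments pass straight to --hex-string."""
    return re.sub(r'\\([;"\\:])', r"\1", raw.strip().strip('"'))

def translate(rule, chain="INPUT", target="LOG"):
    """Build the iptables argument list for a single-content Snort rule."""
    proto, dport, opts = parse_rule(rule)
    if "content" not in opts:
        raise ValueError("only content-based rules are handled here")
    args = ["iptables", "-A", chain, "-p", proto]
    if dport != "any":
        args += ["--dport", dport]
    args += ["-m", "string", "--algo", "bm", "--hex-string", unescape_content(opts["content"])]
    if "nocase" in opts:  # Snort nocase -> iptables --icase
        args.append("--icase")
    hdr, offset = HEADER_LEN[proto], int(opts.get("offset", 0))
    args += ["--from", str(hdr + offset)]
    if "depth" in opts:
        args += ["--to", str(hdr + offset + int(opts["depth"]))]
    return args + ["-j", target]

# Constructed sample rule (not from any published rule set); msg carries an escaped semicolon.
RULE = (r'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed test\; traversal"; '
        r'content:"GET |2F 2E 2E 2F|"; offset:0; depth:16; nocase; sid:1000001; rev:1;)')
```

Calling translate(RULE) yields an argument list starting `iptables -A INPUT -p tcp --dport 80 -m string --algo bm --hex-string 'GET |2F 2E 2E 2F|' --icase --from 40 --to 56 -j LOG`, where 40 is the assumed IP+TCP header length.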