FWSNORT(8)                  System Manager's Manual                 FWSNORT(8)


NAME

       fwsnort - Firewall Snort


SYNOPSIS

       fwsnort [options]


DESCRIPTION

       fwsnort translates Snort rules into iptables rules on Linux systems and
       generates a corresponding iptables policy in iptables-save format.  This
       ruleset allows network traffic that matches Snort signatures (i.e.
       attacks and other suspicious network behavior) to be logged and/or
       dropped by iptables directly without putting an interface into
       promiscuous mode or queuing packets from kernel to user space.  Note
       that fwsnort can also build an iptables policy that combines the string
       match extension with the NFQUEUE or QUEUE targets to allow the kernel to
       perform preliminary string matches that are defined within Snort rules
       before queuing matching packets to a userspace snort_inline instance.
       Because the bulk of network communications are not generally malicious,
       this should provide a speedup for snort_inline since the majority of
       packets do not then have to be copied from kernel memory into user
       memory and subsequently inspected by snort_inline.  There is a tradeoff
       here in terms of signature detection, however, because snort_inline
       when deployed in this way does not have the opportunity to see all
       packets associated with a session, so stream reassembly and signature
       comparisons against a reassembled buffer do not take place (the stream
       preprocessor should be disabled in the userspace snort_inline instance).

       As of fwsnort-1.5 all iptables rules built by fwsnort are written out to
       the /var/lib/fwsnort/fwsnort.save file in iptables-save format.  This
       allows a long fwsnort policy (which may contain thousands of iptables
       rules translated from a large Snort signature set) to be quickly
       instantiated via the "iptables-restore" command.  A wrapper script
       /var/lib/fwsnort/fwsnort.sh is also written out to make this easy.
       Hence, the typical work flow for fwsnort is to: 1) run fwsnort, 2) note
       the Snort rules that fwsnort was able to successfully translate (the
       number of such rules is printed to stdout), and then 3) execute the
       /var/lib/fwsnort/fwsnort.sh wrapper script to instantiate the policy in
       the running kernel.

       fwsnort (optionally) uses the IPTables::Parse CPAN module to parse the
       iptables ruleset on the machine to determine which Snort rules are
       applicable to the specific iptables policy.  After all, if iptables is
       blocking all inbound http traffic from external addresses for example,
       it is probably not of much use to try detecting inbound attacks against
       tcp/80.  By default fwsnort generates iptables rules that log Snort
       sid's within a --log-prefix to syslog where the messages can be
       analyzed with a log analyzer such as psad (see
       http://www.cipherdyne.org/psad/).  fwsnort relies on the iptables
       string match module to match Snort content fields in the application
       portion of ip traffic.  Since Snort rules can contain hex data in
       content fields (specified between pipe "|" characters), fwsnort
       implements a patch against iptables (which has been accepted by the
       Netfilter project as of iptables-1.2.7a) which adds a "--hex-string"
       option.  This allows iptables to accept content fields from Snort rules
       such as "|0d0a5b52504c5d3030320d0a|" without any modification.  fwsnort
       is able to translate approximately 60% of all rules from the
       Snort-2.3.3 IDS into equivalent iptables rules.  For more information
       about the translation strategy as well as advantages/disadvantages of
       the method used by fwsnort to obtain intrusion detection data, see the
       README included with the fwsnort sources or browse to:
       http://www.cipherdyne.org/fwsnort/

       fwsnort is able to apply Snort rules to IPv6 traffic by building an
       ip6tables policy (see the "--ip6tables" command line argument).

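       To make the translation described above concrete, here is an added
       example (not fwsnort's own code, which is written in Perl): a small
       Python translator that takes a constructed Snort rule, turns each
       content field into an iptables string match (--hex-string for |..| hex
       data, --icase for nocase), orders the matches longest-first as the
       default fast-pattern ordering does, and emits a LOG rule (plus an
       --ipt-drop style DROP rule on request) in iptables-save format with the
       "[N] SIDxxxx ESTAB" log prefix.  The chain name FWSNORT_INPUT and the
       use of the conntrack match for the "established" flow are assumptions.

```python
import re

# Constructed sample Snort rule for this example (not from any real ruleset).
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-ATTACKS example"; '
    'flow:to_server,established; content:"GET /vuln"; nocase; '
    'content:"|0d 0a 5b 52 50 4c 5d 30 30 32 0d 0a|"; '
    'classtype:web-application-attack; sid:1000001; rev:2;)'
)

HEADER_RE = re.compile(r'^(\w+) (\w+) (\S+) (\S+) -> (\S+) (\S+) \((.*)\)$')
OPTION_RE = re.compile(r'\s*([\w-]+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')
STRICT_KEYWORDS = {"offset", "depth", "uricontent"}  # refused in --strict mode
COMMENT_FIELDS = ("msg", "classtype", "reference", "priority", "rev")


def parse_options(body):
    """Return the rule body as an ordered list of (keyword, value) pairs."""
    opts = []
    for m in OPTION_RE.finditer(body):
        val = m.group(2)
        if val and val.startswith('"'):
            val = val[1:-1]  # strip the quotes around string-valued options
        opts.append((m.group(1), val))
    return opts


def content_to_match(content, nocase):
    """Translate one content field to an iptables clause; also return its length."""
    if "|" in content:
        # Collapse Snort's optional spaces between hex bytes; --hex-string takes |..| runs.
        fixed = re.sub(r'\|([0-9A-Fa-f ]+)\|',
                       lambda h: "|" + h.group(1).replace(" ", "") + "|", content)
        hex_bytes = sum(len(h) // 2 for h in re.findall(r'\|([0-9A-Fa-f]+)\|', fixed))
        length = hex_bytes + len(re.sub(r'\|[0-9A-Fa-f]*\|', "", fixed))
        clause = f'-m string --algo bm --hex-string "{fixed}"'
    else:
        length = len(content)
        clause = f'-m string --algo bm --string "{content}"'
    return clause + (" --icase" if nocase else ""), length


def translate(rule, rule_num=1, strict=False, fast_pattern=True, drop=False):
    """Return iptables-save lines (LOG rule, plus DROP if requested) or None."""
    m = HEADER_RE.match(rule)
    if not m:
        return None
    _action, proto, _src, _sport, _dst, dport, body = m.groups()
    opts = parse_options(body)
    matches, fields = [], {}
    for k, v in opts:
        if k == "content":
            matches.append([v, False])
        elif k == "nocase" and matches:
            matches[-1][1] = True  # nocase modifies the preceding content
        elif k in COMMENT_FIELDS + ("sid", "flow"):
            fields[k] = v
    if (not matches or "sid" not in fields
            or (strict and STRICT_KEYWORDS & {k for k, _ in opts})
            or (dport != "any" and not dport.isdigit())):  # e.g. $HTTP_PORTS
        return None  # left untranslated, like the ~40% fwsnort cannot handle
    clauses = [content_to_match(c, nc) for c, nc in matches]
    if fast_pattern:
        clauses.sort(key=lambda cl: cl[1], reverse=True)  # longest pattern first
    match = [f"-A FWSNORT_INPUT -p {proto}"]  # chain name is an assumption
    if dport != "any":
        match.append(f"--dport {dport}")
    if "established" in (fields.get("flow") or ""):
        match.append("-m conntrack --ctstate ESTABLISHED")
    match += [cl for cl, _ in clauses]
    comment = "; ".join(f"{k}: {fields[k]}" for k in COMMENT_FIELDS if k in fields)
    match.append(f'-m comment --comment "{comment}"')
    prefix = f'"[{rule_num}] SID{fields["sid"]} ESTAB "'
    lines = [" ".join(match + [f"-j LOG --log-prefix {prefix}"])]
    if drop:  # --ipt-drop: a matching DROP rule follows every LOG rule
        lines.append(" ".join(match + ["-j DROP"]))
    return lines
```

       translate(SAMPLE_RULE, drop=True) returns the LOG rule followed by its
       DROP twin; translate(rule, strict=True) returns None for rules that use
       the keywords --strict refuses.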

OPTIONS

       -c, --config <configuration file>
              By default fwsnort makes use of the configuration file
              /etc/fwsnort/fwsnort.conf for almost all configuration
              parameters.  fwsnort can be made to override this path by
              specifying a different file on the command line with the
              --config option.  When fwsnort is not executed as root, then a
              path to a readable fwsnort.conf file is required.

       --update-rules
              Download the latest Emerging Threats rules from
              http://www.emergingthreats.net.  This will overwrite the
              emerging-all.rules file in the /etc/fwsnort/snort_rules/
              directory.  Note that the automatic downloading of Snort rules
              from http://www.snort.org/ as of March, 2005 is only offered as
              a pay service.

       --rules-url <url>
              Specify the URL to use when updating the Emerging Threats rule
              set (or any other rule set).  The default URL is:
              http://rules.emergingthreats.net/open/snort-2.9.0/emerging-all.rules

       -6, --ip6tables
              Enable ip6tables mode so that the fwsnort rule set is built into
              an ip6tables policy instead of the iptables policy.  This allows
              fwsnort controls to apply to IPv6 traffic.

       --include-type <rules type>
              Restrict processing to Snort rules of <rules type>.  Example
              rule types would include "ddos", "backdoor", and "web-attacks".
              This option also supports a comma-separated list of types, e.g.
              "ddos,backdoor".

       --exclude-type <rules type>
              Exclude all Snort rules of type <rules type> from the
              translation process.  For example, if you don't want any rules
              from the file emerging-all.rules to be translated, then use
              "emerging-all" as the argument to this option.  A
              comma-separated list of types to exclude can be specified.

       --include-regex <regex>
              Only translate Snort rules that match the specified regular
              expression.  This is useful to build fwsnort policies for Snort
              rules that have a common characteristic (such as a string match
              on the word "Storm" for the Storm worm for example).

       --exclude-regex <regex>
              Translate all Snort rules except those that match the specified
              regular expression.  This is useful to omit Snort rules from
              fwsnort policies that have a common characteristic (such as a
              string match on "HTTP_PORTS" for example).

       --include-re-caseless
              Make the rule matching regular expression specified with
              --include-regex match case insensitively.

       --exclude-re-caseless
              Make the rule matching regular expression specified with
              --exclude-regex match case insensitively.

       --snort-rdir <snort-rules-directory>
              Manually specify the directory where the Snort rules files are
              located.  The default is /etc/fwsnort/snort_rules.  Multiple
              directories are supported as a comma-separated list.

       --snort-rfile <snort-rules-file>
              Manually specify a Snort rules file to be translated into
              iptables rules.  Multiple files are also supported as a
              comma-separated list.

       --snort-sid <sid>
              Generate an iptables ruleset for a single Snort rule specified
              by <sid>.  A comma-separated list of sids can be specified, e.g.
              "2001842,1834".

       --exclude-sid <sid>
              Provide a list of Snort ID's to be excluded from the translation
              process.

       --include-perl-triggers
              Include 'perl -e print ... ' commands as comments in the
              fwsnort.sh script.  These commands allow payloads that are
              designed to trigger Snort rules to easily be built, and when
              combined with netcat (or other software that can send bytes over
              the wire) it becomes possible to test whether an fwsnort policy
              appropriately triggers on matching traffic.

       --ipt-script <script file>
              Specify the path to the iptables script generated by fwsnort.
              The default location is /var/lib/fwsnort/fwsnort.sh.

       --ipt-check-capabilities
              Check iptables capabilities and exit.

       --Last-cmd
              Run fwsnort with the same command line arguments as the previous
              execution.  This is a convenient way of rebuilding the
              /var/lib/fwsnort/fwsnort.sh script without having to remember
              what the last command line args were.

       --NFQUEUE
              Build an fwsnort policy that sends packets that match Snort
              content or uricontent fields to userspace via the iptables
              NFQUEUE target for further analysis.  This is a mechanism for
              reducing the signature inspection load placed on snort_inline.
              A parallel set of Snort rules that are successfully translated
              are placed in the /etc/fwsnort/snort_rules_queue directory.
              This requires CONFIG_NETFILTER_XT_TARGET_NFQUEUE support in the
              Linux kernel.

       --QUEUE
              Same as the --NFQUEUE command line argument except that the
              older QUEUE target is used instead of the NFQUEUE target.  This
              requires CONFIG_IP_NF_QUEUE support in the Linux kernel.

       --queue-num <num>
              Specify a queue number in --NFQUEUE mode.

       --queue-pre-match-max <num>
              In --QUEUE or --NFQUEUE mode, limit the number of content
              matches that are performed within the kernel before sending a
              matching packet to a userspace Snort instance.  This allows a
              level of tuning with respect to how much work the kernel does to
              qualify a packet based on a signature match before having Snort
              do the same thing.  The default is to perform all specified
              content matches in the signature before queuing the packet to
              userspace, because multiple in-kernel content matches are
              probably less expensive than sending a packet to userspace.

       --string-match-alg <alg>
              Specify the string matching algorithm to use with the kernel.
              By default, this is 'bm' for the 'Boyer-Moore' string matching
              algorithm, but 'kmp' may also be specified (short for the
              'Knuth–Morris–Pratt' algorithm).

       --ipt-apply
              Execute the iptables script generated by fwsnort.

       --ipt-exec
              Synonym for --ipt-apply.

       --ipt-revert
              Revert to a version of the iptables policy without any fwsnort
              rules.  Note that this reverts to the iptables policy as it was
              when fwsnort was originally executed.  So, it is not recommended
              to use this option if there is a large amount of time between
              when fwsnort is run to translate Snort rules vs. running it with
              this option.  For most purposes it is better to use the
              --ipt-flush option below.

       --ipt-flush
              Flush all fwsnort currently active iptables rules (flushes the
              fwsnort chains).

       --ipt-list
              List all fwsnort currently active iptables rules (lists the
              fwsnort chains).

       --ipt-drop
              For each logging rule generated by fwsnort add a corresponding
              DROP rule.  Note that for TCP sessions using this option will
              cause retransmissions, as packets that are part of established
              sessions are selectively dropped.  Remember that false positives
              are common occurrences for intrusion detection systems, and so
              using this or the --ipt-reject option may break things on your
              network!  You have been warned.

       --ipt-reject
              For each logging rule generated by fwsnort add a corresponding
              REJECT rule.  Reset packets will be generated for TCP sessions
              through the use of the "--reject-with tcp-reset" option, and
              ICMP port unreachable messages will be generated for UDP packets
              through the use of the "--reject-with icmp-port-unreachable"
              option.

       -C, --Conntrack-state <state>
              Specify a conntrack state in place of the "established" state
              that commonly accompanies the Snort "flow" keyword.  By default,
              fwsnort uses the conntrack state of "ESTABLISHED" for this.  In
              certain corner cases, it might be useful to use
              "ESTABLISHED,RELATED" instead to apply application layer
              inspection to things like ICMP port unreachable messages that
              are responses to real attempted communications.

       --no-ipt-log
              By default fwsnort generates an iptables script that implements
              a logging rule for each successfully translated Snort rule.
              This can be disabled with the --no-ipt-log option, but
              --ipt-drop must also be specified.

       --no-ipt-sync
              This is a deprecated option since the default behavior is to
              translate as many Snort rules into iptables rules as possible.
              With fwsnort able to produce iptables rules in iptables-save
              format, it is extremely fast to instantiate a large set of
              translated Snort rules into an iptables policy.  A new
              --ipt-sync option has been added to reverse this behavior (not
              recommended).

       --ipt-sync
              Consult the iptables policy currently running on the machine for
              applicable Snort rules.

       --no-ipt-test
              Do not test the iptables build for existence of support for the
              LOG and REJECT targets, and ascii and hex string matching.

       --no-ipt-jumps
              Do not jump packets from the built-in iptables INPUT, OUTPUT,
              and FORWARD chains to the custom fwsnort chains.  This option is
              mostly useful to make it easy to manually alter the placement of
              the jump rules in the iptables ruleset.

       --no-ipt-rule-nums
              By default fwsnort includes the rule number within the logging
              prefix for each of the rules it adds to the fwsnort chains.
              E.g. the logging prefix for rule 34 would look something like
              "[34] SID1242 ESTAB".  Use this option to not include the rule
              number.

       --no-ipt-comments
              If the iptables "comment" match exists, then fwsnort puts the
              Snort "msg", "classtype", "reference", "priority", and "rev"
              fields within a comment for each iptables rule.  Use this option
              to disable this.

       --no-ipt-INPUT
              Do not jump packets from the iptables INPUT chain to the fwsnort
              chains.

       --no-ipt-OUTPUT
              Do not jump packets from the iptables OUTPUT chain to the
              fwsnort chains.

       --no-ipt-FORWARD
              Do not jump packets from the iptables FORWARD chain to the
              fwsnort chains.

       --no-fast-pattern-ordering
              Cause fwsnort to not try to reorder pattern matches to process
              the longest pattern first.  The Snort fast_pattern keyword is
              also ignored if this option is specified.

       -H, --Home-net <network/mask>
              Specify the internal network instead of having fwsnort derive it
              from the HOME_NET keyword in the fwsnort.conf configuration
              file.

       -E, --External-net <network/mask>
              Specify the external network instead of having fwsnort derive it
              from the EXTERNAL_NET keyword in the fwsnort.conf configuration
              file.

       --no-addresses
              Disable all checks against the output of ifconfig for proper IP
              addresses.  This is useful if fwsnort is running on a bridging
              firewall.

       --Dump-conf
              Print the fwsnort configuration on STDOUT and exit.

       --debug
              Run in debug mode.  This will cause all parse errors which are
              normally written to the fwsnort logfile /var/log/fwsnort.log to
              be written to STDOUT instead.

       --strict
              Run fwsnort in "strict" mode.  This will prevent fwsnort from
              translating Snort rules that contain the keywords "offset",
              "uricontent", and "depth".

       -U, --Ulog
              Force the usage of the ULOG target for all log messages instead
              of the default LOG target.

       --ulog-nlgroup
              Specify the netlink group for ULOG rules.  Such rules are only
              added for Snort rules that have an action of "log", or when
              fwsnort is run in --Ulog mode.

       -l, --logfile <logfile>
              By default fwsnort logs all parse errors to the logfile
              /var/log/fwsnort.log.  This path can be manually changed with
              the --logfile option.

       -v, --verbose
              Run fwsnort in verbose mode.  This will cause fwsnort to add the
              original Snort rule as a comment to the fwsnort.sh script for
              each successfully translated rule.

       -V, --Version
              Print the fwsnort version and exit.

       -h, --help
              Print usage information on STDOUT and exit.


FILES

       /etc/fwsnort/fwsnort.conf
              The fwsnort configuration file.  The path to this file can be
              changed on the command line with --config.

       /var/lib/fwsnort/fwsnort.sh
              The iptables script generated by fwsnort.  The path can be
              manually specified on the command line with the --ipt-script
              option.


FWSNORT CONFIGURATION VARIABLES

       This section describes what each of the more important fwsnort
       configuration variables do and how they can be tuned to meet your
       needs.  These variables are located in the fwsnort configuration file
       /etc/fwsnort/fwsnort.conf.

       HOME_NET
              fwsnort uses the same HOME_NET and EXTERNAL_NET variables as
              defined in Snort rules, and the same semantics are supported.
              I.e., individual IP addresses or networks in standard
              dotted-quad or CIDR notation can be specified, and comma
              separated lists are also supported.

       EXTERNAL_NET
              Defines the external network.  See the HOME_NET variable for
              more information.


EXAMPLES

       The following examples illustrate the command line arguments that could
       be supplied to fwsnort in a few situations:

       Script generation in logging mode, parse errors written to the fwsnort
       logfile, and iptables policy checking are enabled by default without
       having to specify any command line arguments:

       # fwsnort

       Generate ip6tables rules for attacks delivered over IPv6:

       # fwsnort -6

       Generate iptables rules for ddos and backdoor Snort rules only:

       # fwsnort --include-type ddos,backdoor

       Generate iptables rules for Snort ID's 2008475 and 2003268 (from
       emerging-all.rules):

       # fwsnort --snort-sid 2008475,2003268

       Generate iptables rules for Snort ID's 1834 and 2001842 but queue them
       to userspace via the NFQUEUE target and exclude the INPUT and OUTPUT
       chains:

       # fwsnort --snort-sid 1834,2001842 --NFQUEUE --no-ipt-INPUT --no-ipt-OUTPUT

       Instruct fwsnort to only inspect traffic that traverses the eth0 and
       eth1 interfaces:

       # fwsnort --restrict-intf eth0,eth1

       Generate iptables rules for Snort rules that appear to be allowed by
       the local iptables policy, and write original Snort rules to the
       iptables script as a comment:

       # fwsnort --ipt-sync --verbose


DEPENDENCIES

       fwsnort requires that the iptables string match module be compiled into
       the kernel (or as a loadable kernel module) in order to be able to
       match Snort signatures that make use of the "content" keyword.  Note
       that the --no-ipt-test option can be specified to have fwsnort generate
       an iptables script even if the string match module is not compiled in.

       fwsnort also requires the IPTables::Parse CPAN module in order to parse
       iptables policies.  This module is bundled with the fwsnort sources in
       the deps/ directory for convenience.


DIAGNOSTICS

       The --debug option can be used to display on STDOUT any errors that are
       generated as fwsnort parses each Snort rule.  Normally these errors are
       written to the fwsnort logfile /var/log/fwsnort.log.


SEE ALSO

       psad(8), iptables(8), snort(8), nmap(1)


AUTHOR

       Michael Rash <mbr@cipherdyne.org>


CONTRIBUTORS

       Many people who are active in the open source community have
       contributed to fwsnort; see the CREDITS file in the fwsnort sources, or
       visit http://www.cipherdyne.org/fwsnort/docs/contributors.html to view
       the online list of contributors.

       fwsnort is based on the original snort2iptables script written by
       William Stearns.


BUGS

       Send bug reports to mbr@cipherdyne.org.  Suggestions and/or comments
       are always welcome as well.


DISTRIBUTION

       fwsnort is distributed under the GNU General Public License (GPLv2),
       and the latest version may be downloaded from
       http://www.cipherdyne.org/.  Snort is a registered trademark of
       Sourcefire, Inc.



Linux                              Jan, 2011                        FWSNORT(8)