1FWSNORT(8) System Manager's Manual FWSNORT(8)
2
6 fwsnort - Firewall Snort
7
9 fwsnort [options]
10
12 fwsnort translates SNORT rules into iptables rules on Linux systems and
13 generates a corresponding iptables policy in iptables-save format.
14 This ruleset allows network traffic that matches Snort signatures (i.e.
15 attacks and other suspicious network behavior) to be logged and/or
16 dropped by iptables directly without putting an interface into promis‐
17 cuous mode or queuing packets from kernel to user space. Note that
18 fwsnort can also build an iptables policy that combines the string
19 match extension with the NFQUEUE or QUEUE targets to allow the kernel
20 to perform preliminary string matches that are defined within Snort
21 rules before queuing matching packets to a userspace snort_inline
22 instance. Because the bulk of network communications are not general‐
23 lly malicious, this should provide a speedup for snort_inline since the
24 majority of packets do not then have to be copied from kernel memory
25 into user memory and subsequently inspected by snort_inline. There is
26 a tradeoff here in terms of signature detection however because
27 snort_inline when deployed in this way does not have the opportunity to
28 see all packets associated with a session, so stream reassembly and
29 signature comparisons against a reassembled buffer do not take place
30 (the stream preprocessor should be disabled in the userspace
31 snort_inline instance).
32 As of fwsnort-1.5 all iptables rules built by fwsnort are written out
34 to the /var/lib/fwsnort/fwsnort.save file in iptables-save format.
35 This allows a long fwsnort policy (which may contain thousands of ipta‐
36 bles rules translated from a large Snort signature set) to be quickly
37 instantiated via the "iptables-restore" command. A wrapper script
38 /var/lib/fwsnort/fwsnort.sh is also written out to make this easy.
39 Hence, the typical work flow for fwsnort is to: 1) run fwsnort, 2) note
40 the Snort rules that fwsnort was able to successfully translate (the
41 number of such rules is printed to stdout), and then 3) execute the
42 /var/lib/fwsnort/fwsnort.sh wrapper script to instantiate the policy in
43 the running kernel.
44 fwsnort (optionally) uses the IPTables::Parse CPAN module to parse the
46 iptables ruleset on the machine to determine which Snort rules are
47 applicable to the specific iptables policy. After all, if iptables is
48 blocking all inbound http traffic from external addresses for example,
49 it is probably not of much use to try detecting inbound attacks against
50 against tcp/80. By default fwsnort generates iptables rules that log
51 Snort sid's within a --log-prefix to syslog where the messages can be
52 analyzed with a log analyzer such as psad (see http://www.cipher‐
53 dyne.org/psad/). fwsnort relies on the iptables string match module to
54 match Snort content fields in the application portion of ip traffic.
55 Since Snort rules can contain hex data in content fields (specified
56 between pipe "|" characters), fwsnort implements a patch against ipta‐
57 bles (which has been accepted by the Netfilter project as of ipta‐
58 bles-1.2.7a) which adds a "--hex-string" option. This allow iptables
59 to accept content fields from Snort rules such as
60 "|0d0a5b52504c5d3030320d0a|" without any modification. fwsnort is able
61 to translate approximately 60% of all rules from the Snort-2.3.3 IDS
62 into equivalent iptables rules. For more information about the trans‐
63 lation strategy as well as advantages/disadvantages of the method used
64 by fwsnort to obtain intrusion detection data, see the README included
65 with the fwsnort sources or browse to: http://www.cipherdyne.org/fws‐
66 nort/
67 fwsnort is able to apply Snort rules to IPv6 traffic by building an
69 ip6tables policy (see the "--ip6tables" command line argument).
70
72 -c, --config <configuration file>
73 By default fwsnort makes use of the configuration file /etc/fws‐
74 nort/fwsnort.conf for almost all configuration parameters. fws‐
75 nort can be made to override this path by specifying a different
76 file on the command line with the --config option. When fwsnort
77 is not executed as root, then a path to a readable fwsnort.conf
78 file is required.
79 --update-rules
81 Download the latest Emerging Threats rules from
82 http://www.emergingthreats.net This will overwrite the emerg‐
83 ing-all.rules file in the /etc/fwsnort/snort_rules/ directory.
84 Note that the automatic downloading of Snort rules from
85 http://www.snort.org/ as of March, 2005 is only offered as a pay
86 service.
87 --rules-url <url>
89 Specify the URL to use when updating the Emerging Threats rule
90 set (or any other rule set). The default URL is:
91 http://rules.emergingthreats.net/open/snort-2.9.0/emerging-
92 all.rules
93 -6, --ip6tables
95 Enable ip6tables mode so that the fwsnort rule set is built into
96 an ip6tables policy instead of the iptables policy. This allows
97 fwsnort controls to apply to IPv6 traffic.
98 --include-type <rules type>
100 Restrict to processing snort rules of <rules type>. Example
101 rule types would include "ddos", "backdoor", and "web-attacks".
102 This option also supports a comma-separated list of types, e.g.
103 "ddos,backdoor".
104 --exclude-type <rules type>
106 Exclude all Snort rules from of type <rules type> from the
107 translation process. For example, if you don't want any rules
108 from the file emerging-all.rules to be translated, then use
109 "emerging-all" as the argument to this option. A comma-sepa‐
110 rated list of types to exclude can be specified.
111 --include-regex <regex>
113 Only translate Snort rules that match the specified regular
114 expression. This is useful to build fwsnort policies for Snort
115 rules that have a common characteristic (such as a string match
116 on the word "Storm" for the Storm worm for example).
117 --exclude-regex <regex>
119 Translate all Snort rules except those that match the specified
120 regular expression. This is useful to omit Snort rules from
121 fwsnort policies that have a common characteristic (such as a
122 string match on "HTTP_PORTS" for example).
123 --include-re-caseless
125 Make the rule matchine regular expression specified with
126 --include-regex match case insensitively.
127 --exclude-re-caseless
129 Make the rule matchine regular expression specified with
130 --exclude-regex match case insensitively.
131 --snort-rdir <snort-rules-directory>
133 Manually specify the directory where the snort rules files are
134 located. The default is /etc/fwsnort/snort_rules. Multiple
135 directories are supported as a comma-separated list.
136 --snort-rfile <snort-rules-file>
138 Manually specify a Snort rules file to translated into iptables
139 rules. Multiple files are also supported as a comma-separated
140 list.
141 --snort-sid <sid>
143 Generate an iptables ruleset for a single snort rule specified
144 by <sid>. A comma-separated list of sids can be specified, e.g.
145 "2001842,1834".
146 --exclude-sid <sid>
148 Provide a list of Snort ID's to be excluded from the translation
149 process.
150 --include-perl-triggers
152 Include 'perl -e print ... ' commands as comments in the fws‐
153 nort.sh script. These commands allow payloads that are designed
154 to trigger snort rules to easily be built, and when combined
155 with netcat (or other software that can send bytes over the
156 wire) it becomes possible to test whether an fwsnort policy
157 appropriately triggers on matching traffic.
158 --ipt-script <script file>
160 Specify the path to the iptables script generated by fwsnort.
161 The default location is /var/lib/fwsnort/fwsnort.sh.
162 --ipt-check-capabilities
164 Check iptables capabilities and exit.
165 --Last-cmd
167 Run fwsnort with the same command line arguments as the previous
168 execution. This is a convenient way of rebuilding the
169 /var/lib/fwsnort/fwsnort.sh script without having to remember
170 what the last command line args were.
171 --NFQUEUE
173 Build an fwsnort policy that sends packets that match Snort con‐
174 tent or uricontent fields to userspace via the iptables NFQUEUE
175 target for further analysis. This is a mechanism for reducing
176 the signature inspection load placed on snort_inline. A paral‐
177 lel set of Snort rules that are successfully translated are
178 placed in the /etc/fwsnort/snort_rules_queue directory. This
179 requires CONFIG_NETFILTER_XT_TARGET_NFQUEUE support in the Linux
180 kernel.
181 --QUEUE
183 Same as the --NFQUEUE command line argument except that the
184 older QUEUE target is used instead of the NFQUEUE target. This
185 requires CONFIG_IP_NF_QUEUE support in the Linux kernel.
186 --queue-num <num>
188 Specify a queue number in --NFQUEUE mode.
189 --queue-pre-match-max <num>
191 In --QUEUE or --NFQUEUE mode, limit the number of content
192 matches that are performed within the kernel before sending a
193 matching packet to a userspace Snort instance. This allows a
194 level of tuning with respect to how much work the kernel does to
195 qualify a packet based on a signature match before having Snort
196 do the same thing. The default is to perform all specified con‐
197 tent matches in the signature before queuing the packet to
198 userspace because the multiple in-kernel content matches is
199 probably less expensive than sending a packet to userspace by
200 default.
201 --string-match-alg <alg>
203 Specify the string matching algorithm to use with the kernel.
204 By default, this is 'bm' for the 'Boyer-Moore' string matching
205 algorithm, but 'kmp' may also be specified (short for the
206 'Knuth–Morris–Pratt' algorithm).
207 --ipt-apply
209 Execute the iptables script generated by fwsnort.
210 --ipt-exec
212 Synonym for --ipt-apply.
213 --ipt-revert
215 Revert to a version of the iptables policy without any fwsnort
216 rules. Note that this reverts to the iptables policy as it was
217 when fwsnort was originally executed. So, it is not recommended
218 to use this option if there is a large amount of time between
219 when fwsnort is run to translate Snort rules vs. running it with
220 this option. For most purposes it is better to use the --ipt-
221 flush option below.
222 --ipt-flush
224 Flush all fwsnort currently active iptables rules (flushes the
225 fwsnort chains).
226 --ipt-list
228 List all fwsnort currently active iptables rules (lists the fws‐
229 nort chains).
230 --ipt-drop
232 For each logging rule generated by fwsnort add a corresponding
233 DROP rule. Note that for TCP sessions using this option will
234 cause retransmissions as packets that are part of established
235 sessions selectively dropped. Remember that false positives are
236 common occurrences for intrusion detection systems, and so using
237 this or the --ipt-reject option may break things on your net‐
238 work! You have been warned.
239 --ipt-reject
241 For each logging rule generated by fwsnort add a corresponding
242 REJECT rule. Reset packets will be generated for TCP sessions
243 through the use of the "--reject-with tcp-reset" option, and
244 ICMP port unreachable messages will be generated for UDP packets
245 through the use of the "--reject-with icmp-port-unreachable"
246 option.
247 -C, --Conntrack-state <state>
249 Specify a conntrack state in place of the "established" state
250 that commonly accompanies the Snort "flow" keyword. By default,
251 fwsnort uses the conntrack state of "ESTABLISHED" for this. In
252 certain corner cases, it might be useful to use "ESTAB‐
253 LISHED,RELATED" instead to apply application layer inspection to
254 things like ICMP port unreachable messages that are responses to
255 real attempted communications.
256 --no-ipt-log
258 By default fwsnort generates an iptables script that implements
259 a logging rule for each successfully translated snort rule.
260 This can be disabled with the --no-ipt-log option, but --ipt-
261 drop must also be specified.
262 --no-ipt-sync
264 This is a deprecated option since the default behavior is to
265 translate as many Snort rules into iptables rules as possible.
266 With fwsnort able to produce iptables rules in iptables-save
267 format, it is extremely fast to instantiate a large set of
268 translated Snort rules into an iptables policy. A new --ipt-
269 sync option has been added to reverse this behavior (not recom‐
270 mended).
271 --ipt-sync
273 Consult the iptables policy currently running on the machine for
274 applicable snort rules.
275 --no-ipt-test
277 Do not test the iptables build for existence of support for the
278 LOG and REJECT targets, and ascii and hex string matching.
279 --no-ipt-jumps
281 Do not jump packets from the built-in iptables INPUT, OUTPUT,
282 and FORWARD chains to the custom fwsnort chains. This options
283 is mostly useful to make it easy to manually alter the placement
284 of the jump rules in the iptables ruleset.
285 --no-ipt-rule-nums
287 By default fwsnort includes the rule number within the logging
288 prefix for each of the rules it adds to the fwsnort chains.
289 E.g. the logging prefix for rule 34 would look something like
290 "[34] SID1242 ESTAB". Use this option to not include the rule
291 number.
292 --no-ipt-comments
294 If the iptables "comment" match exists, then fwsnort puts the
295 Snort "msg", "classtype", "reference", "priority", and "rev"
296 fields within a comment for each iptables rule. Use this option
297 to disable this.
298 --no-ipt-INPUT
300 Do not jump packets from the iptables INPUT chain to the fwsnort
301 chains.
302 --no-ipt-OUTPUT
304 Do not jump packets from the iptables OUTPUT chain to the fws‐
305 nort chains.
306 --no-ipt-FORWARD
308 Do not jump packets from the iptables FORWARD chain to the fws‐
309 nort chains.
310 --no-fast-pattern-ordering
312 Cause fwsnort to not try to reorder pattern matches to process
313 the longest pattern first. The Snort fast_pattern keyword is
314 also ignored if this option is specified.
315 -H, --Home-net <network/mask>
317 Specify the internal network instead of having fwsnort derive it
318 from the HOME_NET keyword in the fwsnort.conf configuration
319 file.
320 -E, --External-net <network/mask>
322 Specify the external network instead of having fwsnort derive it
323 from the EXTERNAL_NET keyword in the fwsnort.conf configuration
324 file.
325 --no-addresses
327 Disable all checks against the output of ifconfig for proper IP
328 addresses. This is useful if fwsnort is running on a bridging
329 firewall.
330 --Dump-conf
332 Print the fwsnort configuration on STDOUT and exit.
333 --debug
335 Run in debug mode. This will cause all parse errors which are
336 normally written to the fwsnort logfile /var/log/fwsnort.log to
337 be written to STDOUT instead.
338 --strict
340 Run fwsnort in "strict" mode. This will prevent fwsnort from
341 translating snort rules that contain the keywords "offset",
342 "uricontent", and "depth".
343 -U, --Ulog
345 Force the usage of the ULOG target for all log messages instead
346 of the default LOG target.
347 --ulog-nlgroup
349 Specify the netlink group for ULOG rules. Such rules are only
350 added for Snort rules that have an action of "log", or when fws‐
351 nort is run in --Ulog mode.
352 -l, --logfile <logfile>
354 By default fwsnort logs all parse errors to the logfile
355 /var/log/fwsnort.log. This path can be manually changed with
356 the --logfile option.
357 -v, --verbose
359 Run fwsnort in verbose mode. This will cause fwsnort to add the
360 original snort rule as a comment to the fwsnort.sh script for
361 each successfully translated rule.
362 -V, --Version
364 Print the fwsnort version and exit.
365 -h, --help
367 Print usage information on STDOUT and exit.
368
370 /etc/fwnort/fwsnort.conf
371 The fwsnort configuration file. The path to this file can be
372 changed on the command line with --config.
373 /var/lib/fwnort/fwsnort.sh
375 The iptables script generated by fwsnort. The path can be manu‐
376 ally specified on the command line with the --ipt-script option.
377
379 This section describes what each of the more important fwsnort configu‐
380 ration variables do and how they can be tuned to meet your needs.
381 These variables are located in the fwsnort configuration file /etc/fws‐
382 nort/fwsnort.conf
383 HOME_NET
385 fwsnort uses the same HOME_NET and EXTERNAL_NET variables as
386 defined in Snort rules, and the same semantics are supported.
387 I.e., individual IP addresses or networks in standard dotted-
388 quad or CIDR notation can be specified, and comma separated
389 lists are also supported.
390 EXTERNAL_NET
392 Defines the external network. See the HOME_NET variable for
393 more information.
394
396 The following examples illustrate the command line arguments that could
397 be supplied to fwsnort in a few situations:
398 Script generation in logging mode, parse errors written to the fwsnort
400 logfile, and iptables policy checking are enabled by default without
401 having to specify any command line arguments:
402 # fwsnort
404 Generate ip6tables rules for attacks delivered over IPv6:
406 # fwsnort -6
408 Generate iptables rules for ddos and backdoor Snort rules only:
410 # fwsnort --include-type ddos,backdoor
412 Generate iptables rules for Snort ID's 2008475 and 2003268 (from emerg‐
414 ing-all.rules):
415 fwsnort --snort-sid 2008475,2003268
417 Generate iptables rules for Snort ID's 1834 and 2001842 but queue them
419 to userspace via the NFQUEUE target and restrict exclude the INPUT and
420 OUTPUT chains:
421 fwsnort --snort-sid 1834,2001842 --NFQUEUE --no-ipt-INPUT --no-ipt-OUT‐
423 PUT
424 Instruct fwsnort to only inspect traffic that traverses the eth0 and
426 eth1 interfaces:
427 # fwsnort --restrict-intf eth0,eth1
429 Generate iptables rules for Snort rules that appear to be allowed by
431 the local iptables policy, and write original snort rules to the ipta‐
432 bles script as a comment:
433 # fwsnort --ipt-sync --verbose
435
437 fwsnort requires that the iptables string match module be compiled into
438 the kernel (or as a loadable kernel module) in order to be able to
439 match snort signatures that make use of the "content" keyword. Note
440 that the --no-opt-test option can be specified to have fwsnort generate
441 an iptables script even if the string match module is not compiled in.
442 fwsnort also requires the IPTables::Parse CPAN module in order to parse
444 iptables policies. This module is bundled with the fwsnort sources in
445 the deps/ directory for convenience.
446
448 The --debug option can be used to display on STDOUT any errors that are
449 generated as fwsnort parses each snort rule. Normally these errors are
450 written to the fwsnort logfile /var/log/fwsnort.log
451
453 psad(8), iptables(8), snort(8), nmap(1)
454
456 Michael Rash <mbr@cipherdyne.org>
457
459 Many people who are active in the open source community have contrib‐
460 uted to fwsnort; see the CREDITS file in the fwsnort sources, or visit
461 http://www.cipherdyne.org/fwsnort/docs/contributors.html to view the
462 online list of contributors.
463 fwsnort is based on the original snort2iptables script written by
465 William Stearns.
466
468 Send bug reports to mbr@cipherdyne.org. Suggestions and/or comments are
469 always welcome as well.
470
472 fwsnort is distributed under the GNU General Public License (GPLv2),
473 and the latest version may be downloaded from http://www.cipher‐
474 dyne.org/ Snort is a registered trademark of Sourcefire, Inc.
475Linux Jan, 2011 FWSNORT(8)