Man Linux: Main Page and Category List


       fwsnort - Firewall Snort


       fwsnort [options]


       fwsnort  translates  SNORT  rules  into  iptables rules and generates a
       shell script that implements the  resulting  iptables  commands.   This
       ruleset  allows  network  traffic  that  matches Snort signatures (i.e.
       attacks and other suspicious network  behavior)  to  be  logged  and/or
       dropped   by  iptables  directly  without  putting  an  interface  into
       promiscuous mode or queuing packets from kernel to  user  space.   Note
       that fwsnort can also build an iptables policy that combines the string
       match extension with the NFQUEUE or QUEUE targets to allow  the  kernel
       to  perform  preliminary  string  matches that are defined within Snort
       rules before queuing matching packets to userspace.  Because  the  bulk
       of  network  communications  are  not  malicious, this should provide a
       speedup for snort_inline since the majority of packets do not then have
       to  be  copied  from  kernel  memory  into user memory and subsequently
       inspected by snort_inline.  There  is  a  tradeoff  here  in  terms  of
       signature  detection however because snort_inline when deployed in this
       way does not have the opportunity to see all packets associated with  a
       session,  so  stream  reassembly  and  signature  comparisons against a
       reassembled buffer  do  not  take  place  (the  stream  preprocessor  -
       stream4, stream5, etc. - should be disabled).

       fwsnort  (optionally)  uses  the  IPTables::Parse  module  to parse the
       iptables ruleset on the machine to  determine  which  Snort  rules  are
       applicable  to the specific iptables policy.  After all, if iptables is
       blocking all inbound  http  traffic  from  external  addresses,  it  is
       probably  not  of  much  use  to  try detecting inbound attacks against
       against tcp/80.  By default fwsnort generates iptables rules  that  log
       Snort  sid’s  within a --log-prefix to syslog where the messages can be
       analyzed    with    a    log    analyzer    such    as    psad     (see    fwsnort  relies  on  the  iptables
       string match module to match Snort content fields  in  the  application
       portion  of  ip  traffic.   Since  Snort  rules can contain hex data in
       content  fields  (specified  between  pipe  "|"  characters),   fwsnort
       implements  a  patch  against  iptables (which has been accepted by the
       Netfilter project as of iptables-1.2.7a) which  adds  a  "--hex-string"
       option.   This allow iptables to accept content fields from Snort rules
       such as "|0d0a5b52504c5d3030320d0a|" without any modification.  fwsnort
       is   able  to  translate  approximately  60%  of  all  rules  from  the
       Snort-2.3.3 IDS into equivalent iptables rules.  For  more  information
       about  the  translation strategy as well as advantages/disadvantages of
       the method used by fwsnort to obtain intrusion detection data, see  the
       README    included   with   the   fwsnort   sources   or   browse   to:


       -c, --config <configuration file>
              By  default  fwsnort  makes  use  of  the   configuration   file
              /etc/fwsnort/fwsnort.conf    for    almost   all   configuration
              parameters.  fwsnort can  be  made  to  override  this  path  by
              specifying  a  different  file  on  the  command  line  with the
              --config option.

              Download   the    latest    Emerging    Threats    rules    from
        This    will   overwrite   the
              emerging-all.rules   file   in   the   /etc/fwsnort/snort_rules/
              directory.   Note  that the automatic downloading of Snort rules
              from as of March, 2005 is only offered  as
              a pay service.

       -6, --ip6tables
              Enable ip6tables mode so that the fwsnort rule set is built into
              an ip6tables policy instead of the iptables policy.  This allows
              fwsnort controls to apply to IPv6 traffic.

       --include-type  <rules type>
              Restrict  to  processing  snort  rules of <rules type>.  Example
              rule types would include "ddos", "backdoor", and  "web-attacks".
              This  option also supports a comma-separated list of types, e.g.

       --exclude-type  <rules type>
              Exclude all Snort rules from  of  type  <rules  type>  from  the
              translation  process.   For example, if you don’t want any rules
              from the file emerging-all.rules  to  be  translated,  then  use
              "emerging-all"  as  the  argument  to  this  option.   A  comma-
              separated list of types to exclude can be specified.

       --include-regex  <regex>
              Only translate Snort rules  that  match  the  specified  regular
              expression.  This  is useful to build fwsnort policies for Snort
              rules that have a common characteristic (such as a string  match
              on the word "Storm" for the Storm worm for example).

       --exclude-regex  <regex>
              Translate  all Snort rules except those that match the specified
              regular expression.  This is useful to  omit  Snort  rules  from
              fwsnort  policies  that  have a common characteristic (such as a
              string match on "HTTP_PORTS" for example).

              Make  the  rule  matchine  regular  expression  specified   with
              --include-regex match case insensitively.

              Make   the  rule  matchine  regular  expression  specified  with
              --exclude-regex match case insensitively.

       --snort-rdir <snort-rules-directory>
              Manually specify the directory where the snort rules  files  are
              located.   The  default  is  /etc/fwsnort/snort_rules.  Multiple
              directories are supported as a comma-separated list.

       --snort-rfile <snort-rules-file>
              Manually specify a Snort rules file to translated into  iptables
              rules.   Multiple  files are also supported as a comma-separated

       --snort-sid <sid>
              Generate an iptables ruleset for a single snort  rule  specified
              by <sid>.  A comma-separated list of sids can be specified, e.g.

       --exclude-sid <sid>
              Provide a list of Snort ID’s to be excluded from the translation

              Include  perl  -e  print  ...    commands  as  comments in the
     script.   These  commands  allow  payloads  that  are
              designed  to  trigger  snort  rules to easily be built, and when
              combined with netcat (or other software that can send bytes over
              the  wire) it becomes possible to test whether an fwsnort policy
              appropriately triggers on matching traffic.

       --ipt-script <script file>
              Specify the path to the iptables script  generated  by  fwsnort.
              The default location is /etc/fwsnort/

              Run fwsnort with the same command line arguments as the previous
              execution.   This  is  a  convenient  way  of   rebuilding   the
              /etc/fwsnort/  script  without having to remember what
              the last command line args were.

              Build an fwsnort policy that  sends  packets  that  match  Snort
              content  or  uricontent  fields  to  userspace  via the iptables
              NFQUEUE target for further analysis.  This is  a  mechanism  for
              reducing  the  signature inspection load placed on snort_inline.
              A parallel set of Snort rules that are  successfully  translated
              are  placed  in  the  /etc/fwsnort/snort_rules_queue  directory.
              This requires CONFIG_NETFILTER_XT_TARGET_NFQUEUE support in  the
              Linux kernel.

              Same  as  the  --NFQUEUE  command  line argument except that the
              older QUEUE target is used instead of the NFQUEUE target.   This
              requires CONFIG_IP_NF_QUEUE support in the Linux kernel.

       --queue-num <num>
              Specify a queue number in --NFQUEUE mode.

              Execute the iptables script generated by fwsnort.

              Flush  all  fwsnort currently active iptables rules (flushes the
              fwsnort chains).

              List all fwsnort currently  active  iptables  rules  (lists  the
              fwsnort chains).

              For  each  logging rule generated by fwsnort add a corresponding
              DROP rule.  Note that for TCP sessions using  this  option  will
              cause  retransmissions  as  packets that are part of established
              sessions selectively dropped.  Remember that false positives are
              common occurrences for intrusion detection systems, and so using
              this or  the  --ipt-reject  option  may  break  things  on  your
              network!  You have been warned.

              For  each  logging rule generated by fwsnort add a corresponding
              REJECT rule.  Reset packets will be generated for  TCP  sessions
              through  the  use  of  the "--reject-with tcp-reset" option, and
              ICMP port unreachable messages will be generated for UDP packets
              through  the  use  of  the "--reject-with icmp-port-unreachable"

              By default fwsnort generates an iptables script that  implements
              a  logging  rule  for  each  successfully translated snort rule.
              This can be disabled with the --no-ipt-log  option,  but  --ipt-
              drop must also be specified.

              Do  not  consult  the  iptables  policy currently running on the
              machine for applicable snort rules.   Unless  limited  with  the
              --include-type  or  --snort-sid  options  this  can  result in a
     script that contains several thousand iptables rules.

              Do  not test the iptables build for existence of support for the
              LOG and REJECT targets, and ascii and hex string matching.

              Do not jump packets from the built-in  iptables  INPUT,  OUTPUT,
              and  FORWARD  chains to the custom fwsnort chains.  This options
              is mostly useful to make it easy to manually alter the placement
              of the jump rules in the iptables ruleset.

              By  default  fwsnort includes the rule number within the logging
              prefix for each of the rules it  adds  to  the  fwsnort  chains.
              E.g.  the  logging  prefix for rule 34 would look something like
              "[34] SID1242 ESTAB".  Use this option to not include  the  rule

              If  the  iptables  "comment" match exists, then fwsnort puts the
              Snort "msg", "classtype",  "reference",  "priority",  and  "rev"
              fields within a comment for each iptables rule.  Use this option
              to disable this.

              Do not jump packets from the iptables INPUT chain to the fwsnort

              Do  not  jump  packets  from  the  iptables  OUTPUT chain to the
              fwsnort chains.

              Do not jump packets from  the  iptables  FORWARD  chain  to  the
              fwsnort chains.

       -H, --Home-net <network/mask>
              Specify the internal network instead of having fwsnort derive it
              from the HOME_NET  keyword  in  the  fwsnort.conf  configuration

       -E, --External-net <network/mask>
              Specify the external network instead of having fwsnort derive it
              from the EXTERNAL_NET keyword in the fwsnort.conf  configuration

              Disable  all checks against the output of ifconfig for proper IP
              addresses.  This is useful if fwsnort is running on  a  bridging

              Print the fwsnort configuration on STDOUT and exit.

              Run  in  debug mode.  This will cause all parse errors which are
              normally written to the fwsnort logfile /var/log/fwsnort.log  to
              be written to STDOUT instead.

              Run  fwsnort  in  "strict" mode.  This will prevent fwsnort from
              translating snort rules  that  contain  the  keywords  "offset",
              "uricontent", and "depth".

       -U, --Ulog
              Force  the usage of the ULOG target for all log messages instead
              of the default LOG target.

              Specify the netlink group for ULOG rules.  Such rules  are  only
              added  for  Snort  rules  that  have an action of "log", or when
              fwsnort is run in --Ulog mode.

       -l, --logfile <logfile>
              By  default  fwsnort  logs  all  parse  errors  to  the  logfile
              /var/log/fwsnort.log.   This  path  can be manually changed with
              the --logfile option.

       -v, --verbose
              Run fwsnort in verbose mode.  This will cause fwsnort to add the
              original  snort  rule  as a comment to the script for
              each successfully translated rule.

       -V, --Version
              Print the fwsnort version and exit.

       -h, --help
              Print usage information on STDOUT and exit.


              The fwsnort configuration file.  The path to this  file  can  be
              changed on the command line with --config.

              The  iptables  script  generated  by  fwsnort.   The path can be
              manually specified on the command  line  with  the  --ipt-script


       This  section  describes  what  each  of  the  more  important  fwsnort
       configuration variables do and how they  can  be  tuned  to  meet  your
       needs.   These  variables are located in the fwsnort configuration file

              fwsnort uses the same HOME_NET  and  EXTERNAL_NET  variables  as
              defined  in  Snort  rules, and the same semantics are supported.
              I.e., individual IP addresses or networks  in  standard  dotted-
              quad  or  CIDR  notation  can  be specified, and comma separated
              lists are also supported.

              Defines the external network.  See  the  HOME_NET  variable  for
              more information.


       The following examples illustrate the command line arguments that could
       be supplied to fwsnort in a few situations:

       Script generation in logging mode, parse errors written to the  fwsnort
       logfile,  and  iptables  policy checking are enabled by default without
       having to specify any command line arguments:

       # fwsnort

       Generate ip6tables rules for attacks delivered over IPv6:

       # fwsnort -6

       Generate iptables rules for ddos and backdoor Snort rules only:

       # fwsnort --include-type ddos,backdoor

       Generate iptables rules  for  Snort  ID’s  2008475  and  2003268  (from

       fwsnort --snort-sid 2008475,2003268

       Generate  iptables rules for Snort ID’s 1834 and 2001842 but queue them
       to userspace via the NFQUEUE target and restrict exclude the INPUT  and
       OUTPUT chains:

       fwsnort  --snort-sid  1834,2001842  --NFQUEUE  --no-ipt-INPUT --no-ipt-

       Instruct fwsnort to only inspect traffic that traverses  the  eth0  and
       eth1 interfaces:

       # fwsnort --restrict-intf eth0,eth1

       Generate  iptables  rules for all Snort rules, and write original snort
       rule to the iptables script as a comment:

       # fwsnort --no-ipt-sync --verbose


       fwsnort requires that the iptables string match module be compiled into
       the  kernel  (or  as  a  loadable kernel module) in order to be able to
       match snort signatures that make use of the  "content"  keyword.   Note
       that the --no-opt-test option can be specified to have fwsnort generate
       an iptables script even if the string match module is not compiled  in.

       fwsnort  also  requires  the  IPTables::Parse  module in order to parse
       iptables policies.


       The --debug option can be used to display on STDOUT any errors that are
       generated as fwsnort parses each snort rule.  Normally these errors are
       written to the fwsnort logfile /var/log/fwsnort.log


       psad(8), iptables(8), snort(8), nmap(1)


       Michael Rash <>


       Many  people  who  are  active  in  the  open  source  community   have
       contributed to fwsnort; see the CREDITS file in the fwsnort sources, or
       visit to  view
       the online list of contributors.

       fwsnort  is  based  on  the  original  snort2iptables script written by
       William Stearns.


       Send bug reports to Suggestions and/or comments are
       always welcome as well.


       fwsnort  is distributed under the GNU General Public License (GPL), and
       the latest version may be  downloaded  from
       Snort is a registered trademark of Sourcefire, Inc.