fwsnort - Firewall Snort
fwsnort translates SNORT rules into iptables rules and generates a
shell script that implements the resulting iptables commands. This
ruleset allows network traffic that matches Snort signatures (i.e.
attacks and other suspicious network behavior) to be logged and/or
dropped by iptables directly without putting an interface into
promiscuous mode or queuing packets from kernel to user space. Note
that fwsnort can also build an iptables policy that combines the string
match extension with the NFQUEUE or QUEUE targets to allow the kernel
to perform preliminary string matches that are defined within Snort
rules before queuing matching packets to userspace. Because the bulk
of network communications are not malicious, this should provide a
speedup for snort_inline since the majority of packets do not then have
to be copied from kernel memory into user memory and subsequently
inspected by snort_inline. There is a tradeoff here in terms of
signature detection however because snort_inline when deployed in this
way does not have the opportunity to see all packets associated with a
session, so stream reassembly and signature comparisons against a
reassembled buffer do not take place (the stream preprocessor -
stream4, stream5, etc. - should be disabled).
fwsnort (optionally) uses the IPTables::Parse module to parse the
iptables ruleset on the machine to determine which Snort rules are
applicable to the specific iptables policy. After all, if iptables is
blocking all inbound http traffic from external addresses, it is
probably not of much use to try detecting inbound attacks against
against tcp/80. By default fwsnort generates iptables rules that log
Snort sid’s within a --log-prefix to syslog where the messages can be
analyzed with a log analyzer such as psad (see
http://www.cipherdyne.org/psad/). fwsnort relies on the iptables
string match module to match Snort content fields in the application
portion of ip traffic. Since Snort rules can contain hex data in
content fields (specified between pipe "|" characters), fwsnort
implements a patch against iptables (which has been accepted by the
Netfilter project as of iptables-1.2.7a) which adds a "--hex-string"
option. This allow iptables to accept content fields from Snort rules
such as "|0d0a5b52504c5d3030320d0a|" without any modification. fwsnort
is able to translate approximately 60% of all rules from the
Snort-2.3.3 IDS into equivalent iptables rules. For more information
about the translation strategy as well as advantages/disadvantages of
the method used by fwsnort to obtain intrusion detection data, see the
README included with the fwsnort sources or browse to:
-c, --config <configuration file>
By default fwsnort makes use of the configuration file
/etc/fwsnort/fwsnort.conf for almost all configuration
parameters. fwsnort can be made to override this path by
specifying a different file on the command line with the
Download the latest Emerging Threats rules from
http://www.emergingthreats.net This will overwrite the
emerging-all.rules file in the /etc/fwsnort/snort_rules/
directory. Note that the automatic downloading of Snort rules
from http://www.snort.org/ as of March, 2005 is only offered as
a pay service.
Enable ip6tables mode so that the fwsnort rule set is built into
an ip6tables policy instead of the iptables policy. This allows
fwsnort controls to apply to IPv6 traffic.
--include-type <rules type>
Restrict to processing snort rules of <rules type>. Example
rule types would include "ddos", "backdoor", and "web-attacks".
This option also supports a comma-separated list of types, e.g.
--exclude-type <rules type>
Exclude all Snort rules from of type <rules type> from the
translation process. For example, if you don’t want any rules
from the file emerging-all.rules to be translated, then use
"emerging-all" as the argument to this option. A comma-
separated list of types to exclude can be specified.
Only translate Snort rules that match the specified regular
expression. This is useful to build fwsnort policies for Snort
rules that have a common characteristic (such as a string match
on the word "Storm" for the Storm worm for example).
Translate all Snort rules except those that match the specified
regular expression. This is useful to omit Snort rules from
fwsnort policies that have a common characteristic (such as a
string match on "HTTP_PORTS" for example).
Make the rule matchine regular expression specified with
--include-regex match case insensitively.
Make the rule matchine regular expression specified with
--exclude-regex match case insensitively.
Manually specify the directory where the snort rules files are
located. The default is /etc/fwsnort/snort_rules. Multiple
directories are supported as a comma-separated list.
Manually specify a Snort rules file to translated into iptables
rules. Multiple files are also supported as a comma-separated
Generate an iptables ruleset for a single snort rule specified
by <sid>. A comma-separated list of sids can be specified, e.g.
Provide a list of Snort ID’s to be excluded from the translation
Include perl -e print ... commands as comments in the
fwsnort.sh script. These commands allow payloads that are
designed to trigger snort rules to easily be built, and when
combined with netcat (or other software that can send bytes over
the wire) it becomes possible to test whether an fwsnort policy
appropriately triggers on matching traffic.
--ipt-script <script file>
Specify the path to the iptables script generated by fwsnort.
The default location is /etc/fwsnort/fwsnort.sh.
Run fwsnort with the same command line arguments as the previous
execution. This is a convenient way of rebuilding the
/etc/fwsnort/fwsnort.sh script without having to remember what
the last command line args were.
Build an fwsnort policy that sends packets that match Snort
content or uricontent fields to userspace via the iptables
NFQUEUE target for further analysis. This is a mechanism for
reducing the signature inspection load placed on snort_inline.
A parallel set of Snort rules that are successfully translated
are placed in the /etc/fwsnort/snort_rules_queue directory.
This requires CONFIG_NETFILTER_XT_TARGET_NFQUEUE support in the
Same as the --NFQUEUE command line argument except that the
older QUEUE target is used instead of the NFQUEUE target. This
requires CONFIG_IP_NF_QUEUE support in the Linux kernel.
Specify a queue number in --NFQUEUE mode.
Execute the iptables script generated by fwsnort.
Flush all fwsnort currently active iptables rules (flushes the
List all fwsnort currently active iptables rules (lists the
For each logging rule generated by fwsnort add a corresponding
DROP rule. Note that for TCP sessions using this option will
cause retransmissions as packets that are part of established
sessions selectively dropped. Remember that false positives are
common occurrences for intrusion detection systems, and so using
this or the --ipt-reject option may break things on your
network! You have been warned.
For each logging rule generated by fwsnort add a corresponding
REJECT rule. Reset packets will be generated for TCP sessions
through the use of the "--reject-with tcp-reset" option, and
ICMP port unreachable messages will be generated for UDP packets
through the use of the "--reject-with icmp-port-unreachable"
By default fwsnort generates an iptables script that implements
a logging rule for each successfully translated snort rule.
This can be disabled with the --no-ipt-log option, but --ipt-
drop must also be specified.
Do not consult the iptables policy currently running on the
machine for applicable snort rules. Unless limited with the
--include-type or --snort-sid options this can result in a
fwsnort.sh script that contains several thousand iptables rules.
Do not test the iptables build for existence of support for the
LOG and REJECT targets, and ascii and hex string matching.
Do not jump packets from the built-in iptables INPUT, OUTPUT,
and FORWARD chains to the custom fwsnort chains. This options
is mostly useful to make it easy to manually alter the placement
of the jump rules in the iptables ruleset.
By default fwsnort includes the rule number within the logging
prefix for each of the rules it adds to the fwsnort chains.
E.g. the logging prefix for rule 34 would look something like
" SID1242 ESTAB". Use this option to not include the rule
If the iptables "comment" match exists, then fwsnort puts the
Snort "msg", "classtype", "reference", "priority", and "rev"
fields within a comment for each iptables rule. Use this option
to disable this.
Do not jump packets from the iptables INPUT chain to the fwsnort
Do not jump packets from the iptables OUTPUT chain to the
Do not jump packets from the iptables FORWARD chain to the
-H, --Home-net <network/mask>
Specify the internal network instead of having fwsnort derive it
from the HOME_NET keyword in the fwsnort.conf configuration
-E, --External-net <network/mask>
Specify the external network instead of having fwsnort derive it
from the EXTERNAL_NET keyword in the fwsnort.conf configuration
Disable all checks against the output of ifconfig for proper IP
addresses. This is useful if fwsnort is running on a bridging
Print the fwsnort configuration on STDOUT and exit.
Run in debug mode. This will cause all parse errors which are
normally written to the fwsnort logfile /var/log/fwsnort.log to
be written to STDOUT instead.
Run fwsnort in "strict" mode. This will prevent fwsnort from
translating snort rules that contain the keywords "offset",
"uricontent", and "depth".
Force the usage of the ULOG target for all log messages instead
of the default LOG target.
Specify the netlink group for ULOG rules. Such rules are only
added for Snort rules that have an action of "log", or when
fwsnort is run in --Ulog mode.
-l, --logfile <logfile>
By default fwsnort logs all parse errors to the logfile
/var/log/fwsnort.log. This path can be manually changed with
the --logfile option.
Run fwsnort in verbose mode. This will cause fwsnort to add the
original snort rule as a comment to the fwsnort.sh script for
each successfully translated rule.
Print the fwsnort version and exit.
Print usage information on STDOUT and exit.
The fwsnort configuration file. The path to this file can be
changed on the command line with --config.
The iptables script generated by fwsnort. The path can be
manually specified on the command line with the --ipt-script
FWSNORT CONFIGURATION VARIABLES
This section describes what each of the more important fwsnort
configuration variables do and how they can be tuned to meet your
needs. These variables are located in the fwsnort configuration file
fwsnort uses the same HOME_NET and EXTERNAL_NET variables as
defined in Snort rules, and the same semantics are supported.
I.e., individual IP addresses or networks in standard dotted-
quad or CIDR notation can be specified, and comma separated
lists are also supported.
Defines the external network. See the HOME_NET variable for
The following examples illustrate the command line arguments that could
be supplied to fwsnort in a few situations:
Script generation in logging mode, parse errors written to the fwsnort
logfile, and iptables policy checking are enabled by default without
having to specify any command line arguments:
Generate ip6tables rules for attacks delivered over IPv6:
# fwsnort -6
Generate iptables rules for ddos and backdoor Snort rules only:
# fwsnort --include-type ddos,backdoor
Generate iptables rules for Snort ID’s 2008475 and 2003268 (from
fwsnort --snort-sid 2008475,2003268
Generate iptables rules for Snort ID’s 1834 and 2001842 but queue them
to userspace via the NFQUEUE target and restrict exclude the INPUT and
fwsnort --snort-sid 1834,2001842 --NFQUEUE --no-ipt-INPUT --no-ipt-
Instruct fwsnort to only inspect traffic that traverses the eth0 and
# fwsnort --restrict-intf eth0,eth1
Generate iptables rules for all Snort rules, and write original snort
rule to the iptables script as a comment:
# fwsnort --no-ipt-sync --verbose
fwsnort requires that the iptables string match module be compiled into
the kernel (or as a loadable kernel module) in order to be able to
match snort signatures that make use of the "content" keyword. Note
that the --no-opt-test option can be specified to have fwsnort generate
an iptables script even if the string match module is not compiled in.
fwsnort also requires the IPTables::Parse module in order to parse
The --debug option can be used to display on STDOUT any errors that are
generated as fwsnort parses each snort rule. Normally these errors are
written to the fwsnort logfile /var/log/fwsnort.log
psad(8), iptables(8), snort(8), nmap(1)
Michael Rash <email@example.com>
Many people who are active in the open source community have
contributed to fwsnort; see the CREDITS file in the fwsnort sources, or
visit http://www.cipherdyne.org/fwsnort/docs/contributors.html to view
the online list of contributors.
fwsnort is based on the original snort2iptables script written by
Send bug reports to firstname.lastname@example.org. Suggestions and/or comments are
always welcome as well.
fwsnort is distributed under the GNU General Public License (GPL), and
the latest version may be downloaded from http://www.cipherdyne.org/
Snort is a registered trademark of Sourcefire, Inc.