Linux Firewalls - Michael Rash [105]

with the string match extension, but this is not yet supported by fwsnort. The L7-filter packet classifier project could also be used to emulate this to some degree (see http://l7-filter.sourceforge.net).

fragbits

This option allows Snort to perform tests against the fragmentation bits in the IP header. Although iptables can apply match criteria to determine whether a packet has been fragmented (via the -f argument), this capability is not nearly as powerful as the Snort implementation. In addition, if connection tracking is enabled in the Linux kernel, packets are automatically defragmented before iptables sees them. This is a requirement for connection tracking to work, because only complete packets can be classified as either belonging to a connection or not. This is an advantage in the sense that networks protected by such kernels automatically stop most IDS evasion attempts that rely on fragmented packets.
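The Snort fragbits option can be emulated more closely than with -f by reading the flags word of the IP header with the iptables u32 extension mentioned in the footnotes below. The following is an added example, not fwsnort's own code: it translates a Snort fragbits specification (flags M, D, R with the +, * and ! modifiers) into a u32 expression and evaluates that expression against a constructed IPv4 header; it assumes the u32 match is available in the running kernel.

```python
import struct

# IP header bytes 4..7 hold the Identification field in the high 16 bits and
# the three flag bits (Reserved, DF, MF) plus the 13-bit fragment offset in the
# low 16 bits, so a u32 read at offset 4 masked with 0xE000 yields the flags.
FLAG_BITS = {"R": 0x8000, "D": 0x4000, "M": 0x2000}
FLAG_MASK = 0xE000

def fragbits_to_u32(spec: str) -> str:
    """Return a u32 expression equivalent to Snort's fragbits:<spec>."""
    modifier = spec[0] if spec[0] in "+*!" else ""
    bits = 0
    for ch in spec[len(modifier):].upper():
        bits |= FLAG_BITS[ch]                   # KeyError on an unknown flag letter
    if modifier == "+":                         # all listed bits set, others ignored
        return f"4&{bits:#06x}={bits:#06x}"
    if modifier == "*":                         # any listed bit set
        return f"4&{bits:#06x}=0x1:{bits:#06x}"
    if modifier == "!":                         # none of the listed bits set
        return f"4&{bits:#06x}=0x0"
    return f"4&{FLAG_MASK:#06x}={bits:#06x}"    # exactly these bits, no others

def u32_matches(expr: str, ip_header: bytes) -> bool:
    """Evaluate one "off&mask=val" or "off&mask=lo:hi" u32 test on a header."""
    lhs, rhs = expr.split("=")
    off, mask = lhs.split("&")
    word = struct.unpack("!I", ip_header[int(off):int(off) + 4])[0] & int(mask, 16)
    lo, _, hi = rhs.partition(":")
    lo_v = int(lo, 16)
    hi_v = int(hi, 16) if hi else lo_v
    return lo_v <= word <= hi_v

def make_ip_header(flags: int, frag_off: int = 0, ip_id: int = 0x1234) -> bytes:
    """Constructed minimal IPv4 header (checksum left zero) used for testing."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id,
                       flags | frag_off, 64, 6, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
```

The resulting expression is used as `iptables -A INPUT -m u32 --u32 "<expr>" ...`; remember that with connection tracking loaded the kernel reassembles fragments before any iptables rule sees them, so tests on MF and the fragment offset rarely fire on such hosts.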

isdataat

This option instructs Snort simply to test whether data exists at a particular offset. The offset may be specified in absolute terms (e.g., 30) or relative to the end of a previous pattern match (e.g., 30,relative).

pcre

This stands for Perl Compatible Regular Expression and allows Snort to apply complex regular expressions (that may include back references and other intensive operations) to packet data. Putting this functionality directly into the Linux kernel is risky from a stability standpoint; it makes more sense to perform these sorts of operations in a userland application.

rpc

This allows Snort to decode the application, procedure, and program version contained within Remote Procedure Call (RPC) traffic. The iptables rpc extension allows procedure call numbers to be matched within an iptables policy, but this module is only available for pre-2.6 kernels and is not yet supported by fwsnort.

* * *

[5] The ulog project is an infrastructure built on top of netlink sockets that allows entire packets to be sent from the kernel to a userland daemon process, ulogd, where packets can be logged in various formats, from PCAP files to a MySQL database. See http://www.netfilter.org/projects/ulogd/index.html for more information.

[6] The iptables u32 extension allows iptables to match arbitrary bytes within IP packets and apply numeric tests to them (so even though there is no IP ID match, for example, you could emulate one with the u32 extension), but it is not officially integrated with the 2.6 kernel.

[*] See the L7-filter packet classifier project at http://l7-filter.sourceforge.net.

[7] Technically, the iptables --from and --to arguments to the string match apply at the beginning of the data link layer MAC fields on Ethernet networks.

[8] There are some technicalities here. For example, the average header length of TCP ACK packets is substantially less than the header length of a TCP SYN packet, because connection initialization parameters such as the Maximum Segment Size (MSS) are not re-advertised within an established TCP connection. TCP ACKs sometimes contain only the timestamp option and perhaps a couple of NOPs.

[9] The Snort community usually refers to specific versions of the stream preprocessor, such as stream4 or stream5, but such distinctions are not generally necessary here.

[10] TCP connection hijacking can sometimes be used to compromise systems as well, but this type of attack is esoteric and generally foiled by the use of application layer encryption.

Concluding Thoughts

At this point in the discussion, we have a good feel for how closely iptables can emulate many of the packet-matching options in the Snort IDS, but we have yet to see a complete ruleset built by fwsnort in action. This is precisely what we'll cover in the next chapter. Appendix B also contains a complete iptables ruleset built by fwsnort.

Chapter 10. DEPLOYING FWSNORT

With the theoretical discussion in Chapter 9 on the emulation of Snort rule options within iptables behind us, we'll talk in this chapter about how to get fwsnort to actually do something! Namely, we'll
