Linux Firewalls - Michael Rash [106]

discuss the administration of fwsnort and illustrate how it can be used to instruct iptables to detect attacks that are associated with the Snort signature ruleset.

Installing fwsnort

Like psad, fwsnort comes bundled with its own installation program install.pl. This program handles all aspects of installation, including preserving configurations from a previous installation of fwsnort, the installation of two Perl modules (Net::IPv4Addr and IPTables::Parse), and the (optional) downloading of the latest Bleeding Snort signature set from http://www.bleedingsnort.com. You can also install fwsnort from the RPM if you are running an RPM-based Linux distribution.

Note

As of March 2005, the Snort signature ruleset is only available as part of a for-pay service. Before that date, the Snort rules were available for free from the Snort website (http://www.snort.org). Many security applications (including fwsnort) took advantage of the free rules by providing an automatic update feature to synchronize with the latest Snort rules. While automatically updating in this way is no longer possible, as of this writing the latest Snort rulesets distributed by the Bleeding Snort project are still available for (free) download.

The fwsnort installer places the Net::IPv4Addr and IPTables::Parse Perl modules within the directory /usr/lib/fwsnort so as to not clutter the system Perl library tree. (This is similar to the installation strategy implemented by psad, as discussed in Chapter 5.)

In order to use fwsnort, you will need to be able to use the iptables string-matching capability. If you are running kernel version 2.6.14 or later, string matching may already be compiled into your kernel.

An easy way to check whether the running kernel supports the string-matching extension is to attempt to create a string-matching iptables rule against a nonexistent IP address (so that no real network communications are disrupted), like so:

[iptablesfw]# iptables -I INPUT 1 -i lo -d 127.0.0.2 -m string --string "testing" --algo bm -j ACCEPT

If the error iptables: no chain/target/match by that name is returned, then the extension is not available in the running kernel. This can be fixed by enabling the CONFIG_NETFILTER_XT_MATCH_STRING option in the kernel configuration file, recompiling, and then booting into the new kernel (see "Kernel Configuration" on page 14 for recommended iptables kernel compilation options). If the command above succeeds, then iptables string matching is compatible with your kernel, and you should delete the new rule:

[iptablesfw]# iptables -D INPUT 1
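The probe described above, turned into a small POSIX shell script. This is an added example, not part of the book or of fwsnort: it inserts the same harmless rule against 127.0.0.2 on the loopback interface, removes it again when the insertion succeeds, and interprets the iptables error text when it does not. The function names, the IPTABLES override variable and the file name probe_string_match.sh are assumptions made for this example.

```shell
#!/bin/sh
# probe_string_match.sh (hypothetical name): does the running kernel's
# iptables support the "string" match? Added example, not from the book.
# IPTABLES can be pointed at another binary (or a shell function) so the
# logic can be exercised without touching a live firewall.
IPTABLES="${IPTABLES:-iptables}"

# The book's probe rule: loopback interface, unused address 127.0.0.2, so no
# real traffic can match it even while it is briefly installed.
PROBE_RULE='-i lo -d 127.0.0.2 -m string --string testing --algo bm -j ACCEPT'

# classify_probe_output ERRTEXT: map iptables' error text to a status word.
classify_probe_output() {
    case "$1" in
        *"No chain/target/match by that name"*) echo unsupported ;;       # kernel lacks CONFIG_NETFILTER_XT_MATCH_STRING
        *"Couldn't load match"*|*"Couldn't find match"*) echo userspace-missing ;;  # kernel may be fine, libxt_string.so absent
        *"you must be root"*|*"Permission denied"*) echo no-privilege ;;  # probe was not run as root
        *) echo unknown ;;
    esac
}

# string_match_supported: insert the probe at position 1 of INPUT, remove it
# again if it went in, and print the resulting status word. Exit status is 0
# only when the match is usable.
string_match_supported() {
    # Capture stderr only; a successful insertion prints nothing on stdout.
    err=$("$IPTABLES" -I INPUT 1 $PROBE_RULE 2>&1 >/dev/null)
    rc=$?
    if [ "$rc" -eq 0 ]; then
        # Delete by full rule specification rather than by rule number, so a
        # rule inserted by something else in the meantime is never removed.
        "$IPTABLES" -D INPUT $PROBE_RULE >/dev/null 2>&1
        echo supported
        return 0
    fi
    classify_probe_output "$err"
    return 1
}

main() {
    status=$(string_match_supported)
    echo "iptables string match: $status"
    [ "$status" = supported ]
}

# Run the probe only when executed as a script, not when sourced for testing.
case "$0" in *probe_string_match.sh) main ;; esac
```

The script distinguishes the kernel-side failure the book describes (fix: enable CONFIG_NETFILTER_XT_MATCH_STRING and reboot) from a missing user-space extension library and from simply not running as root, so the remedy is clear from the status word alone.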

To install fwsnort-1.0, execute the following commands. (This installer output is somewhat abbreviated but shows the various files that partition the original Snort ruleset, such as backdoor.rules and web-cgi.rules.)

[iptablesfw]$ cd /usr/local/src
[iptablesfw]$ wget http://www.cipherdyne.org/fwsnort/download/fwsnort-1.0.tar.bz2
[iptablesfw]$ wget http://www.cipherdyne.org/fwsnort/download/fwsnort-1.0.tar.bz2.md5
[iptablesfw]$ wget http://www.cipherdyne.org/fwsnort/download/fwsnort-1.0.tar.bz2.asc
[iptablesfw]$ md5sum -c fwsnort-1.0.tar.bz2.md5
fwsnort-1.0.tar.bz2: OK
[iptablesfw]$ gpg --verify fwsnort-1.0.tar.bz2.asc
gpg: Signature made Sat 21 Apr 2007 09:29:02 AM EDT using DSA key ID A742839F
gpg: Good signature from "Michael Rash "
gpg:                 aka "Michael Rash "
[iptablesfw]$ tar xfj fwsnort-1.0.tar.bz2
[iptablesfw]$ su -
Password:
[iptablesfw]# cd /usr/local/src/fwsnort-1.0
[iptablesfw]# ./install.pl
[+] mkdir /etc/fwsnort
[+] mkdir /etc/fwsnort/snort_rules
[+] Installing the Net::IPv4Addr Perl module
[+] Installing the IPTables::Parse Perl module
[+] Would you like to download the latest Snort rules from
    http://www.bleedingsnort.com? ([y]/n)? y
--22:01:11-- http://www.bleedingsnort.com/bleeding-all.rules
           => 'bleeding-all.rules'
Resolving www.bleedingsnort.com... 69.44.153.29
Connecting to www.bleedingsnort.com[69.44.153.29]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 292,192 [text/plain]
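The download-and-verify sequence above, as an added shell script that is not part of the book or of fwsnort: it fetches the tarball together with its .md5 and .asc companions from the same download URL, and refuses to unpack unless both md5sum -c and gpg --verify succeed. The function names and the MD5SUM/GPG override variables are assumptions made for this example; gpg --verify can only report a good signature if the signing key has already been imported into the local keyring.

```shell
#!/bin/sh
# Fetch fwsnort-1.0 and verify it before unpacking. Added example, not the
# book's or the project's own code. MD5SUM and GPG can be overridden with
# fake commands so the decision logic can be tested offline.
BASE_URL="${BASE_URL:-http://www.cipherdyne.org/fwsnort/download}"
TARBALL="${TARBALL:-fwsnort-1.0.tar.bz2}"
MD5SUM="${MD5SUM:-md5sum}"
GPG="${GPG:-gpg}"

# verify_md5 TARBALL: check the tarball against its .md5 companion, which
# is in "md5sum -c" format ("<hex digest>  <file name>") and names the
# tarball relative to the current directory.
verify_md5() {
    "$MD5SUM" -c "$1.md5" >/dev/null 2>&1
}

# verify_signature TARBALL: check the detached .asc signature. gpg derives
# the data file name by stripping ".asc", so the tarball must sit beside it.
verify_signature() {
    "$GPG" --verify "$1.asc" >/dev/null 2>&1
}

# verify_archive TARBALL: both checks must pass. Returns 1 on a checksum
# mismatch (corrupt or altered download), 2 on a bad or unverifiable
# signature (tampering, or the signing key is not in the keyring).
verify_archive() {
    if ! verify_md5 "$1"; then
        echo "checksum mismatch for $1; not extracting" >&2
        return 1
    fi
    if ! verify_signature "$1"; then
        echo "bad or unverifiable signature for $1; not extracting" >&2
        return 2
    fi
    return 0
}

# fetch_and_install: the book's sequence, stopping at the first failed step.
# The final cd/install.pl pair must run as root, as in the book.
fetch_and_install() {
    cd /usr/local/src || return 1
    for f in "$TARBALL" "$TARBALL.md5" "$TARBALL.asc"; do
        wget -q "$BASE_URL/$f" || return 1
    done
    verify_archive "$TARBALL" || return 1
    tar xfj "$TARBALL" || return 1
    cd "${TARBALL%.tar.bz2}" && ./install.pl
}
```

Note that the .md5 file is downloaded from the same server as the tarball, so the checksum only protects against a corrupt transfer; the GPG signature is what ties the archive to the author's key, and it is the check that must not be skipped.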
