Linux Firewalls - Michael Rash [107]
100%[======================================>] 292,192 109.94K/s
22:01:17 (109.77 KB/s) - 'bleeding-all.rules' saved [292,192/292,192]
[+] Copying all rules files to /etc/fwsnort/snort_rules
[+] Installing snmp.rules
[+] Installing finger.rules
[+] Installing info.rules
[+] Installing ddos.rules
[+] Installing virus.rules
[+] Installing icmp.rules
[+] Installing dns.rules
[+] Installing rpc.rules
[+] Installing backdoor.rules
[+] Installing scan.rules
[+] Installing shellcode.rules
[+] Installing web-client.rules
[+] Installing web-cgi.rules
[+] Installing exploit.rules
[+] Installing attack-responses.rules
[+] Installing web-attacks.rules
[+] Installing fwsnort.8 man page as /usr/share/man/man8/fwsnort.8
[+] Compressing manpage /usr/share/man/man8/fwsnort.8
[+] Copying fwsnort.conf -> /etc/fwsnort/fwsnort.conf
[+] Copying fwsnort -> /usr/sbin/fwsnort
[+] fwsnort will generate an iptables script located at:
/etc/fwsnort/fwsnort.sh when executed.
[+] fwsnort has been successfully installed!
Running fwsnort
With fwsnort installed on a system that offers string-match support in the kernel, we can now put fwsnort to work for us. Without further ado, we fire up fwsnort from the command line. Normally, fwsnort is executed as root because by default it queries iptables in order to determine which extensions are available in the running kernel, and then it tailors the translation process accordingly[59] (some output below is abbreviated):
[iptablesfw]# fwsnort
Snort Rules File              Success   Fail  Ipt_apply  Total
[+] attack-responses.rules         15      2          0     17
[+] backdoor.rules                 62      7          1     69
[+] bad-traffic.rules              10      3          0     13
[+] bleeding-all.rules           1076    573          5   1649
[+] exploit.rules                  31     43          0     74
[+] web-cgi.rules                 286     62          0    348
[+] web-client.rules                7     10          0     17
[+] web-coldfusion.rules           35      0          0     35
[+] web-frontpage.rules            34      1          0     35
[+] web-iis.rules                 103     11          0    114
[+] web-misc.rules                265     61          0    326
[+] web-php.rules                  78     48          0    126
[+] x11.rules                       2      0          0      2
                                 2725   1761         91   4486
[+] Generated iptables rules for 2725 out of 4486 signatures: 60.74%
[+] Found 91 applicable snort rules to your current iptables policy.
[+] Logfile: /var/log/fwsnort.log
[+] Iptables script: /etc/fwsnort/fwsnort.sh
One of the first things to notice about the fwsnort output is that for each Snort rules file, counters are printed for the number of successfully and unsuccessfully translated rules (Success and Fail), the number of rules that are applicable to the running iptables policy (Ipt_apply), and the total number of Snort rules in the rules file (Total).
At the end of the output above, fwsnort prints the total number of Snort rules that could be successfully translated (2,725 out of 4,486). The 60 percent translation rate is obtainable on any Linux system whose kernel has been compiled with support for the iptables string, length, tos, ttl, and ipv4options matches.
You'll also see printed at the end of the fwsnort output the sentence Found 91 applicable snort rules to your current iptables policy. This message indicates that fwsnort has parsed the iptables ruleset that is currently running on the system in order to throw away those Snort rules that iptables would not allow through in the first place. For example, if the iptables policy does not allow connections to an internal HTTP server, then it is of little use to translate Snort rules that deal with inbound HTTP connections initiated from the external network; hence, fwsnort omits such rules from the translation process.
Note
Because the policies constructed by iptables commands can be complex and tricky to parse, fwsnort may not always correctly determine whether an arbitrary type of traffic will be allowed through. You can use the fwsnort --no-ipt-sync command-line option to force the translation of as many Snort rules as possible without referencing the underlying iptables policy.
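To make the Success, Fail and Ipt_apply counters concrete, here is an added Python model (not fwsnort's own code) that translates a few constructed Snort signatures into iptables string-match rules and checks them against a constructed default-DROP policy. The set of handled Snort options, the FWSNORT_INPUT chain name, the log prefix and the one-chain policy parser are assumptions of this toy, not properties of fwsnort.

```python
"""Toy model of the fwsnort counters (Success, Fail, Ipt_apply, Total). Added
illustration, not fwsnort's code: the real translator handles far more options."""
import re

# Snort options this toy maps onto an iptables string match (assumption; fwsnort
# supports more). Anything else, e.g. pcre, is counted as a Fail.
SUPPORTED = {"msg", "content", "nocase", "sid", "rev", "flow", "classtype"}
HEADER = re.compile(r"^alert (tcp|udp) \S+ \S+ -> \S+ (\S+) \((.*)\)$")

def translate(rule, chain="FWSNORT_INPUT"):
    """Return (iptables_command, None) on success or (None, reason) on failure."""
    m = HEADER.match(rule.strip())
    if not m:
        return None, "unparsable header"
    proto, dport, body = m.groups()
    opts = {}
    for opt in (o.strip() for o in body.split(";") if o.strip()):
        key, _, val = opt.partition(":")
        if key not in SUPPORTED:
            return None, f"unsupported option: {key}"
        opts[key] = val.strip().strip('"')
    if "content" not in opts:
        return None, "no content to string-match"
    # Snort's |hex| notation maps onto --hex-string; drop spaces inside the pipes.
    content = re.sub(r"\|([0-9A-Fa-f ]+)\|", lambda h: "|%s|" % h.group(1).replace(" ", ""), opts["content"])
    flag = "--hex-string" if "|" in content else "--string"
    cmd = [f"iptables -A {chain} -p {proto}"] + ([f"--dport {dport}"] if dport != "any" else [])
    cmd.append(f'-m string {flag} "{content}" --algo bm' + (" --icase" if "nocase" in opts else ""))
    cmd.append(f'-j LOG --log-prefix "[fwsnort] SID{opts.get("sid", "0")} "')
    return " ".join(cmd), None

def policy_allows(policy_lines, proto, dport):
    """Ipt_apply check: does a default-DROP INPUT chain ('iptables -S' lines) ACCEPT the port?"""
    pat = rf"-A INPUT -p {proto}( -m {proto})? --dport (\d+) -j ACCEPT"
    return any(m is not None and (dport == "any" or m.group(2) == dport)
               for m in (re.match(pat, line) for line in policy_lines))

def summarize(rules, policy_lines):
    """One row of the fwsnort table: (Success, Fail, Ipt_apply, Total)."""
    ok = [r for r in rules if translate(r)[0] is not None]
    applicable = sum(policy_allows(policy_lines, *HEADER.match(r.strip()).group(1, 2)) for r in ok)
    return len(ok), len(rules) - len(ok), applicable, len(rules)

# Constructed sample signatures and policy (not taken from any real rules file).
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB test"; flow:to_server,established; content:"/test-signature"; nocase; sid:9000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP test"; content:"|0d 0a|X-Test|3a|"; sid:9000002;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"regex"; pcre:"/test\\d+/"; sid:9000003;)',
]
POLICY = ["-P INPUT DROP", "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT"]
```

With the sample above, summarize(RULES, POLICY) yields (2, 1, 1, 3): the pcre rule fails because a string match cannot express a regex, and the SMTP rule translates but is not applicable because the policy only admits port 80.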
Finally, the fwsnort output displays two file paths: /var/log/fwsnort.log and /etc/fwsnort/fwsnort.sh.
The fwsnort.log file contains information about the translation process and can be used to determine