Linux Firewalls - Michael Rash [165]
To create the fwsnort.sh script and have it contain iptables commands for the seven Snort rules mentioned above, execute fwsnort as follows:
[iptablesfw]# fwsnort --snort-sid 1332,1336,1338,1339,1341,1342,1360
[+] Parsing Snort rules files...
[+] Found sid: 1332 in web-attacks.rules
Successful translation.
[+] Found sid: 1336 in web-attacks.rules
Successful translation.
[+] Found sid: 1338 in web-attacks.rules
Successful translation.
...
[+] Logfile: /var/log/fwsnort.log
[+] Iptables script: /etc/fwsnort/fwsnort.sh
The output above indicates that the Snort rules are correctly translated into iptables rules (some output was abbreviated), and the fwsnort.sh script exists in the /etc/fwsnort directory. It is displayed below in its complete, unabbreviated form.
[iptablesfw]# cat /etc/fwsnort/fwsnort.sh
#!/bin/sh
#
########################################################################
#
# File: /etc/fwsnort/fwsnort.sh
#
# Purpose: This script was auto-generated by fwsnort and implements an
# iptables ruleset based upon Snort rules. For more information,
# see the fwsnort man page or the documentation available at
# http://www.cipherdyne.org/fwsnort.
#
❶ # Generated with: fwsnort --snort-sid 1332,1336,1338,1339,1341,1342,1360
# Generated on host: iptablesfw
# Generated at: Wed Jul 18 18:26:19 2007
#
# Author: Michael Rash
#
# Version: 1.0 (file revision: 381)
#
########################################################################
#

#==================== config ====================
ECHO=/bin/echo
IPTABLES=/sbin/iptables
#================== end config ==================

###
############ Create fwsnort iptables chains. ############
###
❷ $IPTABLES -N FWSNORT_FORWARD 2> /dev/null
$IPTABLES -F FWSNORT_FORWARD
$IPTABLES -N FWSNORT_FORWARD_ESTAB 2> /dev/null
$IPTABLES -F FWSNORT_FORWARD_ESTAB
$IPTABLES -N FWSNORT_INPUT 2> /dev/null
$IPTABLES -F FWSNORT_INPUT
$IPTABLES -N FWSNORT_INPUT_ESTAB 2> /dev/null
$IPTABLES -F FWSNORT_INPUT_ESTAB
$IPTABLES -N FWSNORT_OUTPUT 2> /dev/null
$IPTABLES -F FWSNORT_OUTPUT
$IPTABLES -N FWSNORT_OUTPUT_ESTAB 2> /dev/null
$IPTABLES -F FWSNORT_OUTPUT_ESTAB

###
############ Inspect ESTABLISHED tcp connections. ############
###
❸ $IPTABLES -A FWSNORT_FORWARD -p tcp -m state --state ESTABLISHED -j FWSNORT_FORWARD_ESTAB
$IPTABLES -A FWSNORT_INPUT -p tcp -m state --state ESTABLISHED -j FWSNORT_INPUT_ESTAB
$IPTABLES -A FWSNORT_OUTPUT -p tcp -m state --state ESTABLISHED -j FWSNORT_OUTPUT_ESTAB

###
############ web-attacks.rules ############
###
### alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/id command attempt"; flow:to_server,established; content:"/usr/bin/id"; nocase; classtype:web-application-attack; sid:1332; rev:5;)
❹ $IPTABLES -A FWSNORT_FORWARD_ESTAB -d 192.168.10.0/24 -p tcp --dport 80 -m string --string "/usr/bin/id" --algo bm -m comment --comment "msg: WEB-ATTACKS /usr/bin/id command attempt; classtype: web-application-attack; rev: 5; FWS:0.9.0;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[1] SID1332 ESTAB "
$IPTABLES -A FWSNORT_INPUT_ESTAB -p tcp --dport 80 -m string --string "/usr/bin/id" --algo bm -m comment --comment "msg: WEB-ATTACKS /usr/bin/id command attempt; classtype: web-application-attack; rev: 5; FWS:0.9.0;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[1] SID1332 ESTAB "
### alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chmod command attempt"; flow:to_server,established; content:"/bin/chmod"; nocase; classtype:web-application-attack; sid:1336; rev:5;)
$IPTABLES -A FWSNORT_FORWARD_ESTAB -d 192.168.10.0/24
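As an added example (not fwsnort's own code, which is written in Perl), the following Python sketch re-creates the translation visible in the listing above: a Snort rule's content, msg, classtype, sid and rev options become an iptables string-match rule in one of the *_ESTAB chains, with the Snort metadata carried in the comment match and the LOG prefix. The chain names, the 192.168.10.0/24 network, port 80 and the FWS:0.9.0 tag are taken from the generated fwsnort.sh; the function names and the one-line parser are assumptions of this example and handle only the option syntax the rules on this page use.

```python
# Added example, not fwsnort's code: reproduce the Snort -> iptables translation
# shown in fwsnort.sh for the simple content-match rules on this page.

# Snort rule as it appears in the ### comment above the SID 1332 iptables rules
SID_1332_RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
                 '(msg:"WEB-ATTACKS /usr/bin/id command attempt"; '
                 'flow:to_server,established; content:"/usr/bin/id"; nocase; '
                 'classtype:web-application-attack; sid:1332; rev:5;)')


def parse_snort_rule(rule):
    """Split a one-line Snort rule into a header dict and an options dict.

    Options are split on ';' (so a content containing ';' is not handled);
    bare flags such as 'nocase' are recorded as True.
    """
    header, _, body = rule.strip().partition("(")
    _action, proto, _src, _sport, _arrow, _dst, dport = header.split()
    opts = {}
    for tok in body.rstrip(")").split(";"):
        tok = tok.strip()
        if tok:
            key, sep, val = tok.partition(":")
            opts[key] = val.strip().strip('"') if sep else True
    return {"proto": proto, "dport": dport}, opts


def to_iptables(rule, chain="FWSNORT_INPUT_ESTAB", dst_net=None,
                http_port="80", fws_ver="0.9.0", rule_num=1):
    """Render one iptables command in the format fwsnort.sh uses for this rule."""
    hdr, opts = parse_snort_rule(rule)
    # flow:...,established is what places the rule in a *_ESTAB chain, which
    # fwsnort.sh only reaches via the '-m state --state ESTABLISHED' jumps
    if "established" not in opts.get("flow", ""):
        raise ValueError("only established-flow rules are handled here")
    dport = http_port if hdr["dport"] == "$HTTP_PORTS" else hdr["dport"]
    parts = ["$IPTABLES", "-A", chain]
    if dst_net:  # FORWARD-chain rules pin the protected network with -d
        parts += ["-d", dst_net]
    # the generated rules on this page carry no --icase, so 'nocase' is dropped
    parts += ["-p", hdr["proto"], "--dport", dport, "-m", "string",
              "--string", f'"{opts["content"]}"', "--algo", "bm"]
    comment = (f'msg: {opts["msg"]}; classtype: {opts["classtype"]}; '
               f'rev: {opts["rev"]}; FWS:{fws_ver};')
    parts += ["-m", "comment", "--comment", f'"{comment}"', "-j", "LOG",
              "--log-ip-options", "--log-tcp-options",
              "--log-prefix", f'"[{rule_num}] SID{opts["sid"]} ESTAB "']
    return " ".join(parts)


if __name__ == "__main__":
    print(to_iptables(SID_1332_RULE, "FWSNORT_FORWARD_ESTAB", "192.168.10.0/24"))
    print(to_iptables(SID_1332_RULE))
```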