From: Michael Rash <cipherdyne@ya...> - 2003-04-21 03:14:45
Hi all -
Over the past couple of months I have translated the
snort2iptables script written by William Stearns into
perl and added a few things:
-A custom patch to iptables itself that adds a
--hex-string option to the iptables string match
module. Using this patch it is possible to take the
content fields directly from snort rules and put them
into iptables rulesets without any modification. (A
preliminary version of this patch has been accepted by
the iptables maintainers for iptables-1.2.8). For
iptables -A FORWARD -p tcp --dport 80 -m string
--hex-string "|2e 2e 2e 2e 2f|" --log-prefix "SID966 "
-fwsnort uses the IPTables::Parse module to only
generate iptables rules for snort signatures the
firewall might actually allow through.
-fwsnort can be used to translate a single snort rule
with the --snort-sid option.
The psad-1.1 release will generate alerts for any log
messages generated by fwsnort, and the alerts will
include the matched content data. For example:
-=-=-=-=-=-=-= Sun Apr 20 22:42:39 2003 -=-=-=-=-=-=-=
-**- psad: Suspicious traffic detected against orthanc
Source DNS: xxx.netnation.com
Danger level:  (out of 5)
Current interval: Sun Apr 20 22:42:38 2003
Sun Apr 20 22:42:39 2003 (end)
ICMP packets: 
Overall stats since: Sun Apr 20 22:42:38 2003
Total TCP packets: 0
Total UDP packets: 0
Total ICMP packets: 3
---- ICMP scan signatures ----
"ICMP PING BSDtype"
content: "|08 09 0a 0b 0c 0d 0e 0f 10 11 12
13 14 15 16 17|"
The code is here:
NOTE: fwsnort is meant to make it possible to detect
as many snort rules as possible by using just iptables
rules. However, it does not have several of the advanced
features of snort such as stream reassembly,
preprocessor support, etc.
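As an added illustration of the translation the post describes (my own example, not fwsnort's or iptables' code): a small Python translator that takes one snort alert rule, decodes its content field (literal text outside the pipes, hex bytes inside them) and emits an iptables rule in the shape shown above, with the content rendered in the |xx xx| form --hex-string accepts. The sample rule is constructed, and the "-j LOG" target is assumed because --log-prefix is a LOG-target option that the post's one-line example leaves out.

```python
import re
import shlex

# Constructed sample rule in snort syntax, modelled on the SID966 "..../" example in the post.
SNORT_RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 '
              '(msg:"WEB-IIS ..../ access"; content:"|2e 2e 2e 2e 2f|"; sid:966;)')

def content_to_bytes(content):
    """Decode a snort content field: text outside |...| is literal,
    text inside |...| is space-separated hex bytes."""
    out = bytearray()
    for i, part in enumerate(content.split('|')):
        if i % 2 == 0:
            out += part.encode('latin-1')
        else:
            out += bytes.fromhex(part.replace(' ', ''))
    return bytes(out)

def bytes_to_hex_string(data):
    """Render bytes in the all-hex |xx xx| form that --hex-string accepts."""
    return '|' + ' '.join('%02x' % b for b in data) + '|'

def snort_to_iptables(rule, chain='FORWARD'):
    """Translate one snort 'alert' rule into an iptables argument list.
    Only protocol, destination port, content and sid are used, which is
    the subset the post's example needs (no flags/ttl/dsize options)."""
    hdr = re.match(r'^\s*alert\s+(tcp|udp|icmp)\s+\S+\s+\S+\s+->\s+\S+\s+(\S+)\s*\((.*)\)\s*$', rule)
    if not hdr:
        raise ValueError('unsupported snort rule: ' + rule)
    proto, dport, body = hdr.groups()
    # option values are either quoted ("...") or bare (sid:966); a ';' inside quotes is not handled
    opts = dict(re.findall(r'(\w+)\s*:\s*"?([^";]*)"?\s*;', body))
    if 'content' not in opts or 'sid' not in opts:
        raise ValueError('rule has no content/sid to translate')
    # normalise mixed literal/hex content to all-hex so shell quoting is never an issue
    hexstr = bytes_to_hex_string(content_to_bytes(opts['content']))
    args = ['iptables', '-A', chain, '-p', proto]
    if proto != 'icmp' and dport != 'any':
        args += ['--dport', dport]
    args += ['-m', 'string', '--hex-string', hexstr,
             '-j', 'LOG', '--log-prefix', 'SID%s ' % opts['sid']]  # -j LOG is assumed
    return args

if __name__ == '__main__':
    print(shlex.join(snort_to_iptables(SNORT_RULE)))
```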