Configuration File for fwsnort

The main configuration file for fwsnort, /etc/fwsnort/fwsnort.conf, defines networks, port numbers, paths to system binaries (such as the path to iptables), and other key pieces of information needed for proper execution.

As with psad, the fwsnort.conf file follows a simple key/value format, and many of the keywords and semantics are identical to those in Snort's own configuration file. For example, both HOME_NET and EXTERNAL_NET default to the wildcard value any, and lists of IP addresses and/or networks are enclosed within square brackets. (Nearly all Snort rules use some combination of HOME_NET and EXTERNAL_NET.) Variable resolution is also supported: HTTP_SERVERS maps to $HOME_NET, which in turn maps to a specific network (or networks) or to the wildcard value any. Because fwsnort turns these variables into the source and destination addresses of iptables rules, a typo in a variable reference or a HOME_NET that does not match the network behind the firewall silently produces rules that never fire, so the values below deserve a careful look before any rules are generated.

You'll find a complete example fwsnort.conf file below (and at http://www.cipherdyne.org/LinuxFirewalls), and all fwsnort usage examples in this book reference this configuration file. In this case, the network protected by the iptables firewall on which fwsnort is deployed is the Class C network 192.168.10.0/24 (see Figure 1-2), so we set HOME_NET accordingly.

[iptablesfw]# cat /etc/fwsnort/fwsnort.conf
# This is the configuration file for fwsnort. There are some similarities
# between this file and the configuration file for Snort.

### fwsnort treats all traffic directed to / originating from the local
### machine as going to / coming from the HOME_NET in Snort rule parlance.
### If there is only one interface on the local system, then there will be
### no rules processed via the FWSNORT_FORWARD chain because no traffic
### would make it into the iptables FORWARD chain.
HOME_NET                192.168.10.0/24;
EXTERNAL_NET            any;

### List of servers. fwsnort supports the same variable resolution as Snort.
HTTP_SERVERS            $HOME_NET;
SMTP_SERVERS            $HOME_NET;
DNS_SERVERS             $HOME_NET;
SQL_SERVERS             $HOME_NET;
TELNET_SERVERS          $HOME_NET;
AIM_SERVERS             [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24,
                         64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24,
                         205.188.9.0/24];

### Configurable port numbers
SSH_PORTS               22;
HTTP_PORTS              80;
SHELLCODE_PORTS         !80;
ORACLE_PORTS            1521;

### Define average packet lengths and maximum frame length. This is used
### for iptables length match emulation of the Snort dsize option.
AVG_IP_HEADER_LEN       20;     ### IP options are not usually used.
AVG_TCP_HEADER_LEN      40;     ### Includes options
MAX_FRAME_LEN           1500;

### Use the WHITELIST variable to define a list of hosts/networks that
### should be completely ignored by fwsnort. For example, if you want
### to whitelist the IP address 192.168.10.1 and the network 10.1.1.0/24,
### you will use (note that you can also specify multiple WHITELIST
### variables, one per line):
#WHITELIST              192.168.10.1, 10.1.1.0/24;
WHITELIST               NONE;

### Use the BLACKLIST variable to define a list of hosts/networks
### for which fwsnort should DROP or REJECT all traffic. For
### example, to DROP all traffic from the 192.168.10.0/24 network,
### you can use:
### BLACKLIST            192.168.10.0/24 DROP;
### To have fwsnort REJECT all traffic from 192.168.10.0/24,
### you would use:
### BLACKLIST            192.168.10.0/24 REJECT;
BLACKLIST               NONE;

### Define the jump position in the built-in chains to jump to
FWSNORT_INPUT_JUMP      1;
FWSNORT_OUTPUT_JUMP     1;
FWSNORT_FORWARD_JUMP    1;

### iptables chains (these do not normally need to be changed)
FWSNORT_INPUT           FWSNORT_INPUT;
FWSNORT_INPUT_ESTAB     FWSNORT_INPUT_ESTAB;
FWSNORT_OUTPUT          FWSNORT_OUTPUT;
FWSNORT_OUTPUT_ESTAB    FWSNORT_OUTPUT_ESTAB;
FWSNORT_FORWARD         FWSNORT_FORWARD;
FWSNORT_FORWARD_ESTAB   FWSNORT_FORWARD_ESTAB;

### System binaries
shCmd                   /bin/sh;
echoCmd                 /bin/echo;
tarCmd                  /bin/tar;
wgetCmd                 /usr/bin/wget;
unameCmd                /usr/bin/uname;
ifconfigCmd             /sbin/ifconfig;
iptablesCmd             /sbin/iptables;
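The listing above uses the key/value format and the $VAR resolution described at the start of this section. The following Python is an added example, not fwsnort's own parser: it reads a constructed excerpt of that file, resolves variable references recursively (HTTP_SERVERS to $HOME_NET to 192.168.10.0/24), and reports any reference to an undefined variable or any reference cycle, which is the check you want after editing HOME_NET or the server lists by hand. The sample text, the function names, and the handling of comments and multi-line lists are assumptions made for this illustration.

```python
"""Parse the fwsnort.conf key/value format and resolve $VAR references.

Added example, not fwsnort's own parser.  SAMPLE_CONF is a constructed
excerpt in the style of the configuration listing above.
"""
import re

SAMPLE_CONF = """
# This is the configuration file for fwsnort.
### Statements end with ';' and may carry a trailing comment.
HOME_NET            192.168.10.0/24;
EXTERNAL_NET        any;
HTTP_SERVERS        $HOME_NET;
SQL_SERVERS         $HOME_NET;
AIM_SERVERS         [64.12.24.0/24, 64.12.25.0/24,
                     64.12.161.0/24];
HTTP_PORTS          80;
SHELLCODE_PORTS     !80;
AVG_IP_HEADER_LEN   20;   ### IP options are not usually used.
WHITELIST           NONE;
iptablesCmd         /sbin/iptables;
"""

# A $VAR reference: '$' followed by an identifier (assumed syntax).
VAR_REF = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')


def parse_conf(text):
    """Return {KEY: raw value} for every 'KEY value;' statement.

    Comments run from '#' to end of line and are dropped first, so a
    comment after the ';' is harmless.  A bracketed list may span lines
    because the statements are split on ';' only after the lines are joined.
    """
    code = [line.split('#', 1)[0].strip() for line in text.splitlines()]
    conf = {}
    for stmt in ' '.join(c for c in code if c).split(';'):
        stmt = stmt.strip()
        if not stmt:
            continue
        parts = re.split(r'\s+', stmt, maxsplit=1)
        if len(parts) != 2:
            raise ValueError(f'malformed statement: {stmt!r}')
        key, value = parts
        conf[key] = value.strip()
    return conf


def resolve(conf, key, _chain=()):
    """Return conf[key] with every $VAR reference replaced, recursively.

    A reference to an undefined variable or a reference cycle raises
    instead of quietly yielding an empty or wrong address list, which
    would otherwise surface only as rules that never match.
    """
    if key in _chain:
        raise ValueError('circular reference: ' + ' -> '.join(_chain + (key,)))
    if key not in conf:
        raise KeyError(f'{key} is referenced but never defined')
    chain = _chain + (key,)
    return VAR_REF.sub(lambda m: resolve(conf, m.group(1), chain), conf[key])


def as_list(value):
    """Split 'any', 'a.b.c.d/24' or '[x, y, z]' into its comma-separated items."""
    value = value.strip()
    if value.startswith('[') and value.endswith(']'):
        value = value[1:-1]
    return [item.strip() for item in value.split(',') if item.strip()]


def check_references(conf):
    """Resolve every variable once and return the keys that fail to resolve."""
    bad = []
    for key in conf:
        try:
            resolve(conf, key)
        except (KeyError, ValueError):
            bad.append(key)
    return bad


if __name__ == '__main__':
    conf = parse_conf(SAMPLE_CONF)
    for key in ('HTTP_SERVERS', 'SQL_SERVERS', 'AIM_SERVERS', 'EXTERNAL_NET'):
        print(f'{key:14} -> {as_list(resolve(conf, key))}')
    print('unresolvable:', check_references(conf))
```

Run check_references() against the real file before generating rules; an empty list means every $VAR reference in the server and port variables resolves to a concrete value.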

The AVG_IP_HEADER_LEN and AVG_TCP_HEADER_LEN variables set the average lengths of the IP and TCP headers. This is necessary because the iptables length match counts bytes from the start of the IP header, whereas the Snort dsize option applies only to the application-layer data in a packet. By adding the assumed header lengths to the dsize bounds, fwsnort can approximate dsize during the translation process. Because real headers vary (IP options are rare, but TCP options such as timestamps and SACK blocks add anywhere from 0 to 40 bytes), the emulation is only approximate near the boundaries: a packet whose actual headers are shorter or longer than the averages can be matched or missed where the Snort rule would decide the other way. If your traffic consistently carries a particular option set, adjust AVG_TCP_HEADER_LEN to match it.
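To make the shift concrete, here is an added example (not fwsnort's translation routine) that turns a Snort dsize expression into the MIN:MAX range an iptables -m length --length match needs, using the header-length constants from the listing above. The UDP and ICMP header sizes, the choice of 0 as the lower bound for dsize:<N, and the assumed dsize semantics (strict < and >, inclusive min<>max) are assumptions made for this illustration; check them against the Snort version whose rules you translate.

```python
"""Approximate the Snort dsize option with the iptables length match.

Added example, not fwsnort's own code.  The AVG_* and MAX_FRAME_LEN values
are those from the fwsnort.conf listing above; everything else is assumed.
"""
import re

AVG_IP_HEADER_LEN = 20     # from fwsnort.conf: IP options are rare
AVG_TCP_HEADER_LEN = 40    # from fwsnort.conf: 20 base bytes plus options
MAX_FRAME_LEN = 1500       # from fwsnort.conf
UDP_HEADER_LEN = 8         # assumption: fixed-size UDP header
ICMP_HEADER_LEN = 8        # assumption: echo/unreachable header size


def header_overhead(proto):
    """Bytes that precede the payload as seen by 'iptables -m length'.

    The length match counts from the first byte of the IP header, while
    Snort dsize counts payload bytes only, so dsize bounds must be shifted
    by this amount.
    """
    overhead = {
        'tcp': AVG_IP_HEADER_LEN + AVG_TCP_HEADER_LEN,
        'udp': AVG_IP_HEADER_LEN + UDP_HEADER_LEN,
        'icmp': AVG_IP_HEADER_LEN + ICMP_HEADER_LEN,
    }
    try:
        return overhead[proto.lower()]
    except KeyError:
        raise ValueError(f'unsupported protocol: {proto!r}') from None


def dsize_to_length(dsize, proto):
    """Translate a Snort dsize value into an iptables 'MIN:MAX' length range.

    Accepted forms: 'N', '>N', '<N', 'N<>M'.  Bounds are shifted by the
    assumed header overhead and clamped to MAX_FRAME_LEN.  A range that can
    never match on the wire raises ValueError so the caller does not emit a
    rule that silently never fires.
    """
    dsize = dsize.strip()
    ovh = header_overhead(proto)

    m = re.fullmatch(r'(\d+)\s*<>\s*(\d+)', dsize)
    if m:                                   # inclusive payload range (assumed)
        lo, hi = int(m.group(1)) + ovh, int(m.group(2)) + ovh
    elif re.fullmatch(r'>\s*\d+', dsize):   # strictly greater than N (assumed)
        lo, hi = int(dsize[1:]) + ovh + 1, MAX_FRAME_LEN
    elif re.fullmatch(r'<\s*\d+', dsize):   # strictly less than N (assumed)
        # Lower bound 0 rather than ovh: a packet with shorter-than-average
        # headers would otherwise be missed even though Snort would match it.
        lo, hi = 0, int(dsize[1:]) + ovh - 1
    elif re.fullmatch(r'\d+', dsize):       # exact payload size
        lo = hi = int(dsize) + ovh
    else:
        raise ValueError(f'unrecognised dsize expression: {dsize!r}')

    hi = min(hi, MAX_FRAME_LEN)
    if lo > hi:
        raise ValueError(f'dsize {dsize!r} on {proto} can never match '
                         f'(length range {lo}:{hi})')
    return f'{lo}:{hi}'


def iptables_length_match(dsize, proto):
    """Return the iptables match fragment for the translated range."""
    return f'-p {proto.lower()} -m length --length {dsize_to_length(dsize, proto)}'


if __name__ == '__main__':
    for expr, proto in (('>300', 'tcp'), ('<100', 'udp'), ('300<>400', 'tcp')):
        print(f'dsize:{expr}; ({proto}) -> {iptables_length_match(expr, proto)}')
```

For dsize:>300 on TCP the shift is 20 + 40 bytes, so the match becomes --length 361:1500; a TCP segment carrying 300 payload bytes but only a 20-byte TCP header is 340 bytes on the wire and would be missed, which is exactly the boundary effect the text warns about.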

The WHITELIST and BLACKLIST variables let you exempt hosts or networks from all fwsnort inspection, or DROP or REJECT all of their traffic outright; see "Setting Up Whitelists and Blacklists" on page 191.

The FWSNORT_INPUT_JUMP, FWSNORT_OUTPUT_JUMP, and FWSNORT_FORWARD_JUMP variables define the position of the jump rule into the fwsnort chains within each of the built-in chains. By default the jump rule is the very first rule in each chain, so every packet that reaches INPUT, OUTPUT, or FORWARD is inspected by fwsnort before any other rule in your policy sees it, but you can alter this by changing these variables. This is not usually necessary unless you have an iptables policy with inspection or filtering requirements that must be met before fwsnort has a chance to inspect packets (for example, a rule that must ACCEPT traffic from a management host before any fwsnort rule could DROP it). After the policy is loaded, iptables -nL INPUT --line-numbers shows where the jump to FWSNORT_INPUT actually landed.
