Installing fwsnort

Like psad, fwsnort comes bundled with its own installation program, install.pl. This program handles all aspects of installation, including preserving configurations from a previous installation of fwsnort, installing two Perl modules (Net::IPv4Addr and IPTables::Parse), and (optionally) downloading the latest Bleeding Snort signature set from http://www.bleedingsnort.com. You can also install fwsnort from the RPM if you are running an RPM-based Linux distribution.

NOTE As of March 2005, the Snort signature ruleset is only available as part of a for-pay service. Before that date, the Snort rules were available for free from the Snort website (http://www.snort.org). Many security applications (including fwsnort) took advantage of the free rules by providing an automatic update feature to synchronize with the latest Snort rules. While automatically updating in this way is no longer possible, as of this writing the latest Snort rulesets distributed by the Bleeding Snort project are still available for (free) download.

The fwsnort installer places the Net::IPv4Addr and IPTables::Parse Perl modules within the directory /usr/lib/fwsnort so as not to clutter the system Perl library tree. (This is similar to the installation strategy implemented by psad, as discussed in Chapter 5.)

To use fwsnort, the running kernel must support the iptables string-matching extension. If you are running kernel version 2.6.14 or later, string matching may already be compiled into your kernel.

An easy way to check to see if the running kernel supports the string-matching extension is to attempt to create a string-matching iptables rule against a nonexistent IP address (so that any real network communications are not disrupted), like so:

[iptablesfw]# iptables -I INPUT 1 -i lo -d 127.0.0.2 -m string --string "testing" --algo bm -j ACCEPT

If the error iptables: no chain/target/match by that name is returned, then the extension is not available in the running kernel. This can be fixed by enabling the CONFIG_NETFILTER_XT_MATCH_STRING option in the kernel configuration file, recompiling, and then booting into the new kernel (see "Kernel Configuration" on page 14 for recommended iptables kernel compilation options). If the command above succeeds, then iptables string matching is compatible with your kernel, and you should delete the new rule:

[iptablesfw]# iptables -D INPUT 1
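The probe above, wrapped as a reusable shell check that inserts the harmless loopback rule, classifies the outcome, and removes exactly the rule it added. This is an added example, not code from the book or from fwsnort; the IPTABLES override variable and the STRING_RULE spec are assumptions made for the example.

```shell
#!/bin/sh
# Probe for the iptables "string" match extension using the technique in
# the text: insert a harmless rule against 127.0.0.2 on loopback, then
# remove it.  Added example, not code from the book or from fwsnort.
# IPTABLES may be overridden to point the probe at a wrapper or a stub
# (an assumption made for this example; the default is the real binary).
IPTABLES="${IPTABLES:-iptables}"

# One rule specification for both insert and delete, so the cleanup
# removes exactly this rule rather than whatever is first in INPUT.
STRING_RULE='-i lo -d 127.0.0.2 -m string --string testing --algo bm -j ACCEPT'

# Returns 0 if the extension is available, 1 if the kernel lacks it
# (the "no chain/target/match by that name" error), 2 for any other
# failure such as not running as root or iptables being absent.
check_string_match() {
    # $STRING_RULE is deliberately unquoted so it splits into arguments.
    if err=$("$IPTABLES" -I INPUT 1 $STRING_RULE 2>&1); then
        "$IPTABLES" -D INPUT $STRING_RULE >/dev/null 2>&1
        return 0
    fi
    case "$err" in
        *"chain/target/match by that name"*) return 1 ;;
        *) return 2 ;;
    esac
}

# Prints a verdict matching the advice in the text and returns the
# probe's status code.
string_match_verdict() {
    rc=0
    check_string_match || rc=$?
    case "$rc" in
        0) echo "string match available: fwsnort can be used on this kernel" ;;
        1) echo "string match missing: enable CONFIG_NETFILTER_XT_MATCH_STRING, rebuild, reboot" ;;
        *) echo "probe failed for another reason: $err" ;;
    esac
    return "$rc"
}

# Run the probe only when invoked as: sh probe.sh --check (needs root).
case "${1:-}" in
    --check) string_match_verdict ;;
esac
```

Deleting by the full rule specification rather than by position avoids removing an unrelated rule that another process inserted at the top of INPUT in the meantime.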

To install fwsnort-1.0, execute the following commands. (This installer output is somewhat abbreviated but shows the various files that partition the original Snort ruleset, such as backdoor.rules and web-cgi.rules.)

[iptablesfw]$ cd /usr/local/src
[iptablesfw]$ wget http://www.cipherdyne.org/fwsnort/download/fwsnort-1.0.tar.bz2
[iptablesfw]$ wget http://www.cipherdyne.org/fwsnort/download/fwsnort-1.0.tar.bz2.md5
[iptablesfw]$ wget http://www.cipherdyne.org/fwsnort/download/fwsnort-1.0.tar.bz2.asc
[iptablesfw]$ md5sum -c fwsnort-1.0.tar.bz2.md5
fwsnort-1.0.tar.bz2: OK
[iptablesfw]$ gpg --verify fwsnort-1.0.tar.bz2.asc
gpg: Signature made Sat 21 Apr 2007 09:29:02 AM EDT using DSA key ID A742839F
gpg: Good signature from "Michael Rash <[email protected]>"
gpg:                 aka "Michael Rash <[email protected]>"
[iptablesfw]$ tar xfj fwsnort-1.0.tar.bz2
Password:
[iptablesfw]# cd /usr/local/src/fwsnort-1.0
[iptablesfw]# ./install.pl
[+] mkdir /etc/fwsnort
[+] mkdir /etc/fwsnort/snort_rules
[+] Installing the Net::IPv4Addr Perl module
[+] Installing the IPTables::Parse Perl module
[+] Would you like to download the latest Snort rules from
    http://www.bleedingsnort.com? ([y]/n)? y

--22:01:11--  http://www.bleedingsnort.com/bleeding-all.rules
           => `bleeding-all.rules'
Resolving www.bleedingsnort.com... 69.44.153.29
Connecting to www.bleedingsnort.com[69.44.153.29]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 292,192 [text/plain]

100%[======================================>] 292,192      109.94K/s

22:01:17 (109.77 KB/s) - `bleeding-all.rules' saved [292,192/292,192]
[+] Copying all rules files to /etc/fwsnort/snort_rules
[+] Installing snmp.rules
[+] Installing finger.rules
[+] Installing info.rules
[+] Installing ddos.rules
[+] Installing virus.rules
[+] Installing icmp.rules
[+] Installing dns.rules
[+] Installing rpc.rules
[+] Installing backdoor.rules
[+] Installing scan.rules
[+] Installing shellcode.rules
[+] Installing web-client.rules
[+] Installing web-cgi.rules
[+] Installing exploit.rules
[+] Installing attack-responses.rules
[+] Installing web-attacks.rules
[+] Installing fwsnort.8 man page as /usr/share/man/man8/fwsnort
[+] Compressing manpage /usr/share/man/man8/fwsnort.8
[+] Copying fwsnort.conf -> /etc/fwsnort/fwsnort.conf
[+] Copying fwsnort -> /usr/sbin/fwsnort
[+] fwsnort will generate an iptables script located at:
    /etc/fwsnort/fwsnort.sh when executed.
[+] fwsnort has been successfully installed!
