Running fwsnort

With fwsnort installed on a system that offers string-match support in the kernel, we can now put fwsnort to work for us. Without further ado, we fire up fwsnort from the command line. Normally, fwsnort is executed as root because by default it queries iptables in order to determine which extensions are available in the running kernel, and then it tailors the translation process accordingly[1] (some output below is abbreviated):

[iptablesfw]# fwsnort

    Snort Rules File          Success   Fail   Ipt_apply   Total
[+] attack-responses.rules         15      2           0      17
[+] backdoor.rules                 62      7           1      69
[+] bad-traffic.rules              10      3           0      13
[+] bleeding-all.rules           1076    573           5    1649
[+] exploit.rules                  31     43           0      74
[+] web-cgi.rules                 286     62           0     348
[+] web-client.rules                7     10           0      17
[+] web-coldfusion.rules           35      0           0      35
[+] web-frontpage.rules            34      1           0      35
[+] web-iis.rules                 103     11           0     114
[+] web-misc.rules                265     61           0     326
[+] web-php.rules                  78     48           0     126
[+] x11.rules                       2      0           0       2
                                 2725   1761          91    4486

[+] Generated iptables rules for 2725 out of 4486 signatures: 60.74%

[+] Found 91 applicable snort rules to your current iptables policy.

[+] Iptables script: /etc/fwsnort/fwsnort.sh


One of the first things to notice about the fwsnort output is that for each Snort rules file, counters are printed for the number of successfully and unsuccessfully translated rules (Success and Fail), the number of rules that are applicable to the running iptables policy (Ipt_apply), and the total number of Snort rules in the rules file (Total).

At the end of the output above, fwsnort prints the total number of Snort rules that could be successfully translated (2,725 out of 4,486). The 60 percent translation rate is obtainable on any Linux system whose kernel has been compiled with support for the iptables string, length, tos, ttl, and ipv4options matches.

You'll also see printed at the end of the fwsnort output the sentence Found 91 applicable snort rules to your current iptables policy. This message indicates that fwsnort has parsed the iptables ruleset that is currently running on the system in order to throw away those Snort rules that iptables would not allow through in the first place. For example, if the iptables policy does not allow connections to an internal HTTP server, then it is of little use to translate Snort rules that deal with inbound HTTP connections initiated from the external network; hence, fwsnort omits such rules from the translation process.

[1] Note that any non-root user with the CAP_NET_ADMIN capability can also execute iptables commands.

NOTE Because the policies constructed by iptables commands can be complex and tricky to parse, fwsnort may not always correctly determine whether an arbitrary type of traffic will be allowed through. You can use the fwsnort --no-ipt-sync command-line option to force the translation of as many Snort rules as possible without referencing the underlying iptables policy.
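The policy-sync step described above, written out as an added example in Python. This is not fwsnort's own code (fwsnort queries the live iptables policy itself); it assumes a policy in iptables-save format, consults only the INPUT chain, and treats a Snort rule as applicable when some ACCEPT rule would admit a new connection to the rule's destination protocol and port. The sample policy and the $HTTP_PORTS-style variable bindings are constructed for the example, and the cases a simple parser cannot rule out (default-ACCEPT chains, bidirectional rules, negated ports) are kept rather than discarded, which is the conservative side of the caveat in the note above.

```python
"""Applicability check in the spirit of fwsnort's Ipt_apply counter.

Added example, not fwsnort's own code.  Assumptions: policy text is in
iptables-save format, only the INPUT chain is examined, and a Snort rule
is "applicable" when some ACCEPT rule would admit a new connection to the
rule's destination protocol and port.  The policy and the $VAR bindings
below are constructed for the example.
"""
import re

# Constructed iptables-save dump: default-DROP INPUT chain that admits only
# loopback, established traffic, SSH, HTTP and DNS.
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""

# Constructed Snort variable bindings (normally taken from snort.conf).
SNORT_VARS = {"EXTERNAL_NET": "any", "HOME_NET": "any",
              "HTTP_SERVERS": "any", "HTTP_PORTS": "80"}


def port_range(spec):
    """'80' -> (80, 80); '8000:8080' -> (8000, 8080)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def parse_input_policy(policy_text):
    """Return (default_target, accepts) for the INPUT chain.

    accepts is a list of (proto, ranges); ranges is a list of (lo, hi)
    destination-port tuples, or None when the rule has no port match.
    Rules that cannot admit a new inbound connection (loopback-only,
    ESTABLISHED/RELATED-only) are left out.
    """
    default, accepts = "DROP", []
    for line in policy_text.splitlines():
        if line.startswith(":INPUT"):
            default = line.split()[1]
        if not line.startswith("-A INPUT") or "-j ACCEPT" not in line:
            continue
        if "-i lo" in line:
            continue
        state = re.search(r"--state (\S+)", line)
        if state and "NEW" not in state.group(1).split(","):
            continue
        proto = re.search(r"-p (\w+)", line)
        ports = re.search(r"--dports? ([\d:,]+)", line)
        accepts.append((
            proto.group(1) if proto else "any",
            [port_range(p) for p in ports.group(1).split(",")] if ports else None,
        ))
    return default, accepts


def parse_snort_header(rule, variables=SNORT_VARS):
    """Return (proto, direction, dst_port) from a Snort rule, expanding $VARs."""
    fields = rule.split("(", 1)[0].split()
    _action, proto, _src, _sport, direction, _dst, dport = fields[:7]
    if dport.startswith("$"):
        dport = variables.get(dport[1:], "any")   # unknown var: assume any
    return proto, direction, dport


def rule_is_applicable(rule, policy_text=IPTABLES_SAVE, variables=SNORT_VARS):
    """True if the INPUT policy could let the rule's traffic through."""
    default, accepts = parse_input_policy(policy_text)
    proto, direction, dport = parse_snort_header(rule, variables)
    # Conservative: what this simplified check cannot rule out is kept.
    if default == "ACCEPT" or direction == "<>" or dport.startswith("!"):
        return True
    wanted = None if dport == "any" else [port_range(p) for p in dport.strip("[]").split(",")]
    for acc_proto, acc_ranges in accepts:
        if acc_proto not in ("any", proto) and proto != "ip":
            continue
        if acc_ranges is None or wanted is None:
            return True
        if any(a <= hi and b >= lo for a, b in acc_ranges for lo, hi in wanted):
            return True
    return False


def count_applicable(rules, policy_text=IPTABLES_SAVE):
    """Ipt_apply-style count for a list of Snort rules."""
    return sum(rule_is_applicable(r, policy_text) for r in rules)


if __name__ == "__main__":
    sample = [
        'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC test"; content:"foo";)',
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP test";)',
        'alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS test";)',
    ]
    for r in sample:
        print(rule_is_applicable(r), r.split("(")[0])
    print("Ipt_apply:", count_applicable(sample))
```

Run against the constructed policy, the HTTP and DNS rules are kept and the FTP rule is dropped, because nothing in the INPUT chain accepts new connections to TCP port 21. Swapping the chain policy to ACCEPT makes every rule applicable, which is the same effect as running fwsnort with --no-ipt-sync.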

Finally, the fwsnort output displays two file paths: /var/log/fwsnort.log and /etc/fwsnort/fwsnort.sh.

The fwsnort.log file contains information about the translation process and can be used to determine the reason for the unsuccessful translation of particular Snort rules. For example, the Snort rule identified by SID 2003306 within the bleeding-all.rules file contains the Snort pcre option and is therefore incompatible with iptables, whose string match looks for fixed byte sequences and cannot evaluate a regular expression. The incompatibility is noted in a log entry within the fwsnort.log file:

[-] SID: 2003306 Unsupported option: "pcre" at line: 120. Skipping rule.
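To find out which rules were skipped and why without reading the log by hand, the entries can be tallied by the offending option. The following is an added example, not part of fwsnort; the log lines it contains are constructed in the shape of the entry shown above, and the option name other than "pcre" in the sample is a placeholder that says nothing about what fwsnort actually supports.

```python
"""Summarise skipped rules from fwsnort.log entries.

Added example, not fwsnort code.  The log text below is constructed in the
shape of the "[-] SID: ... Unsupported option: ..." entry; the option name
"byte_jump" is a placeholder for the example only.
"""
import re
from collections import defaultdict

# Constructed sample log.
FWSNORT_LOG = """\
[-] SID: 2003306 Unsupported option: "pcre" at line: 120. Skipping rule.
[-] SID: 2003307 Unsupported option: "pcre" at line: 121. Skipping rule.
[-] SID: 2001579 Unsupported option: "byte_jump" at line: 410. Skipping rule.
[-] SID: 2042 Unsupported option: "pcre" at line: 57. Skipping rule.
"""

SKIP_RE = re.compile(
    r'^\[-\] SID: (\d+) Unsupported option: "([^"]+)" at line: (\d+)\.')


def parse_skipped(log_text):
    """Return a list of (sid, option, rules_file_line) for each skipped rule."""
    out = []
    for line in log_text.splitlines():
        m = SKIP_RE.match(line)
        if m:                       # anything else in the log is ignored
            out.append((int(m.group(1)), m.group(2), int(m.group(3))))
    return out


def skipped_by_option(log_text):
    """Map each unsupported option to the sorted SIDs it blocked."""
    groups = defaultdict(list)
    for sid, option, _ in parse_skipped(log_text):
        groups[option].append(sid)
    return {option: sorted(sids) for option, sids in groups.items()}


def why_skipped(sid, log_text=FWSNORT_LOG):
    """Return the option that kept SID out of fwsnort.sh, or None if none did."""
    for skipped_sid, option, _ in parse_skipped(log_text):
        if skipped_sid == sid:
            return option
    return None


if __name__ == "__main__":
    for option, sids in skipped_by_option(FWSNORT_LOG).items():
        print(f"{option}: {len(sids)} rule(s) -> {sids}")
    print("SID 2003306 skipped because of:", why_skipped(2003306))
```

The per-option counts are the quickest way to see how much of the Fail column for a rules file comes from pcre alone, and why_skipped answers the question for a single SID that you expected to find in fwsnort.sh.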

NOTE The fwsnort.sh script is the real "meat and potatoes" of fwsnort; it's a Bourne shell script generated by fwsnort that is responsible for implementing the necessary iptables commands to construct the equivalent iptables policy. The internals of this script are discussed in "Structure of fwsnort.sh" on page 179, and a complete fwsnort.sh script can be found in Appendix B.
