fwsnort 0.8.1 review

by rbytes.net on

fwsnort parses the rules files included in the snort intrusion detection system and builds an equivalent iptables ruleset for as many

License: GPL (GNU General Public License)
File size: 156K
Developer: Michael Rash
0 stars award from rbytes.net

fwsnort parses the rules files included in the snort intrusion detection system and builds an equivalent iptables ruleset for as many rules as possible.

fwsnort accepts command line arguments to restrict processing to any particular class of snort rules such as "ddos", "backdoor", or "web-attacks". Processing can even be restricted to a specific snort rule as identified by its "snort id" or "sid".

fwsnort utilizes the iptables string match module (together with a custom patch that adds a --hex-string option to the iptables user space code) to detect application level signatures.

fwsnort (optionally) makes use of the IPTables::Parse module (to be submitted to CPAN) to translate snort rules for which matching traffic could potentially be passed through the existing iptables ruleset.

Here are some key features of "fwsnort":
Detection for tcp syn, fin, null, and xmas scans as well as udp scans.
Detection of many signature rules from the snort intrusion detection system.
Forensics mode iptables logfile analysis (useful as a forensics tool for extracting scan information from old iptables logfiles).
Passive operating system fingerprinting via tcp syn packets. Two different fingerprinting strategies are supported; a re-implementation of p0f that strictly uses iptables log messages (requires the --log-tcp-options command line switch), and a TOS-based strategy.
Email alerts that contain tcp/udp/icmp scan characteristics, reverse dns and whois information, snort rule matches, remote OS guess information, and more.
Content-based alerts for buffer overflow attacks, suspicious application commands, and other suspect traffic through the use of the iptables string match extension and fwsnort.
Icmp type and code header field validation.
Configurable scan thresholds and danger level assignments.
Iptables ruleset parsing to verify "default drop" policy stance.
IP/network danger level auto-assignment (can be used to ignore or automatically escalate danger levels for certain networks).
DShield alerts.
Auto-blocking of scanning IP addresses via iptables and/or tcpwrappers based on scan danger level. (This is NOT enabled by default.)
Status mode that displays a summary of current scan information with associated packet counts, iptables chains, and danger levels.

What's New in This Release:
Updated to use the string match extension "--algo bm" argument if fwsnort is being run on a 2.6.14 (or greater) kernel.
Updated to handle the Snort "offset" and "depth" keywords via the --from and --to options to the string match extension in the 2.6.14 kernel.
An RPM package has been created.
There are minor man page updates.

fwsnort 0.8.1 search tags