fwsnort - translate Snort rules into iptables rules 1.6.5
fwsnort translates SNORT rules into iptables rules on Linux systems and generates a corresponding iptables policy in iptables-save format. This ruleset allows network traffic that matches Snort signatures (i.e. attacks and other suspicious network behavior) to be logged and/or dropped by iptables directly without putting an interface into promiscuous mode or queuing packets from kernel to user space. Note that fwsnort can also build an iptables policy that combines the string match extension with the NFQUEUE or QUEUE targets to allow the kernel to perform preliminary string matches that are defined within Snort rules before queuing matching packets to a userspace snort_inline instance. Because the bulk of network communications are not generallly malicious, this should provide a speedup for snort_inline since the majority of packets do not then have to be copied from kernel memory into user memory and subsequently inspected by snort_inline. There is a tradeoff here in terms of signature detection however because snort_inline when deployed in this way does not have the opportunity to see all packets associated with a session, so stream reassembly and signature comparisons against a reassembled buffer do not take place (the stream preprocessor should be disabled in the userspace snort_inline instance).
Tags | snort linux perl ids ips iptables netfilter |
---|---|
License | GNU GPL |
State | stable |