Laboratorium Komputerowe Progmar
Marcin Załęczny


Fwsnort - firewall Snort

fwsnort (firewall Snort) is a tool that translates Snort rules into iptables rules.

Installation: sudo apt-get install fwsnort

Next, copy the Snort rules into the fwsnort rules directory: sudo cp /etc/snort/rules/*.rules /etc/fwsnort/snort_rules

You can run the application by issuing the command below:
sudo fwsnort --no-ipt-sync (in older Ubuntu versions, e.g. 12.04)
The --no-ipt-sync option makes fwsnort translate all rules regardless of whether the current iptables policy already blocks them or not.

In newer Ubuntu versions (e.g. >= 15.10) run:
sudo fwsnort
In this case the --no-ipt-sync option is obsolete and will be unavailable in future fwsnort releases; the default behavior of fwsnort is the same as if the option were turned on.

As a result of the command above the following file (containing the iptables rules) is generated: /var/lib/fwsnort/fwsnort.save, together with a second file, /var/lib/fwsnort/fwsnort.sh, which is responsible for loading the iptables rules into the current firewall policy.
In older Ubuntu versions (e.g. 12.04) the following files are generated instead: /etc/fwsnort/fwsnort.save and /etc/fwsnort/fwsnort.sh

Warning! The commands that translate Snort rules into iptables rules should be executed after each change to the firewall policy.

The translated rules can be loaded as follows: sudo /var/lib/fwsnort/fwsnort.sh, or in older Ubuntu versions (e.g. 12.04): sudo /etc/fwsnort/fwsnort.sh

To revert the changes made by fwsnort run: sudo /var/lib/fwsnort/fwsnort.sh -r. In older Ubuntu versions (e.g. 12.04) you have to revert them by hand, e.g.:

# flush the chains created by fwsnort
iptables -F FWSNORT_INPUT
iptables -F FWSNORT_INPUT_ESTAB
iptables -F FWSNORT_FORWARD
iptables -F FWSNORT_FORWARD_ESTAB
iptables -F FWSNORT_OUTPUT
iptables -F FWSNORT_OUTPUT_ESTAB
# delete the jumps from the built-in chains into the fwsnort chains
iptables -D INPUT 1    # if the jump to FWSNORT_INPUT is at a different rule number, specify that number
iptables -D FORWARD 1  # if the jump to FWSNORT_FORWARD is at a different rule number, specify that number
iptables -D OUTPUT 1   # if the jump to FWSNORT_OUTPUT is at a different rule number, specify that number
# delete the now-empty fwsnort chains
iptables -X FWSNORT_INPUT
iptables -X FWSNORT_INPUT_ESTAB
iptables -X FWSNORT_FORWARD
iptables -X FWSNORT_FORWARD_ESTAB
iptables -X FWSNORT_OUTPUT
iptables -X FWSNORT_OUTPUT_ESTAB
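The manual revert above assumes the jump into each FWSNORT_* chain is rule number 1. As an added example (not code from the page's author or the fwsnort project), the POSIX shell script below performs the same revert but reads the rule number from `iptables -L <chain> --line-numbers -n`, so it does not delete the wrong rule when the jump sits elsewhere; the iptables listing it parses in demo mode is constructed for this example.

```shell
#!/bin/sh
# Manual fwsnort revert for systems whose fwsnort.sh has no -r option.
# Run as root with --apply to modify the firewall; without it, only the
# parser is demonstrated on a constructed listing.

# Read `iptables -L <chain> --line-numbers -n` output on stdin and print the
# rule number of the first rule whose target is $1 (nothing if absent).
find_jump_num() {
    awk -v target="$1" '$1 ~ /^[0-9]+$/ && $2 == target { print $1; exit }'
}

# Constructed sample listing (not captured from a real host): the jump to
# FWSNORT_INPUT is rule 2, so "iptables -D INPUT 1" would remove the wrong rule.
SAMPLE_INPUT_LISTING='Chain INPUT (policy ACCEPT)
num  target         prot opt source      destination
1    ACCEPT         all  --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED
2    FWSNORT_INPUT  all  --  0.0.0.0/0   0.0.0.0/0
3    DROP           all  --  0.0.0.0/0   0.0.0.0/0'

sample_jump_num() {
    printf '%s\n' "$SAMPLE_INPUT_LISTING" | find_jump_num FWSNORT_INPUT
}

# Flush, unlink and delete the fwsnort chains hanging off INPUT/FORWARD/OUTPUT.
revert_fwsnort() {
    for parent in INPUT FORWARD OUTPUT; do
        chain="FWSNORT_${parent}"
        # flush first so the chains hold no references to each other
        iptables -F "$chain"
        iptables -F "${chain}_ESTAB"
        # locate the jump rule by its target instead of assuming rule 1
        num=$(iptables -L "$parent" --line-numbers -n | find_jump_num "$chain")
        if [ -n "$num" ]; then
            iptables -D "$parent" "$num"
        fi
        iptables -X "${chain}_ESTAB"
        iptables -X "$chain"
    done
}

if [ "${1:-}" = "--apply" ]; then
    revert_fwsnort
else
    echo "jump to FWSNORT_INPUT in sample listing is rule $(sample_jump_num)"
fi
```

Check the chains are gone afterwards with `iptables -L -n | grep FWSNORT`, which should print nothing.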

The configuration file for fwsnort is located at /etc/fwsnort/fwsnort.conf

To translate a single Snort rule and reject matching traffic in addition to logging it, run: sudo fwsnort --snort-sid 800400 --ipt-reject

To flush all iptables rules from all chains created by fwsnort.sh (the chains themselves are not removed), run: fwsnort --ipt-flush