fwsnort - firewall Snort - Tool that translates Snort rules into iptables rules
sudo apt-get install fwsnort
Next copy Snort rules into fwsnort rules directory:
sudo cp /etc/snort/rules/*.rules /etc/fwsnort/snort_rules
You can run the application by issuing command below:
sudo fwsnort --no-ipt-sync (in the older Ubuntu versions, e.g. 12.04)
The --no-ipt-sync option makes fwsnort translate all rules, regardless of whether the current iptables policy
already blocks the traffic they match.
Or in the newer Ubuntu versions (e.g. >=15.10)
In this case the --no-ipt-sync option is obsolete and will be removed in future fwsnort releases.
The default behaviour of fwsnort is then the same as if the option were turned on.
The command above generates the following file (containing the iptables rules):
and the second file:
which is responsible for loading the iptables rules into the current firewall policy.
In the older Ubuntu versions (e.g. 12.04) the following files will be generated:
The commands that translate Snort rules into iptables rules should be executed after each change to the firewall policy.
The translated rules can be loaded in the following way:
or in the older Ubuntu versions (e.g. 12.04):
To revert changes made by fwsnort run the command:
sudo /var/lib/fwsnort/fwsnort.sh -r
To revert changes in the older Ubuntu versions (e.g. 12.04) you have to do it by hand, e.g.:
iptables -F FWSNORT_INPUT
iptables -F FWSNORT_INPUT_ESTAB
iptables -F FWSNORT_FORWARD
iptables -F FWSNORT_FORWARD_ESTAB
iptables -F FWSNORT_OUTPUT
iptables -F FWSNORT_OUTPUT_ESTAB
iptables -D INPUT 1   (if the jump to the FWSNORT_INPUT chain sits at a different position, specify that rule number instead)
iptables -D FORWARD 1   (if the jump to the FWSNORT_FORWARD chain sits at a different position, specify that rule number instead)
iptables -D OUTPUT 1   (if the jump to the FWSNORT_OUTPUT chain sits at a different position, specify that rule number instead)
iptables -X FWSNORT_INPUT
iptables -X FWSNORT_INPUT_ESTAB
iptables -X FWSNORT_FORWARD
iptables -X FWSNORT_FORWARD_ESTAB
iptables -X FWSNORT_OUTPUT
iptables -X FWSNORT_OUTPUT_ESTAB
The configuration file for fwsnort is located here:
To translate a single Snort rule and drop matching traffic in addition to logging it, run:
sudo fwsnort --snort-sid 800400 --ipt-reject
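To make the translation step concrete, here is an added example (written for this page, not fwsnort's own code) that turns a simplified Snort rule into iptables commands the way fwsnort does: the content match becomes an iptables string match, the default output is a LOG rule, and a reject=True flag adds a REJECT rule alongside it, like --ipt-reject above. The sample rule, the chain name FWSNORT_INPUT and the log-prefix format are assumptions; only plain-text content (no |hex| bytes) is handled.

```python
import re
import shlex

# Constructed sample Snort rule for this example (not from any real ruleset).
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
               '(msg:"WEB-MISC test probe"; content:"/cgi-bin/test"; '
               'nocase; sid:800400; rev:1;)')
# Rule header: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+\S+\s+\S+\s+->\s+\S+\s+(?P<dport>\S+)'
    r'\s+\((?P<body>.*)\)\s*$')

def parse_rule(rule):
    """Split a Snort rule into protocol, destination port, options and flags."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError('unsupported rule syntax')
    opts, flags = {}, set()
    for opt in m.group('body').split(';'):
        opt = opt.strip()
        if not opt:
            continue
        if ':' in opt:                      # key:value option, e.g. content:"..."
            key, val = opt.split(':', 1)
            opts[key.strip()] = val.strip().strip('"')
        else:                               # bare modifier, e.g. nocase
            flags.add(opt)
    return {'proto': m.group('proto'), 'dport': m.group('dport'),
            'opts': opts, 'flags': flags}

def to_iptables(rule, reject=False, chain='FWSNORT_INPUT'):
    """Emit iptables commands: a LOG rule, plus a REJECT rule when reject=True
    (mirroring what --ipt-reject adds on top of the default logging)."""
    r = parse_rule(rule)
    if 'content' not in r['opts'] or 'sid' not in r['opts']:
        raise ValueError('only rules with content and sid are handled here')
    match = ['iptables', '-A', chain, '-p', r['proto']]
    if r['dport'] != 'any':
        match += ['--dport', r['dport']]
    # Snort content:"..." becomes the iptables string match (Boyer-Moore search).
    match += ['-m', 'string', '--string', r['opts']['content'], '--algo', 'bm']
    if 'nocase' in r['flags']:
        match.append('--icase')
    sid = r['opts']['sid']
    cmds = [shlex.join(match + ['-j', 'LOG', '--log-prefix', f'[SID{sid}] '])]
    if reject:
        how = 'tcp-reset' if r['proto'] == 'tcp' else 'icmp-port-unreachable'
        cmds.append(shlex.join(match + ['-j', 'REJECT', '--reject-with', how]))
    return cmds
```

Running to_iptables(SAMPLE_RULE, reject=True) yields the LOG rule followed by the REJECT rule; without reject only the LOG rule is produced, matching fwsnort's default of logging rather than dropping.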
To flush all iptables rules from all chains created by fwsnort.sh (the chains themselves are not removed), run the command: