fwsnort

Translates snort rules into an equivalent iptables ruleset.

fwsnort Ranking & Summary

  • License: GPL
  • Price: FREE
  • Publisher Name: Michael Rash
  • Publisher web site: http://www.cipherdyne.com/psad/

fwsnort Description

Translates snort rules into an equivalent iptables ruleset. fwsnort parses the rules files included in the snort intrusion detection system and builds an equivalent iptables ruleset for as many rules as possible. fwsnort accepts command line arguments to restrict processing to any particular class of snort rules such as "ddos", "backdoor", or "web-attacks". Processing can even be restricted to a specific snort rule as identified by its "snort id" or "sid".

fwsnort utilizes the iptables string match module (together with a custom patch that adds a --hex-string option to the iptables user space code) to detect application level signatures.

fwsnort (optionally) makes use of the IPTables::Parse module (to be submitted to CPAN) to translate snort rules for which matching traffic could potentially be passed through the existing iptables ruleset.

Here are some key features of "fwsnort":

  • Detection for tcp syn, fin, null, and xmas scans as well as udp scans.
  • Detection of many signature rules from the snort intrusion detection system.
  • Forensics mode iptables logfile analysis (useful as a forensics tool for extracting scan information from old iptables logfiles).
  • Passive operating system fingerprinting via tcp syn packets. Two different fingerprinting strategies are supported: a re-implementation of p0f that strictly uses iptables log messages (requires the --log-tcp-options command line switch), and a TOS-based strategy.
  • Email alerts that contain tcp/udp/icmp scan characteristics, reverse dns and whois information, snort rule matches, remote OS guess information, and more.
  • Content-based alerts for buffer overflow attacks, suspicious application commands, and other suspect traffic through the use of the iptables string match extension and fwsnort.
  • Icmp type and code header field validation.
  • Configurable scan thresholds and danger level assignments.
  • Iptables ruleset parsing to verify "default drop" policy stance.
  • IP/network danger level auto-assignment (can be used to ignore or automatically escalate danger levels for certain networks).
  • DShield alerts.
  • Auto-blocking of scanning IP addresses via iptables and/or tcpwrappers based on scan danger level. (This is NOT enabled by default.)
  • Status mode that displays a summary of current scan information with associated packet counts, iptables chains, and danger levels.

What's New in This Release:

  • (Franck Joncourt) Updated fwsnort to use the "! " negation syntax instead of the older " !" on the iptables command line.
  • (Franck Joncourt) For the --hex-string and --string matches, if the argument exceeds 128 bytes (iptables 1.4.2), iptables fails with the error "iptables v1.4.2: STRING too long". This is fixed with a patch that adds a new variable, "MAX_STRING_LEN", to fwsnort.conf so that the size of the content can be limited. If the content (as a null-terminated string) is longer than MAX_STRING_LEN characters, fwsnort throws the rule away.
  • Bug fix to allow fwsnort to properly translate snort rules that have "content" fields with embedded escaped semicolons (e.g. "\;"). This allows fwsnort to translate about 58 additional rules from the Emerging Threats rule set.
  • Bug fix to allow case insensitive matches to work properly with the --include-re-caseless and --exclude-re-caseless arguments.
  • Bug fix to move the 'rawbytes' keyword to the list of keywords that are ignored, since iptables does a raw match anyway as it doesn't run any preprocessors in the Snort sense.
  • Added the --snort-rfile argument so that a specific Snort rules file (or a comma-separated list of files) is parsed.
  • Added a small hack to choose the first port from a port list until the iptables 'multiport' match is supported.
  • Updated to consolidate spaces in hex matches in the fwsnort.sh script, since the spaces are not part of the patterns to be searched anyway.
  • Updated to the latest complete rule set from Emerging Threats (see http://www.emergingthreats.net/).
  • Added the "fwsnort-nobuildreqs.spec" file for building fwsnort on systems (such as Debian) that do not install/upgrade software via RPM. This file omits the "BuildRequires: perl-ExtUtils-MakeMaker" directive, which fixes errors like the following on an Ubuntu system when building fwsnort with rpmbuild:

      rpm: To install rpm packages on Debian systems, use alien. See README.Debian.
      error: cannot open Packages index using db3 - No such file or directory (2)
      error: cannot open Packages database in /var/lib/rpm
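As an added illustration (not fwsnort's own code), here is the core translation step the description refers to: a Python sketch that turns one Snort rule's first content field into an iptables string-match rule, honouring the escaped-semicolon, MAX_STRING_LEN and first-port behaviours listed above. The chain name FWSNORT_INPUT and the log prefix format are assumptions, as is the input rule, which is constructed for the test.

```python
import re

MAX_STRING_LEN = 128  # mirrors the MAX_STRING_LEN setting in fwsnort.conf (iptables 1.4.2 limit)
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def split_options(body):
    """Split the Snort option body on ';' while honouring escaped '\\;' inside content."""
    opts, cur, i = [], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):   # keep the escaped character literally
            cur.append(body[i + 1]); i += 2; continue
        if body[i] == ";":
            opts.append("".join(cur).strip()); cur = []
        else:
            cur.append(body[i])
        i += 1
    opts.append("".join(cur).strip())
    return [o for o in opts if o]

def content_bytes(content):
    """Turn a Snort content value ('GET |0d 0a|') into raw bytes; |..| segments are hex."""
    out, in_hex = bytearray(), False
    for seg in content.split("|"):
        out += bytes.fromhex(seg) if in_hex else seg.encode("latin-1")
        in_hex = not in_hex
    return bytes(out)

def first_port(port):
    """Port-list hack from the changelog: use the first port of [80,8080] (no multiport yet)."""
    return port.strip("[]").split(",")[0]

def translate(rule, max_len=MAX_STRING_LEN):
    """Return iptables argv for one Snort rule, or None when it cannot be translated."""
    m = HEADER.match(rule.strip())
    if not m:
        return None
    _action, proto, _src, _sport, _dir, _dst, dport, body = m.groups()
    opts = [o.split(":", 1) if ":" in o else [o, ""] for o in split_options(body)]
    contents = [v.strip().strip('"') for k, v in opts if k.strip() == "content"]
    if not contents:
        return None
    pattern = content_bytes(contents[0])      # only the first content match is translated here
    if len(pattern) + 1 > max_len:             # null-terminated length check, as in fwsnort's fix
        return None
    sid = next((v.strip() for k, v in opts if k.strip() == "sid"), "0")
    argv = ["-A", "FWSNORT_INPUT", "-p", proto]  # chain name is a placeholder, not fwsnort's
    if dport != "any":
        argv += ["--dport", first_port(dport)]
    argv += ["-m", "string", "--algo", "bm", "--hex-string", "|" + pattern.hex(" ") + "|"]
    if any(k.strip() == "nocase" for k, _ in opts):
        argv.append("--icase")                  # iptables string match's case-insensitive flag
    return argv + ["-j", "LOG", "--log-prefix", f"SID{sid} "]
```

The returned list is argv for iptables, so it can be passed to subprocess without shell quoting; rules with no content field or a pattern over the limit come back as None, which is the "throw the rule away" path.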

