[Bug 551857] New: Review Request: fwsnort - Translates Snort rules into equivalent iptables rules

bugzilla at redhat.com bugzilla at redhat.com
Sat Jan 2 15:45:25 UTC 2010 

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.

Summary: Review Request: fwsnort - Translates Snort rules into equivalent iptables rules

https://bugzilla.redhat.com/show_bug.cgi?id=551857

           Summary: Review Request: fwsnort - Translates Snort rules into
                    equivalent iptables rules
           Product: Fedora
           Version: rawhide
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: medium
          Priority: low
         Component: Package Review
        AssignedTo: nobody at fedoraproject.org
        ReportedBy: guillermo.gomez at gmail.com
         QAContact: extras-qa at fedoraproject.org
                CC: notting at redhat.com, fedora-package-review at redhat.com
   Estimated Hours: 0.0
    Classification: Fedora


Spec URL: http://gomix.fedorapeople.org/fwsnort/fwsnort.spec
SRPM URL: http://gomix.fedorapeople.org/fwsnort/fwsnort-1.0.6-1.fc12.src.rpm

Description: 

fwsnort translates Snort rules into equivalent iptables rules and generates
a Bourne shell script that implements the resulting iptables commands. This
ruleset allows network traffic that exhibits Snort signatures to be logged
and/or dropped by iptables directly without putting any interface into
promiscuous mode or queuing packets from kernel to user space. In addition,
fwsnort (optionally) uses the IPTables::Parse module to parse the iptables
ruleset on the machine to determine which Snort rules are applicable to the
specific iptables policy.  After all, if iptables is blocking all inbound
http traffic from external addresses, it is probably not of much use to try
detecting inbound attacks against against tcp/80. By default fwsnort
generates iptables rules that log Snort sid's with --log-prefix to klogd
where the messages can be analyzed with a log watcher such as logwatch or
psad (see http://www.cipherdyne.org/psad). fwsnort relies on the iptables
string match module to match Snort content fields in the application portion
of ip traffic. Since Snort rules can contain hex data in content fields,
fwsnort implements a patch against iptables-1.2.7a which adds a
"--hex-string" option which will accept content fields such as
"|0d0a5b52504c5d3030320d0a|". fwsnort is able to translate approximately 60%
of all rules from the Snort-2.3.3 IDS into equivalent iptables rules. For
more information about the translation strategy as well as
advantages/disadvantages of the method used by fwsnort to obtain intrusion
detection data, see the README included with the fwsnort sources or browse
to: http://www.cipherdyne.org/fwsnort/

Also via git at fedorapeople.org

-- 
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

More information about the Fedora-package-review mailing list