
Bug#475822: ITP: fwsnort -- Fwsnort translates Snort rules into iptables rules.



Package: wnpp
Severity: wishlist
Owner: Franck Joncourt <franck.joncourt@wanadoo.fr>


* Package name    : fwsnort
  Version         : 1.0.4
  Upstream Author : Michael Rash <mbr@cipherdyne.org>
* URL             : http://www.cipherdyne.org/fwsnort/
* License         : GPL
  Programming Lang: Perl
  Description     : Fwsnort translates Snort rules into iptables rules.

fwsnort translates Snort rules into iptables rules and generates a
Bourne shell script that implements the resulting iptables commands.
This ruleset allows network traffic that exhibits Snort signatures to
be logged and/or dropped by iptables directly without putting an
interface into promiscuous mode or queuing packets from kernel to user space.
Note that fwsnort can also build an iptables policy that combines the string
match extension with the NFQUEUE or QUEUE targets to allow the kernel to
perform preliminary string matches that are defined within Snort rules
before queuing matching packets to userspace.  Because the bulk of
network communications are not malicious, this should provide a speedup
for snort_inline since the majority of packets do not then have to be
copied from kernel memory into user memory and subsequently inspected by
snort_inline.  There is a tradeoff here in terms of signature detection,
however, because snort_inline does not have the opportunity to see all
packets associated with a session, so stream reassembly and signature
comparisons against a reassembled buffer do not take place (the stream
preprocessor - stream4, stream5, etc. - should be disabled).
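
The translation described above, reduced to its core as an added Python example (not part of the original message, and neither fwsnort's code nor its actual output): it maps the content options of a simplified Snort rule onto iptables string-match arguments with a LOG, DROP or NFQUEUE target. The sample rule, the FORWARD chain, queue number 0 and the log-prefix format are assumptions, and address variables such as $HOME_NET are ignored.

```python
import re
import shlex

# Constructed sample rule for this example (the sid and msg are made up).
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
               '(msg:"constructed example"; content:"/etc/passwd"; '
               'content:"|0d 0a|Host"; sid:1000001;)')

HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def target_args(mode, sid):
    """iptables target for each mode the description mentions."""
    if mode == "log":
        # --log-prefix accepts at most 29 characters.
        return ["-j", "LOG", "--log-prefix", f"SID{sid} "[:29]]
    if mode == "drop":
        return ["-j", "DROP"]
    if mode == "queue":
        # Only packets that pass the in-kernel string match reach userspace.
        return ["-j", "NFQUEUE", "--queue-num", "0"]  # queue 0 is an assumption
    raise ValueError(f"unknown mode: {mode}")

def translate(rule, mode="log", chain="FORWARD"):
    """Return one iptables command line for a simplified Snort rule."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("unsupported rule syntax")
    _action, proto, _src, _sport, _dst, dport, body = m.groups()
    opts = [(k, v.strip('"') if v else None)
            for k, v in OPTION_RE.findall(body)]
    sid = next((v for k, v in opts if k == "sid"), "0")
    contents = [v for k, v in opts if k == "content"]
    if not contents:
        raise ValueError("no content option, nothing for the string match to test")
    cmd = ["iptables", "-A", chain, "-p", proto]
    if proto in ("tcp", "udp") and dport.isdigit():
        cmd += ["--dport", dport]
    for c in contents:
        # Snort's |..| byte notation maps onto --hex-string; plain text onto --string.
        flag = "--hex-string" if "|" in c else "--string"
        cmd += ["-m", "string", flag, c, "--algo", "bm"]
    return shlex.join(cmd + target_args(mode, sid))

if __name__ == "__main__":
    for mode in ("log", "drop", "queue"):
        print(translate(SAMPLE_RULE, mode))
```

Comparing the "drop" and "queue" output for the same rule shows the tradeoff the description mentions: with NFQUEUE, only packets that already matched the kernel string test are handed to userspace.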



