
Re: [RFR] fwsnort package


So that Michael can understand what we are talking about :)
If you reply to this email, please CC Michael as well.

Justin B Rye wrote:
> Franck Joncourt wrote:
>> ---- debian/control file
>> Description: makes use of Snort rules in an iptables-based firewall
> That's a perfectly good verb phrase (saying what the package does);
> but synopsis lines should be noun phrases (saying what it is).
> Something like:
>   Description: Snort rules converter for iptables
>   Description: firewall builder using Snort rules
>   Description: Snort-to-iptables rule translator

I think I will take the third description :)

>>  Fwsnort translates Snort rules into iptables rule approximations and
>>  generates a Bourne shell script that implements the resulting iptables
>>  commands.
> When you say "iptables rule approximations", are they in fact only
> approximate or should it be "equivalent iptables rules"?
> (It's possible that the pedantically correct term is "Netfilter
> rules", or even "Xtables rules"...)

According to me, they are equivalent. However, my knowledge of writing
Snort rules is not good enough to trust me about that. So if Michael
could answer this question, that would make it clear.

From my point of view, I would talk about Netfilter layout with the
different hooks, and Xtables add-ons that add new targets to iptables,
and thus I think "iptables rules" is fine.

Am I mistaken, Michael?

> What does it mean these days to say something is a _Bourne_ shell
> script?  After all, it'll probably be dash that executes it...

You are right.
So, "generates a shell script that implements" should be better.

>>  This ruleset allows network traffic that exhibits Snort signatures
>>  to be logged and/or dropped by iptables directly without putting any
>>  interface into promiscuous mode or queuing packets from kernel to
>>  user space.
> What ruleset is "This ruleset" referring to?  The simplest fix would
> be to take out the word "ruleset" and leave a vague "this" pointing
> at the whole previous paragraph.
> Saying that traffic "exhibits" signatures seems obscure; couldn't it
> just say it "matches" them?

 "This allows network traffic that matches Snort signatures"

I would say that does not sound bad :p!
I do not have any ideas that could go against your proposition.

>> ---- debian/README.Debian
> ...
>> ---- debian/fwsnort.templates
> These look fine to me.



Franck Joncourt
http://debian.org - http://smhteam.info/wiki/
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
