Re: [RFR] fwsnort package

To: Michael Rash <mbr@cipherdyne.org>
Cc: debian-l10n-english@lists.debian.org
Subject: Re: [RFR] fwsnort package
From: Franck Joncourt <franck.mail@dthconnex.com>
Date: Wed, 22 Oct 2008 00:02:07 +0200
Message-id: <[🔎] 48FE515F.80504@dthconnex.com>
In-reply-to: <[🔎] 20081021053545.GA20788@cipherdyne.org>
References: <[🔎] 48FCBCB9.1040908@dthconnex.com> <[🔎] 20081020183308.GA4698@xibalba.demon.co.uk> <[🔎] 48FCE1F6.3020603@dthconnex.com> <[🔎] 20081021053545.GA20788@cipherdyne.org>

Hi,

[...]
>>>>  Fwsnort translates Snort rules into iptables rule approximations and
>>>>  generates a Bourne shell script that implements the resulting iptables
>>>>  commands.

>>> When you say "iptables rule approximations", are they in fact only
>>> approximate or should it be "equivalent iptables rules"?
>>>
>>> (It's possible that the pedantically correct term is "Netfilter
>>> rules", or even "Xtables rules"...)

[...]
> Saying that the translated iptables rules are equivalent is probably
> best in the sense that traffic that triggers a Snort rule will also be
> matched by a translated iptables rule
[...]
> But, most users will not know about this distinction and so from a
> practical standpoint "equivalent" is probably best - though I should
> perhaps document the above better in the fwsnort man page.  ?

Yes, I think it would be nice.

[...]
> "iptables rules" is correct.  Here is an excerpt from an email I
> received from Pablo Neira Ayuso about the distinction between
> "Netfilter and iptables" (this is in reference to my book):

[...]
>>> What does it mean these days to say something is a _Bourne_ shell
>>> script?  After all, it'll probably be dash that executes it...
>> You are right.

>> So, "generates a shell script that implements" should be better.

> Agreed.  I will fix this in the fwsnort man page as well.

>>>>  This ruleset allows network traffic that exhibits Snort signatures
>>>>  to be logged and/or dropped by iptables directly without putting any
>>>>  interface into promiscuous mode or queuing packets from kernel to
>>>>  user space.

>>> What ruleset is "This ruleset" referring to?  The simplest fix would
>>> be to take out the word "ruleset" and leave a vague "this" pointing
>>> at the whole previous paragraph.
>>>
>>> Saying that traffic "exhibits" signatures seems obscure; couldn't it
>>> just say it "matches" them?
>>  "This allows network traffic that matches Snort signatures"

>> I would say that does not sound bad :p!
>> I do not have any ideas that could go against your proposition.

> Agreed.  Saying "This allows network traffic that matches Snort
> signatures..." is better.  I will change this as well in the fwsnort man
> page.

Here is the result:

Description: Snort-to-iptables rule translator
 Fwsnort translates Snort rules into equivalent iptables rules and
 generates a shell script that implements the resulting iptables
 commands.
 .
 This allows network traffic that matches Snort signatures to be logged
 and/or dropped by iptables directly without putting any interface into
 promiscuous mode or queuing packets from kernel to user space.

Regards,

-- 
Franck Joncourt
http://debian.org - http://smhteam.info/wiki/
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

References:
- [RFR] fwsnort package
  - From: Franck Joncourt <franck.mail@dthconnex.com>
- Re: [RFR] fwsnort package
  - From: Justin B Rye <jbr@edlug.org.uk>
- Re: [RFR] fwsnort package
  - From: Franck Joncourt <franck.mail@dthconnex.com>
- Re: [RFR] fwsnort package
  - From: Michael Rash <mbr@cipherdyne.org>

Prev by Date: Re: Please review latest issue of the Debian Project News
Next by Date: [RFR] gpgdir package
Previous by thread: Re: [RFR] fwsnort package
Next by thread: [RFR] gpgdir package
Index(es):
- Date
- Thread