Hi,

[...]

>>>> Fwsnort translates Snort rules into iptables rule approximations and
>>>> generates a Bourne shell script that implements the resulting iptables
>>>> commands.

>>> When you say "iptables rule approximations", are they in fact only
>>> approximate or should it be "equivalent iptables rules"?
>>>
>>> (It's possible that the pedantically correct term is "Netfilter
>>> rules", or even "Xtables rules"...)

[...]

> Saying that the translated iptables rules are equivalent is probably
> best in the sense that traffic that triggers a Snort rule will also be
> matched by a translated iptables rule

[...]

> But, most users will not know about this distinction and so from a
> practical standpoint "equivalent" is probably best - though I should
> perhaps document the above better in the fwsnort man page.

Yes, I think it would be nice.

[...]

> "iptables rules" is correct. Here is an excerpt from an email I
> received from Pablo Neira Ayuso about the distinction between
> "Netfilter and iptables" (this is in reference to my book):

[...]

>>> What does it mean these days to say something is a _Bourne_ shell
>>> script? After all, it'll probably be dash that executes it...

>> You are right.
>> So, "generates a shell script that implements" should be better.

> Agreed. I will fix this in the fwsnort man page as well.

>>>> This ruleset allows network traffic that exhibits Snort signatures
>>>> to be logged and/or dropped by iptables directly without putting any
>>>> interface into promiscuous mode or queuing packets from kernel to
>>>> user space.

>>> What ruleset is "This ruleset" referring to? The simplest fix would
>>> be to take out the word "ruleset" and leave a vague "this" pointing
>>> at the whole previous paragraph.
>>>
>>> Saying that traffic "exhibits" signatures seems obscure; couldn't it
>>> just say it "matches" them?

>> "This allows network traffic that matches Snort signatures"
>> I would say that does not sound bad :p!
>> I do not have any ideas that could go against your proposition.

> Agreed. Saying "This allows network traffic that matches Snort
> signatures..." is better. I will change this as well in the fwsnort man
> page.

Here is the result:

Description: Snort-to-iptables rule translator
 Fwsnort translates Snort rules into equivalent iptables rules and
 generates a shell script that implements the resulting iptables
 commands.
 .
 This allows network traffic that matches Snort signatures to be logged
 and/or dropped by iptables directly without putting any interface into
 promiscuous mode or queuing packets from kernel to user space.

Regards,

--
Franck Joncourt
http://debian.org - http://smhteam.info/wiki/
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE