fwsnort is an open source command-line application written in C and designed to parse the rules files shipped with the Snort intrusion detection software and to generate equivalent iptables rulesets from them.
Features at a glance
Key features include support for detecting TCP SYN, NULL, FIN and XMAS scans as well as UDP scans, several signature rules for Snort, a forensics mode for analysing iptables log files, passive operating system fingerprinting based on TCP SYN packets, two different fingerprinting strategies, email alerts, and content-based alerts.
Additionally, the application supports validation of the ICMP code and type header fields, configurable danger-level and scan-threshold assignments, iptables ruleset parsing, automatic danger-level assignment for IP addresses and networks, DShield alerts, auto-blocking of scanning IP addresses, and a comprehensive status mode.
Among its command-line options, we can mention the ability to restrict the Snort parser to translating only specified rules into iptables rules, support for writing the iptables script to a specified file instead of the default location, support for executing the generated fwsnort.sh script, and support for reverting to a version of the iptables policy that contains no fwsnort rules.
In addition, you will be able to read the iptables policy from a file, add the --log-tcp-sequence option to iptables, generate an equivalent iptables rule for a specific Snort ID, read Snort-specific variables from the program's configuration file, translate single or multiple rules files, check iptables capabilities, and exclude a list of SIDs from translation.
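To make the Snort-to-iptables translation described above concrete, here is an added, deliberately minimal illustration written for this page; it is not fwsnort's own code, which handles far more rule options. It assumes one rule per line, translates only the protocol, destination port, content, nocase and sid fields, and places the result in a constructed chain named FWSNORT_INPUT; the three sample rules are constructed for the demonstration. Snort's nocase maps to the string match's --icase, and Snort's |0d 0a| hex notation is passed through to --hex-string, which uses the same notation.

```shell
#!/bin/sh
# Added example (not fwsnort's own code): translate a single Snort "content"
# rule into an iptables string-match LOG rule.
# Assumptions (not from the page): one rule per line; only proto, dport,
# content, nocase and sid are translated; the chain FWSNORT_INPUT is constructed.

# Constructed sample rules.
SAMPLE_TCP='alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC /etc/passwd access"; flow:to_server,established; content:"/etc/passwd"; nocase; sid:1122; rev:5;)'
SAMPLE_UDP='alert udp any any -> any any (msg:"constructed udp test"; content:"abc"; sid:1000001; rev:1;)'
SAMPLE_HEX='alert tcp any any -> any 25 (msg:"constructed hex test"; content:"|0d 0a|foo"; sid:1000002; rev:1;)'

# rule_opt RULE KEYWORD: print the value of one option from the option block.
# msg/content values are quoted in Snort syntax; sid/rev and friends are bare.
rule_opt() {
    case $2 in
        msg|content) printf '%s\n' "$1" | sed -n "s/.*$2:\"\([^\"]*\)\".*/\1/p" ;;
        *)           printf '%s\n' "$1" | sed -n "s/.*[(; ]$2:\([^;]*\);.*/\1/p" ;;
    esac
}

# snort_to_iptables RULE: print an equivalent iptables LOG rule, or fail if
# the rule has no content match (nothing for -m string to work with).
snort_to_iptables() {
    _rule=$1
    _hdr=${_rule%%(*}          # header: action proto src sport dir dst dport
    set -- $_hdr
    _proto=$2
    _dport=$7
    _content=$(rule_opt "$_rule" content)
    _sid=$(rule_opt "$_rule" sid)

    if [ -z "$_content" ]; then
        echo "sid ${_sid:-?}: no content option, cannot translate" >&2
        return 1
    fi

    # A destination port of "any" means no --dport restriction.
    _dport_arg=""
    [ "$_dport" = any ] || _dport_arg=" --dport $_dport"

    # Snort's nocase maps to xt_string's --icase.
    _icase=""
    case $_rule in *"; nocase;"*|*"(nocase;"*) _icase=" --icase" ;; esac

    # Content with |..| hex escapes needs --hex-string; plain text uses --string.
    case $_content in
        *\|*) _match="--hex-string \"$_content\"" ;;
        *)    _match="--string \"$_content\"" ;;
    esac

    # LOG prefixes are limited to 29 characters, so only the SID goes in.
    printf 'iptables -A FWSNORT_INPUT -p %s%s -m string --algo bm %s%s -j LOG --log-prefix "SID%s "\n' \
        "$_proto" "$_dport_arg" "$_match" "$_icase" "$_sid"
}

# Stand-alone demo: translate the constructed rules and print the results.
for r in "$SAMPLE_TCP" "$SAMPLE_UDP" "$SAMPLE_HEX"; do
    snort_to_iptables "$r"
done
```

The generated rules only log; a real deployment decides separately whether a matching packet should also be dropped, and a rule without a content keyword is rejected rather than silently turned into a match-everything rule, since the string match is the only thing that ties the iptables rule to the original signature.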
Getting started with fwsnort
After installing fwsnort, either from the pre-built binary packages in your Linux distribution's main software repositories or with the native installers the project provides for RPM-based distros, you can simply run the 'fwsnort' command in a terminal emulator as root (the system administrator) to use the software.