fwsnort
I have a Debian sarge 3.1 stable 2.6. I got fwsnort, which promises to translate snort rules into iptables rules. Has anyone ever used this prog? To translate snort rules it needs a module called MATCH, if I'm not wrong, that reads --hexadecimals and is available in the iptables version I have, but when I launch fwsnort it still says:

argo:~# fwsnort
[*] It does not appear that string match support has been compiled into Netfilter. Fwsnort will not be of very much use without this. ** NOTE: If you want to have fwsnort generate a Netfilter policy anyway, specify the --no-ipt-test option. Exiting.

I called modprobe for ipt_MARK, ipt_mac and ipt_mark, all related to --hex, in my firewall script, but it still doesn't work. I'm sure I'm missing something, please help ... cheeeeeeeers! :Pengy: :Pengy: :Pengy: :scratch: |
fwsnort implements a patch against iptables-1.2.7a which adds a "--hex-string" option which will accept content fields such as "|0d0a5b52504c5d3030320d0a|".

I have kernel 2.6 and iptables-1.2.11. When I run fwsnort I get this:

argo:~# fwsnort
[*] It does not appear that string match support has been compiled into Netfilter. Fwsnort will not be of very much use without this. ** NOTE: If you want to have fwsnort generate a Netfilter policy anyway, specify the --no-ipt-test option. Exiting.

I modprobed the MATCH module in the iptables script but still get the above error. I invite everybody to give it a try and share experiences. With the no-ipt-test option it runs less than a half of the available snort rules, but it can give you an idea of what it does. Help! |
I don't believe the string matching module is usually included in default builds of iptables. You'll likely need to download the iptables source code and patch it using patch-O-matic. There is a HOWTO for using POM at the netfilter website. Modprobing ain't gonna help if the module isn't there to load.
|
Next to that, using many string match rules could show a drop in performance. Snort is designed to do this incomparably more efficiently. So make sure you really need to use Fwsnort instead of or in addition to using Snort. |
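
An added example, not part of the thread and not fwsnort's own test: a shell check for the distinction made in the reply about modprobe, a string match that is built but not loaded versus one that was never built. The function names are hypothetical, the file locations named in the comments are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: is the Netfilter string match built for this kernel, and is
# it registered right now? Function names and sample data are constructed.

# $1: kernel config file, e.g. /boot/config-$(uname -r) (assumed location).
# Succeeds if the string match is built in (=y) or built as a module (=m).
string_match_in_config() {
    grep -Eqs '^CONFIG_(IP_NF|NETFILTER_XT)_MATCH_STRING=[ym]$' "$1"
}

# $1: file in the format of /proc/net/ip_tables_matches, one name per line.
# Succeeds if a match called exactly "string" is registered.
string_match_registered() {
    grep -qsx 'string' "$1"
}

# $1: config file, $2: matches list. Prints one of:
#   loaded    - the string match is registered and usable now
#   available - built but not registered; modprobe ipt_string/xt_string can help
#   missing   - not built; no modprobe will help until the kernel is rebuilt
string_match_status() {
    if string_match_registered "$2"; then
        echo loaded
    elif string_match_in_config "$1"; then
        echo available
    else
        echo missing
    fi
}

# Demo on constructed files, so nothing on the real system is read or changed.
demo_dir=$(mktemp -d)
printf '%s\n' '# CONFIG_IP_NF_MATCH_STRING is not set' 'CONFIG_IP_NF_MATCH_MAC=m' \
    > "$demo_dir/config-unpatched"
printf '%s\n' 'CONFIG_IP_NF_MATCH_STRING=m' 'CONFIG_IP_NF_MATCH_MAC=m' \
    > "$demo_dir/config-patched"
printf '%s\n' 'mac' 'mark' 'tcp' > "$demo_dir/matches-before"
printf '%s\n' 'mac' 'mark' 'string' 'tcp' > "$demo_dir/matches-after"

echo "unpatched: $(string_match_status "$demo_dir/config-unpatched" "$demo_dir/matches-before")"
echo "patched, module not loaded: $(string_match_status "$demo_dir/config-patched" "$demo_dir/matches-before")"
echo "patched, module loaded: $(string_match_status "$demo_dir/config-patched" "$demo_dir/matches-after")"
rm -rf "$demo_dir"
```

This covers only the kernel side; the iptables binary needs its own string extension as well.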