fwsnort

gabsik · 04-08-2006, 02:07 PM

I have a debian sarge 3.1 stable 2.6.I got fwsnort which promises to translate snort rules into iptables rules does anyone ever used this prog ?To translate snort rules it needs a module called MATCH if i'm not wrong that reads --hexadecimals and is avialable in the iptables version i have but when i launch fwsnort it still says:

argo:~# fwsnort[*] It does not appear that string match support has been compiled into
Netfilter. Fwsnort will not be of very much use without this.
** NOTE: If you want to have fwsnort generate a Netfilter policy
anyway, specify the --no-ipt-test option. Exiting.

i called the modprobe ipt_MARK and the ipt_mac and the ipt_mark all related to --hex in my firewall script but still doesn't work i'm sure missing something please help ... cheeeeeeeers!

gabsik · 04-08-2006, 11:17 PM

fwsnort implements a patch against iptables-1.2.7a which adds a "--hex-string" option which will
accept content fields such as "|0d0a5b52504c5d3030320d0a|"

I have kernel 2.6 e iptables-1.2.11 when i run fwsnort i get this:

argo:~# fwsnort[*] It does not appear that string match support has been compiled into
Netfilter. Fwsnort will not be of very much use without this.
** NOTE: If you want to have fwsnort generate a Netfilter policy
anyway, specify the --no-ipt-test option. Exiting.

I modprobed the MATCH module in the iptables script but sill get the above error

I invite everybody give it a try and share expriences .With option no-ipt-test runs less than an alf of tha avialable snort rules but it can gives you an idea of what it does ,help !

Capt_Caveman · 04-09-2006, 12:22 AM

I don't believe the string matching module is usually included in default builds of iptables. You'll likely need to download the iptables source code and patch it using patch-O-matic. There is a HOWTO for using POM at the netfilter website. Modprobing ain't gonna help if the module isn't there to load.

unSpawn · 04-09-2006, 04:34 AM

Next to that using many string match rules could show a drop in performance.
Snort is designed to do this incomparably more efficient.
So make sure you really need to use Fwsnort instead of or in addition to using Snort.