LinuxQuestions.org


NM04 12-31-2014 06:19 AM

CentOS 7: problem installing Module::IPTables-Parse (JSON::PP 2.27103)
 
Hi all,
I have installed Snort 2.9.7 (running as NIDS) on CentOS 7 (desktop Dell OptiPlex, Intel Core i3) and now I have enabled IPTables and am working on fwsnort so that it can parse Snort rules to IPTables. I am facing problems executing ./fwsnort:

Code:

[root@localhost sbin]# ./fwsnort
Can't locate IPTables/Parse.pm in @INC (@INC contains: /usr/lib/fwsnort /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ./fwsnort line 4260.

Tried to install IPTables/Parse.pm via cpanm as follows. I am behind a proxy and I exported the proxy settings (http & https) before executing this:
Code:

[root@localhost sbin]# cpanm Module::IPTables-Parse
! Finding Module::IPTables-Parse on cpanmetadb failed.
! Finding Module::IPTables-Parse () on mirror http://www.cpan.org failed.
! Couldn't find module or a distribution Module::IPTables-Parse ()

Downloaded the tarball, followed the instructions and failed again:
Code:

[root@localhost IPTables-Parse-1.1]# perl5.16.3 Makefile.PL
Checking if your kit is complete...
Looks good
JSON::PP 2.27103 is not available
 at /usr/share/perl5/vendor_perl/CPAN/Meta/Converter.pm line 23.
 at /usr/share/perl5/vendor_perl/ExtUtils/MM_Any.pm line 830.
JSON::PP 2.27103 is not available
 at /usr/share/perl5/vendor_perl/CPAN/Meta/Converter.pm line 23.
[root@localhost IPTables-Parse-1.1]# make
make: *** No targets specified and no makefile found.  Stop.
[root@localhost IPTables-Parse-1.1]# make test
make: *** No rule to make target `test'.  Stop.
[root@localhost IPTables-Parse-1.1]# make install
make: *** No rule to make target `install'.  Stop.

I tried & failed & can't make out how to get JSON::PP 2.27103, is there any way around? Help is always appreciated.

regards,
nm

unSpawn 01-03-2015 04:40 AM

Quote:

Originally Posted by NM04 (Post 5293150)
Code:

[root@localhost sbin]# cpanm Module::IPTables-Parse

The module is called "IPTables::Parse": http://search.cpan.org/~mrash/IPTabl...ables/Parse.pm.


Quote:

Originally Posted by NM04 (Post 5293150)
I tried & failed & can't make out how to get JSON::PP 2.27103, is there any way around?

This module is called "JSON-PP-2.27103": http://search.cpan.org/~makamaka/JSON-PP-2.27103/

*What you get from this is:
0) query CPAN for the right name and
1) use "search.cpan.org" if you can't find it via the CLI.


Quote:

Originally Posted by NM04 (Post 5293150)
Code:

Can't locate IPTables/Parse.pm in @INC (@INC contains: /usr/lib/fwsnort /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ./fwsnort line 4260.

Couple of ways to get this working, in no particular order:
0) Run 'cpan IPTables::Parse' properly,
1) Download the "perl-IPTables-Parse" source RPM from Fedora and build for your system,
2) Download PSAD from cipherdyne.com as it already includes "IPTables::Parse".
3) Download IPTables-Parse-1.1.tar.bz2 from cipherdyne.com.
*Note #2 and #3 are really not advisable since these packages are way old and have not been updated since 2012.

NM04 01-05-2015 01:02 AM

Quote:

Originally Posted by unSpawn (Post 5294617)
2) Download PSAD from cipherdyne.com as it already includes "IPTables::Parse".
3) Download IPTables-Parse-1.1.tar.bz2 from cipherdyne.com.
*Note #2 and #3 are really not advisable since these packages are way old and have not been updated since 2012.

Dear Sir, I am trying to build an Intrusion Prevention System for my network, and I decided to implement iptables and supply rules from snort IDS with the help of IPTables::Parse to iptables. I am not implementing PSAD, but IPTables::Parse is what I need, if it is not being updated then would you please suggest any other implementation of IPS that best suits my network. I am trying to implement IPS in my intranet, which comprises a proxy, DNS, and at least around 1000 users.

regards,
nm

unSpawn 01-05-2015 01:34 AM

Quote:

Originally Posted by NM04 (Post 5295502)
I am not implementing PSAD, but IPTables::Parse is what I need, if it is not being updated then

I gave you four options and you only talk about the last two. Are the first two not feasible then?:
0) Run 'cpan IPTables::Parse' properly,
1) Download the "perl-IPTables-Parse" source RPM from Fedora and build for your system,


Quote:

Originally Posted by NM04 (Post 5295502)
would you please suggest any other implementation of IPS that best suits my network.

What are the specifications of your network that we should factor in when offering suggestions?


Quote:

Originally Posted by NM04 (Post 5295502)
I decided to implement iptables and supply rules from snort IDS with the help of IPTables::Parse to iptables.

Based on what criterion did you decide to implement fwsnort? And are you aware of the consequences, or phrased differently: how do you intend to mitigate fwsnort's pitfalls?

NM04 01-05-2015 05:49 AM

Code:

# cpanm IPTables::Parse
--> Working on IPTables::Parse
Fetching http://www.cpan.org/authors/id/M/MR/MRASH/IPTables-Parse-1.1.tar.gz ... OK
Configuring IPTables-Parse-1.1 ... N/A
! Configure failed for IPTables-Parse-1.1. See /root/.cpanm/work/1420457450.6872/build.log for details.

That log file:
Code:

cpanm (App::cpanminus) 1.6922 on perl 5.016003 built for x86_64-linux-thread-multi
Work directory is /root/.cpanm/work/1420457450.6872
You have make /usr/bin/make
You have LWP 6.05
You have /usr/bin/tar: tar (GNU tar) 1.26
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by John Gilmore and Jay Fenlason.
You have /usr/bin/unzip
Searching IPTables::Parse on cpanmetadb ...
--> Working on IPTables::Parse
Fetching http://www.cpan.org/authors/id/M/MR/MRASH/IPTables-Parse-1.1.tar.gz
-> OK
Unpacking IPTables-Parse-1.1.tar.gz
Entering IPTables-Parse-1.1
Checking configure dependencies from META.json
Checking if you have ExtUtils::MakeMaker 0 ... Yes (6.68)
Configuring IPTables-Parse-1.1
Running Makefile.PL
Checking if your kit is complete...
Looks good
JSON::PP 2.27103 is not available
 at /usr/share/perl5/vendor_perl/CPAN/Meta/Converter.pm line 23.
 at /usr/share/perl5/vendor_perl/ExtUtils/MM_Any.pm line 830.
JSON::PP 2.27103 is not available
 at /usr/share/perl5/vendor_perl/CPAN/Meta/Converter.pm line 23.
-> N/A
-> FAIL Configure failed for IPTables-Parse-1.1. See /root/.cpanm/work/1420457450.6872/build.log for details.


I work for an educational institute and, like I wrote in my previous post, I am behind a proxy and have a DNS server and nearly a thousand users. And they want to implement an IPS in the intranet.

Sir, honestly I don't have any idea about "fwsnort pitfalls". I read through many docs (for open source IPS) and found some solutions; fwsnort is one of them, which can be integrated with snort to parse its rules to IPTables, others are snortsam and suricata. I selected fwsnort just because I have snort IDS working.

Would you please consider my request and tell me about fwsnort pitfalls.

regards,
nm

unSpawn 01-05-2015 01:44 PM

Quote:

Originally Posted by NM04 (Post 5295567)
Code:

JSON::PP 2.27103 is not available

I told you the exact module name and where to find it!


Quote:

Originally Posted by NM04 (Post 5295567)
I selected fwsnort just because I have snort IDS working. Would you please consider my request and tell me about fwsnort pitfalls.

fwsnort "converts" Snort rules to be used as iptables rules. It does this by using the iptables "string match" module. String matching is not good for performance and it won't be able to filter traffic as accurately as Snort does. Some Snort rules probably can't even be translated to iptables rules, so the value of what you will be left with detection-wise will be questionable. In short: if there is no explicit and compelling reason to use fwsnort then choose Snort or Suricata instead.
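
A simplified illustration of the trade-off described in the post above, added here and not part of the thread or of fwsnort's own code: it maps Snort rule options onto iptables string-match arguments and reports which rules lose accuracy or cannot be expressed at all. The option classes, the chain name IPS_FORWARD and the sample rules are assumptions constructed for the example.

```python
import re
import shlex

# Assumed, simplified option classes for this sketch (not fwsnort's real tables).
UNTRANSLATABLE = {"pcre", "byte_test", "byte_jump", "flowbits"}
POSITIONAL = {"offset", "depth", "distance", "within"}
OPT_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:\\.|[^"\\])*"|[^;]*))?\s*;')

# Constructed sample rules, not taken from any real ruleset.
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"constructed plain"; content:"/cgi-bin/test.cgi"; nocase; sid:1000001;)',
    'alert tcp any any -> any 25 (msg:"constructed regex"; content:"MAIL FROM"; pcre:"/MAIL FROM:\\s*<[^>]{200,}/i"; sid:1000002;)',
    'alert udp any any -> any 53 (msg:"constructed binary"; content:"|01 00 00 01|"; offset:2; depth:4; sid:1000003;)',
]

def translate(rule, chain="IPS_FORWARD"):  # chain name is hypothetical
    """Return (status, iptables command or None, options that caused the status)."""
    header, body = rule.split("(", 1)
    _action, proto, _src, _sport, _arrow, _dst, dport = header.split()
    opts = OPT_RE.findall(body.rsplit(")", 1)[0])
    names = {name for name, _ in opts}
    # A fixed-pattern string match cannot express regexes, byte arithmetic or flow state.
    if names & UNTRANSLATABLE:
        return "untranslatable", None, sorted(names & UNTRANSLATABLE)
    cmd = ["iptables", "-A", chain, "-p", proto]
    if dport != "any":
        cmd += ["--dport", dport]
    for name, value in opts:
        if name == "content":
            value = value.strip('"')
            # Snort's |..| byte notation goes to --hex-string, plain text to --string.
            flag = "--hex-string" if "|" in value else "--string"
            cmd += ["-m", "string", flag, value, "--algo", "bm"]
        elif name == "nocase":
            cmd.append("--icase")
    cmd += ["-j", "DROP"]
    # This sketch drops positional modifiers, so the rule matches more than Snort would.
    dropped = sorted(names & POSITIONAL)
    return ("lossy" if dropped else "ok"), shlex.join(cmd), dropped

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(translate(rule))
```

Of the three constructed rules, only the first converts cleanly; the second is rejected because of `pcre`, and the third converts only by discarding `offset` and `depth`.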

NM04 01-06-2015 10:39 PM

Quote:

Originally Posted by unSpawn (Post 5295786)
I told you the exact module name and where to find it!

Ok, if I don't use fwsnort (because of that drawback), I don't have to install this JSON::PP module.


Quote:

Originally Posted by unSpawn (Post 5295786)
In short: if there is no explicit and compelling reason to use fwsnort then choose Snort instead or Suricata.

Ok, if I choose snort, because I have already implemented it as an IDS and it is working fine, what other options do I have to make it work like an IPS? I have tried to install Snortsam but I am stuck. If something can be done with the current implementation I would be more than happy!! If not then I will have to go for suricata.

regards,
nm

unSpawn 01-07-2015 01:28 PM

Quote:

Originally Posted by NM04 (Post 5296797)
I have tried to install Snortsam but I am stuck.

Please create a new thread and post detailed, exact information there:
- Linux distribution and release,
- which software + versions you installed,
- any steps you took to install software if they deviate from the software instructions, and
- the errors you got, and
- what you have tried to fix them.

NM04 01-07-2015 11:06 PM

Yes Sir, I will. Actually I am stuck because I can't find the binary of snort in my system. And Sir, please consider my request and advise me on commercially available software products for firewall, IPS/IDS, which you think are best for an institution's network, as we are growing fast and expecting 5000-10000 users or maybe more in the next 3-5 years.

best regards,
nm

unSpawn 01-08-2015 05:34 PM

Quote:

Originally Posted by NM04 (Post 5297432)
Yes Sir, I will. Actually I am stuck because I can't find the binary of snort in my system.

Then I assert you haven't even tried searching, see: https://www.snort.org/downloads


Quote:

Originally Posted by NM04 (Post 5297432)
please consider my request and advise me on commercially available software products

I'm sorry, Dave. I'm afraid I can't do that (as I am not a travelling salesman ;-p).

NM04 01-08-2015 10:23 PM

Apologies, I never meant to disrespect you.

unSpawn 01-10-2015 03:05 AM

Likewise I do not see you showing any disrespect. So, will you be continuing with fwsnort or will you move to Snort itself?

NM04 01-11-2015 10:35 PM

I am not going with fwsnort, I will try "snortsam" first, if it works all good, otherwise---suricata.

unSpawn 01-13-2015 06:04 PM

OK, good luck!

NM04 01-13-2015 10:19 PM

thanks!


All times are GMT -5.