Chapter 10: Deploying fwsnort
The tedious task of translating Snort signatures into iptables rules has been automated by the fwsnort project, and this chapter shows you how it is done. Deploying fwsnort endows your iptables policy with true intrusion detection abilities.Chapter 10 discusses the configuration file for fwsnort, and you can download the default config file here (or see below). This file is bundled with the fwsnort project.
#
###########################################################################
#
# This is the configuration file for fwsnort. There are some similarities
# between this file and the configuration file for Snort.
#
###########################################################################
#
# $Id: index.html 2980 2011-01-09 15:27:41Z mbr $
#
### Fwsnort treats all traffic directed to / originating from the local
### machine as going to / coming from the HOME_NET in Snort rule parlance.
### If there is only one interface on the local system, then there will be
### no rules processed via the FWSNORT_FORWARD chain because no traffic
### would make it into the iptables FORWARD chain.
HOME_NET any;
EXTERNAL_NET any;
### List of servers. Fwsnort supports the same variable resolution as
### Snort.
HTTP_SERVERS $HOME_NET;
SMTP_SERVERS $HOME_NET;
DNS_SERVERS $HOME_NET;
SQL_SERVERS $HOME_NET;
TELNET_SERVERS $HOME_NET;
### AOL AIM server nets
AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, \
64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24];
### Configurable port numbers
SSH_PORTS 22;
HTTP_PORTS 80;
SHELLCODE_PORTS !80;
ORACLE_PORTS 1521;
### define average packet lengths and maximum frame length. This is
### used for iptables length match emulation of the Snort dsize option.
AVG_IP_HEADER_LEN 20; ### IP options are not usually used.
AVG_TCP_HEADER_LEN 30; ### Include 10 bytes for options (which
### accompany ACK packets).
MAX_FRAME_LEN 1500;
### Use the WHITELIST variable to define a list of hosts/networks
### that should be completely ignored by fwsnort. For example, if you
### want to whitelist the IP 192.168.10.1 and the network 10.1.1.0/24,
### you would use (note that you can also specify multiple WHITELIST
### variables, one per line):
#WHITELIST 192.168.10.1, 10.1.1.0/24;
WHITELIST NONE;
### Use the BLACKLIST variable to define a list of hosts/networks
### that for which fwsnort should DROP or REJECT all traffic. For
### example, to DROP all traffic from the 192.168.10.0/24 network, you
### can use:
### BLACKLIST 192.168.10.0/24 DROP;
### To have fwsnort REJECT all traffic from 192.168.10.0/24, you would
### use:
### BLACKLIST 192.168.10.0/24 REJECT;
BLACKLIST NONE;
### define the jump position in the built-in chains to jump to the
### fwsnort chains
FWSNORT_INPUT_JUMP 1;
FWSNORT_OUTPUT_JUMP 1;
FWSNORT_FORWARD_JUMP 1;
### iptables chains (these do not normally need to be changed).
FWSNORT_INPUT FWSNORT_INPUT;
FWSNORT_INPUT_ESTAB FWSNORT_INPUT_ESTAB;
FWSNORT_OUTPUT FWSNORT_OUTPUT;
FWSNORT_OUTPUT_ESTAB FWSNORT_OUTPUT_ESTAB;
FWSNORT_FORWARD FWSNORT_FORWARD;
FWSNORT_FORWARD_ESTAB FWSNORT_FORWARD_ESTAB;
### system binaries
shCmd /bin/sh;
echoCmd /bin/echo;
tarCmd /bin/tar;
wgetCmd /usr/bin/wget;
unameCmd /usr/bin/uname;
ifconfigCmd /sbin/ifconfig;
iptablesCmd /sbin/iptables;
