Fwsnort: Application layer IDS/IPS with iptables

Fwsnort parses the rules files included in the Snort intrusion detection system and builds an equivalent iptables ruleset for as many rules as possible.

Fwsnort utilizes the iptables string match module (together with a custom patch that added a --hex-string option to the iptables user space code, a patch that is now integrated into iptables) to detect application layer attacks.

Fwsnort 1.5 is now available for download. This is a major release that moves to using the iptables-save format for instantiating the fwsnort policy, which drastically reduces the run time needed to add the fwsnort policy to the kernel.

Fwsnort now splices the translated Snort rules into the iptables policy that is running in the kernel at the time of translation. So, any updates to the iptables policy that are made after fwsnort is executed and before fwsnort.sh is run would be lost. Hence, it is advisable to execute fwsnort.sh soon after running fwsnort.
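As an added illustration of the translation step (this is not fwsnort's own Perl code), the sketch below rewrites a Snort rule's content match as an iptables string-match rule using --hex-string and emits it in iptables-save format; the chain name FWSNORT_INPUT, the sample rule and the LOG target are assumptions chosen for the example.

```python
import re
from typing import List, Optional

# Constructed sample rule in Snort syntax (not taken from any real ruleset).
SAMPLE_RULE = (
    'alert tcp any any -> any 80 (msg:"EXAMPLE web request"; '
    'content:"GET /cgi-bin/|2e 2e|/"; nocase; sid:9000001; rev:1;)'
)

def content_to_hex(content: str) -> str:
    """Turn a Snort content string (ASCII mixed with |hex| segments) into
    one all-hex token in the |..| notation that --hex-string accepts, so no
    shell or iptables-restore quoting of literal bytes is needed."""
    out = []
    for i, part in enumerate(content.split('|')):
        if i % 2:   # odd segments sit inside |...| and are already hex digits
            out.extend(re.findall(r'[0-9a-fA-F]{2}', part))
        else:       # even segments are literal ASCII text
            out.extend(f'{b:02x}' for b in part.encode('latin-1'))
    return '|' + ' '.join(out) + '|'

def snort_to_iptables(rule: str, chain: str = 'FWSNORT_INPUT') -> Optional[str]:
    """Translate one 'alert tcp/udp' Snort rule with a content option into an
    iptables-save line. Returns None for rules this sketch cannot express."""
    m = re.match(r'alert\s+(tcp|udp)\s+\S+\s+\S+\s+->\s+\S+\s+(\S+)\s+\((.*)\)\s*$', rule)
    if not m:
        return None
    proto, dport, opts = m.groups()
    content = re.search(r'content:"([^"]*)"', opts)
    sid = re.search(r'sid:(\d+)', opts)
    if not content or not sid:
        return None
    parts = ['-A', chain, '-p', proto]
    if dport.isdigit():            # Snort port variables ($HTTP_PORTS) are not resolved here
        parts += ['--dport', dport]
    parts += ['-m', 'string', '--hex-string', f'"{content_to_hex(content.group(1))}"',
              '--algo', 'bm']
    if re.search(r'\bnocase\b', opts):   # Snort nocase maps to string match --icase
        parts.append('--icase')
    parts += ['-j', 'LOG', '--log-prefix', f'"[SID{sid.group(1)}] "']
    return ' '.join(parts)

def iptables_save_policy(rules: List[str], chain: str = 'FWSNORT_INPUT') -> str:
    """Wrap translated rules in a filter-table block suitable for iptables-restore."""
    lines = ['*filter', f':{chain} - [0:0]']
    lines += [r for r in (snort_to_iptables(x, chain) for x in rules) if r]
    lines.append('COMMIT')
    return '\n'.join(lines)
```

Feeding the output to iptables-restore loads every translated rule in one pass instead of one iptables invocation per rule.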

This is a reasonable tradeoff though, considering the performance benefit seen below, which gives an example of how long it takes to add an fwsnort iptables policy via the old strategy of executing one iptables command at a time vs. implementing the same policy with iptables-restore.
