Program information: fwsnort 0.9.0

Downloads: 23
Size: 0
Version: 0
Added on: 25/03/2007
Total votes: 0
Rating: 0.0000

 
Description
fwsnort parses the rules files included in the snort intrusion detection system and builds an equivalent iptables ruleset for as many rules as possible.

fwsnort accepts command line arguments to restrict processing to any particular class of snort rules such as "ddos", "backdoor", or "web-attacks". Processing can even be restricted to a specific snort rule as identified by its "snort id" or "sid".

fwsnort utilizes the iptables string match module (together with a custom patch that adds a --hex-string option to the iptables user space code) to detect application level signatures.

fwsnort (optionally) makes use of the IPTables::Parse module (to be submitted to CPAN) to translate snort rules for which matching traffic could potentially be passed through the existing iptables ruleset.

Here are some key features of "fwsnort":
· Detection for tcp syn, fin, null, and xmas scans as well as udp scans.
· Detection of many signature rules from the snort intrusion detection system.
· Forensics mode iptables logfile analysis (useful as a forensics tool for extracting scan information from old iptables logfiles).
· Passive operating system fingerprinting via tcp syn packets. Two different fingerprinting strategies are supported; a re-implementation of p0f that strictly uses iptables log messages (requires the --log-tcp-options command line switch), and a TOS-based strategy.
· Email alerts that contain tcp/udp/icmp scan characteristics, reverse dns and whois information, snort rule matches, remote OS guess information, and more.
· Content-based alerts for buffer overflow attacks, suspicious application commands, and other suspect traffic through the use of the iptables string match extension and fwsnort.
· Icmp type and code header field validation.
· Configurable scan thresholds and danger level assignments.
· Iptables ruleset parsing to verify "default drop" policy stance.
· IP/network danger level auto-assignment (can be used to ignore or automatically escalate danger levels for certain networks).
· DShield alerts.
· Auto-blocking of scanning IP addresses via iptables and/or tcpwrappers based on scan danger level. (This is NOT enabled by default.)
· Status mode that displays a summary of current scan information with associated packet counts, iptables chains, and danger levels.

What's New in This Release:
· Support for multiple content matches was added, since this is supported by iptables.
· This increased the fwsnort translation rate by 10%, so about 60% of all Snort-2.3.3 rules can be translated now.
· Emulation was added for distance and within from previous content match based on --from and --to and the length of the previous pattern.
· The ability to include the Snort "msg", "classtype", "reference", "priority", and "rev" fields in each iptables rule with the comment match was added.
· This can be disabled with --no-ipt-comments.

 

Copyright (©) Moshax 2008. All rights reserved.