Michael Rash, Security Researcher

Chapter 9: Translating Snort Rules into iptables Rules

The Snort IDS has shown the community the way to detect network-based attacks, and so it is logical to leverage the Snort signature language in iptables. Because iptables offers a rich logging format and the ability to inspect application layer data, a significant percentage of Snort signatures can be translated into iptables rules.
For example, consider the following Snort rule, which detects an XMLHttpRequest attempt coming from a malicious webserver back to the web client:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT XMLHttpRequest attempt"; flow:to_client,established; content:"new XMLHttpRequest|28|"; content:"file|3A|//"; nocase; reference:bugtraq,4628; reference:cve,2002-0354; classtype:web-application-attack; sid:1735; rev:7;)

This Snort rule can be cleanly translated into an equivalent iptables rule even though it requires multiple content matches. Here is the iptables rule that fwsnort builds:

$IPTABLES -A FWSNORT_FORWARD_ESTAB -d -p tcp --sport 80 -m string --hex-string "new XMLHttpRequest|28|" --algo bm -m string --hex-string "file|3A|//" --algo bm -m comment --comment "sid:1735; msg:WEB-CLIENT XMLHttpRequest attempt; classtype:web-application-attack; reference:bugtraq,4628; rev:7; FWS:1.0.1;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[1] SID1735 ESTAB "
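As an added worked example (this is not fwsnort's code and not part of the original text), the following Python script performs the translation described above for rules of the shape shown: it parses the Snort header and option list, turns each content: keyword into a -m string --hex-string ... --algo bm match (Snort's |hex| escapes use the same notation iptables expects), selects the _ESTAB chain when flow:established is present, carries the signature metadata into an iptables comment, and builds the LOG prefix from the rule counter and sid. The $HOME_NET value (192.168.10.0/24) and the $HTTP_PORTS mapping to port 80 are assumptions; the FWSNORT_FORWARD/FWSNORT_FORWARD_ESTAB chain names and the [1] counter follow the page's output. It also enforces two kernel limits the page does not mention: --log-prefix is capped at 29 characters and the comment match stores at most 256 bytes including the terminating NUL, so a long msg or many reference: keywords must be caught before iptables rejects the rule.

```python
import re

# Constructed sample input: the Snort rule quoted on this page (sid:1735).
SNORT_RULE = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
    '(msg:"WEB-CLIENT XMLHttpRequest attempt"; flow:to_client,established; '
    'content:"new XMLHttpRequest|28|"; content:"file|3A|//"; nocase; '
    'reference:bugtraq,4628; reference:cve,2002-0354; '
    'classtype:web-application-attack; sid:1735; rev:7;)'
)
# Rule header: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$'
)
# One rule option: keyword, optional ":value" (quoted or bare), then ';'
OPTION_RE = re.compile(r'\s*(?P<key>\w+)(?::(?P<val>"[^"]*"|[^;]*))?;')
PORT_VARS = {"$HTTP_PORTS": "80"}   # assumed snort.conf value
LOG_PREFIX_MAX = 29                 # the LOG target rejects a longer --log-prefix
COMMENT_MAX = 255                   # xt_comment stores 256 bytes including the NUL

def parse_snort_rule(rule):
    """Split one Snort rule into a header dict and an ordered option list."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("unparseable Snort rule header")
    header = m.groupdict()
    body = header.pop("opts").strip()
    opts, pos = [], 0
    while pos < len(body):
        om = OPTION_RE.match(body, pos)
        if not om:
            raise ValueError("unparseable option at: %r" % body[pos:])
        val = om.group("val")
        opts.append((om.group("key"), None if val is None else val.strip().strip('"')))
        pos = om.end()
    return header, opts

def addr_args(flag, spec, home_net):
    """$HOME_NET maps to -s/-d <home_net>; $EXTERNAL_NET and any match everything."""
    if spec in ("any", "$EXTERNAL_NET"):
        return []
    return [flag, home_net if spec == "$HOME_NET" else spec]

def port_args(flag, spec):
    """Resolve a single port or port variable to --sport/--dport."""
    if spec == "any":
        return []
    port = PORT_VARS.get(spec, spec)
    if not port.isdigit():
        raise ValueError("unsupported port spec: %s" % spec)
    return [flag, port]

def snort_to_iptables(rule, home_net, rule_num=1, iptables="$IPTABLES"):
    """Build the iptables string-match + LOG rule equivalent to one Snort rule."""
    header, opts = parse_snort_rule(rule)
    if header["proto"] != "tcp" or header["dir"] != "->":
        raise ValueError("this example handles unidirectional TCP rules only")
    fields, contents, refs = {}, [], []
    for key, val in opts:
        if key == "content":
            contents.append(val)
        elif key == "reference":
            refs.append(val)
        else:
            fields[key] = val
    if not contents or "sid" not in fields:
        raise ValueError("rule needs at least one content: match and a sid")
    # flow:established selects the chain that only sees established connections.
    established = "established" in (fields.get("flow") or "")
    chain = "FWSNORT_FORWARD_ESTAB" if established else "FWSNORT_FORWARD"
    args = [iptables, "-A", chain]
    args += addr_args("-s", header["src"], home_net)
    args += addr_args("-d", header["dst"], home_net)
    args += ["-p", "tcp"] + port_args("--sport", header["sport"]) + port_args("--dport", header["dport"])
    # Each content: keyword becomes its own string match; Snort's |hex| escapes use
    # the notation --hex-string expects. nocase is dropped, as in the page's output.
    for content in contents:
        args += ["-m", "string", "--hex-string", '"%s"' % content, "--algo", "bm"]
    # Carry the signature metadata into the rule as a comment, within the kernel limit.
    parts = ["sid:%s" % fields["sid"], "msg:%s" % fields.get("msg", "")]
    parts += ["classtype:%s" % fields["classtype"]] if "classtype" in fields else []
    parts += ["reference:%s" % r for r in refs] + ["rev:%s" % fields.get("rev", "0")]
    comment = "; ".join(parts) + ";"
    if len(comment) > COMMENT_MAX:
        raise ValueError("comment is %d bytes; xt_comment allows %d" % (len(comment), COMMENT_MAX))
    args += ["-m", "comment", "--comment", '"%s"' % comment]
    # The log prefix ties each syslog line back to the sid; the LOG target caps it.
    prefix = " ".join(["[%d]" % rule_num, "SID%s" % fields["sid"]]
                      + (["ESTAB"] if established else [])) + " "
    if len(prefix) > LOG_PREFIX_MAX:
        raise ValueError("log prefix exceeds %d characters" % LOG_PREFIX_MAX)
    args += ["-j", "LOG", "--log-ip-options", "--log-tcp-options", "--log-prefix", '"%s"' % prefix]
    return " ".join(args)

if __name__ == "__main__":
    print(snort_to_iptables(SNORT_RULE, "192.168.10.0/24"))  # constructed $HOME_NET
```

Running the script prints a rule that matches the fwsnort output above, apart from the assumed -d address, the inclusion of both reference: keywords in the comment, and the absence of the FWS version tag. The two limit checks matter in practice: iptables refuses the rule outright when the prefix or comment is too long, so a translator that does not check them fails only at load time, on the firewall host.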