fwsnort: Application Layer IDS/IPS with iptables
fwsnort parses the rules files included in the Snort intrusion detection system and builds an equivalent iptables ruleset for as many rules as possible. To detect application-layer attacks, fwsnort uses the Netfilter string match module together with a custom patch (since integrated into mainline iptables) that adds a --hex-string option to the iptables user-space code.
fwsnort makes use of the IPTables::Parse module (to be submitted to CPAN) to translate only those Snort rules whose matching traffic could potentially be passed through the existing iptables ruleset.
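The translation step described above, as an added illustration that is not fwsnort's own code: a small Python translator that turns a Snort rule's content keyword into an iptables string match using the --hex-string format, and gives up on rules it cannot express. The sample rule, the FWSNORT_INPUT chain name and the LOG-prefix convention are constructed assumptions, not taken from the project.

```python
import re

# Constructed sample rule in Snort syntax, not taken from the page or from the Snort rule files.
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
               '(msg:"WEB-MISC /etc/passwd access"; content:"/etc/passwd"; nocase; sid:1122; rev:5;)')

HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')
OPTION_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

def parse_rule(rule):
    """Split one Snort rule into header fields plus an ordered list of (keyword, value) options."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule header")
    action, proto, src, sport, dst, dport, body = m.groups()
    # quoted values lose their surrounding quotes; bare values (sid:1122) are just trimmed
    opts = [(k, v[1:-1] if v.startswith('"') else v.strip()) for k, v in OPTION_RE.findall(body)]
    return {"action": action, "proto": proto, "dport": dport, "opts": opts}

def content_to_hex(content):
    """Encode a Snort content string (text with optional |hex| runs) as one iptables --hex-string."""
    out = []
    for i, chunk in enumerate(re.split(r'(?<!\\)\|', content)):   # unescaped pipes delimit hex runs
        if i % 2:                                   # odd chunks are raw hex bytes, e.g. "0d 0a"
            out.extend(chunk.split())
        else:                                       # even chunks are literal text with \ escapes
            text = re.sub(r'\\(.)', r'\1', chunk)
            out.extend("%02x" % b for b in text.encode("latin-1"))
    return "|" + " ".join(out) + "|"

def snort_to_iptables(rule, chain="FWSNORT_INPUT"):
    """Return an iptables string-match LOG rule for a Snort rule, or None if it cannot be expressed."""
    r = parse_rule(rule)
    contents = [v for k, v in r["opts"] if k == "content"]
    if r["proto"] not in ("tcp", "udp") or not contents:
        return None                                 # need a port-bearing protocol and a payload pattern
    if r["dport"] != "any" and not re.fullmatch(r'\d+(:\d+)?', r["dport"]):
        return None                                 # port variables and port lists are left to the real tool
    flags = {k for k, _ in r["opts"]}
    sid = dict(r["opts"]).get("sid", "0")
    parts = ["iptables", "-A", chain, "-p", r["proto"]]
    if r["dport"] != "any":
        parts += ["--dport", r["dport"]]
    for c in contents:                              # one string match per content keyword
        parts += ["-m", "string", "--algo", "bm", "--hex-string", '"%s"' % content_to_hex(c)]
        if "nocase" in flags:                       # simplification: nocase is applied to every content
            parts.append("--icase")
    parts += ["-j", "LOG", "--log-prefix", '"[SID%s] "' % sid]
    return " ".join(parts)
```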
fwsnort was the subject of a featured security article, "Basic Intrusion Prevention using Content-based Filtering", on linuxsecurity.com, and has also appeared in SysAdmin Magazine in the article "Content Filtering and Inspection with fwsnort and psad". Most recently (Dec, 2004), fwsnort has appeared in the book "Troubleshooting Linux(R) Firewalls" by Michael Shinn and Scott Shinn, published by Addison Wesley.
Data replacement patches for the Netfilter string match extension can be found here (2.4 kernels only): libipt_string patch, ipt_string kernel patch. Together these patches emulate the replace keyword in Snort_inline by adding two new iptables command line options, "--replace-string" and "--replace-hex-string". All data replacement is performed within the kernel. See my DEFCON 12 presentation for more information.
