Intrusion Prevention and Active Response: Deploying Network and Host IPS

Fwsnort

Fwsnort (www.cipherdyne.org/fwsnort) functions as a transport layer inline IPS, because it is deployed directly within the IPtables firewall. It works by translating Snort signatures into their equivalent IPtables rule sets; therefore, it will only stop attacks for which there are Snort signatures. Not all Snort rules are easily translated; however, Fwsnort does a good job at translating approximately 70 percent of them. Fwsnort also accepts Snort rules by their SID (Snort ID) value, so you can add specific rules to your IPtables ruleset. IPtables can then either log or block the attacks. One nice feature of Fwsnort is its ability to parse the IPtables ruleset that is currently running on the Linux system and decide which rules are appropriate to add. For example, if the IPtables ruleset does not allow TCP port 80 through, Fwsnort will automatically skip all of the Snort Web rules. This automatically decreases the size of the ruleset that Fwsnort generates.

Before installing Fwsnort, you must install the IPtables string match kernel patch and then recompile the kernel. Once Fwsnort is installed, it references the configuration file /etc/fwsnort/fwsnort.conf. You must make some initial changes to this file to assign the appropriate firewall interfaces. The configuration file also contains areas for whitelists, where you can exclude hosts and networks from being blocked. The following command instructs Fwsnort to generate an IPtables policy in prevention mode:

 [firewall]# fwsnort --ipt-reject
 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
     Snort Rules File ...
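To make the translation concrete, the following added example (written for this page, not Fwsnort's own code) shows the core idea in miniature: parse a Snort rule header and its options, drop rules whose destination port the firewall policy does not admit, and emit an IPtables LOG rule followed by a REJECT (or DROP) rule built on the `-m string` match. The three Snort rules, their SIDs, the `FWSNORT_INPUT` chain name and the set of open ports are all constructed for the example; the IPtables options used (`--string`, `--hex-string`, `--algo`, `--icase`, `--reject-with tcp-reset`) are real ones. The parser is deliberately simple and does not handle escaped semicolons or modifiers such as `offset` and `depth`, which is part of why a real translator cannot cover every Snort rule.

```python
"""Toy Snort-to-iptables translator in the spirit of Fwsnort.

Example code written for this page; it is NOT Fwsnort's implementation.
The sample rules, SIDs and chain name below are constructed for the example.
"""
import re
import shlex

# Constructed sample rules; the SIDs are placeholders, not real signatures.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; flow:to_server,established; content:"/example-probe.cgi"; nocase; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE ftp probe"; content:"SITE EXEC"; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXAMPLE smtp probe"; content:"|de ad be ef|"; sid:9000003; rev:1;)
"""

# Snort rule header: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)'
    r'\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$'
)


def parse_rule(line):
    """Parse one Snort rule into a dict, or return None if the header
    does not match. Options are split on ';' (simplified: no escapes)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rule = m.groupdict()
    opts = {}
    for opt in rule.pop('opts').split(';'):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(':')
        opts[key.strip()] = val.strip().strip('"')
    rule['opts'] = opts
    return rule


def content_to_match(content):
    """Map a Snort content field to a string-match argument. Snort's
    |xx xx| hex notation maps onto --hex-string, which uses the same pipes."""
    if '|' in content:
        return ['--hex-string', content]
    return ['--string', content]


def translate(rule, open_ports, mode='reject'):
    """Return iptables command lines for one parsed rule, or [] if the rule
    is skipped. As the page describes, rules for ports the firewall policy
    does not admit are left out, and each kept rule becomes a LOG rule
    followed by a blocking rule."""
    if rule['proto'] != 'tcp':
        return []  # example handles TCP only
    dport = rule['dport']
    if dport != 'any' and int(dport) not in open_ports:
        return []  # port not allowed through: nothing to protect
    opts = rule['opts']
    if 'content' not in opts:
        return []  # no payload pattern for the string match to work on
    sid = opts.get('sid', 'unknown')
    match = ['-m', 'string', '--algo', 'bm'] + content_to_match(opts['content'])
    if 'nocase' in opts:
        match.append('--icase')
    base = ['iptables', '-A', 'FWSNORT_INPUT', '-p', 'tcp']  # chain name is hypothetical
    if dport != 'any':
        base += ['--dport', dport]
    base += match
    log = base + ['-j', 'LOG', '--log-prefix', f'SID{sid} ']
    if mode == 'reject':
        block = base + ['-j', 'REJECT', '--reject-with', 'tcp-reset']
    else:
        block = base + ['-j', 'DROP']
    return [shlex.join(log), shlex.join(block)]


def translate_all(text, open_ports, mode='reject'):
    """Translate every parsable rule in text against the set of open ports."""
    out = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule:
            out.extend(translate(rule, open_ports, mode))
    return out


if __name__ == '__main__':
    # Policy admits 80 and 25 only, so the port-21 rule is skipped.
    for cmd in translate_all(SAMPLE_RULES, {80, 25}):
        print(cmd)
```

Running it prints four commands (LOG plus REJECT for the port-80 and port-25 rules) and nothing for the port-21 rule, which is the pruning behaviour the page attributes to Fwsnort. The LOG rule precedes the REJECT rule because the string match has to fire twice to both record and stop the packet; in a real policy the LOG rule would also carry rate limiting so a flood of matching packets cannot fill the log.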
