# Snort or fwsnort

## plice

Hi,

Was wondering which one is better to deploy as an active IDS. I've read the book about fwsnort, but the problem is that it can't translate all the rules from Snort (maybe 40ish%?).

So I wonder which one is better as an active IDS to work with iptables. Might as well run Snort instead of fwsnort, correct?

I haven't read much about Snort (just starting now).

Pls advise :)

Thank you.

Polish

----------

## neyoobaba

Hello, 

I am new to Snort. Can anyone please help or post a step-by-step link on how to install Gentoo?

----------

## Btoo

Can you post what ruleset you used? I could assume you used the opensource register-only set. It would be good to get a discussion going on this; I am just now looking into using fwsnort myself, so I have a few questions for you. Were there some categories that did not work, or were the errors or untranslated rules all over the map, so to speak?

I have read in Michael Rash's book "Linux Firewalls" that the rules that use pcre (perl core regex?) will not be translated. Could you post the fwsnort log (fwsnort.log)? You should take a look at pg 176; it seems that your output is normal, as not all rules will work with fwsnort.

As for the other post here, in Gentoo the installation of Snort is easy, it's the configuring that will take time!

For an inline box with 3 NICs, one for management, here is the list of USE flags I used:

```
net-analyzer/snort-2.9.0.5  USE="active-response decoder-preprocessor-rules dynamicplugin flexresp3 gre inline-init-failopen mysql normalizer ppm react reload-error-restart threads zlib 
```

The ebuild will pull in the dependencies for you. Just install it, then read the docs on the compile options and reinstall with the USE flags you need for your particular installation.

Hope this helps.

----------

## plice

Hi Btoo,

Sorry, I haven't had time to do anything... I was planning on using opensource register sets. Yeah, I've read that book as well. I've got a VPS, so I'm not keen on setting up Snort.

Let me know how you went; I will try to work on it tonight...

neyoobaba, if you want some reading material, PM me.

Thanks

----------

## myceliv

To get only 40%, you may have some kernel extensions missing. The Rash book mentioned has a pretty good rundown on kernel config, although a few things are out of date. I get about 70% instantiated using very recent emerging-all snort-edge rules, plus those installed with the fwsnort ebuild.

@Btoo, the majority that fail are complex pcres, and several other categories such as byte_jump, threshold and fast_pattern. A few might be addressable now that I've moved to 2.6.39 kernels; I haven't had time to research that yet. It's a much better situation than when the Rash book first came out, in terms of fwsnort coverage anyway.

I need to learn so much more about iptables and security anyway, and my network is relatively low-loss if damaged and low-risk (not so exposed), so for me it is easy to decide not to run Snort and to focus on the simpler task of maintaining and learning to better use iptables and fwsnort. Also, my first-line firewall is very low on CPU and memory, so I'd rather do most everything within the kernel rather than feed Snort.

[Edit:] Another thought... Very likely more important than Snort or fwsnort is to run hardened and minimize services, etc. Review to make sure the basics are covered too.

----------
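The thread above names the Snort rule options that fwsnort reportedly leaves untranslated (pcre per the Rash book; byte_jump, threshold and fast_pattern per myceliv). The following added example, which is not code from the thread or from fwsnort, parses a constructed Snort rule file and reports, per sid, which of those options would block translation and what share of the set fwsnort could be expected to carry into iptables. The blocking-option list is taken from the posts, not from fwsnort's own logic, so treat the coverage figure as an estimate.

```python
import re

# Rule options the thread reports fwsnort cannot translate: pcre (Rash book) plus
# byte_jump, threshold, fast_pattern (myceliv). Taken from the posts, not fwsnort's code.
UNTRANSLATABLE = {"pcre", "byte_jump", "threshold", "fast_pattern"}

# header = action proto src sport dir dst dport, followed by the parenthesised option body
HEADER_RE = re.compile(r"^(\w+\s+\w+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+)\s*\((.*)\)\s*$")
# one option = a run of non-';' text; double-quoted values may themselves contain ';'
OPTION_RE = re.compile(r'(?:[^;"]|"(?:\\.|[^"\\])*")+')

def parse_rule(line):
    """Return (sid, [option names]) for one rule, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a Snort rule: " + line)
    names, sid = [], None
    for item in OPTION_RE.findall(m.group(2).strip()):
        name, _, value = (part.strip() for part in item.partition(":"))
        names.append(name)
        if name == "sid":
            sid = int(value)
    return sid, names

def coverage_report(ruleset):
    """Map sid -> sorted blocking options ([] means fwsnort could translate the rule)
    and return it with the percentage of rules that carry no blocking option."""
    report = {}
    for line in ruleset.splitlines():
        parsed = parse_rule(line)
        if parsed:
            sid, names = parsed
            report[sid] = sorted(UNTRANSLATABLE.intersection(names))
    translatable = sum(1 for blockers in report.values() if not blockers)
    return report, (100.0 * translatable / len(report) if report else 0.0)
# Constructed sample rules (local sids >= 1000000); not taken from any real ruleset.
SAMPLE_RULES = r"""
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"plain content"; content:"GET /admin"; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"regex"; content:"GET"; pcre:"/^GET\s+\/(cgi|admin)/i"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"length jump"; content:"|ff|SMB"; byte_jump:4,0,relative; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"semicolon; inside quotes"; content:"a;b"; threshold:type limit,track by_src,count 1,seconds 60; sid:1000004; rev:1;)
"""

if __name__ == "__main__":
    report, pct = coverage_report(SAMPLE_RULES)
    print(report, "fwsnort coverage: %.0f%%" % pct)
```

Point `coverage_report` at the text of a real rules file to get a rough pre-run estimate of what fwsnort.log will later confirm.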

