Friday, January 27, 2006

Writing PF and Snort rules - Syntax Identical?

Writing firewall and IDS rules is now part of my job; I have to write them whenever there's a need. Before I used OpenBSD, which was three years back, I was using Red Hat Linux 6.0/7.2 and had tried to finish the ipchains/iptables documentation, which I did, but I found myself kind of short of memory: I couldn't remember how to write proper firewall rules without referring to the documentation or manual. iptables is considered solid, but the rule-writing part seems cryptic, and that's one of the main reasons why tools like Firewall Builder and the like are getting popular: they simplify the user's or admin's job of getting firewalling done. They no longer need to learn iptables the hard way. I do know people who are iptables hardcore, but remember that it takes longer to learn than it's supposed to; no offense to any firewalling technology, but I guess lots of people agree with me.

I use Linux, and yet I tried out OpenBSD, which was 3.5 at the time, and I managed to learn it quickly, especially the configuration part for Apache, ftpd and other services. However, my main purpose in using OpenBSD would be running a security device, since OpenBSD itself is secure by default. Since OpenBSD offers its own firewall, called PF, I started learning it by reading the manual and the documentation, quickly googling and learning how other people put their rules together. It seems that PF is much simpler and easier to understand; I'm now able to write a PF rules file without much referring to its manual and documentation, and it's more fun as well, since there's less headache in loading PF rules.

Last year I started writing Snort rules after joining a new company. I had used Snort since two years back but never wrote any rules until last year, when I had to. At first it looks complicated, but after a while you might feel comfortable, since the tricky part is how to write rules that detect the intrusions perfectly, rather than the syntax.

Apparently both PF firewall rules and Snort IDS rules are very human readable, and you can quickly understand what they do. Then I found out why I could quickly adapt to writing Snort rules: it is actually almost identical to writing PF rules. Let's take a look at the structure of both.

Below is the syntax of a PF rule:

(pf action) [log] [quick] on [interface] [af] [protocol] from [src_addr[port src_port]] (direction) [dst_addr[port dst_port]] [flags tcp_flags] [state]

And here is the syntax of a Snort rule:

(snort action) [protocol] [src_addr[src_port]] (direction) [dst_addr[dst_port]] (msg:"PF Snort l33t"; optional classtype; optional snort ID (sid); optional revision (rev) number;)

I have bolded the similarities between them, and if you read them carefully you may find that both of them are almost the same, with not many differences. Don't you think this is cool? I have killed two birds with one stone: PF makes Snort easy going for me (:])
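As an added illustration of that point (example code, not from the original post), here is a small Python parser that reads a PF filter rule and a Snort rule into the same header fields and checks whether they describe the same 5-tuple. The rules it handles are constructed, and it follows the real pf.conf field order (the in/out keyword right after the action, `to` between source and destination) rather than the simplified outline above.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Rule:  # header fields shared by PF and Snort, plus Snort's option body
    action: str
    proto: str
    src: str
    src_port: str
    direction: str
    dst: str
    dst_port: str
    options: dict = field(default_factory=dict)  # Snort msg/sid/rev etc.

# pf.conf header order: action [in|out] [log] [quick] [on if] [af] proto P from A [port X] to B [port Y]
PF_RE = re.compile(
    r"^(?P<action>pass|block|match)\s+(?P<dir>in|out)?\s*(?:log\s+)?(?:quick\s+)?"
    r"(?:on\s+\S+\s+)?(?:inet6?\s+)?proto\s+(?P<proto>\w+)\s+"
    r"from\s+(?P<src>\S+)(?:\s+port\s+(?P<sport>\S+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+port\s+(?P<dport>\S+))?"
)
# Snort header order: action proto src sport -> dst dport (options;)
SNORT_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s*\((?P<opts>.*)\)\s*$"
)

def parse_pf(line):
    m = PF_RE.match(line.strip())
    if not m:
        raise ValueError("not a PF filter rule: " + line)
    # PF omits 'port' to mean any port; Snort spells that out as 'any'
    return Rule(m["action"], m["proto"], m["src"], m["sport"] or "any",
                m["dir"] or "", m["dst"], m["dport"] or "any")

def parse_snort(line):
    m = SNORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snort rule: " + line)
    opts = {}  # simplification: a ';' inside a quoted msg is not handled
    for opt in filter(None, (o.strip() for o in m["opts"].split(";"))):
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    return Rule(m["action"], m["proto"], m["src"], m["sport"],
                m["dir"], m["dst"], m["dport"], opts)

def same_flow(a, b):
    # Both languages describe the same 5-tuple; only the keyword dressing differs
    return (a.proto, a.src, a.src_port, a.dst, a.dst_port) == (b.proto, b.src, b.src_port, b.dst, b.dst_port)
```

Pairing rules this way is a handy sanity check that the traffic a firewall rule passes is the same traffic the matching IDS rule inspects.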

What a coincidence!!!!!

Before I'm offline from the Matrix, Happy Chinese New Year to everybody and to all people around the world - peace


Anonymous said...

Hi! Regarding your comments about iptables, I completely agree with you: iptables syntax is crap, so badly designed that you should use it every day in order to remember the complete syntax. I switched a month ago to PF/OBSD 3.8 and am completely satisfied; the rule syntax is really wonderful!! And you don't require a high-end machine; in this case I'm using a 486DX with 48MB of RAM!

C.S.Lee said...

IPtables is wonderful. However, it's just that its syntax is kinda confusing and most people can't get it right. It requires more effort to learn to write proper iptables rules.

Anonymous said...

Yeah, I'd love to see PF ported to Linux...