cipherdyne.org

Michael Rash, Security Researcher



fwsnort-1.0.3 Software Release

fwsnort-1.0.3 Software Release The 1.0.3 release of fwsnort is ready for download. This release adds the ability to interpret basic PCRE's expressions (more detail below) and includes a major signature update from Bleeding Threats. A new command line argument --include-re-caseless allows fwsnort to restrict its translation operation to Snort rules that contain a regular expression (matched case-insensitively). For example, here is the command to build an iptables policy derived from Snort rules in the bleeding-all.rules file that contain the string "sid:2007" (for signatures that were added in 2007): # fwsnort --include-type bleeding-all --include-regex "sid:2007" --include-re-caseless
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Snort Rules File Success Fail Ipt_apply Total

[+] bleeding-all.rules 614 28 607 642
=======================================
614 28 607 642

[+] Generated iptables rules for 614 out of 642 signatures: 95.64%
[+] Found 607 applicable snort rules to your current iptables
policy.

[+] Logfile: /var/log/fwsnort.log
[+] iptables script: /etc/fwsnort/fwsnort.sh
This results in 607 successfully translated Snort rules, and here is the iptables command equivalent built by fwsnort for the "BLEEDING-EDGE MALWARE Softwarereferral.com Adware Checkin" signature: $IPTABLES -A FWSNORT_OUTPUT_ESTAB -p tcp --dport 80 -m string --string "wmid=" --algo bm -m string --string "&mid=" --algo bm -m string --string "&lid=" --algo bm -m comment --comment "sid:2007696; msg:BLEEDING-EDGE MALWARE Softwarereferral.com Adware Checkin; classtype:trojan-activity; rev:1; FWS:1.0.3;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[15] SID2007696 ESTAB " Here is the full ChangeLog:
  • Added --include-re-caseless and --exclude-re-caseless options to have --include-regex and --exclude-regex options match case insensitively.
  • Major signature update from Bleeding Threats. This update includes a large number of new signatures with PCRE statements, with an emphasis on detecting SQL injection attacks directed at internal webservers from external sources.
  • Added the ability to interpret PCRE statements that include simple string matches separated by ".*" and ".+" as multiple iptables string matches. The only negative consequence in terms of signature detection is that ordering is not preserved; that is, the PCRE "/UNION.+SELECT/" would only match a packet that contains "UNION" followed by "SELECT", whereas an iptables rule that uses a string match for UNION and a separate string match for SELECT would match a packet that contains both strings but in reverse. Typically this is not a huge concern, and the PCRE translation can be disabled with a new option --no-pcre.
  • Added asn1 keyword to unsupported list.