cipherdyne.org

21 August, 2008

The 1.0.5 release of fwsnort is available for download. For this release all Snort rules and perl modules packaged within the fwsnort sources have been moved into the deps/ directory so that it is clear which components are dependencies, and this change makes it easy to build "nodeps" tar archives and RPMs of fwsnort that do not include any dependencies. This change was suggested by Franck Joncourt in support of his efforts to create Debian packages of fwsnort, and this will also mean that fwsnort will integrate easily into Linux distributions such as Ubuntu). Also, from now on, all cipherdyne.org project will be signed with a new GnuPG key that is dedicated just for this purpose, and this key can be downloaded here.

The complete ChangeLog for fwsnort-1.0.5 appears below:

• Replaced the bleeding-all.rules file with the emerging-all.rules file. This is because Matt Jonkman now releases his rule sets at http://www.emergingthreats.net/
• Restructured perl module paths to make it easy to introduce a "nodeps" distribution of fwsnort that does not contain any perl modules. This allows better integration with systems that already have all necessary modules installed (including the IPTables::ChainMgr and IPTables::Parse modules). The main driver for this work is to make all cipherdyne.org projects easily integrated with distributions based on Debian, and Franck Joncourt has been instrumental in making this process a reality. All perl modules are now placed within the "deps" directory, and the install.pl script checks to see if this directory exists - a separate fwsnort-nodeps-<ver> tarball will be distributed without this directory. The Debian package for fwsnort can then reference the -nodeps tarball, and a new "fwsnort-nodeps.spec" file has been added to build an RPM from the fwsnort sources that does not install any perl modules.
• Updated to import perl modules from /usr/lib/fwsnort, but only if this path actually exists in the filesystem. This is similar to the strategy implemented by psad. A new variable FWSNORT_LIBS_DIR was added to the fwsnort.conf to support this.
• Added support for multiple Snort rule directories as a comma-separated list for the argument to --snort-rdir.
• Moved 'threshold' to the unsupported list since there will be several signatures that use this feature to detect the Dan Kaminsky DNS attack, and fwsnort does not yet support the usage of the iptables --limit match.

22 January, 2008

The 1.0.4 release of fwsnort is ready for download. This release is mostly a bugfix release for bugs discovered and patched by Grant Ferley (thanks for the contributions both on the fwsnort mailing list and also via personal correspondence). Because these fixes mostly apply to the IPTables::Parse perl module, they will also make it into the psad and fwknop projects. Here is the full ChangeLog:

• (Grant Ferley) Submitted patch to exclude loopback interfaces from iptables allow rules parsing. This behavior can be reversed with the existing --no-exclude-loopback command line argument.
• (Grant Ferley) Submitted patch to IPTables::Parse to take into account iptables policy output that contains "0" instead of "all" to represent any protocol.
• (Grant Ferley) Submitted patch to IPTables::Parse to set sport and dport to '0:0' if the protocol is 'all'.
• Bugfix to allow negated networks to be specified within iptables allow rules or within the fwsnort.conf file.
• Updated install.pl to set the LC_ALL environmental variable to "C". This should fix potential locale problems (this fix was borrowed from the fwknop project).

07 April, 2007

The fwsnort project has been around for several years now, but has never had a dedicated forum for discussion of development and deployment issues that are unique to making heavy use of the Netfilter string match extension as done by fwsnort. That's changed now with the introduction of the fwsnort mailing list generously provided by SourceForge. If you are interested in learning more about fwsnort and would like to ask questions or post comments, the mailing list is the place to do it!