Michael Rash, Security Researcher

Software Releases    [Summary View]

« Previous | Next »

Software Release - fwsnort-1.1

software release fwsnort-1.1 The 1.1 release of fwsnort is ready for download. This is a significant release that adds support for ip6tables so that SNORT ® inspection logic can be applied to IPv6 traffic within the Linux kernel. This release also includes a new feature that allows fwsnort to build perl commands interfaced with netcat that generate packet data that matches Snort rules (for those that that can be faithfully translated - see the --include-perl-triggers command line argument and associated comments within the file).

Here is the complete fwsnort-1.1 ChangeLog:

  • Added the ability to build an fwsnort policy that utilizes ip6tables instead of iptables. This allows fwsnort filtering and altering capabilities to apply to IPv6 traffic instead of just IPv4 traffic. To enable ip6tables usage, use the "-6" or "--ip6tables" command line arguments.
  • Added the --include-perl-triggers command line argument so that translated Snort rules can easily be tested. This argument instructs fwsnort to include 'perl -e print ... ' commands as comments in the /etc/fwsnort/ script, and these commands can be combined with netcat to send payloads across the wire that match Snort rules.
  • Updated fwsnort to create logs in the /var/log/fwsnort/ directory instead of directly in the /var/log/ directory. The path is controlled by a new variable 'LOG_FILE' in the /etc/fwsnort/fwsnort.conf file.
  • Added several variables in /etc/fwsnort/fwsnort.conf to control paths to everything from the config file to the snort rules path. Coupled with this is the ability to create variables within path components and fwsnort will expand them (e.g. 'CONF_DIR /etc/fwsnort; CONF_FILE $CONF_DIR/fwsnort.conf').
  • Added --Last-cmd arg so that it is easy to rebuild the script with the same command line args as the previous execution.
Snort is a registered trademark of Sourcefire, Inc.

Software Release - fwknop-1.9.12

software release fwknop-1.9.12 The 1.9.12 release of fwknop is ready for download. This is a significant release that moves by default to the new libfko and the new FKO module for SPA encryption and decryption. Other new features include interface monitoring for the fwknopd daemon so it can survive administrative changes due to things like a DHCP address changes, and the ability to send SPA packets through HTTP proxies.

An excerpt from the 1.9.12 ChangeLog appears below:

  • Fully integrated the FKO module that is part of the libfko library for all SPA routines - encryption/decryption, digest calculation, replay attack detection, etc. The default is to always use the FKO module if it has been installed, but the original perl code remains intact as well just in case FKO does not exist on the local system. The libfko code can be viewed with Trac here
  • Added the ability to recover from interface error conditions, such as when fwknopd sniffs a ppp interface (say, associated with a VPN) that goes away and then is recreated. In previous versions of fwknop, this would result in the fwknopd daemon no longer able to receive SPA packets. This new functionality is controlled by five new configuration variables in the fwknop.conf file: ENABLE_INTF_CHECKS, INTF_CHECKS_INTERVAL, ENABLE_INTF_EXISTS_CHECK, ENABLE_INTF_RUNNING_CHECK, and ENABLE_INTF_BYTES_CHECK. By default, all of these checks are enabled and are run every 20 seconds by the knoptm daemon. If any check fails, then knoptm stops the fwknopd daemon once the error condition is corrected (such as when the interface comes back) so that knopwatchd will then restart it. The fwknopd daemon cannot receive packet data until the error condition is cleared (most likely except perhaps for the "RUNNING" check, but restarting the fwknopd daemon is better than not being able to access a service).
  • Updated the fwknop client to include the SPA destination before DNS resolution when sending an SPA packet over an HTTP request. This allows more flexible Apache configurations with virtual web hosts to function properly with HTTP requests that contain SPA packet data. Also updated the fwknop client to include a leading "/" in SPA packets over HTTP, and updated the fwknopd server to strip this out before attempting SPA packet decryption.
  • Updated the fwknop client to resolve external IP addresses (with the -R argument) here by default.
  • (Jonathan Bennett): Submitted patch to the fwknop client to add HTTP proxy support when sending SPA packets over HTTP. The result is a new --HTTP-proxy option that expects the proxy host to be given as "http://HOST", and it also supports the "http://HOST:PORT" notation as well.

Software Release - gpgdir-1.9.5

software release gpgdir-1.9.5 The 1.9.5 release of gpgdir is ready for download. This release adds support for decrypting files that have been encrypted with PGP (so they have the .pgp file extension). This feature was essentially implemented for free in gpgdir because GnuPG along with the GnuPG::Interface perl module can decrypt PGP-encrypted files. Here is an example: $ cd dir
$ find . -type f
$ gpgdir -d .
[+] Executing: gpgdir -d .
Using GnuPG key: ABCD1234

[+] Decrypting files in directory: /home/mbr/tmp/dir
[+] Building file list...
[+] Decrypting: /home/mbr/tmp/dir/file3.pgp
[+] Decrypting: /home/mbr/tmp/dir/subdir2/file8.pgp
[+] Decrypting: /home/mbr/tmp/dir/subdir2/file7.pgp
[+] Decrypting: /home/mbr/tmp/dir/subdir1/file6.pgp
[+] Decrypting: /home/mbr/tmp/dir/file1.pgp
[+] Decrypting: /home/mbr/tmp/dir/file2.pgp
[+] Decrypting: /home/mbr/tmp/dir/file5.pgp
[+] Decrypting: /home/mbr/tmp/dir/file4.pgp
[+] Decrypting: /home/mbr/tmp/dir/file0.pgp

[+] Total number of files decrypted: 9

$ !find
find . -type f

iptables Script Update - Logging and IPv6 Issues

ipv6 traffic vs. iptables Recently, Bobby Krupczak, a reader of "Linux Firewalls" pointed out to me that the iptables script used in the book does not log traffic over the loopback interface, and that such traffic is also blocked because of the INPUT and OUTPUT policies of "DROP" (instead of having a separate DROP rule). This should be made more clear in the book. Quite right - all logging is excluded for traffic that is sent or received over the loopback interface, and the iptables policy also drops loopback traffic because no ACCEPT rule exists. The lack of a logging rule is mostly because logging traffic generated locally and restricted to the loopback interface is usually a distraction from logging more important (and potentially malicious) traffic from remote networks. However, if a local process seems to have connectivity issues, then making sure that loopback traffic flows unimpeded is important. The script has been updated to ACCEPT all loopback traffic handled by the INPUT and OUTPUT chains.

On another note, I would also like to mention that the script has been updated to block IPv6 traffic altogether. With more networks routing IPv6 these days, and with things like Federal mandates for IPv6 compliance on Federal networks, IPv6 adoption is... still slow. However, Linux has had the ability to speak IPv6 for a long time, and Nmap can scan for IPv6-enabled services. Hence it is important to apply iptables controls to IPv6 traffic via ip6tables. The consequences of not doing this could be a system compromise via a service that can communicate over IPv6, but that is normally firewalled off in the IPv4 world.

Here is an example of scanning ::1 on an Ubuntu-9.04 system with Nmap without any ip6tables controls applied. Note that three important services are available over IPv6: [root@isengard ~]# nmap -6 -P0 ::1

Starting Nmap 5.00 ( ) at 2009-07-28 21:10 EDT
Interesting ports on ip6-localhost (::1):
Not shown: 997 closed ports
22/tcp open ssh
53/tcp open domain
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds

With the updated iptables script deployed, Nmap no longer sees these services.

Have you checked the output of ip6tables -v -nL | grep DROP lately on your Linux system? If you are running a different operating system, are you confident that IPv6 traffic is being filtered appropriately? [root@isengard ~]# ip6tables -v -nL | grep DROP
Chain INPUT (policy DROP 0 packets, 0 bytes)
Chain FORWARD (policy DROP 0 packets, 0 bytes)
Chain OUTPUT (policy DROP 0 packets, 0 bytes)

Software Release - fwsnort-1.0.6

software release fwsnort-1.0.6 The 1.0.6 release of fwsnort is ready for download. This release fixes a bug that caused some Snort rules to not be translated into iptables rules due to improper handling of escaped semicolons. Now that this bug has been fixed, an additional 58 rules from the Emerging Threats rule set are now properly supported. Also made it easier to point fwsnort at a single file with a Snort rule set to be converted (see the --fwsnort-rfile command line argument).

Here is the complete ChangeLog:

  • (Franck Joncourt) Updated fwsnort to use the "! <option> <arg> syntax instead of the older "<option> ! <arg> for the iptables command line.
  • (Franck Joncourt) For the --hex-string and --string matches, if the argument exceeds 128 bytes (iptables 1.4.2) then iptables fails with an error "iptables v1.4.2: STRING too long". Fixes this with a patch that adds a new variable in fwsnort.conf "MAX_STRING_LEN", so that the size of the content can be limited. If the content (null terminated string) is more than MAX_STRING_LEN chars, fwsnort throws the rule away.
  • Bug fix to allow fwsnort to properly translate snort rules that have "content" fields with embedded escaped semicolons (e.g. "\;"). This allows fwsnort to translate about 58 additional rules from the Emerging Threats rule set.
  • Bug fix to allow case insensitive matches to work properly with the --include-re-caseless and --exclude-re-caseless arguments.
  • Bug fix to move the 'rawbytes' keyword to the list of keywords that are ignored since iptables does a raw match anyway as it doesn't run any preprocessors in the Snort sense.
  • Added the --snort-rfile argument so that a specific Snort rules file (or list of files separated by commas) is parsed.
  • Added a small hack to choose the first port from a port list until the iptables 'multiport' match is supported.
  • Updated to consolidate spaces in hex matches in the script since the spaces are not part of patterns to be searched anyway.
  • Updated to the latest complete rule set from Emerging Threats (see
  • Added the "fwsnort-nobuildreqs.spec" file for building fwsnort on systems (such as Debian) that do not install/upgrade software via RPM. This file omits the "BuildRequires: perl-ExtUtils-MakeMaker" directive, and this fixes errors like the following on an Ubuntu system when building fwsnort with rpmbuild: rpm: To install rpm packages on Debian systems, use alien. See README.Debian.
    error: cannot open Packages index using db3 - No such file or directory (2)
    error: cannot open Packages database in /var/lib/rpm

Software Release - fwknop-1.9.11

software release fwknop-1.9.11 The 1.9.11 release of fwknop is ready for download. The major feature addition in this release is the ability to utilize ipfw 'sets' to organize new rules added by the fwknopd daemon on Mac OS X or FreeBSD systems after receiving a valid SPA packet. A couple of other features were added as well, such as user-defined type and code values for SPA packets sent over ICMP, and support in the test suite for running specific chains of related tests.

Here is the complete ChangeLog:

  • (Julien Picalaus) Contributed patches to implement a proper interface to use ipfw 'sets' on systems running ipfw firewalls. This involved changes to fwknopd, knoptm, and the fwknop.conf file like so: Added a test to see if the local ipfw firewall policy is using dynamic rules. Added ipfw_move_rule() so that rules can be moved from one set to another. Added ipfw_disable() set subroutine and it is called at init for IPFW_SET_NUM (except when ipfw isn't using dynamic rules). Made sure that rule finding includes disabled rules (ipfw list -S and changes to regexp) and returning the set in addition to the rule number. When granting access, if a corresponding disabled rule already exists, enable it instead of adding a new one (except when ipfw isn't using dynamic rules). When adding rules, only use keep-state if there are already dynamic rules. Added IPFW_SET_NUM so that the set number for new ipfw can be specified, and add IPFW_DYNAMIC_INTERVAL so that the interval over which rules that have no associated dynamic rules are removed (the default is 60 seconds).
  • (Franck Joncourt) Bug fix to add -O command line arg to knopwatchd to specify an override config file if one is given on the fwknopd command line.
  • Added --icmp-type and --icmp-code command line arguments for the fwknop client in order to manually set the ICMP type/code values when using "--Spoof-proto icmp" or "--Server-proto icmp". Also restructured how SPA packets are sent over the various protocols. Here is an example of sending an SPA packet over an ICMP packet with type "123" and code "123" (not normal ICMP type/code values) with the pcap trace shown:
    # fwknop -A tcp/22 -s --Server-proto icmp --icmp-type 123 --icmp-code 123 -D
    # tcpdump -i lo -l -nn icmp or udp -s 0 -X
    tcpdump: verbose output suppressed, use -v or -vv for full protocol
    decode listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
    07:24:32.527221 IP > ICMP type-#123, length 169
    0x0000: 4510 00bd 0000 4000 4001 3c2e 7f00 0001 E.....@.@.<.....
    0x0010: 7f00 0001 7b7b e66f 0000 0000 2b63 6a6f ....{{.o....+cjo
    0x0020: 5049 6138 7345 7a35 4864 7955 5176 624b PIa8sEz5HdyUQvbK
    0x0030: 6637 6f51 5934 4e36 4c6c 3454 6931 4453 f7oQY4N6Ll4Ti1DS
    0x0040: 2b4f 3756 6636 4775 6234 756f 6738 4432 +O7Vf6Gub4uog8D2
    0x0050: 3155 4377 5259 6b52 2b30 354b 7043 6b33 1UCwRYkR+05KpCk3
    0x0060: 4f66 452f 4f32 6737 6d37 5064 4846 4842 OfE/O2g7m7PdHFHB
    0x0070: 7a32 4745 3766 7a31 4a4c 7652 764e 626c z2GE7fz1JLvRvNbl
    0x0080: 7a4a 7250 5355 3665 5051 5375 7a54 394b zJrPSU6ePQSuzT9K
    0x0090: 702b 4446 4a79 7a6b 3847 6c51 6a70 3564 p+DFJyzk8GlQjp5d
    0x00a0: 3957 3673 4f52 7945 3771 6f57 6b56 634e 9W6sORyE7qoWkVcN
    0x00b0: 4e41 6167 6231 5a79 6a63 4834 49 NAagb1ZyjcH4I
  • Updated all unpack() calls for packet decoding in fwknopd to use the "mN" format instead of "m[N]" format for proper operation on older versions of perl. On FreeBSD 7.0 with perl-5.6.2 the following error is generated without this fix: "Invalid type in unpack: '['".
  • Bug fix to not require that gpg is installed in order to install fwknop.
  • (Franck Joncourt) Documentation updates for the knopwatchd.8 man page to include the latest command line options.
  • (Martin Ferrari) Bug fix to provide a work around for fwknopd segfaults on Debian systems when the version of Net::Pcap that is installed comes from doing 'apt-get install fwknop-server'. See the thread at for more info.
  • Bug fix to ensure that UDP rules in ipfw firewalls are timed out correctly by knoptm (the problem was that 'keep-state' was required).
  • (Test suite): Added tests for multi-port access requests. So, to gain access to tcp/22,udp/1194 with one SPA packet, the test suite verifies that the code support this.
  • (Test suite): Started on updates to handle the upcoming libfko C implementation of Single Packet Authorization (the command line args are somewhat different).
  • (Test suite): Added support for multiple include/exclude test identifying strings (separated by commas). For example, to run the 'Setup', 'Basic', and 'Replay' tests, just do:
    ./ --include Setup,Basic,Replay
  • (Test suite): Added the ability to test sending SPA packets over ICMP.
  • (Test suite): Added import_perl_modules() routine from fwknop itself to enforce the usage of the same perl modules as those that fwknop references. The main application of this is for the Net::RawIP module which is used by the test suite for the SPA over ICMP tests.

IPTables::ChainMgr Used in PacketFence

IPTables::ChainMgr used in packetfence The IPTables::ChainMgr module is now used by the PacketFence NAC system in the latest 1.8.0 release. The module is used to build iptables rules that match on source MAC addresses, set a connection mark, and jump packets into a dedicated MARK chain.

The latest release of the IPTables::ChainMgr module is 0.9 (available as of Feb 11th), and can be downloaded from CPAN. The changes since the 0.8 release are:

  • Added Net::IPv4Addr prerequisite to Makefile.PL (patch submitted by Dominik Gehl).
  • Updated perldoc documentation to properly discuss the delete_chain() API. The material about the $jump_from_chain was missing (Darien Kindlund reported this issue).
  • Applied patch from Darien Kindlund to add the ability to specify the source MAC address via the --mac-source <addr> command line argument to iptables.

Software Release - fwknop-1.9.10

software release fwknop-1.9.10 The 1.9.10 release of fwknop is ready for download. This release adds a few new features such as the ability to send SPA packets over HTTP requests, and the ability to sniff interfaces without requiring any IP address to be assigned. Several minor bug fixes were made as well such as restoring the ability to send SPA packets over ICMP and properly decode them on the fwknopd server system.

Here is the complete ChangeLog:

  • Added the ability to send SPA packet over HTTP to a webserver. This requires that the same running fwknopd is also running a webserver, or that ENABLE_TCP_SERVER is enabled so that fwknopd spawns fwknop_serv to listen on a real TCP socket. Sending SPA packets over HTTP is accomplished with a new command line argument --HTTP on the fwknop client command line, and via a new configuration variable ENABLE_SPA_OVER_HTTP in the fwknop.conf file.
  • Added ENABLE_EXTERNAL_CMDS for fwknopd to control whether the EXTERNAL_CMD_OPEN and EXTERNAL_CMD_CLOSE directives are used (instead of just checking whether they are set to __NONE__).
  • Bug fix to make sure to properly construct hash reference for the "include" command list for the check_commands() function when checking for the mail command.
  • Bug fix for fwknopd to not require Net::Pcap::lookupnet() to succeed on interfaces with no IPv4 address assigned. This function sets the IP and netmask of the local interface, but if fwknopd sniffs an interface without any IP assigned, then such information will not necessarily exist.
  • Bug fix to add --Override config support to knopwatchd (Franck Joncourt).
  • Bug fix to add client timeout (--fw-timeout) support to both forward NAT and local NAT modes (Damien Stuart). This required increasing the number of expected fields in decrypted SPA packets in fwknopd.
  • Bug fix in the script for Cygwin systems (or others where a client-mode only install is done) to take into account the newer perl library path handling code.
  • Updated minimum ICMP header length to 8 bytes in fwknopd to accept spoofed SPA packets over ICMP echo requests.
  • Added config dumping support to knopwatchd with -D (Franck Joncourt).
  • Minor code cleanups and updates to knopwatched (such as the usage of isspace() to allow tab chars between variable names and values in the fwknop.conf file (Franck Joncourt).
  • Added ENABLE_COOKED_INTF to force fwknopd to always treat the sniffing interface as the "cooked" interface type found on Linux.
  • Updated knopwatchd to allow more than one overwrite file (Franck Joncourt).
  • Added --Single-mod-install to the perl installer so that individual module dependencies can be installed piecemeal.
  • (Test suite): Bug fix for the proper usage of the 'ps' command on FreeBSD and Mac OS X systems. The test suite now runs successfully on these systems after this fix.
  • (Test suite): Added the ability to test sending SPA packets over established TCP connections with the fwknop_serv daemon.
  • (Test suite): Added support for collecting *.warn and *.die output for each test as it is executed and appending this data to each test output file.

Software Release - fwknop-1.9.9

software release fwknop-1.9.9 The 1.9.9 release of fwknop is ready for download. This is a fairly major update to allow integration with third party applications with the ability to execute external programs on SPA open and SPA close. There were also updates made to the fwknop signal handling code, the IPTables::ChainMgr and IPTables::Parse modules for Linux systems, and a few bug fixes as well.

There will probably be a 1.9.10 release before the 2.0 release, and it will most likely include support for the PF firewall, and more advanced support for using SPA in the Amazon EC2 cloud computing service.

Here is the complete ChangeLog:

  • Added support to fwknop for the Linux 'any' interface which allows SPA packets to be received on multiple interfaces on a Linux system. This is useful for running fwknop on a dual-homed Linux host, and then accepting SPA packets on either the internal or external interface so that SPA packets can influence the packet filter from either network.
  • Added support for interfacing fwknop with third party software through the addition of three new variables in the access.conf file (or set globally in the fwknop.conf file): EXTERNAL_CMD_OPEN, EXTERNAL_CMD_CLOSE, and EXTERNAL_CMD_ALARM. The "open" and "close" commands might be manually supplied firewall commands, and both support variable substitution of any of the variables in the access.conf file with "$VAR". Also, three special variables are supported: $SRC, $PORT, and $PROTO, which are derived from actual values from within valid SPA packets (as opposed to $SOURCE from access.conf which may contain a list of networks instead of a single IP address). Here are some examples:
    Execute a specific iptables command on behalf of the source IP in a valid SPA packet to add a new ACCEPT rule, and execute another command (to delete the same rule after a timeout):
  • Execute a custom binary with the SOURCE and OPEN_PORTS variables from the access.conf file as input on the command line, and after a timeout execute a different program but use the real SPA source IP:
    EXTERNAL_CMD_OPEN /path/otherprog $SRC
  • Added IPT_CMD_ALARM to control the number of seconds that the IPTables::ChainMgr module uses to wrap alarm() calls around iptables commands (for IPTables::ChainMgr 0.8 and later, although this does not interfere with earlier versions of the module).
  • Added IPT_EXEC_STYLE to control the execution method used for iptables commands in the IPTables::ChainMgr module. The default is "waitpid", but "system", and "popen" are also supported.
  • Added IPT_EXEC_SLEEP to control the number of seconds that the IPTables::ChainMgr module uses to delay between each iptables command. The default is zero (no delay), but this can be increased to ensure that iptables commands are issued at a slower pace.
  • Added IPT_EXEC_TRIES to allow critical iptables commands to be tried multiple times (with a default of 1) in case there are any errors from iptables execution.
  • Added --Override-config to fwknopd (suggested by Franck Joncourt) to allow config variables in the normal /etc/fwknop/fwknop.conf file to be superseded by values from other specified files. The --Override-config command line argument accepts a comma-separated list of multiple files from which to import configuration variables from.
  • Added code to prefer the usage of the /usr/sbin/sendmail binary to send email alerts before falling back to the mail binary (suggested by Alexander Perlis).
  • Added --Dump-config to fwknopd (suggested by Franck Joncourt).
  • Added execution of --Dump-config to the test suite to collect the installed version of the fwknop.conf and access.conf files (personal information is anonymized).
  • Updated fwknopd to use the POSIX sys_wait_h API for SIGCHLD handling in order to be more consistent with an example from the perlipc man page.
  • Updated fwknopd to pass in a reference to the SIGCHLD signal handler to the IPTables::ChainMgr module so that all command executions via fork() and exec() are associated with the same signal handler.
  • Updated to IPTables::ChainMgr version 0.8.
  • Updated to IPTables::Parse version 0.7.
  • (Test suite): Added time stamps to MSG and TEST lines for each test (useful to see the relative time if an alarm expires).
  • (Test suite): Added tests for fwknopd --Override-config, --Dump-config, and writing SPA packets to disk with the --Save-packet functionality (in the fwknop client).
  • (Test suite): Added tests for IPT_EXEC_SLEEP delays for executing iptables commands.
  • (Test suite): Added tests for Linux 'any' interface capture of SPA packets on all interfaces.
  • (Test suite): Added the ability to collect output from knoptm to see when requests are received from fwknopd and when rules are added and removed.
  • Added version information for fwknopd to syslog startup message.
  • Bug fix for the fwknop client in symmetric key mode where the terminal would not be taken out of 'noecho' mode if a password less than 8 characters long is provided. Previous to this fix, it was necessary to blindly type 'reset'. (Reported by Alexander Perlis.)

Software Release - IPTables perl modules

IPTables::Parse and IPTables::ChainMgr release New versions (0.7 and 0.8) of the IPTables::Parse and IPTables::ChainMgr modules are available for download, and Trac is now setup to visualize the module sources. Franck Joncourt has also packaged both modules for the Debian Linux distro: libiptables-parse-perl_0.7-1_all.deb and libiptables-chainmgr-perl_0.8-1_all.deb. The IPTables::Parse and IPTables::ChainMgr modules provide important functionality to all three of the psad, fwsnort, and fwknop projects.

In psad, the IPTables::Parse module is primarily used to look for default logging rules in the INPUT and FORWARD chains in the local iptables policy. Such rules are necessary for psad to detect port scans and other malicious traffic because it uses iptables log information as its data source. Traffic that does not hit an ACCEPT rule should normally be logged and dropped anyway, and psad tries to programmatically determine whether the iptables policy is indeed configured in this way. The IPTables::ChainMgr module is also used by psad to add and delete new blocking rules against malicious IP addresses whenever automatic responses are configured (see the ENABLE_AUTO_IDS variable in the /etc/psad/psad.conf file).

fwknop uses the IPTables::ChainMgr module to add ACCEPT rules for IP addresses that have been properly authenticated either by generating a proper port knocking sequence (which is parsed out of iptables log messages), or by sending a valid SPA message. The knoptm daemon then uses the IPTables::ChainMgr to delete any rules that were added by the fwknopd daemon after a configurable time delay.

fwsnort uses the IPTables::Parse module to look for iptables rules that block traffic that matches the transport layer criteria in translated Snort rules. That is, if the iptables policy blocks all attempts to communicate with a web server, then it is pointless to translate Snort rules that are designed to detect attacks against web servers. While fwsnort uses the iptables state tracking modules to ensure that application layer attacks are only searched for in established TCP connections (so spoofing a TCP packet with a malicious payload does not cause an event to be generated), if the iptables policy blocks all traffic anyway for some particular TCP port then it is more efficient to exclude signatures that detect attacks on this port.

The updates to the IPTables::ChainMgr module are as follows (and similar changes have been made to the IPTables::Parse module as well):

  • Added the ability to control the iptables execution model. The default is to use waitpid(), but other options are to use system() or popen().
  • Added the ability to introduce a configurable time delay between each iptables command.
  • Added the ability to use a function reference for the SIGCHLD signal handler.
  • Added the ability to configure the number of seconds used as the alarm timeout for iptables command execution in the waitpid() execution model.
  • Passed IPTables::ChainMgr options for the execution model, configurable alarm timeouts, the SIGCHLD signal handler reference, and the configurable number of seconds for additional sleeps between iptables commands to the IPTables::Parse module.
  • Bugfix for SIGALRM handling to be more consistent with an example from the perlipc man page.
  • Added append_ip_rule() so that new iptables rules can be appended to the end of a chain instead of just inserted at a particular rule number.
This software release moves the state of both modules closer to being ready for submission to CPAN, and I've applied for a CPAN developer account to get this process rolling.

« Previous | Next »