Applied patch from Dwight Davis to fix multiple issues.
authorMichael Rash <mbr@cipherdyne.org>
Thu, 20 Dec 2012 03:40:24 +0000 (22:40 -0500)
committerMichael Rash <mbr@cipherdyne.org>
Thu, 20 Dec 2012 03:40:24 +0000 (22:40 -0500)
(Dwight Davis) Contributed patches for several bugs including not
handling --exclude-regex properly, not ignoring the deleted.rules file,
not handling --strict mode operations correctly, and more.  These issues
and the corresponding patch were originally reported here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693000

CREDITS
ChangeLog
fwsnort

diff --git a/CREDITS b/CREDITS
index dfb38da..96941ce 100644 (file)
--- a/CREDITS
+++ b/CREDITS
@@ -83,3 +83,10 @@ Peter Vrabec
 
 Andrew Merenbach
     - Contributed bug fix to properly honor --exclude-regex filtering option.
+
+Dwight Davis
+    - Contributed patches for several bugs including not handling
+      --exclude-regex properly, not ignoring the deleted.rules file, not
+      handling --strict mode opertions correctly, and more.  These issues and
+      the corresponding patch were originally reported here:
+        http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693000
index 8f84ac2..1ba445b 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -28,6 +28,11 @@ fwsnort-1.6.3 (12/18/2012):
       length testing, and optimized to drastically reduce run time for iptables
       capabilities checks (going from over 20 seconds to less than one second
       in some cases).
+    - (Dwight Davis) Contributed patches for several bugs including not
+      handling --exclude-regex properly, not ignoring the deleted.rules file,
+      not handling --strict mode opertions correctly, and more.  These issues
+      and the corresponding patch were originally reported here:
+        http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693000
     - Updated to bundle the latest Emerging Threats rule set.
 
 fwsnort-1.6.2 (04/28/2012):
diff --git a/fwsnort b/fwsnort
index 6775aff..da10208 100755 (executable)
--- a/fwsnort
+++ b/fwsnort
@@ -280,7 +280,24 @@ my %snort_opts = (
         'http_client_body' => '[\s;]http_client_body\s*;',
         'http_cookie' => '[\s;]http_cookie\s*;',
         'urilen'    => '[\s;]urilen:\s*.*?\s*;',
-    }
+    },
+
+    ### in --strict mode, signatures that include any of these
+    ### options are not translated to iptables rules
+    'strict_list' => [
+        'uricontent',
+        'pcre',
+        'distance',
+        'within',
+        'http_uri',
+        'http_raw_uri',
+        'http_method',
+        'http_stat_code',
+        'http_stat_msg',
+        'http_client_body',
+        'http_cookie',
+        'urilen'
+    ]
 );
 
 ### rules update link
@@ -623,7 +640,7 @@ sub parse_snort_rules() {
         if ($exclude_types) {
             next FILE if defined $exclude_types{$type};
         }
-        if ($rfile eq 'deleted.rules') {
+        if ($rfile =~ m|deleted\.rules|) {
             next FILE unless $add_deleted;
         }
         ($snort_type) = ($rfile =~ m|.*/(\S+)\.rules|);
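Review bot: The replacement match on the `deleted.rules` line is unanchored, so it also skips any rules file whose path merely contains that substring, e.g. `undeleted.rules` or a file living under a directory named `deleted.rules.d`. The capture on the next line shows `$rfile` carries a directory prefix, which is presumably why the old `eq` never matched; anchoring on the basename keeps the fix but not the over-match: `if ($rfile =~ m{(?:^|/)deleted\.rules\z}) {`. parse_snort_rules begins and ends outside this hunk.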
@@ -3474,11 +3491,16 @@ sub fwsnort_init() {
 
     if ($strict) {
         ### make the snort options parser very strict
-        for my $opt (qw(uricontent pcre
-                distance within http_uri http_method urilen)) {
-            $snort_opts{'unsupported'}{$opt}
-                = $snort_opts{'filter'}{$opt};
-            delete $snort_opts{'filter'}{$opt};
+        for my $opt (@{$snort_opts{'strict_list'}}) {
+            if (defined $snort_opts{'filter'}{$opt}) {
+                $snort_opts{'unsupported'}{$opt}
+                    = $snort_opts{'filter'}{$opt};
+                delete $snort_opts{'filter'}{$opt};
+            } elsif (defined $snort_opts{'ignore'}{$opt}) {
+                $snort_opts{'unsupported'}{$opt}
+                    = $snort_opts{'ignore'}{$opt};
+                delete $snort_opts{'ignore'}{$opt};
+            }
         }
         my @ignore = (qw(nocase));
 
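Review bot: An entry of `strict_list` that is present in neither `$snort_opts{'filter'}` nor `$snort_opts{'ignore'}` is silently skipped by the new if/elsif, so a misspelled or relocated option would keep being translated in --strict mode with no indication. Adding a terminal branch makes the list self-checking: `} else { die "[*] --strict: option '$opt' is in strict_list but in neither 'filter' nor 'ignore'" }`. Which of the strict_list names actually live in 'ignore' is not visible in this hunk, so the die may need to become a warn if some are intentionally absent. fwsnort_init continues outside the hunk.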
@@ -4452,7 +4474,8 @@ sub write_ipt_script() {
 
     ### make sure the script is writable first
     if (-e $config{'FWSNORT_SCRIPT'}) {
-        chmod 0755, $config{'FWSNORT_SCRIPT'} or die $!;
+        chmod 0755, $config{'FWSNORT_SCRIPT'} or
+            die "[*] Could not chmod $config{'FWSNORT_SCRIPT'}: $!";
     }
 
     open F, "> $config{'FWSNORT_SCRIPT'}" or
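Review bot: The rewritten chmod still widens an existing script to 0755, although the comment above it says the only goal is to make the file writable before it is truncated; between this line and the `chmod 0500` at the end of the sub the previous and then the new iptables script are world-readable and world-executable. `chmod 0700, $config{'FWSNORT_SCRIPT'} or` on the new line is sufficient for the open that follows and avoids that window. The `-e` test followed by chmod also follows a symlink if FWSNORT_SCRIPT has been replaced by one, which the default location under /var/lib may make moot but is worth a comment. write_ipt_script starts outside this hunk.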
@@ -4460,7 +4483,8 @@ sub write_ipt_script() {
     print F "$_\n" for @ipt_script_lines;
     close F;
 
-    chmod 0500, $config{'FWSNORT_SCRIPT'} or die $!;
+    chmod 0500, $config{'FWSNORT_SCRIPT'} or
+        die "[*] Could not chmod $config{'FWSNORT_SCRIPT'}: $!";
 
     return;
 }
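Review bot: The tightening to 0500 happens only after the script has been fully written and closed, so when FWSNORT_SCRIPT does not yet exist it is created by the 2-arg `open F, "> ..."` above with the process umask (commonly 0644) and the generated iptables script is readable by every local user until this line runs. A `umask 077;` (or `local umask`) before the open, or `sysopen` with `O_WRONLY|O_CREAT|O_TRUNC, 0600`, closes that window without changing the final mode. The unchecked `close F;` above also means a failed flush still produces a file that this line marks executable; `close F or die "[*] Could not close $config{'FWSNORT_SCRIPT'}: $!";` would stop that.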
@@ -4724,7 +4748,7 @@ Options:
                                 iptables rules.
     --ipt-script=<script>     - Print iptables script to <script>
                                 instead of the default location at
-                                /etc/fwsnort/fwsnort.sh
+                                /var/lib/fwsnort/fwsnort.sh
     --ipt-apply               - Execute the fwsnort.sh script.
     --ipt-exec                - Synonym for --ipt-apply.
     --ipt-revert              - Revert to a version of the iptables
@@ -4832,7 +4856,7 @@ Options:
     --queue-rules-dir=<dir>   - Specify the path to the generated set of
                                 Snort rules that are to be queued to
                                 userspace in --NFQUEUE or --QUEUE mode.  The
-                                default is /etc/fwsnort/snort_rules_queue/.
+                                default is /var/lib/fwsnort/snort_rules_queue/.
     -Q   --QUEUE              - Same as the --NFQUEUE option, except use the
                                 older iptables QUEUE target.
     --string-match-alg=<alg>  - Specify the string match algorithm to use