HOME_NET(any) -> EXTERNAL_NET(any) => OUTPUT chain
authorMichael Rash <mbr@cipherdyne.org>
Fri, 21 Dec 2012 04:42:28 +0000 (23:42 -0500)
committerMichael Rash <mbr@cipherdyne.org>
Fri, 21 Dec 2012 04:42:28 +0000 (23:42 -0500)
Dwight Davis reported that "when EXTERNAL_NET is set to 'any' the outbound rules
get put into the INPUT chain":  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693000

This commit fixes this behavior, and forces such rules to the OUTPUT chain
whenever the original Snort rule has HOME_NET -> EXTERNAL_NET.

fwsnort
test/test-fwsnort.pl

diff --git a/fwsnort b/fwsnort
index 66e68f7..b92de1e 100755 (executable)
--- a/fwsnort
+++ b/fwsnort
@@ -717,10 +717,8 @@ sub parse_snort_rules() {
             }
 
             ### parse options portion of Snort rule
-            my ($parse_rv, $opts_hr, $patterns_ar)
-                            = &parse_rule_options($rule_options,
-                                    &get_avg_hdr_len($hdr_hr),
-                                    $line_num);
+            my ($parse_rv, $opts_hr, $patterns_ar) = &parse_rule_options(
+                    $rule_options, &get_avg_hdr_len($hdr_hr), $line_num);
 
             unless ($parse_rv) {
                 $unsup_ctr++;
@@ -1555,7 +1553,11 @@ sub ipt_build() {
     ### define iptables source and destination
     if ($snort_hdr_hr->{'dst'} =~ /any/i) {
         if ($snort_hdr_hr->{'src'} =~ /any/i) {
-            push @{$process_rules{'INPUT'}}, '' if $process_chains{'INPUT'};
+            if ($orig_snort_rule =~ m|\$HOME_NET.*\-\>\s+\$EXTERNAL_NET|) {
+                push @{$process_rules{'OUTPUT'}}, '' if $process_chains{'OUTPUT'};
+            } else {
+                push @{$process_rules{'INPUT'}}, '' if $process_chains{'INPUT'};
+            }
             push @{$process_rules{'FORWARD'}}, ''
                 if $process_chains{'FORWARD'};
         } else {
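Review bot: The direction test added at `if ($orig_snort_rule =~ m|\$HOME_NET.*\-\>\s+\$EXTERNAL_NET|)` is unanchored and its greedy `.*` spans the whole rule text, so a `->` or `$EXTERNAL_NET` token inside the options part (a `msg` or `content` string) can satisfy it, and a negated source such as `!$HOME_NET any -> $EXTERNAL_NET any` also matches even though that traffic is not locally originated and would then be wrongly placed in OUTPUT. Restricting the match to the header fields, something like `m{\A\s*\S+\s+\S+\s+\$HOME_NET\s+\S+\s+->\s+\$EXTERNAL_NET\s}` (the `\-\>` escapes are unnecessary), rules out both cases; whether rule text can carry leading whitespace or comments here is not visible in the hunk. A cleaner fix would be for the header parser to keep the unresolved src/dst variable names in `$snort_hdr_hr` so ipt_build does not have to re-scan the raw rule, and it is not visible from the hunk where `$orig_snort_rule` is declared. ipt_build's body continues outside the hunk on both sides.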
index f48b9d4..4d05fb1 100755 (executable)
@@ -142,7 +142,7 @@ my @tests = (
 
     {
         'category'  => 'operations',
-        'detail'    => "--snort-sid $simple_sig_id",
+        'detail'    => "--snort-sid $simple_sig_id EXTERNAL->HOME",
         'err_msg'   => "did not translate sid: $simple_sig_id",
         'positive_output_matches' => [qr/Found\ssid\:\s$simple_sig_id/,
             qr/Successful\stranslation/
@@ -156,6 +156,21 @@ my @tests = (
     },
     {
         'category'  => 'operations',
+        'detail'    => "--snort-sid 1292 HOME->EXTERNAL",
+        'err_msg'   => "did not translate sid: 1292",
+        'positive_output_matches' => [qr/Found\ssid\:\s1292/,
+            qr/Successful\stranslation/
+        ],
+        'match_all' => $MATCH_ALL_RE,
+        'function'  => \&generic_exec,
+        'cmdline'   => "$fwsnortCmd --no-ipt-test -c $default_conf --snort-sid 1292",
+        'fw_exec'   => $fw_exec,
+        'exec_err'  => $NO,
+        'fatal'     => $NO
+    },
+
+    {
+        'category'  => 'operations',
         'detail'    => "multiple rules --snort-sid $simple_sig_id,109,321",
         'err_msg'   => "did not translate sid: $simple_sig_id",
         'positive_output_matches' => [qr/Found\ssid/,
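Review bot: The new sid 1292 test only asserts `Found sid: 1292` and `Successful translation`, the same patterns every other translation test uses, so it would pass with or without the OUTPUT-chain fix this commit makes. Adding a `positive_output_matches` pattern that checks the generated rule is placed in the OUTPUT chain (and, ideally, a `negative_output_matches` counterpart for INPUT, if the harness supports one) would make the test actually guard the reported bug. The `'detail'` string could also say what is being verified, e.g. `"--snort-sid 1292 HOME->EXTERNAL goes to OUTPUT chain"`. The @tests list continues outside the hunk.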
@@ -514,7 +529,7 @@ my @tests = (
     },
     {
         'category'  => 'operations',
-        'detail'    => "ip6tables --sn.. $simple_sig_id,109,321 --in... sid\:109",
+        'detail'    => "ip6tables --sn.. $simple_sig_id,109,321 --in.. sid\:109",
         'err_msg'   => "did not translate sid: $simple_sig_id",
         'positive_output_matches' => [qr/Found\ssid/,
             qr/Found\ssid\:\s109/,