9 months ago: changes since 1.6.4 [refs: master, 1.6.5]
Michael Rash [Wed, 27 Aug 2014 01:18:02 +0000]
changes since 1.6.4

9 months ago: spec files fwsnort-1.6.5 release
Michael Rash [Wed, 27 Aug 2014 01:14:42 +0000]
spec files fwsnort-1.6.5 release

9 months ago: changes since 1.6.4
Michael Rash [Wed, 27 Aug 2014 01:04:16 +0000]
changes since 1.6.4

9 months ago: bumped version to 1.6.5
Michael Rash [Wed, 27 Aug 2014 00:53:01 +0000]
bumped version to 1.6.5

9 months ago: updated Emerging Threats rule set
Michael Rash [Wed, 27 Aug 2014 00:51:37 +0000]
updated Emerging Threats rule set

15 months ago: (Paulo Bruck) Bug fix for --ulog-prefix option
Michael Rash [Sun, 9 Feb 2014 02:59:54 +0000]
(Paulo Bruck) Bug fix for --ulog-prefix option

An invalid quote was being used previous to this commit.

15 months ago: changes since 1.6.3 [refs: 1.6.4]
Michael Rash [Sun, 2 Feb 2014 21:01:57 +0000]
changes since 1.6.3

15 months ago: added note about 'cat' usage
Michael Rash [Sun, 2 Feb 2014 21:01:29 +0000]
added note about 'cat' usage

15 months ago: bumped version and copyright info
Michael Rash [Sun, 2 Feb 2014 20:53:04 +0000]
bumped version and copyright info

15 months ago: bumped version to 1.6.4
Michael Rash [Sun, 2 Feb 2014 20:51:35 +0000]
bumped version to 1.6.4

15 months ago: update to bundle the latest Emerging Threats rule set
Michael Rash [Sun, 2 Feb 2014 20:31:12 +0000]
update to bundle the latest Emerging Threats rule set

15 months ago: Bug fix for CVE-2014-0039
Michael Rash [Sat, 1 Feb 2014 19:58:22 +0000]
Bug fix for CVE-2014-0039

Bug fix for vulnerability CVE-2014-0039 reported by Murray McAllister of
the Red Hat Security Team in which an attacker-controlled fwsnort.conf
file could be read by fwsnort when not running as root.  This was caused
by fwsnort reading './fwsnort.conf' when not running as root and when a
path to the config file was not explicitly set with -c on the command
line.  This behavior has been changed to require the user to specify a
path to fwsnort.conf with -c when not running as root.
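
As an added example (not fwsnort's Perl code), the lookup logic described in this commit, with the pre-fix fallback to ./fwsnort.conf beside the hardened form that requires -c when not running as root. The config paths, the error text and the ownership/permission check in check_mode are assumptions for illustration; the commit itself only describes the change to the -c requirement.

```python
"""Added example, not fwsnort's code: the config-file lookup behind
CVE-2014-0039, vulnerable form beside the hardened form the commit describes,
plus an ownership/permission check that goes beyond what the commit states."""
import os
import stat

DEFAULT_CONF = "/etc/fwsnort/fwsnort.conf"   # system-wide config path (assumed)
CWD_CONF = "./fwsnort.conf"                  # the fallback the vulnerable code read


def locate_conf_vulnerable(conf_arg, euid):
    """Pre-fix behaviour: a non-root run with no -c silently falls back to
    ./fwsnort.conf, so a config planted in the current directory is trusted."""
    if conf_arg:
        return conf_arg
    return DEFAULT_CONF if euid == 0 else CWD_CONF


def locate_conf_hardened(conf_arg, euid):
    """Post-fix behaviour: a non-root run must name the config with -c
    (the error text is an assumption, not fwsnort's actual message)."""
    if conf_arg:
        return conf_arg
    if euid != 0:
        raise SystemExit("[*] Not running as root; specify the fwsnort.conf path with -c")
    return DEFAULT_CONF


def check_mode(st_mode, st_uid, euid):
    """Assumed extra check: accept only a regular (non-symlink) file that is
    not group/world-writable and is owned by root or by the invoking user."""
    if not stat.S_ISREG(st_mode):          # rejects symlinks, FIFOs, directories
        return False
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return st_uid in (0, euid)


def conf_is_trustworthy(path, euid):
    """lstat rather than stat, so a symlink pointing at a root-owned file is
    still rejected instead of inheriting the target's attributes."""
    st = os.lstat(path)
    return check_mode(st.st_mode, st.st_uid, euid)


if __name__ == "__main__":
    import sys
    euid = os.geteuid()
    conf_arg = sys.argv[1] if len(sys.argv) > 1 else None
    print("vulnerable lookup would read:", locate_conf_vulnerable(conf_arg, euid))
    path = locate_conf_hardened(conf_arg, euid)
    ok = os.path.exists(path) and conf_is_trustworthy(path, euid)
    print("hardened lookup reads:", path, "(trustworthy)" if ok else "(missing or untrusted)")
```

The point of separating check_mode from conf_is_trustworthy is that the policy (which mode bits and owners are acceptable) can be tested without touching the filesystem; only the thin wrapper performs the lstat.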

16 months ago: minor README re-wording w.r.t. Snort signatures
Michael Rash [Fri, 24 Jan 2014 02:17:14 +0000]
minor README re-wording w.r.t. Snort signatures

2 years ago: Added 'cat' and 'grep' commands
Michael Rash [Fri, 8 Feb 2013 03:06:19 +0000]
Added 'cat' and 'grep' commands

2 years ago: bug fix for installation directory names, check_commands() enhancements
Michael Rash [Fri, 8 Feb 2013 03:06:02 +0000]
bug fix for installation directory names, check_commands() enhancements

2 years ago: switch fwsnort.sh iptables-restore exec() strategy to leverage 'cat' against fwsnort...
Michael Rash [Fri, 8 Feb 2013 03:05:19 +0000]
switch fwsnort.sh iptables-restore exec() strategy to leverage 'cat' against fwsnort.save file (fixes CentOS deployments)

2 years ago: minor typo fix
Michael Rash [Fri, 8 Feb 2013 02:43:27 +0000]
minor typo fix

2 years ago: minor version string fix [refs: fwsnort-1.6.3]
Michael Rash [Sat, 22 Dec 2012 02:26:32 +0000]
minor version string fix

2 years ago: removed -pre1 from version string
Michael Rash [Sat, 22 Dec 2012 02:23:46 +0000]
removed -pre1 from version string

2 years ago: ChangeLog.git file update for changes from 1.6.2 -> 1.6.3
Michael Rash [Sat, 22 Dec 2012 02:03:04 +0000]
ChangeLog.git file update for changes from 1.6.2 -> 1.6.3

2 years ago: HOME_NET -> EXTERNAL_NET to OUTPUT chain
Michael Rash [Sat, 22 Dec 2012 01:53:35 +0000]

2 years ago: updated 1.6.3 release date
Michael Rash [Fri, 21 Dec 2012 04:47:31 +0000]
updated 1.6.3 release date

2 years ago: HOME_NET(any) -> EXTERNAL_NET(any) => OUTPUT chain
Michael Rash [Fri, 21 Dec 2012 04:42:28 +0000]
HOME_NET(any) -> EXTERNAL_NET(any) => OUTPUT chain

Dwight Davis reported that "when EXTERNAL_NET is set to 'any' the outbound rules
get put into the INPUT chain":  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693000

This commit fixes this behavior, and forces such rules to the OUTPUT chain
whenever the original Snort rule has HOME_NET -> EXTERNAL_NET.

2 years ago: added ip6tables tests
Michael Rash [Thu, 20 Dec 2012 04:14:14 +0000]
added ip6tables tests

2 years ago: converted snort options regex to use qr// form
Michael Rash [Thu, 20 Dec 2012 04:00:30 +0000]
converted snort options regex to use qr// form

2 years ago: added --strict test
Michael Rash [Thu, 20 Dec 2012 03:45:40 +0000]
added --strict test

2 years ago: Applied patch from Dwight Davis to fix multiple issues.
Michael Rash [Thu, 20 Dec 2012 03:40:24 +0000]
Applied patch from Dwight Davis to fix multiple issues.

(Dwight Davis) Contributed patches for several bugs including not
handling --exclude-regex properly, not ignoring the deleted.rules file,
not handling --strict mode operations correctly, and more.  These issues
and the corresponding patch were originally reported here:

2 years ago: added --include-type emerging-all test
Michael Rash [Thu, 20 Dec 2012 02:44:06 +0000]
added --include-type emerging-all test

2 years ago: added --include-type + --exclude-type test
Michael Rash [Thu, 20 Dec 2012 02:21:39 +0000]
added --include-type + --exclude-type test

2 years ago: added --exclude-type tests
Michael Rash [Thu, 20 Dec 2012 02:17:54 +0000]
added --exclude-type tests

2 years ago: fwsnort.sh to use exec to pick up iptables-restore exit status
Michael Rash [Thu, 20 Dec 2012 02:17:37 +0000]
fwsnort.sh to use exec to pick up iptables-restore exit status

2 years ago: added return value checking in --enable-fw-exec mode
Michael Rash [Thu, 20 Dec 2012 00:40:12 +0000]
added return value checking in --enable-fw-exec mode

2 years ago: added --ipt-revert option, though --ipt-flush is usually more desirable
Michael Rash [Thu, 20 Dec 2012 00:37:16 +0000]
added --ipt-revert option, though --ipt-flush is usually more desirable

2 years ago: added fw_exec for --enable-fw-exec mode to instantiate and revert fwsnort policy
Michael Rash [Thu, 20 Dec 2012 00:17:16 +0000]
added fw_exec for --enable-fw-exec mode to instantiate and revert fwsnort policy

2 years ago: iptables capabilities check optimization
Michael Rash [Wed, 19 Dec 2012 23:58:08 +0000]
iptables capabilities check optimization

Implemented a single unified function for iptables match parameter
length testing, and optimized to drastically reduce run time for iptables
capabilities checks (going from over 20 seconds to less than one second
in some cases).

2 years ago: Added easy way to revert fwsnort iptables policy changes
Michael Rash [Wed, 19 Dec 2012 23:57:07 +0000]
Added easy way to revert fwsnort iptables policy changes

Added the ability to easily revert the fwsnort policy back to the
original iptables policy with "/var/lib/fwsnort/fwsnort.sh -r".  Note
that this reverts back to the policy as it was when fwsnort itself was

2 years ago: added a test suite for fwsnort
Michael Rash [Wed, 19 Dec 2012 02:44:57 +0000]
added a test suite for fwsnort

2 years ago: added --install-test-dir argument for test suite installation
Michael Rash [Wed, 19 Dec 2012 02:41:14 +0000]
added --install-test-dir argument for test suite installation

2 years ago: bug fix in --no-ipt-test mode to ensure no empty lines in fwsnort.save related to...
Michael Rash [Wed, 19 Dec 2012 02:40:44 +0000]
bug fix in --no-ipt-test mode to ensure no empty lines in fwsnort.save related to the conntrack test

2 years ago: (Andrew Merenbach) Bug fix to properly honor --exclude-regex filtering option.
Michael Rash [Tue, 18 Dec 2012 03:25:20 +0000]
(Andrew Merenbach) Bug fix to properly honor --exclude-regex filtering option.

2 years ago: bumped version to 1.6.3
Michael Rash [Tue, 18 Dec 2012 03:00:13 +0000]
bumped version to 1.6.3

2 years ago: bumped version to 1.6.3
Michael Rash [Tue, 18 Dec 2012 02:59:51 +0000]
bumped version to 1.6.3

2 years ago: added README to version changing script
Michael Rash [Tue, 18 Dec 2012 02:59:31 +0000]
added README to version changing script

2 years ago: minor ChangeLog update
Michael Rash [Tue, 18 Dec 2012 02:59:05 +0000]
minor ChangeLog update

2 years ago: All strings with non [A-Za-z0-9] chars now converted to hex format
Michael Rash [Tue, 18 Dec 2012 02:56:45 +0000]
All strings with non [A-Za-z0-9] chars now converted to hex format

  Bug fix to ensure that !, <, >, and = chars in content strings are
  converted to the appropriate hex equivalents.  All content strings with
  characters outside of [A-Za-z0-9] are now converted to hex-string format
  in their entirety.  This should also fix an issue that results in the
  following error when running /var/lib/fwsnort/fwsnort.sh:

    Using intrapositioned negation (`--option ! this`) is deprecated in
    favor of extrapositioned (`! --option this`).
    Bad argument `bm'
    Error occurred at line: 64
    Try `iptables-restore -h' or 'iptables-restore --help' for more

2 years ago: added INSTALL_ROOT variable
Michael Rash [Tue, 18 Dec 2012 02:56:28 +0000]
added INSTALL_ROOT variable

2 years ago: added INSTALL_ROOT variable
Michael Rash [Tue, 18 Dec 2012 02:56:13 +0000]
added INSTALL_ROOT variable

2 years ago: added fwsnort-1.6.3 changes
Michael Rash [Tue, 18 Dec 2012 02:50:17 +0000]
added fwsnort-1.6.3 changes

2 years ago: fwsnort-1.6.3 release
Michael Rash [Tue, 18 Dec 2012 02:49:54 +0000]
fwsnort-1.6.3 release

2 years ago: minor README re-ordering
Michael Rash [Tue, 18 Dec 2012 02:43:47 +0000]
minor README re-ordering

2 years ago: added various unrecognized snort rule options
Michael Rash [Tue, 18 Dec 2012 02:43:11 +0000]
added various unrecognized snort rule options

2 years ago: updated Emerging Threats rule set
Michael Rash [Tue, 18 Dec 2012 02:26:56 +0000]
updated Emerging Threats rule set

2 years ago: bumped version to 1.6.3-pre1 [refs: fwsnort-1.6.3-pre1]
Michael Rash [Wed, 19 Sep 2012 00:46:02 +0000]
bumped version to 1.6.3-pre1

2 years ago: started on 1.6.3 ChangeLog
Michael Rash [Wed, 19 Sep 2012 00:45:18 +0000]
started on 1.6.3 ChangeLog

2 years ago: make sure \!, <, >, and = are converted to hex equivalents
Michael Rash [Wed, 19 Sep 2012 00:43:11 +0000]
make sure \!, <, >, and = are converted to hex equivalents

2 years ago: rules update from Emerging Threats
Michael Rash [Wed, 19 Sep 2012 00:39:23 +0000]
rules update from Emerging Threats

2 years ago: applied patch from Franck to fix man page paths to reflect new installation directory...
Michael Rash [Mon, 11 Jun 2012 03:07:37 +0000]
applied patch from Franck to fix man page paths to reflect new installation directory structure

3 years ago: updated QUEUE_RULES_DIR path to a sub-dir of /var/lib/fwsnort/
Michael Rash [Sun, 27 May 2012 18:14:16 +0000]
updated QUEUE_RULES_DIR path to a sub-dir of /var/lib/fwsnort/

3 years ago: added note about trying yum/apt-get installation (Guillermo Gomez)
Michael Rash [Sun, 27 May 2012 17:37:20 +0000]
added note about trying yum/apt-get installation (Guillermo Gomez)

3 years ago: minor version update (mentioned by Guillermo Gomez)
Michael Rash [Sun, 27 May 2012 17:32:52 +0000]
minor version update (mentioned by Guillermo Gomez)

3 years ago: Merge branch 'refs/heads/fwsnort-1.6.2'
Michael Rash [Sun, 27 May 2012 17:29:04 +0000]
Merge branch 'refs/heads/fwsnort-1.6.2'

3 years ago: merged fwsnort-1.6.2
Michael Rash [Sun, 27 May 2012 17:28:50 +0000]
merged fwsnort-1.6.2

3 years ago: GPL license address update (mentioned by Guillermo Gomez) [refs: fwsnort-1.6.2]
Michael Rash [Sun, 27 May 2012 17:27:18 +0000]
GPL license address update (mentioned by Guillermo Gomez)

3 years ago: mentioned Guillermo Gomez as the fwsnort maintainer
Michael Rash [Sun, 27 May 2012 17:25:23 +0000]
mentioned Guillermo Gomez as the fwsnort maintainer

3 years ago: added ChangeLog.git file [refs: fwsnort-1.6.2]
Michael Rash [Sun, 29 Apr 2012 00:45:42 +0000]
added ChangeLog.git file

3 years ago: bumped version to 1.6.2
Michael Rash [Sun, 29 Apr 2012 00:45:23 +0000]
bumped version to 1.6.2

3 years ago: removed ShortLog in favor of ChangeLog + ChangeLog.git
Michael Rash [Sat, 28 Apr 2012 18:27:02 +0000]
removed ShortLog in favor of ChangeLog + ChangeLog.git

3 years ago: Added --icmp-type 'any' (with capabilities test)
Michael Rash [Sat, 28 Apr 2012 18:23:56 +0000]
Added --icmp-type 'any' (with capabilities test)

Bug fix for recent versions of iptables (such as 1.4.12) where the icmp
match requires --icmp-type to be set - some Snort rules look for a string
to match in icmp traffic, but don't also specify an icmp type.

3 years ago: bug fix psadlibdir -> fwsnortlibdir
Michael Rash [Sat, 28 Apr 2012 15:44:27 +0000]
bug fix psadlibdir -> fwsnortlibdir

3 years ago: bug fix for 'qw() used as parenthesis' warnings under perl > 5.14
Michael Rash [Sat, 28 Apr 2012 15:43:58 +0000]
bug fix for 'qw() used as parenthesis' warnings under perl > 5.14

3 years ago: added ChangeLog info for the 1.6.1 and 1.6.2 releases
Michael Rash [Sat, 28 Apr 2012 14:18:16 +0000]
added ChangeLog info for the 1.6.1 and 1.6.2 releases

3 years ago: updated RPM spec file version to 1.6.2
Michael Rash [Sat, 28 Apr 2012 14:17:48 +0000]
updated RPM spec file version to 1.6.2

3 years ago: updated to the latest Snort rules from Emerging Threats
Michael Rash [Sat, 28 Apr 2012 14:17:05 +0000]
updated to the latest Snort rules from Emerging Threats

3 years ago: moved ChangeLog.old -> ChangeLog (the old style is much more readable)
Michael Rash [Fri, 20 Apr 2012 01:30:43 +0000]
moved ChangeLog.old -> ChangeLog (the old style is much more readable)

3 years ago: minor documentation fixes
Michael Rash [Fri, 20 Apr 2012 01:30:16 +0000]
minor documentation fixes

3 years ago: added 1.6.2 release
Michael Rash [Fri, 20 Apr 2012 01:29:58 +0000]
added 1.6.2 release

3 years ago: Removed the ExtUtils::MakeMaker build requirement
Michael Rash [Fri, 20 Apr 2012 01:28:50 +0000]
Removed the ExtUtils::MakeMaker build requirement

Although building the fwsnort RPM builds a set of perl modules which themselves
have the 'use ExtUtils::MakeMaker' requirement in their respective Makefile.PL
scripts, some Linux distributions don't seem to make it easy to install
ExtUtils::MakeMaker in a manner in which the local RPM install can see it.
And, at the same time, it usually is there since installing perl modules is
such a common operation.  The compromise is this solution, which will allow the
fwsnort RPM to be built even if RPM doesn't or can't see that ExtUtils::MakeMaker
is installed - most likely it will build anyway.  If it doesn't, there are
bigger problems since fwsnort is written in perl.  If you want to build the fwsnort
RPM with a .spec file that requires ExtUtils::MakeMaker, then use the
"fwsnort-require-makemaker.spec" file that is bundled in the fwsnort sources.

3 years ago: updated IPTables::Parse to 1.1
Michael Rash [Sat, 3 Mar 2012 03:58:11 +0000]
updated IPTables::Parse to 1.1

3 years ago: updated to IPTables::Parse 0.8
Michael Rash [Tue, 21 Feb 2012 01:33:18 +0000]
updated to IPTables::Parse 0.8

3 years ago: bumped version to 1.6.2-pre1
Michael Rash [Sun, 19 Feb 2012 18:21:27 +0000]
bumped version to 1.6.2-pre1

3 years ago: converted from Net::AddrIPv4 to the excellent NetAddr::IP module
Michael Rash [Sat, 18 Feb 2012 19:33:29 +0000]
converted from Net::AddrIPv4 to the excellent NetAddr::IP module

3 years ago: converted from Net::AddrIPv4 to the excellent NetAddr::IP module
Michael Rash [Sat, 18 Feb 2012 19:33:19 +0000]
converted from Net::AddrIPv4 to the excellent NetAddr::IP module

3 years ago: added the proper ChangeLog back in [refs: fwsnort-1.6.2-pre1]
Michael Rash [Fri, 17 Feb 2012 02:32:19 +0000]
added the proper ChangeLog back in

3 years ago: bumped version to 1.6.2-pre1
Michael Rash [Fri, 17 Feb 2012 02:24:25 +0000]
bumped version to 1.6.2-pre1

3 years ago: Switched --no-ipt-sync to default to not syncing with the iptables policy
Michael Rash [Fri, 17 Feb 2012 02:18:44 +0000]
Switched --no-ipt-sync to default to not syncing with the iptables policy

By default fwsnort attempts to match translated Snort rules to the running
iptables policy, but this is tough to do well because iptables policies can be
complex.  And, before fwsnort switched to the iptables-save format for
instantiating the policy, a large set of translated rules could take a really
long time to make active within the kernel.  Finally, many Snort rules restrict
themselves to established TCP connections anyway, and if a restrictive policy
doesn't allow connections to get into the established state for some port let's
say, then there is little harm in having translated Snort rules for this port.
Some kernel memory would be wasted (small), but no performance would be lost
since packets won't be processed against these rules anyway.  The end result is
that the default behavior is now to not sync with the local iptables policy in
favor of translating and instantiating as many rules as possible.

This commit also moves the fwsnort.sh script and associated files into the
/var/lib/fwsnort/ directory.

3 years ago: updated to the latest emerging threats Snort rules
Michael Rash [Fri, 17 Feb 2012 01:36:59 +0000]
updated to the latest emerging threats Snort rules

3 years ago: bumped version to 1.6.1
Michael Rash [Fri, 2 Sep 2011 03:04:14 +0000]
bumped version to 1.6.1

3 years ago: (Kim Hagen) Bug fix for 'Couldn't load target' error
Michael Rash [Fri, 2 Sep 2011 02:58:22 +0000]
(Kim Hagen) Bug fix for 'Couldn't load target' error

Kim Hagen submitted this patch for a bug in fwsnort-1.6 where the fwsnort
policy in iptables-save format could not be loaded whenever iptables-save put
the nat table output after the filter table output.  In this case, fwsnort
would fail with an error like the following (fixed in fwsnort-1.6.1):

    Couldn't load target
    cannot open shared object file: No such file or directory

fwsnort now invokes 'iptables-save -t filter' in order to ensure that
ordering issues do not affect how fwsnort builds its translated rule set.

3 years ago: Bug fix for fast_pattern interpretation for relative matches
Michael Rash [Fri, 2 Sep 2011 02:13:18 +0000]
Bug fix for fast_pattern interpretation for relative matches

This change ensures that fwsnort does not attempt to re-order pattern matches
for patterns that have a relative match requirement.  For non-relative matches
fwsnort re-orders pattern matches based on the pattern length, reasoning that
the longest pattern should be processed first for better performance.  The
usage of the fast_pattern keyword gives the user explicit control over this.

Here is a Snort rule that is now properly handled by fwsnort:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Reader and Acrobat Forms Data Format Remote Security Bypass Attempt"; flow:established,to_client; file_data; content:"%FDF-"; depth:300; content:"/F(JavaScript|3a|"; nocase; distance:0; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37763; reference:cve,2009-3956; reference:url,doc.emergingthreats.net/2010664; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Adobe; reference:url,www.stratsec.net/files/SS-2010-001_Stratsec_Acrobat_Script_Injection_Security_Advisory_v1.0.pdf; sid:2010664; rev:8;)

Before this change, fwsnort translated this rule as:

$IPTABLES -A FWSNORT_FORWARD_ESTAB -p tcp -m tcp --sport 80 -m string --hex-string "/F(JavaScript|3a|" --algo bm --from 69 --icase -m string --hex-string "%FDF|2d|" --algo bm --to 364 -m comment --comment "sid:2010664; msg:ET WEB_CLIENT Possible Adobe Reader and Acrobat Forms Data Format Remote Security Bypass Attempt; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37763; rev:8; FWS:1.6;" -j LOG --log-ip-options --log-tcp-options --log-prefix "SID2010664 ESTAB "

Note that in the above rule, the "/F(JavaScript|3a|" pattern was switched to
be evaluated first even though it is a relative match to the previous pattern
in the original Snort rule.  After this change, fwsnort translates this rule

$IPTABLES -A FWSNORT_FORWARD_ESTAB -p tcp -m tcp --sport 80 -m string --hex-string "%FDF|2d|" --algo bm --to 364 -m string --hex-string "/F(JavaScript|3a|" --algo bm --from 69 --icase -m comment --comment "sid:2010664; msg:ET WEB_CLIENT Possible Adobe Reader and Acrobat Forms Data Format Remote Security Bypass Attempt; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37763; rev:8; FWS:1.6;" -j LOG --log-ip-options --log-tcp-options --log-prefix "SID2010664 ESTAB "

3 years ago: Updated to the latest Emerging Threats rule set
Michael Rash [Fri, 2 Sep 2011 02:09:41 +0000]
Updated to the latest Emerging Threats rule set

Update to the latest 'emerging-all.rules' Snort rule set from Emerging Threats

3 years ago: Updated ChangeLog and added the ShortLog file
Michael Rash [Fri, 29 Jul 2011 00:40:36 +0000]
Updated ChangeLog and added the ShortLog file

Minor change to update the global ChangeLog and added the ShortLog file.

3 years ago: Added iptables capabilities test for COMMENT len
Michael Rash [Fri, 29 Jul 2011 00:19:41 +0000]
Added iptables capabilities test for COMMENT len

In keeping with the ability to test the capabilities of iptables where fwsnort
is deployed, added the ability find the maximum length of a string provided to
the COMMENT match.  This match is used to store Snort rule information within
the running fwsnort policy.

3 years ago: Added the ChangeLog file for 'git log' output.
Michael Rash [Wed, 27 Jul 2011 02:17:08 +0000]
Added the ChangeLog file for 'git log' output.

The complete ChangeLog is derived from 'git log' with this commit.  Version-
specific change logs will be included with each release.

3 years ago: Bumped version from 1.5 to 1.6
Michael Rash [Wed, 27 Jul 2011 02:12:02 +0000]
Bumped version from 1.5 to 1.6

Bumped version from 1.5 to 1.6 in preparation for the upcoming release.

3 years ago: Renamed ChangeLog -> ChangeLog.old
Michael Rash [Wed, 27 Jul 2011 01:53:52 +0000]
Renamed ChangeLog -> ChangeLog.old

Renamed ChangeLog -> ChangeLog.old after the svn -> git conversion.  All
ChangeLog* files from now on will conform to:

ChangeLog.v<num>   <-- This is the change log for the released version.
ChangeLog          <-- The complete log output from git.

3 years ago: Added support for rules updates from several URL's
Michael Rash [Fri, 22 Jul 2011 03:03:29 +0000]
Added support for rules updates from several URL's

Added support for grabbing Snort rules from multiple URL's via a new variable
UPDATE_RULES_URL in the /etc/fwsnort/fwsnort.conf file.  This variable can be
specified multiple times.

3 years ago: Added --queue-pre-match-max <num> argument
Michael Rash [Thu, 21 Jul 2011 03:00:07 +0000]
Added --queue-pre-match-max <num> argument

Added a new command line arg --queue-pre-match-max <num> that allows the number
of patterns that will be matched within the kernel before sending a packet to
a userspace Snort instance (via the QUEUE or NFQUEUE targets) to be limited.

Here is an example for the "ET WEB_CLIENT Possible Internet Explorer srcElement
Memory Corruption Attempt" signature from Emerging Threats (sid 2010799).
First, here is the original rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer srcElement Memory Corruption Attempt"; flow:established,to_client; file_data; content:"document.createEventObject"; distance:0; nocase; content:".innerHTML"; within:100; nocase; content:"window.setInterval"; distance:0; nocase; content:"srcElement"; fast_pattern; nocase; distance:0; classtype:attempted-user; reference:url,www.microsoft.com/technet/security/bulletin/ms10-002.mspx; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19726; reference:url,www.kb.cert.org/vuls/id/492515; reference:cve,2010-0249; reference:url,doc.emergingthreats.net/2010799; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSIE; sid:2010799; rev:5;)

The translated rule is shown below in the iptables-save format after running
the command "fwsnort --no-ipt-sync --no-ipt-rule-num --NFQUEUE --snort-sid 2010799":

-A FWSNORT_FORWARD_ESTAB -p tcp -m tcp --sport 80 -m string --string "srcElement" --algo bm --from 82 --icase -m string --string "document.createEventObject" --algo bm --from 64 --icase -m string --string ".innerHTML" --algo bm --to 190 --icase -m string --string "window.setInterval" --algo bm --from 74 --icase -m comment --comment "sid:2010799; msg:ET WEB_CLIENT Possible Internet Explorer srcElement Memory Corruption Attempt; classtype:attempted-user; reference:url,www.microsoft.com/technet/security/bulletin/ms10-002.mspx; rev:5; FWS:1.5;" -j NFQUEUE

Now, by using the --queue-pre-match-max argument, instead of forcing iptables
to match on all four patterns in the original rule, we limit it to matching
only the first pattern.  Note also that fwsnort has interpreted the 'fast_pattern'
keyword so that the "srcElement" pattern is searched for instead of the pattern
"document.createEventObject" which is the first to appear in the original rule.

Here is the command:

fwsnort --no-ipt-sync --no-ipt-rule-num --NFQUEUE --snort-sid 2010799 --queue-pre-match-max 1

The translated rule is now:

-A FWSNORT_FORWARD_ESTAB -p tcp -m tcp --sport 80 -m string --string "srcElement" --algo bm --from 82 --icase -m comment --comment "sid:2010799; msg:ET WEB_CLIENT Possible Internet Explorer srcElement Memory Corruption Attempt; classtype:attempted-user; reference:url,www.microsoft.com/technet/security/bulletin/ms10-002.mspx; rev:5; FWS:1.5;" -j NFQUEUE
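
Three commit messages in this log describe how fwsnort turns Snort content options into iptables string matches: the hex-format conversion of any content string containing characters outside [A-Za-z0-9] (the 1.6.3 commit above), the fast_pattern / relative-match ordering fix (sid 2010664), and the --queue-pre-match-max cap shown just above for sid 2010799. The following is an added example, not fwsnort's own Perl code: a simplified Python re-implementation of those three behaviours, run against the two rules from the commit messages. The option regex, the ordering rule (fast_pattern first; otherwise keep Snort's order when any distance/within modifier is present; otherwise longest pattern first), and the omission of --from/--to offsets, chain selection and the comment match are all assumptions made for illustration; the whole-string hex rule follows the 1.6.3 commit rather than the 1.5/1.6 output shown above, so ".innerHTML" comes out as a --hex-string here. The rule strings are trimmed to the options that affect pattern matching.

```python
"""Added illustration of fwsnort's content-pattern ordering and iptables
string-match emission.  Not fwsnort's source: OPTION_RE, order_patterns()
and the absence of --from/--to offset handling are simplifications."""
import re

# One Snort option: keyword, optional ':' value (quoted or up to ';'), terminator ';'
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

# Rules from the commit messages above, trimmed to the options that matter here.
RULE_2010664 = ('alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT '
                'Possible Adobe Reader and Acrobat Forms Data Format Remote Security Bypass '
                'Attempt"; flow:established,to_client; file_data; content:"%FDF-"; depth:300; '
                'content:"/F(JavaScript|3a|"; nocase; distance:0; sid:2010664; rev:8;)')
RULE_2010799 = ('alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT '
                'Possible Internet Explorer srcElement Memory Corruption Attempt"; '
                'flow:established,to_client; file_data; content:"document.createEventObject"; '
                'distance:0; nocase; content:".innerHTML"; within:100; nocase; '
                'content:"window.setInterval"; distance:0; nocase; content:"srcElement"; '
                'fast_pattern; nocase; distance:0; sid:2010799; rev:5;)')


def parse_options(rule):
    """Return (keyword, value) pairs from the rule body; value is None for bare keywords."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = []
    for m in OPTION_RE.finditer(body):
        key, val = m.group(1), m.group(2)
        if val is not None and val.startswith('"'):
            val = val[1:-1]                      # strip the surrounding quotes
        opts.append((key, val))
    return opts


def parse_contents(opts):
    """Group each content keyword with the modifiers that follow it."""
    pats = []
    for key, val in opts:
        if key == "content":
            pats.append({"raw": val, "nocase": False, "relative": False, "fast": False})
        elif pats and key == "nocase":
            pats[-1]["nocase"] = True
        elif pats and key in ("distance", "within"):   # relative to the previous match
            pats[-1]["relative"] = True
        elif pats and key == "fast_pattern":
            pats[-1]["fast"] = True
    return pats


def content_bytes(raw):
    """Decode a Snort content value: text segments with backslash escapes, |xx xx| hex segments."""
    out = bytearray()
    for i, seg in enumerate(raw.split("|")):
        if i % 2 == 0:
            out += re.sub(r"\\(.)", r"\1", seg).encode("latin-1")
        else:
            out += bytes.fromhex(seg)
    return bytes(out)


def order_patterns(pats):
    """fast_pattern wins; otherwise a relative match freezes the Snort order;
    otherwise longest pattern first (the performance heuristic the commit describes)."""
    fast = [p for p in pats if p["fast"]]
    if fast:
        return fast[:1] + [p for p in pats if p is not fast[0]]
    if any(p["relative"] for p in pats):
        return list(pats)
    return sorted(pats, key=lambda p: len(content_bytes(p["raw"])), reverse=True)


def string_match(pat):
    """Emit one '-m string' clause; anything outside [A-Za-z0-9] forces --hex-string."""
    data = content_bytes(pat["raw"])
    if re.fullmatch(rb"[A-Za-z0-9]+", data):
        arg = '--string "%s"' % data.decode("ascii")
    else:
        arg = '--hex-string "|%s|"' % " ".join("%02x" % b for b in data)
    return "-m string %s --algo bm%s" % (arg, " --icase" if pat["nocase"] else "")


def translate(rule, pre_match_max=None):
    """Ordered string-match clauses, optionally capped the way --queue-pre-match-max does."""
    pats = order_patterns(parse_contents(parse_options(rule)))
    if pre_match_max is not None:
        pats = pats[:pre_match_max]
    return [string_match(p) for p in pats]


if __name__ == "__main__":
    for rule, cap in ((RULE_2010664, None), (RULE_2010799, None), (RULE_2010799, 1)):
        sid = dict(parse_options(rule))["sid"]
        print("sid %s, pre-match max %s:" % (sid, cap))
        for clause in translate(rule, cap):
            print("   ", clause)
```

Running it reproduces the two orderings discussed in the log: sid 2010664 keeps "%FDF-" ahead of the relative "/F(JavaScript|3a|" match, and sid 2010799 puts the fast_pattern "srcElement" first and, with a cap of 1, emits only that clause before the packet would be handed to NFQUEUE.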

3 years ago: Minor man page wording update for NFQUEUE mode
Michael Rash [Sun, 17 Jul 2011 18:25:05 +0000]
Minor man page wording update for NFQUEUE mode

Minor man page wording update for NFQUEUE mode to make sure to convey to the
reader the need to disable the stream preprocessor for the userspace
snort_inline instance.

3 years ago: Added iptables capabilities test for NFQUEUE modes
Michael Rash [Sun, 17 Jul 2011 18:20:54 +0000]
Added iptables capabilities test for NFQUEUE modes

Added a test to see whether iptables supports either the QUEUE or NFQUEUE
targets in --QUEUE and --NFQUEUE modes respectively.

3 years ago: Bugfix to support --NFQUEUE mode
Michael Rash [Sun, 17 Jul 2011 17:09:57 +0000]
Bugfix to support --NFQUEUE mode

With the recent code refactoring for the Snort 'fast_pattern' keyword, the
--QUEUE and --NFQUEUE modes were broken in the process.  This change restores
these modes:

./fwsnort --no-ipt-sync --NFQUEUE |grep Generated
[+] Generated iptables rules for 12916 out of 13131 signatures: 98.36%