3 years ago: Added fwsnort-1.6 ChangeLog, ShortLog and diffstat files. [fwsnort-1.6]
Michael Rash [Fri, 29 Jul 2011 00:53:48 +0000]
Added fwsnort-1.6 ChangeLog, ShortLog and diffstat files.

Added fwsnort-1.6 ChangeLog, ShortLog and diffstat files.

3 years ago: Updated ChangeLog and added the ShortLog file
Michael Rash [Fri, 29 Jul 2011 00:40:36 +0000]
Updated ChangeLog and added the ShortLog file

Minor change to update the global ChangeLog and added the ShortLog file.

3 years ago: Added iptables capabilities test for COMMENT len
Michael Rash [Fri, 29 Jul 2011 00:19:41 +0000]
Added iptables capabilities test for COMMENT len

In keeping with the ability to test the capabilities of iptables where fwsnort
is deployed, added the ability to find the maximum length of a string provided to
the COMMENT match.  This match is used to store Snort rule information within
the running fwsnort policy.

3 years ago: Added the ChangeLog file for 'git log' output.
Michael Rash [Wed, 27 Jul 2011 02:17:08 +0000]
Added the ChangeLog file for 'git log' output.

The complete ChangeLog is derived from 'git log' with this commit.  Version-
specific change logs will be included with each release.

3 years ago: Bumped version from 1.5 to 1.6
Michael Rash [Wed, 27 Jul 2011 02:12:02 +0000]
Bumped version from 1.5 to 1.6

Bumped version from 1.5 to 1.6 in preparation for the upcoming release.

3 years ago: Renamed ChangeLog -> ChangeLog.old
Michael Rash [Wed, 27 Jul 2011 01:53:52 +0000]
Renamed ChangeLog -> ChangeLog.old

Renamed ChangeLog -> ChangeLog.old after the svn -> git conversion.  All
ChangeLog* files from now on will conform to:

ChangeLog.v<num>   <-- This is the change log for the released version.
ChangeLog          <-- The complete log output from git.

3 years ago: Added support for rules updates from several URLs
Michael Rash [Fri, 22 Jul 2011 03:03:29 +0000]
Added support for rules updates from several URLs

Added support for grabbing Snort rules from multiple URLs via a new variable
UPDATE_RULES_URL in the /etc/fwsnort/fwsnort.conf file.  This variable can be
specified multiple times.

3 years ago: Added --queue-pre-match-max <num> argument
Michael Rash [Thu, 21 Jul 2011 03:00:07 +0000]
Added --queue-pre-match-max <num> argument

Added a new command line arg --queue-pre-match-max <num> that allows the number
of patterns that will be matched within the kernel before sending a packet to
a userspace Snort instance (via the QUEUE or NFQUEUE targets) to be limited.

Here is an example for the "ET WEB_CLIENT Possible Internet Explorer srcElement
Memory Corruption Attempt" signature from Emerging Threats (sid 2010799).
First, here is the original rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer srcElement Memory Corruption Attempt"; flow:established,to_client; file_data; content:"document.createEventObject"; distance:0; nocase; content:".innerHTML"; within:100; nocase; content:"window.setInterval"; distance:0; nocase; content:"srcElement"; fast_pattern; nocase; distance:0; classtype:attempted-user; reference:url,www.microsoft.com/technet/security/bulletin/ms10-002.mspx; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19726; reference:url,www.kb.cert.org/vuls/id/492515; reference:cve,2010-0249; reference:url,doc.emergingthreats.net/2010799; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSIE; sid:2010799; rev:5;)

The translated rule is shown below in the iptables-save format after running
the command "fwsnort --no-ipt-sync --no-ipt-rule-num --NFQUEUE --snort-sid 2010799":

-A FWSNORT_FORWARD_ESTAB -p tcp -m tcp --sport 80 -m string --string "srcElement" --algo bm --from 82 --icase -m string --string "document.createEventObject" --algo bm --from 64 --icase -m string --string ".innerHTML" --algo bm --to 190 --icase -m string --string "window.setInterval" --algo bm --from 74 --icase -m comment --comment "sid:2010799; msg:ET WEB_CLIENT Possible Internet Explorer srcElement Memory Corruption Attempt; classtype:attempted-user; reference:url,www.microsoft.com/technet/security/bulletin/ms10-002.mspx; rev:5; FWS:1.5;" -j NFQUEUE

Now, by using the --queue-pre-match-max argument, instead of forcing iptables
to match on all four patterns in the original rule, we limit it to matching
only the first pattern.  Note also that fwsnort has interpreted the 'fast_pattern'
keyword so that the "srcElement" pattern is searched for instead of the pattern
"document.createEventObject" which is the first to appear in the original rule.

Here is the command:

fwsnort --no-ipt-sync --no-ipt-rule-num --NFQUEUE --snort-sid 2010799 --queue-pre-match-max 1

The translated rule is now:

-A FWSNORT_FORWARD_ESTAB -p tcp -m tcp --sport 80 -m string --string "srcElement" --algo bm --from 82 --icase -m comment --comment "sid:2010799; msg:ET WEB_CLIENT Possible Internet Explorer srcElement Memory Corruption Attempt; classtype:attempted-user; reference:url,www.microsoft.com/technet/security/bulletin/ms10-002.mspx; rev:5; FWS:1.5;" -j NFQUEUE

3 years ago: Minor man page wording update for NFQUEUE mode
Michael Rash [Sun, 17 Jul 2011 18:25:05 +0000]
Minor man page wording update for NFQUEUE mode

Minor man page wording update for NFQUEUE mode to make sure to convey to the
reader the need to disable the stream preprocessor for the userspace
snort_inline instance.

3 years ago: Added iptables capabilities test for NFQUEUE modes
Michael Rash [Sun, 17 Jul 2011 18:20:54 +0000]
Added iptables capabilities test for NFQUEUE modes

Added a test to see whether iptables supports either the QUEUE or NFQUEUE
targets in --QUEUE and --NFQUEUE modes respectively.

3 years ago: Bugfix to support --NFQUEUE mode
Michael Rash [Sun, 17 Jul 2011 17:09:57 +0000]
Bugfix to support --NFQUEUE mode

With the recent code refactoring for the Snort 'fast_pattern' keyword, the
--QUEUE and --NFQUEUE modes were broken in the process.  This change restores
these modes:

./fwsnort --no-ipt-sync --NFQUEUE |grep Generated
[+] Generated iptables rules for 12916 out of 13131 signatures: 98.36%

3 years ago: Ignore http_uri, http_method, and urilen
Michael Rash [Sun, 17 Jul 2011 16:39:16 +0000]
Ignore http_uri, http_method, and urilen

iptables has no good way to support the http_uri, http_method, and urilen Snort
keywords, so this change ignores them.  The tradeoff is that certain signatures
may have a higher rate of false positives, but detection may outweigh this for
rules like this one:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Generic Trojan Checkin"; flow:established,to_server; content:"unit_id="; http_uri; content:"&uv_id="; http_uri; content:"&uv_new="; http_uri; content:"&url="; http_uri; content:"&charset="; http_uri; content:"&hashval="; http_uri; content:"&app="; http_uri; content:"&lg="; http_uri; classtype:trojan-activity; sid:2013204; rev:1;)

It is possible to force fwsnort to not ignore the http_* keywords with the
--strict command line argument.

The number of signatures that this change picks up is trivial though for the
bundled signature set in the deps/snort_rules/ directory:

./fwsnort --no-ipt-sync |grep Generated
[+] Generated iptables rules for 9341 out of 13131 signatures: 71.14%

./fwsnort --no-ipt-sync |grep Generated
[+] Generated iptables rules for 9343 out of 13131 signatures: 71.15%

3 years ago: Updated to allow non-root users to execute fwsnort.
Michael Rash [Sun, 17 Jul 2011 02:50:30 +0000]
Updated to allow non-root users to execute fwsnort.

This update allows non-root users to run fwsnort, but a modified fwsnort.conf
file must be supplied that changes various paths.  Running as a non-root user
is mostly only useful to see how fwsnort translates certain Snort rules.  Here
is an example of running fwsnort as a non-root user:

$ ./fwsnort -c fwsnort.conf.nonroot --snort-sid 1234 |less
[+] Parsing Snort rules files...
[+] Found sid: 1234 in web-misc.rules
    Successful translation.

[+] Logfile: /home/mbr/git/fwsnort.git/fwsnort.log
[+] iptables script (individual commands): /home/mbr/git/fwsnort.git/fwsnort_iptcmds.sh
[*] Could not write to: /home/mbr/git/fwsnort.git/fwsnort.sh at ./fwsnort line 4418.
[mbr@minastirith ~/git/fwsnort.git]$ ./fwsnort -c fwsnort.conf.nonroot --snort-sid 1234 |less
[+] Parsing Snort rules files...
[+] Found sid: 1234 in web-misc.rules
    Successful translation.

[+] Logfile: /home/mbr/git/fwsnort.git/fwsnort.log
[+] iptables script (individual commands): /home/mbr/git/fwsnort.git/fwsnort_iptcmds.sh

    Main fwsnort iptables-save file: /home/mbr/git/fwsnort.git/fwsnort.save

    It does not appear as though you are running as root, so it is NOT
    recommended that you become root and execute the fwsnort.sh script. The
    reason is that non-root users cannot execute iptables, and therefore
    fwsnort had no way to check for iptables capabilities or to parse any
    existing iptables policy for proper splicing of the fwsnort rules.

3 years ago: Minor change to not write args in --help mode.
Michael Rash [Fri, 15 Jul 2011 02:17:20 +0000]
Minor change to not write args in --help mode.

Minor update to exclude 'fwsnort --help' from the saved command line arguments
copy.  This ensures that 'fwsnort --Last' does not just re-execute
'fwsnort --help'.

3 years ago: Added support for the Snort 'nocase' keyword
Michael Rash [Sun, 10 Jul 2011 18:37:30 +0000]
Added support for the Snort 'nocase' keyword

The iptables string match extension supports case insensitive matches with
the --icase option.  This commit updates fwsnort to leverage --icase whenever
the 'nocase' modifier is applied to a pattern match in a Snort rule.

3 years ago: Updated to the latest Emerging Threats Snort rules
Michael Rash [Sun, 10 Jul 2011 03:59:15 +0000]
Updated to the latest Emerging Threats Snort rules

Updated to the latest Emerging Threats Snort rules - this file contains over
10,000 rules now.  Here is some sample translation output stats with fwsnort:

    Snort Rules File          Success   Fail      Total

[+] emerging-all.rules        7440      2582      10022
                              7440      2582      10022

[+] Generated iptables rules for 7440 out of 10022 signatures: 74.24%

3 years ago: Added iptables 'multiport' match support
Michael Rash [Sun, 10 Jul 2011 02:44:44 +0000]
Added iptables 'multiport' match support

The iptables 'multiport' match is now supported, and this enables fwsnort to
properly translate a few Snort rules from the emerging threats rule set like
this one:

alert tcp $HOME_NET [0:20,22:24,26:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:4; content:!"VMware Authentication Daemon"; depth:32; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/2011124; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2011124; rev:12;)

The translated version is now:

$IPTABLES -A FWSNORT_FORWARD_ESTAB -p tcp -m tcp -m multiport --sports 0:20,22:24,26:138,140:444,446:464,466:586,588:901 -m string ! --string "VMware Authentication Daemon" --algo bm --to 96 -m string --string "220 " --algo bm --to 68 -m comment --comment "sid:2011124; msg:ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced); classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/2011124; rev:12; FWS:1.5;" -j LOG --log-ip-options --log-tcp-options --log-prefix "SID2011124 ESTAB "
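
As an added example (not fwsnort's own code) of what the multiport support has to cope with: the iptables multiport match accepts at most 15 ports, and a range such as 26:138 counts as two of them, which is why the translated rule above carries only the first seven of the nine ranges in the Snort rule. The Python below goes one step beyond the translation shown here and splits a long list into several rules so that every range is covered. Variable expansion, the chain name and the -j LOG tail are assumptions for illustration.

```python
import re
from typing import Dict, List, Optional

# iptables multiport accepts at most 15 ports per match, and a range a:b
# counts as two of them.
MULTIPORT_MAX = 15


def expand_ports(spec: str, variables: Optional[Dict[str, str]] = None) -> List[str]:
    """Turn a Snort port spec ('any', '80', '$HTTP_PORTS', '[0:20,22:24,...]')
    into a list of 'n' / 'lo:hi' items.  'any' gives [].  Open-ended Snort
    ranges (':1024', '1024:') are closed off, since multiport needs both ends."""
    spec = spec.strip()
    if spec.startswith('$'):
        spec = (variables or {})[spec[1:]].strip()   # e.g. HTTP_PORTS from the config
    spec = spec.strip('[]').strip()
    if spec == 'any':
        return []
    items = []
    for p in spec.split(','):
        p = p.strip()
        m = re.fullmatch(r'(\d*):(\d*)', p)
        if m:
            items.append('%s:%s' % (m.group(1) or '0', m.group(2) or '65535'))
        elif p.isdigit():
            items.append(p)
        else:
            raise ValueError('unsupported port item: %r' % p)   # negations, nested lists
    return items


def chunk_ports(items: List[str]) -> List[List[str]]:
    """Greedily pack items into groups that each fit in one multiport match."""
    chunks, current, used = [], [], 0
    for item in items:
        slots = 2 if ':' in item else 1
        if used + slots > MULTIPORT_MAX:
            chunks.append(current)
            current, used = [], 0
        current.append(item)
        used += slots
    if current:
        chunks.append(current)
    return chunks


def port_matches(spec: str, side: str, variables: Optional[Dict[str, str]] = None) -> List[str]:
    """iptables fragments for one port spec; side is 'sport' or 'dport'.
    Each element needs its own rule, because chunks of the same list are
    alternatives (OR), while matches within one rule are AND'd."""
    items = expand_ports(spec, variables)
    if not items:
        return ['']                                  # 'any': no port match at all
    if len(items) == 1:
        return ['--%s %s' % (side, items[0])]        # the plain tcp match suffices
    return ['-m multiport --%ss %s' % (side, ','.join(c)) for c in chunk_ports(items)]


def build_rules(chain: str, sport_spec: str, dport_spec: str, tail: str,
                variables: Optional[Dict[str, str]] = None) -> List[str]:
    """One complete iptables rule per (source chunk, destination chunk) pair."""
    rules = []
    for s in port_matches(sport_spec, 'sport', variables):
        for d in port_matches(dport_spec, 'dport', variables):
            parts = ['-A', chain, '-p tcp -m tcp', s, d, tail]
            rules.append(' '.join(p for p in parts if p))
    return rules


if __name__ == '__main__':
    # source-port list taken from the "Suspicious FTP 220 Banner" rule above
    ports = '[0:20,22:24,26:138,140:444,446:464,466:586,588:901,903:1432,1434:65535]'
    for rule in build_rules('FWSNORT_FORWARD_ESTAB', ports, 'any', '-j LOG'):
        print(rule)
```

The first rule it produces ends in exactly the --sports list visible in the translation above; the second rule picks up the two ranges that list leaves out. The single-port and 'any' cases fall back to a plain --sport/--dport or to no port match, so multiport is only loaded when it is needed.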

3 years ago: Added --no-fast-pattern-order to --help output
Michael Rash [Sat, 9 Jul 2011 20:21:35 +0000]
Added --no-fast-pattern-order to --help output

Added --no-fast-pattern-order to --help output and also added the
'fast_pattern' hash key to the 'ignore' bucket if --no-fast-pattern-order is
given on the command line.

3 years ago: Implemented tighter 'within' criteria
Michael Rash [Sat, 9 Jul 2011 20:07:53 +0000]
Implemented tighter 'within' criteria

This commit fixes a problem where fwsnort was in some cases too lax with how it
calculated relative pattern matching depths that are defined via the Snort 'within'
keyword.  This should result in fewer fwsnort log messages for certain signatures.
An example signature that this change improves is:

alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 17 00 06|"; distance:4; within:8; classtype:policy-violation; sid:1631; rev:7;)

fwsnort previous to this change translated this as a set of signatures including
the following (allowing for the multiple IPs in the $AIM_SERVERS variable):

$IPTABLES -A FWSNORT_FORWARD_ESTAB -d -p tcp -m tcp -m string --hex-string "*|02|" --algo bm --to 66 -m string --hex-string "|00170006|" --algo bm --from 70 --to 76 -m comment --comment "sid:1631; msg:CHAT AIM login; classtype:policy-violation; rev:7; FWS:1.5;" -j LOG --log-ip-options --log-tcp-options --log-prefix "SID1631 ESTAB "

After this change the signature becomes:

$IPTABLES -A FWSNORT_FORWARD_ESTAB -d -p tcp -m tcp -m string --hex-string "*|02|" --algo bm --to 66 -m string --hex-string "|00170006|" --algo bm --from 70 --to 74 -m comment --comment "sid:1631; msg:CHAT AIM login; classtype:policy-violation; rev:7; FWS:1.5;" -j LOG --log-ip-options --log-tcp-options --log-prefix "SID1631 ESTAB "

Note that in the second pattern match the --to criteria has been reduced from
76 to 74.  (The second rule was generated with --no-fast-pattern-ordering to
make the diff make sense more easily.)

3 years ago: Added the --no-fast-pattern-ordering argument
Michael Rash [Sat, 9 Jul 2011 16:00:23 +0000]
Added the --no-fast-pattern-ordering argument

Added --no-fast-pattern-ordering to have fwsnort not try to reorder pattern
matches to process the longest pattern first.  This option also instructs
fwsnort to ignore the Snort 'fast_pattern' keyword in any Snort rule.

3 years ago: Moved GetOpt() call to handle_cmd_line()
Michael Rash [Sat, 9 Jul 2011 15:47:19 +0000]
Moved GetOpt() call to handle_cmd_line()

Minor update to move the GetOpt() function call for parsing command line args
to the handle_cmd_line() function (where it should have been for a while).

3 years ago: minor man page wording update
Michael Rash [Sat, 9 Jul 2011 02:50:13 +0000]
minor man page wording update

3 years ago: Fixed fast_pattern support for relative matches
Michael Rash [Sat, 9 Jul 2011 02:47:05 +0000]
Fixed fast_pattern support for relative matches

This is a significant code refactoring in order to support the fast_pattern
keyword when relative matches are involved.  Previous to this change, the
initial fast_pattern implementation would not take into account how the
iptables --from and --to keywords should be set under the 'distance' and
'within' keywords.

3 years ago: Added 'detection_filter' to not supported list
Michael Rash [Wed, 6 Jul 2011 03:14:19 +0000]
Added 'detection_filter' to not supported list

The newer 'detection_filter' Snort keyword (a replacement for the older
'threshold' keyword) is not supported yet.  The iptables limit match should
be able to help here eventually.

3 years ago: minor comment wording update for TCP options
Michael Rash [Wed, 6 Jul 2011 02:46:34 +0000]
minor comment wording update for TCP options

3 years ago: Added content match ordering based on length
Michael Rash [Tue, 5 Jul 2011 10:47:25 +0000]
Added content match ordering based on length

In cases where the 'fast_pattern' option is not used, Snort generally tries to
pick the longest pattern to match first since this should usually result in
better performance.  That is, there is a higher chance for a longer string to
be unique, and this results in shorter strings not being searched for.  This
works in the context of iptables because 'matches' are AND'd together, so if
the first string match fails, no subsequent string matches will be executed.
Hence, the search for "shortstr" below would not happen if the search for
"thisisalongstring" failed:

-m string --string 'thisisalongstring' --algo bm -m string --string 'shortstr' --algo bm

One thing to note is that iptables does not support relative string matches
in the same way that Snort does.  The iptables string match can specify an
offset and depth into the packet via --from and --to.  The end result is that
the fwsnort way of maximizing performance is to find the longest string, do
the match, and apply an approximation for --from and --to whenever they are
required for any pattern.  That is, it doesn't have to worry about relative
matches and finding the end of a pattern in order to know where to start the
next search.  Now, this will result in signature matching in fwsnort not
being as accurate as Snort (remember that fwsnort emulates Snort behavior as
closely as possible given functionality implemented in iptables), but it
should be faster.
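
As an added illustration of the ordering and --from/--to approximation described in this commit, and of the tighter 'within' handling, 'nocase', 'fast_pattern' and --queue-pre-match-max behaviour in the commits above, the Python below re-implements the idea in simplified form. It is not fwsnort's own code: the 64-byte header allowance and the "earliest possible end of the previous pattern" rule are assumptions chosen so that the numbers line up with the CHAT AIM login and FTP 220 banner translations shown on this page; fwsnort's own offsets for the Internet Explorer example differ in detail, and option parsing splits on ';', so a msg containing a semicolon is not handled.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed (not a documented fwsnort value): bytes of IP+TCP header taken to
# precede the payload, so that Snort depth:2 becomes iptables --to 66.
HDR_OFFSET = 64
HEX_BLOCK = re.compile(r'\|([0-9A-Fa-f ]+)\|')


@dataclass
class Content:
    pattern: str                  # raw Snort pattern, may contain |hex| blocks
    negated: bool = False         # content:!"..."
    nocase: bool = False          # -> --icase
    depth: Optional[int] = None
    offset: Optional[int] = None
    distance: Optional[int] = None
    within: Optional[int] = None
    fast_pattern: bool = False

    def raw_bytes(self) -> bytes:
        """Expand |hex| blocks so the literal byte length of the pattern is known."""
        out, pos = bytearray(), 0
        for m in HEX_BLOCK.finditer(self.pattern):
            out += self.pattern[pos:m.start()].encode('latin-1')
            out += bytes.fromhex(m.group(1))
            pos = m.end()
        out += self.pattern[pos:].encode('latin-1')
        return bytes(out)


def parse_contents(options: str) -> List[Content]:
    """Collect content matches and their modifiers from a Snort rule body.
    Limitation: options are split on ';', so a msg containing ';' breaks it."""
    contents: List[Content] = []
    for item in options.split(';'):
        key, _, val = item.strip().partition(':')
        key, val = key.strip(), val.strip()
        if key == 'content':
            contents.append(Content(val.lstrip('!').strip().strip('"'),
                                    negated=val.startswith('!')))
        elif contents and key in ('nocase', 'fast_pattern'):
            setattr(contents[-1], key, True)
        elif contents and key in ('depth', 'offset', 'distance', 'within'):
            setattr(contents[-1], key, int(val))
    return contents


def compute_bounds(contents: List[Content]) -> List[Tuple[Content, Optional[int], Optional[int]]]:
    """Assign --from/--to in rule order.  offset/depth count from HDR_OFFSET;
    distance/within count from the earliest possible end of the previous
    pattern, which is the approximation the commit text describes."""
    bounds, prev_end = [], HDR_OFFSET
    for c in contents:
        start, frm, to = HDR_OFFSET, None, None
        if c.offset is not None:
            start = frm = HDR_OFFSET + c.offset
        if c.depth is not None:
            to = start + c.depth
        if c.distance is not None:
            start = frm = prev_end + c.distance
        if c.within is not None:
            to = prev_end + c.within
        prev_end = start + len(c.raw_bytes())
        bounds.append((c, frm, to))
    return bounds


def order_matches(contents: List[Content], fast_pattern_order: bool = True) -> List[Content]:
    """Put the fast_pattern content first, or the longest one when none is
    flagged: iptables matches are AND'd, so a failing first match ends the
    rule.  fast_pattern_order=False keeps Snort's order (--no-fast-pattern-ordering)."""
    if not fast_pattern_order or not contents:
        return list(contents)
    flagged = [c for c in contents if c.fast_pattern]
    first = flagged[0] if flagged else max(contents, key=lambda c: len(c.raw_bytes()))
    return [first] + [c for c in contents if c is not first]


def translate(options: str, fast_pattern_order: bool = True,
              pre_match_max: Optional[int] = None, algo: str = 'bm') -> str:
    """Render the string-match part of one iptables rule.  pre_match_max mirrors
    --queue-pre-match-max: only the first N patterns are checked in the kernel."""
    triples = compute_bounds(parse_contents(options))
    by_id = {id(c): (frm, to) for c, frm, to in triples}
    parts = []
    for c in order_matches([t[0] for t in triples], fast_pattern_order)[:pre_match_max]:
        frm, to = by_id[id(c)]
        if '|' in c.pattern:
            # --hex-string keeps the |..| notation; drop the spaces Snort allows
            quoted = '--hex-string "%s"' % HEX_BLOCK.sub(
                lambda m: '|%s|' % m.group(1).replace(' ', ''), c.pattern)
        else:
            quoted = '--string "%s"' % c.pattern
        piece = '-m string %s%s --algo %s' % ('! ' if c.negated else '', quoted, algo)
        if frm is not None:
            piece += ' --from %d' % frm
        if to is not None:
            piece += ' --to %d' % to
        if c.nocase:
            piece += ' --icase'
        parts.append(piece)
    return ' '.join(parts)


if __name__ == '__main__':
    # options of the CHAT AIM login rule (sid:1631) quoted earlier on this page
    aim = 'content:"*|02|"; depth:2; content:"|00 17 00 06|"; distance:4; within:8; sid:1631;'
    print(translate(aim, fast_pattern_order=False))
```

translate() returns only the string-match portion of a rule. Run on the AIM rule with fast_pattern_order=False it yields --to 66 and --from 70 --to 74, the figures in the 'within' commit above, and on the FTP 220 banner rule it places the longer, negated "VMware Authentication Daemon" match first with --to 96 followed by "220 " with --to 68. Passing pre_match_max=1 keeps only the first match, the way --queue-pre-match-max 1 does before the packet is handed to NFQUEUE.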

3 years ago: Merge branch 'master' of github.com:mrash/fwsnort
Michael Rash [Tue, 5 Jul 2011 02:19:53 +0000]
Merge branch 'master' of github.com:mrash/fwsnort

3 years ago: Added 'fast_pattern' support + no patterns bug fix
Michael Rash [Tue, 5 Jul 2011 01:57:14 +0000]
Added 'fast_pattern' support + no patterns bug fix

Added support for the Snort 'fast_pattern' keyword which is used to force a
particular payload match to be done first.  This allows the signature author
to optimize the performance of certain signatures based on a knowledge of
how likely certain strings are to match within application layer protocols.
A good write-up of the 'fast_pattern' keyword was posted to the VRT blog

Also fixed a bug that would exclude all signatures that do not have at least
one content match.  A good example of such a signature is this one:

alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net connection reset (possible IP-Ban)"; flags:R,12; classtype: policy-violation; sid:2002117; rev:6;)

Between this bug fix and the 'fast_pattern' support, fwsnort is able to
translate nearly 300 additional signatures beyond the fwsnort-1.5 release:

[+] Generated iptables rules for 8529 out of 12224 signatures: 69.77%

[+] Generated iptables rules for 8812 out of 12224 signatures: 72.09%

3 years ago: Added support for Snort keyword 'fast_pattern'
Michael Rash [Tue, 5 Jul 2011 01:57:14 +0000]
Added support for Snort keyword 'fast_pattern'

Added support for the Snort 'fast_pattern' keyword which is used to force a
particular payload match to be done first.  This allows the signature author
to optimize the performance of certain signatures based on a knowledge of
how likely certain strings are to match within application layer protocols.
A good write-up of the 'fast_pattern' keyword was posted to the VRT blog

3 years ago: minor man page wording update
Michael Rash [Fri, 1 Jul 2011 00:52:22 +0000]
minor man page wording update

3 years ago: Added three Snort signature keywords
Michael Rash [Fri, 1 Jul 2011 00:50:30 +0000]
Added three Snort signature keywords

Added the 'detection_filter', 'threshold', and 'urilen' Snort rule keywords.
Also included a minor update to calculate max keyword length on the fly.

3 years ago: Added newer Snort keywords to snort_opts.pl
Michael Rash [Thu, 30 Jun 2011 00:23:38 +0000]
Added newer Snort keywords to snort_opts.pl

Added Snort keywords fast_pattern, http_header, http_uri, and http_method
to the snort_opts.pl script.

3 years ago: minor ChangeLog update
Michael Rash [Tue, 28 Jun 2011 02:39:57 +0000]
minor ChangeLog update

3 years ago: Bugfix for --ipt-apply to exec fwsnort.sh
Michael Rash [Tue, 28 Jun 2011 01:41:19 +0000]
Bugfix for --ipt-apply to exec fwsnort.sh

Fixed the --ipt-apply functionality - the variable that held the fwsnort.sh
path was not initialized properly prior to this change.

3 years ago: Added the --Conntrack-state argument
Michael Rash [Tue, 21 Jun 2011 01:00:57 +0000]
Added the --Conntrack-state argument

Added the --Conntrack-state argument to specify a conntrack state in place of
the "established" state that commonly accompanies the Snort "flow" keyword.
By default, fwsnort uses the conntrack state of "ESTABLISHED" for this.  In
certain corner cases, it might be useful to use "ESTABLISHED,RELATED" instead
to apply application layer inspection to things like ICMP port unreachable
messages that are responses to real attempted communications.  (Need to add
UDP tracking for the _ESTAB chains for this too - coming soon.)

3 years ago: Added test for conntrack --ctstate
Michael Rash [Tue, 21 Jun 2011 00:09:06 +0000]
Added test for conntrack --ctstate

Recent releases of iptables and the Linux kernel support matching
on connection state via the conntrack modules and the --ctstate
switch.  Added a capabilities test for this, and will fall back to
using the state match if the conntrack module is not available.

3 years ago: Bugfix for --ipt-list and --ipt-flush
Michael Rash [Sun, 19 Jun 2011 15:58:05 +0000]
Bugfix for --ipt-list and --ipt-flush

Fixed a problem with --ipt-list and --ipt-flush to ensure that the proper
iptables binary path is chosen.  These args failed without this because the
iptables binary was not set.

3 years ago: Bugfix for --log-prefix maximum lengths
Michael Rash [Sun, 19 Jun 2011 15:14:44 +0000]
Bugfix for --log-prefix maximum lengths

Bugfix to ensure the iptables log prefixes built by fwsnort are not
longer than those allowed by the running iptables firewall.  This is
usually a total of 29 characters, but fwsnort now dynamically figures out
this value.

This bug was originally reported by Yves Pagani to the fwsnort mailing

3 years ago: Removed old reference to $rev_num
Michael Rash [Sun, 19 Jun 2011 02:40:56 +0000]
Removed old reference to $rev_num

In keeping with svn, fwsnort used to store the $Id$ file ID into $rev_num. This
has been removed.

3 years ago: Removed legacy $Id$ tags (for old svn repos)
Michael Rash [Sun, 19 Jun 2011 01:09:12 +0000]
Removed legacy $Id$ tags (for old svn repos)

$Id$ tags don't really mean anything to git so they have been removed from all
source files.

4 years ago: wording fix for the fwsnort-1.5 ChangeLog [fwsnort-1.5]
Michael Rash [Sun, 9 Jan 2011 14:54:49 +0000]
wording fix for the fwsnort-1.5 ChangeLog

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@561 af5c991a-1414-0410-86ad-c3437102cd4a

4 years ago: bumped software version to 1.5
Michael Rash [Sun, 9 Jan 2011 03:14:15 +0000]
bumped software version to 1.5

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@556 af5c991a-1414-0410-86ad-c3437102cd4a

4 years ago: minor date update
Michael Rash [Mon, 3 Jan 2011 01:46:00 +0000]
minor date update

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@554 af5c991a-1414-0410-86ad-c3437102cd4a

4 years ago: bumped version to: 1.5-pre5
Michael Rash [Mon, 3 Jan 2011 01:45:26 +0000]
bumped version to: 1.5-pre5

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@553 af5c991a-1414-0410-86ad-c3437102cd4a

4 years ago: copyright date update
Michael Rash [Mon, 3 Jan 2011 01:38:51 +0000]
copyright date update

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@552 af5c991a-1414-0410-86ad-c3437102cd4a

4 years ago: added UPGRADE section
Michael Rash [Mon, 3 Jan 2011 01:37:31 +0000]
added UPGRADE section

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@551 af5c991a-1414-0410-86ad-c3437102cd4a

4 years ago: update to include information about the iptables-save format
Michael Rash [Fri, 31 Dec 2010 15:50:02 +0000]
update to include information about the iptables-save format

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@550 af5c991a-1414-0410-86ad-c3437102cd4a

4 years ago: minor wording update to include ip6tables policies
Michael Rash [Fri, 31 Dec 2010 15:38:13 +0000]
minor wording update to include ip6tables policies

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@549 af5c991a-1414-0410-86ad-c3437102cd4a

4 years ago: added the ability to build ip6tables policies in ip6tables-save format
Michael Rash [Fri, 31 Dec 2010 15:37:04 +0000]
added the ability to build ip6tables policies in ip6tables-save format

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@548 af5c991a-1414-0410-86ad-c3437102cd4a

4 years ago: minor update to include the GPL version number (v2) suggested by Guillermo Gomez
Michael Rash [Fri, 31 Dec 2010 14:41:21 +0000]
minor update to include the GPL version number (v2) suggested by Guillermo Gomez

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@547 af5c991a-1414-0410-86ad-c3437102cd4a

4 years ago: bumped to version 1.5-pre4
Michael Rash [Tue, 28 Dec 2010 04:13:57 +0000]
bumped to version 1.5-pre4

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@545 af5c991a-1414-0410-86ad-c3437102cd4a

4 years ago: - Added the --string-match-alg argument to allow the string matching
Michael Rash [Sun, 26 Dec 2010 22:14:01 +0000]
- Added the --string-match-alg argument to allow the string matching
algorithm used by fwsnort to be specified from the command line.  The
default algorithm is 'bm' for 'Boyer-Moore', but 'kmp' may also be
specified (short for the 'Knuth–Morris–Pratt' algorithm).

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@544 af5c991a-1414-0410-86ad-c3437102cd4a

4 years ago: bumped version to 1.5-pre3
Michael Rash [Fri, 24 Dec 2010 04:39:52 +0000]
bumped version to 1.5-pre3

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@542 af5c991a-1414-0410-86ad-c3437102cd4a

4 years ago: - Updated to the latest complete rule set from Emerging Threats (see
Michael Rash [Fri, 24 Dec 2010 04:39:26 +0000]
- Updated to the latest complete rule set from Emerging Threats (see

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@541 af5c991a-1414-0410-86ad-c3437102cd4a

4 years ago: updated to default to pulling Snort rules from the rules directory in --snort-rfile...
Michael Rash [Fri, 24 Dec 2010 04:39:04 +0000]
updated to default to pulling Snort rules from the rules directory in --snort-rfile mode when running as root

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@540 af5c991a-1414-0410-86ad-c3437102cd4a

4 years ago: bug fix to make sure to add the 'COMMIT' and '# Completed ...' lines at the end of...
Michael Rash [Fri, 24 Dec 2010 04:26:53 +0000]
bug fix to make sure to add the 'COMMIT' and '# Completed ...' lines at the end of the generated fwsnort.save file

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@539 af5c991a-1414-0410-86ad-c3437102cd4a

4 years ago: updated to point to the correct Emerging Threats rule set, and added the --rules...
Michael Rash [Fri, 24 Dec 2010 04:26:06 +0000]
updated to point to the correct Emerging Threats rule set, and added the --rules-url arg (similar to fwsnort)

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@538 af5c991a-1414-0410-86ad-c3437102cd4a

4 years ago: bumped version to: 1.5-pre2
Michael Rash [Thu, 23 Dec 2010 04:48:24 +0000]
bumped version to: 1.5-pre2

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@536 af5c991a-1414-0410-86ad-c3437102cd4a

4 years ago: - Added the --rules-url argument so that the URL for updating the
Michael Rash [Thu, 23 Dec 2010 04:48:09 +0000]
- Added the --rules-url argument so that the URL for updating the
Emerging Threats rule set can be specified from the command line.  The
default is:

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@535 af5c991a-1414-0410-86ad-c3437102cd4a

4 years ago: bumped version to 1.5-pre1
Michael Rash [Thu, 23 Dec 2010 04:38:01 +0000]
bumped version to 1.5-pre1

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@533 af5c991a-1414-0410-86ad-c3437102cd4a

4 years ago: minor comments update
Michael Rash [Thu, 23 Dec 2010 04:37:45 +0000]
minor comments update

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@532 af5c991a-1414-0410-86ad-c3437102cd4a

4 years ago: moved to instantiate the fwsnort iptables-save policy via /etc/fwsnort/fwsnort.sh
Michael Rash [Thu, 23 Dec 2010 04:31:15 +0000]
moved to instantiate the fwsnort iptables-save policy via /etc/fwsnort/fwsnort.sh

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@531 af5c991a-1414-0410-86ad-c3437102cd4a

4 years ago: - Updated to automatically check for the maximum length string that the
Michael Rash [Tue, 14 Dec 2010 15:16:56 +0000]
- Updated to automatically check for the maximum length string that the
string match supports, and this is used to throw out any Snort rules
with content matches longer than this length.

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@530 af5c991a-1414-0410-86ad-c3437102cd4a

4 years ago: - Updated the iptables capabilities testing routines to add and delete
Michael Rash [Tue, 14 Dec 2010 14:24:30 +0000]
- Updated the iptables capabilities testing routines to add and delete
testing rules to/from the custom chain 'FWS_CAP_TEST'.  This maintains a
cleaner separation between fwsnort and any existing iptables policy
even during the capabilities testing phase.
- Added the --ipt-check-capabilities argument to have fwsnort test the
capabilities of the local iptables firewall and exit.

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@529 af5c991a-1414-0410-86ad-c3437102cd4a

4 years ago: Major update to begin moving to using the iptables-save format instead of the older
Michael Rash [Fri, 23 Jul 2010 01:09:19 +0000]
Major update to begin moving to using the iptables-save format instead of the older
strategy to always just execute iptables commands directly.

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@528 af5c991a-1414-0410-86ad-c3437102cd4a

5 years ago: updated GPL license string to mention GPLv2
Michael Rash [Sat, 6 Feb 2010 03:33:39 +0000]
updated GPL license string to mention GPLv2

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@527 af5c991a-1414-0410-86ad-c3437102cd4a

5 years ago: minor version fix (1.1)
Michael Rash [Sat, 6 Feb 2010 03:33:22 +0000]
minor version fix (1.1)

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@526 af5c991a-1414-0410-86ad-c3437102cd4a

5 years ago: minor update Snort -> SNORT
Michael Rash [Wed, 6 Jan 2010 01:54:52 +0000]
minor update Snort -> SNORT

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@522 af5c991a-1414-0410-86ad-c3437102cd4a

5 years ago: bumped version to 1.1
Michael Rash [Wed, 6 Jan 2010 01:36:34 +0000]
bumped version to 1.1

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@521 af5c991a-1414-0410-86ad-c3437102cd4a

5 years ago: added a -6 example to the EXAMPLES section
Michael Rash [Wed, 6 Jan 2010 01:29:45 +0000]
added a -6 example to the EXAMPLES section

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@520 af5c991a-1414-0410-86ad-c3437102cd4a

5 years ago: bumped version to 1.1-pre3
Michael Rash [Tue, 5 Jan 2010 03:57:20 +0000]
bumped version to 1.1-pre3

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@518 af5c991a-1414-0410-86ad-c3437102cd4a

5 years ago: added Guillermo Gomez
Michael Rash [Tue, 5 Jan 2010 03:57:08 +0000]
added Guillermo Gomez

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@517 af5c991a-1414-0410-86ad-c3437102cd4a

5 years ago: bumped version to 1.1-pre2
Michael Rash [Tue, 5 Jan 2010 03:51:38 +0000]
bumped version to 1.1-pre2

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@515 af5c991a-1414-0410-86ad-c3437102cd4a

5 years ago: - Updated fwsnort to create logs in the /var/log/fwsnort/ directory
Michael Rash [Tue, 5 Jan 2010 03:39:53 +0000]
- Updated fwsnort to create logs in the /var/log/fwsnort/ directory
  instead of directly in the /var/log/ directory.  The path is controlled
  by a new variable 'LOG_FILE' in the /etc/fwsnort/fwsnort.conf file.
- Added several variables in /etc/fwsnort/fwsnort.conf to control paths
  to everything from the config file to the snort rules path.  Coupled
  with this is the ability to create variables within path components and
  fwsnort will expand them (e.g. 'CONF_DIR /etc/fwsnort;
  CONF_FILE $CONF_DIR/fwsnort.conf').
- Added --Last-cmd arg so that it is easy to rebuild the fwsnort.sh script
  with the same command line args as the previous execution.

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@514 af5c991a-1414-0410-86ad-c3437102cd4a

Michael Rash [Tue, 22 Dec 2009 02:53:12 +0000]
updated version to 1.1

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@512 af5c991a-1414-0410-86ad-c3437102cd4a

Michael Rash [Tue, 22 Dec 2009 02:52:01 +0000]
- Added the ability to build an fwsnort policy that utilizes ip6tables
instead of iptables.  This allows fwsnort filtering and altering
capabilities to apply to IPv6 traffic instead of just IPv4 traffic.  To
enable ip6tables usage, use the "-6" or "--ip6tables" command line

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@511 af5c991a-1414-0410-86ad-c3437102cd4a

Michael Rash [Mon, 21 Dec 2009 04:17:57 +0000]
- Added the --include-perl-triggers command line argument so that
translated Snort rules can easily be tested.  This argument instructs
fwsnort to include 'perl -e print ... ' commands as comments in the
/etc/fwsnort/fwsnort.sh script, and these commands can be combined
with netcat to send payloads across the wire that match Snort rules.
- Minor documentation fixes.

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@510 af5c991a-1414-0410-86ad-c3437102cd4a

Michael Rash [Mon, 21 Dec 2009 03:55:01 +0000]
updated to the latest Emerging Threats rule set

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@509 af5c991a-1414-0410-86ad-c3437102cd4a

Michael Rash [Sat, 4 Jul 2009 16:13:49 +0000]
updated to the latest Emerging Threats rule set

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@508 af5c991a-1414-0410-86ad-c3437102cd4a

Michael Rash [Sat, 30 May 2009 21:57:28 +0000]
merged: svn merge -r 500:504 file:///home/mbr/svn/fwsnort_repos/fwsnort/branches/fwsnort-1.0.6

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@507 af5c991a-1414-0410-86ad-c3437102cd4a

Michael Rash [Sat, 30 May 2009 02:39:38 +0000]
version 1.0.6

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@499 af5c991a-1414-0410-86ad-c3437102cd4a

Michael Rash [Sat, 30 May 2009 02:39:14 +0000]
version 1.0.6

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@498 af5c991a-1414-0410-86ad-c3437102cd4a

Michael Rash [Sat, 30 May 2009 02:39:00 +0000]
Added the 'BuildRequires: perl-ExtUtils-MakeMaker' statement

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@497 af5c991a-1414-0410-86ad-c3437102cd4a

Michael Rash [Wed, 27 May 2009 21:29:48 +0000]
bumped version to fwsnort-1.0.6-pre4

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@495 af5c991a-1414-0410-86ad-c3437102cd4a

Michael Rash [Wed, 27 May 2009 21:25:49 +0000]
- Bug fix to move the 'rawbytes' keyword to the list of keywords that are
ignored since iptables does a raw match anyway as it doesn't run any
preprocessors in the Snort sense.
- Added a small hack to choose the first port from a port list until the
iptables 'multiport' match is supported.
- Updated to consolidate spaces in hex matches in the fwsnort.sh script
since the spaces are not part of patterns to be searched anyway.

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@494 af5c991a-1414-0410-86ad-c3437102cd4a

Michael Rash [Wed, 27 May 2009 18:25:11 +0000]
minor cleanup (href->hr, aref->ar)

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@493 af5c991a-1414-0410-86ad-c3437102cd4a

Michael Rash [Wed, 27 May 2009 17:39:49 +0000]
- Bug fix to allow case insensitive matches to work properly with the
  --include-re-caseless and --exclude-re-caseless arguments.
- Added the --snort-rfile argument so that a specific Snort rules file (or
  list of files separated by commas) is parsed.

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@492 af5c991a-1414-0410-86ad-c3437102cd4a

Michael Rash [Sat, 16 May 2009 15:20:54 +0000]
updated version to 1.0.6-pre3

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@490 af5c991a-1414-0410-86ad-c3437102cd4a

Michael Rash [Sat, 16 May 2009 15:07:10 +0000]
Bug fix to allow fwsnort to properly translate snort rules that have
"content" fields with embedded escaped semicolons (e.g. "\;").  This
allows fwsnort to translate about 85 additional rules from the Emerging
Threats rule set.

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@489 af5c991a-1414-0410-86ad-c3437102cd4a

Michael Rash [Sat, 16 May 2009 14:49:47 +0000]
updated to the latest rule set from Emerging Threats

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@488 af5c991a-1414-0410-86ad-c3437102cd4a

Michael Rash [Wed, 22 Apr 2009 02:26:57 +0000]
updated to version 1.0.6-pre2

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@486 af5c991a-1414-0410-86ad-c3437102cd4a

Michael Rash [Wed, 22 Apr 2009 02:26:43 +0000]
- Updated to the latest complete rule set from Emerging Threats (see

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@485 af5c991a-1414-0410-86ad-c3437102cd4a

Michael Rash [Wed, 22 Apr 2009 02:22:46 +0000]
- (Franck Joncourt) Updated fwsnort to use the "! <option> <arg>" syntax
instead of the older "<option> ! <arg>" for the iptables command line.

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@484 af5c991a-1414-0410-86ad-c3437102cd4a

Michael Rash [Sat, 31 Jan 2009 03:00:25 +0000]
bumped version to 1.0.6-pre1

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@482 af5c991a-1414-0410-86ad-c3437102cd4a

Michael Rash [Sat, 31 Jan 2009 02:59:53 +0000]
From: Franck Joncourt <franck.mail@dthconnex.com>
Subject: [PATCH] fixes/content_length

iptables v1.4.2: STRING too long `|7c|XML|7c

For the --hex-string and --string matches, if the argument exceeds 128 bytes
(iptables 1.4.2) then iptables fails as above.

Thus, this patch adds a new variable in fwsnort.conf "MAX_STRING_LEN", so that
the size of the content can be limited. If the content (null terminated string)
is more than MAX_STRING_LEN chars, fwsnort throws the rule away.

Signed-off-by: Franck Joncourt <franck.mail@dthconnex.com>

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@481 af5c991a-1414-0410-86ad-c3437102cd4a
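
The three translation checks described in this log (escaped "\;" inside Snort content fields, whitespace consolidated inside |hex| blocks, and rules dropped when the resulting pattern would exceed the iptables string-match limit via MAX_STRING_LEN) as one added example; this is illustrative code written for this page, not fwsnort's own Perl, and the 128-byte default is taken from the iptables 1.4.2 figure quoted above.

```python
import re

# Default taken from the iptables 1.4.2 limit quoted in the patch message.
MAX_STRING_LEN = 128

# Matches content:"..." while letting backslash escapes (e.g. \; or \") pass
# through instead of terminating the option early.
_CONTENT_RE = re.compile(r'content:\s*"((?:[^"\\]|\\.)*)"')


def parse_content(rule_options):
    """Return the raw byte pattern of every content:"..." option in a rule.

    Handles |xx xx| hex blocks (spaces inside them are not part of the
    pattern and are discarded) and backslash escapes such as \\; or \\".
    """
    patterns = []
    for m in _CONTENT_RE.finditer(rule_options):
        body, out, i = m.group(1), bytearray(), 0
        while i < len(body):
            c = body[i]
            if c == "\\" and i + 1 < len(body):
                out.append(ord(body[i + 1]))      # escaped char, e.g. \; -> ;
                i += 2
            elif c == "|":
                j = body.find("|", i + 1)
                if j < 0:
                    raise ValueError("unterminated |hex| block in content")
                out += bytes.fromhex(body[i + 1:j].replace(" ", ""))
                i = j + 1
            else:
                out.append(ord(c))
                i += 1
        patterns.append(bytes(out))
    return patterns


def keep_rule(rule_options, max_len=MAX_STRING_LEN):
    """True if every content pattern fits the iptables --string/--hex-string
    limit; otherwise the rule would have to be thrown away, as fwsnort does."""
    return all(len(p) <= max_len for p in parse_content(rule_options))


if __name__ == "__main__":
    # Constructed sample options, not taken from any real rule set.
    sample = r'content:"|7c|XML|7c|"; nocase; content:"GET /a\;b";'
    print(parse_content(sample), keep_rule(sample))
```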

Michael Rash [Sun, 26 Oct 2008 23:03:09 +0000]
wording updates for the fwsnort(8) man page from Justin B Rye and Franck Joncourt

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@480 af5c991a-1414-0410-86ad-c3437102cd4a

Michael Rash [Tue, 30 Sep 2008 04:11:04 +0000]
content match fix for Emerging Threats Snort rule ID 2007975 (Franck Joncourt)

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@479 af5c991a-1414-0410-86ad-c3437102cd4a

Michael Rash [Tue, 30 Sep 2008 04:10:10 +0000]
bugfix in strict mode to use the fact that the threshold keyword is already unsupported (Franck Joncourt)

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@478 af5c991a-1414-0410-86ad-c3437102cd4a

Michael Rash [Wed, 27 Aug 2008 02:38:43 +0000]
minor update to include download directory in status output in --update mode

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@477 af5c991a-1414-0410-86ad-c3437102cd4a

Michael Rash [Fri, 22 Aug 2008 03:26:36 +0000]
updated to correct tar.gz path in --no-deps mode

git-svn-id: file:///home/mbr/svn/fwsnort_repos/fwsnort/trunk@476 af5c991a-1414-0410-86ad-c3437102cd4a