cipherdyne.org

Michael Rash, Security Researcher



Software Release - fwsnort-0.9.0

The 0.9.0 release of fwsnort is ready for download. This release is a major update that raises the Snort signature translation rate for the Snort-2.3.3 signature set from around 50% to over 60%. This is accomplished by taking advantage of the fact that iptables supports multiple match conditions in a single rule, so several Snort content keywords can be matched by one iptables rule. There are also improvements in the way fwsnort builds iptables logging prefixes, and both whitelists and blacklists are fully supported now. The fwsnort-0.9.0 release will be featured in my talk at ShmooCon. Here is the ChangeLog:
  • Added support for multiple content matches per rule, since iptables allows several match conditions in a single rule. This gives roughly a 10% increase in the fwsnort translation rate: about 60% of all Snort-2.3.3 rules can be translated now.
  • Added emulation of the Snort distance and within keywords relative to the previous content match, derived from the string match extension's --from and --to options and the length of the previous pattern.
  • Added the ability to include the Snort "msg", "classtype", "reference", "priority", and "rev" fields in each iptables rule with the comment match. This can be disabled with a new command line argument --no-ipt-comments. The fwsnort version is also included within this string.
  • Added the ability to include the iptables rule number for each rule in the fwsnort chains. This is useful to easily know which iptables rule is being triggered by network traffic (so it can be disabled if necessary). This can be disabled with --no-ipt-rule-nums.
  • Added the --include-regex and --exclude-regex command line arguments. These arguments allow rules to be included/excluded based on a regular expression supplied on the command line.
  • Updated to include the original Snort rule as a comment within the fwsnort.sh script without having to use --verbose.
  • Bugfix to force install of IPTables::Parse since it had been updated in the fwsnort-0.8.2 release.
  • Changed the IGNORE_ADDR variable to WHITELIST since this name better describes the actual function of this var. Updated to allow multiple WHITELIST lines.
  • Added the BLACKLIST variable to allow a true blacklist to be instantiated with either the DROP or REJECT targets. The syntax for the BLACKLIST variable is "BLACKLIST <ip or network> <target>" where "target" is either "DROP" or "REJECT".
  • Added -F and -L command line arguments to flush and list iptables rules. This is similar to the iptables command line args of the same names.
  • Bugfix to ensure that traffic arriving via the INPUT chain or leaving via the OUTPUT chain is treated as destined for or originating from the HOME_NET. After all, the HOME_NET variable may contain an internal network but omit the IP assigned to an external interface on the firewall.
  • Added "--log-ip-options" and "--log-tcp-options" to fwsnort LOG rules by default (in the generated fwsnort.sh script). This can be disabled with --no-log-ip-opts and --no-log-tcp-opts arguments on the fwsnort command line.
  • Added the ability to include --log-tcp-sequence to LOG rules in fwsnort.sh with a new argument --ipt-log-tcp-seq on the fwsnort command line.
  • Updated to handle negative string matches with "--string ! <string>".
  • Updated to output all unsupported options to the /var/log/fwsnort.log file to assist in the development of additional keyword emulation.
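To make the translation mechanics in the ChangeLog concrete (several content keywords folded into one iptables rule, negated content written as "--string ! <pattern>", distance/within emulated with --from/--to, and the msg/classtype/sid/rev fields carried in a comment match), here is a small Python translator written for this post. It is an added illustration, not fwsnort's own code (fwsnort is written in Perl), and the search-window arithmetic, the log-prefix layout, the comment layout, the chain name FWSNORT_INPUT, and the sample rule are all assumptions constructed for the example rather than fwsnort's exact output.

```python
"""Toy Snort-to-iptables translator for the content/distance/within mechanics.

Added illustration written for this page; not fwsnort's own code.  It folds
several Snort content keywords into one iptables rule with one '-m string'
clause each, emits negated content as '--string ! <pattern>', emulates
distance/within by shifting the '--from'/'--to' search window from the previous
pattern's window and length, and carries msg/classtype/sid/rev in a
'-m comment' clause.  Window arithmetic and output layout are assumptions.
"""
from __future__ import annotations

import re
import shlex

MAX_PKT = 65535          # assumed cap for --to; treated as "no upper bound"
COMMENT_MAX = 255        # xt_comment stores at most 255 characters plus NUL
LOG_PREFIX_MAX = 29      # iptables LOG --log-prefix length limit


def parse_snort_options(rule):
    """Return (keyword, value) pairs from the rule's parenthesised options."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    pattern = r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;'
    return [(k, v.strip()) for k, v in re.findall(pattern, body)]


def pattern_length(pat):
    """Byte length of a Snort content pattern, counting |xx yy| hex as bytes."""
    total, hexmode = 0, False
    for chunk in pat.split("|"):
        total += len(chunk.split()) if hexmode else len(chunk)
        hexmode = not hexmode
    return total


def string_match_clauses(opts):
    """One '-m string ...' clause per Snort content keyword."""
    clauses = []
    prev = None                       # (from, to, length) of previous content
    for i, (key, val) in enumerate(opts):
        if key != "content":
            continue
        negated = val.startswith("!")
        pat = val.lstrip("!").strip('"')
        mods = {}                     # modifiers up to the next content keyword
        for k, v in opts[i + 1:]:
            if k == "content":
                break
            mods[k] = v
        frm, to = 0, MAX_PKT
        if "offset" in mods or "depth" in mods:
            frm = int(mods.get("offset", 0))
            to = frm + int(mods["depth"]) if "depth" in mods else MAX_PKT
        if prev and ("distance" in mods or "within" in mods):
            pf, pt, plen = prev
            # Assumed approximation: the previous match ended somewhere in
            # [pf + plen, pt], so this one starts at or after
            # pf + plen + distance and must end by pt + within.
            frm = pf + plen + int(mods.get("distance", 0))
            to = min(MAX_PKT, pt + int(mods["within"])) if "within" in mods else MAX_PKT
        parts = ["-m", "string", "--algo", "bm"]
        if frm:
            parts += ["--from", str(frm)]
        if to < MAX_PKT:
            parts += ["--to", str(to)]
        if "nocase" in mods:
            parts.append("--icase")
        # Snort's |xx| hex notation is also what iptables --hex-string expects.
        opt = "--hex-string" if "|" in pat else "--string"
        parts += [opt] + (["!"] if negated else []) + [shlex.quote(pat)]
        clauses.append(" ".join(parts))
        prev = (frm, to, pattern_length(pat))
    return clauses


def snort_to_iptables(rule, chain="FWSNORT_INPUT", rule_num=1, version="0.9.0"):
    """Render one Snort rule as one iptables LOG rule.  Addresses are left out;
    HOME_NET/EXTERNAL_NET resolution is a separate step in fwsnort."""
    head = rule.split("(", 1)[0].split()   # action proto src sport dir dst dport
    proto, dport = head[1], head[6]
    opts = parse_snort_options(rule)
    fields = dict(opts)
    sid = fields.get("sid", "0")
    cmd = ["iptables", "-A", chain, "-p", proto]
    if dport.isdigit():
        cmd += ["--dport", dport]
    cmd += string_match_clauses(opts)
    comment = "fwsnort %s: msg=%s; classtype=%s; sid=%s; rev=%s" % (
        version, fields.get("msg", "").strip('"'), fields.get("classtype", ""),
        sid, fields.get("rev", ""))
    cmd += ["-m", "comment", "--comment", shlex.quote(comment[:COMMENT_MAX])]
    prefix = ("[%d] SID%s " % (rule_num, sid))[:LOG_PREFIX_MAX]
    cmd += ["-j", "LOG", "--log-prefix", shlex.quote(prefix),
            "--log-ip-options", "--log-tcp-options"]
    return " ".join(cmd)


# Constructed sample rule in Snort-2.3.3 syntax (not from the Snort ruleset).
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-TEST cgi probe"; '
               'flow:to_server,established; content:"GET "; depth:4; '
               'content:"/cgi-bin/"; distance:0; within:200; nocase; '
               'content:!"|0d 0a|safe"; classtype:web-application-attack; '
               'sid:9000001; rev:2;)')

if __name__ == "__main__":
    print(snort_to_iptables(SAMPLE_RULE))
```

Two caveats worth keeping in mind when reading the output: the "--string ! <pattern>" form is the one this release targets, while newer iptables versions prefer the negation before the option ("! --string"), and the comment and log-prefix strings are truncated to the limits of the comment match and LOG target so a long Snort msg does not make the rule fail to load.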