fwsnort-1.0.3 Software Release
23 November, 2007
The 1.0.3 release of fwsnort is ready for download. This release adds the ability to interpret basic PCRE expressions (more detail below) and includes a major signature update from Bleeding Threats. A new command line argument --include-re-caseless makes the --include-regex filter match case-insensitively, so fwsnort restricts its translation to the Snort rules that contain the given regular expression regardless of case. For example, here is the command to build an iptables policy derived from the Snort rules in the bleeding-all.rules file that contain the string "sid:2007" (i.e., signatures that were added in 2007):
# fwsnort --include-type bleeding-all --include-regex "sid:2007" --include-re-caseless
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Snort Rules File Success Fail Ipt_apply Total
[+] bleeding-all.rules 614 28 607 642
=======================================
614 28 607 642
[+] Generated iptables rules for 614 out of 642 signatures: 95.64%
[+] Found 607 applicable snort rules to your current iptables
policy.
[+] Logfile: /var/log/fwsnort.log
[+] iptables script: /etc/fwsnort/fwsnort.sh
This yields 607 successfully translated Snort rules that apply to the current iptables policy, and here is the iptables command that fwsnort built for the "BLEEDING-EDGE MALWARE Softwarereferral.com Adware Checkin" signature:
$IPTABLES -A FWSNORT_OUTPUT_ESTAB -p tcp --dport 80 \
    -m string --string "wmid=" --algo bm \
    -m string --string "&mid=" --algo bm \
    -m string --string "&lid=" --algo bm \
    -m comment --comment "sid:2007696; msg:BLEEDING-EDGE MALWARE Softwarereferral.com Adware Checkin; classtype:trojan-activity; rev:1; FWS:1.0.3;" \
    -j LOG --log-ip-options --log-tcp-options --log-prefix "[15] SID2007696 ESTAB "
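To make the rule-selection step concrete, here is an added Python model of what --include-regex / --exclude-regex do, with the new caseless flags. This is example code written for this post, not fwsnort's own Perl; the Snort rule lines and their sids are constructed placeholders, and the function names (select_rules, selected_sids) are my own.

```python
import re

# Constructed sample Snort rules for this example; the sids are placeholders,
# not real signature ids. Note the upper-case "SID" keyword on one line.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE WEB union select"; content:"UNION"; sid:2007001; rev:1;)
# commented-out rules are never candidates, even if they mention sid:2007999
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"SAMPLE MALWARE checkin"; content:"wmid="; SID:2007002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE WEB old"; content:"foo"; sid:2006005; rev:2;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)", re.IGNORECASE)

def select_rules(rules_text, include_regex=None, exclude_regex=None,
                 include_caseless=False, exclude_caseless=False):
    """Return (sid, rule_line) pairs that survive the include/exclude filters.

    Models the --include-regex / --exclude-regex options: a rule is kept only
    if it matches the include regex (when one is given) and does not match the
    exclude regex (when one is given). The *_caseless flags correspond to
    --include-re-caseless / --exclude-re-caseless. Blank and '#' lines are skipped.
    """
    inc = re.compile(include_regex, re.IGNORECASE if include_caseless else 0) if include_regex else None
    exc = re.compile(exclude_regex, re.IGNORECASE if exclude_caseless else 0) if exclude_regex else None
    kept = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if inc and not inc.search(line):
            continue
        if exc and exc.search(line):
            continue
        m = SID_RE.search(line)
        kept.append((int(m.group(1)) if m else None, line))
    return kept

def selected_sids(rules_text, **kwargs):
    """Convenience wrapper: just the sids, in file order."""
    return [sid for sid, _ in select_rules(rules_text, **kwargs)]

if __name__ == "__main__":
    print("sid:2007, case-sensitive:", selected_sids(SAMPLE_RULES, include_regex="sid:2007"))
    print("sid:2007, caseless:      ", selected_sids(SAMPLE_RULES, include_regex="sid:2007",
                                                    include_caseless=True))
    print("minus MALWARE, caseless: ", selected_sids(SAMPLE_RULES, include_regex="sid:2007",
                                                    include_caseless=True, exclude_regex="malware",
                                                    exclude_caseless=True))
```

The case-sensitive run picks up only the rule written with lower-case "sid:", which is exactly the gap that --include-re-caseless closes; rule files from different sources are not consistent about the keyword's case, so the caseless form is the safer default when selecting by sid prefix.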
Here is the full ChangeLog:
- Added --include-re-caseless and --exclude-re-caseless options to have --include-regex and --exclude-regex options match case insensitively.
- Major signature update from Bleeding Threats. This update includes a large number of new signatures with PCRE statements, with an emphasis on detecting SQL injection attacks directed at internal webservers from external sources.
- Added the ability to interpret PCRE statements that consist of simple string matches separated by ".*" and ".+" as multiple iptables string matches. The only negative consequence in terms of signature detection is that ordering is not preserved; that is, the PCRE "/UNION.+SELECT/" would only match a packet that contains "UNION" followed by "SELECT", whereas an iptables rule that uses a string match for UNION and a separate string match for SELECT would also match a packet that contains both strings in reverse order. Typically this is not a huge concern, and the PCRE translation can be disabled with a new option --no-pcre.
- Added asn1 keyword to unsupported list.
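The PCRE translation described in the ChangeLog, and the ordering it gives up, as an added Python example. This is illustration code written for this post, not fwsnort's translation routine: it splits a pcre value on ".*" / ".+" into literals, renders them as iptables string matches in the same form as the generated rule above, and then evaluates both the real regex and the unordered string-match approximation over a few constructed payloads so the extra hits are visible. The /i modifier is mapped to --icase, which is the iptables string-match option for a case-insensitive search (the generated rule on this page does not use it; that mapping is my choice here).

```python
import re

PCRE_RE = re.compile(r"/(.*)/([a-zA-Z]*)")       # /body/modifiers
META_RE = re.compile(r"[\\^$.|?*+()\[\]{}]")       # anything that is not a plain literal

def pcre_to_string_matches(pcre):
    """Split a simple Snort pcre value such as "/UNION.+SELECT/i" into the literal
    substrings that separate iptables -m string tests would look for.

    Returns (literals, caseless), or None when the pattern contains anything
    beyond literals joined by ".*" / ".+" (such a rule is left untranslated).
    """
    m = PCRE_RE.fullmatch(pcre.strip())
    if not m:
        return None
    body, mods = m.group(1), m.group(2)
    literals = [p for p in re.split(r"\.[*+]", body) if p]
    if not literals or any(META_RE.search(p) for p in literals):
        return None
    return literals, "i" in mods

def string_match_options(literals, caseless):
    """Render the literals as iptables string-match options (Boyer-Moore, as in the
    generated rule above); --icase asks iptables for a case-insensitive search."""
    icase = " --icase" if caseless else ""
    return " ".join(f'-m string --string "{lit}" --algo bm{icase}' for lit in literals)

def pcre_hit(payload, pcre):
    """Reference behaviour: the real regex, ordering included."""
    m = PCRE_RE.fullmatch(pcre.strip())
    flags = re.IGNORECASE if "i" in m.group(2) else 0
    return re.search(m.group(1), payload, flags) is not None

def string_match_hit(payload, literals, caseless):
    """iptables behaviour: every literal present somewhere in the packet, in any order."""
    fold = (lambda s: s.lower()) if caseless else (lambda s: s)
    hay = fold(payload)
    return all(fold(lit) in hay for lit in literals)

def compare(pcre, payloads):
    """For each payload return (payload, pcre_hit, string_match_hit); rows where the
    two differ are the extra matches caused by the lost ordering."""
    literals, caseless = pcre_to_string_matches(pcre)
    return [(p, pcre_hit(p, pcre), string_match_hit(p, literals, caseless)) for p in payloads]

if __name__ == "__main__":
    # Constructed HTTP request fragments for the demonstration (not captured traffic)
    payloads = [
        "GET /item.php?id=1 UNION SELECT user,pass FROM tbl HTTP/1.0",  # both fire
        "GET /item.php?id=1 HTTP/1.0",                                  # neither fires
        "POST /q HTTP/1.0\r\n\r\nq=SELECT+1+UNION+ALL",                 # only the unordered version fires
    ]
    literals, caseless = pcre_to_string_matches("/UNION.+SELECT/")
    print(string_match_options(literals, caseless))
    for payload, p_hit, s_hit in compare("/UNION.+SELECT/", payloads):
        flag = "" if p_hit == s_hit else "  <-- ordering lost"
        print(f"pcre={p_hit!s:5} iptables={s_hit!s:5} {payload[:40]!r}{flag}")
```

The third payload is the case the ChangeLog warns about: "SELECT" precedes "UNION", so the PCRE does not match but the pair of string matches does. Because the translated rules only log, the practical effect is an occasional extra log line rather than a dropped legitimate packet, which is why the loss of ordering is usually acceptable; where it is not, --no-pcre leaves those signatures out of the iptables policy.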