Software Release - fwsnort-1.6
28 July, 2011

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer srcElement Memory Corruption Attempt"; flow:established,to_client; file_data; content:"document.createEventObject"; distance:0; nocase; content:".innerHTML"; within:100; nocase; content:"window.setInterval"; distance:0; nocase; content:"srcElement"; fast_pattern; nocase; distance:0; classtype:attempted-user; reference:url,www.microsoft.com/technet/security/bulletin/ms10-002.mspx; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19726; reference:url,www.kb.cert.org/vuls/id/492515; reference:cve,2010-0249; reference:url,doc.emergingthreats.net/2010799; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSIE; sid:2010799; rev:5;)
fwsnort translates this rule into the following iptables rule, shown here in iptables-save format as written to /etc/fwsnort/fwsnort.save (the equivalent iptables commands in non-save format are written to the /etc/fwsnort/fwsnort_iptcmd.sh script):
-A FWSNORT_FORWARD_ESTAB -p tcp -m tcp --sport 80 -m string --string "srcElement" --algo bm --from 82 --icase -m string --string "document.createEventObject" --algo bm --from 64 --icase -m string --string ".innerHTML" --algo bm --to 190 --icase -m string --string "window.setInterval" --algo bm --from 74 --icase -m comment --comment "sid:2010799; msg:ET WEB_CLIENT Possible Internet Explorer srcElement Memory Corruption Attempt; classtype:attempted-user; reference:url,www.microsoft.com/technet/security/bulletin/ms10-002.mspx; rev:5; FWS:1.6;" -j LOG --log-ip-options --log-tcp-options --log-prefix "SID2010799 ESTAB "
Note that the srcElement string is matched first in the iptables rule even though it is the last content in the original Snort rule: it carries the fast_pattern modifier, so fwsnort emits it as the first string match. iptables evaluates a rule's matches in order and abandons the rule at the first match that fails, so testing the most selective pattern first means a packet that does not contain it is rejected without running the remaining string searches at all.
With fast_pattern support, fwsnort policies should therefore be a bit faster at run time in the Linux kernel.
On a final note, the iptables multiport match is also supported with the fwsnort-1.6 release, so Snort rules with lists of source or destination ports (like this:
"alert tcp $HOME_NET [0:20,22:24,26:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any")
can be translated. One caveat to keep in mind: the iptables multiport match accepts at most 15 port entries, and a port range counts as two, so a list as long as the one above does not fit in a single match; check the rules fwsnort generates in /etc/fwsnort/fwsnort.save for such a rule.
The complete fwsnort-1.6 ChangeLog can be found here via the fwsnort gitweb interface.