commit 336dea6aa9dd5b2a2ae3de88f3a4213f0efae92e
Author: Michael Rash <mbr@cipherdyne.org>
Date: Thu Sep 1 23:04:14 2011 -0400

bumped version to 1.6.1
commit 4cfbd3e7e29a601ac74e59031b620235ce8d76f6
Author: Michael Rash <mbr@cipherdyne.org>
Date: Thu Sep 1 22:58:22 2011 -0400

(Kim Hagen) Bug fix for 'Couldn't load target' error

Kim Hagen submitted this patch for a bug in fwsnort-1.6 where the fwsnort
policy in iptables-save format could not be loaded whenever iptables-save put
the nat table output after the filter table output. In this case, fwsnort
would fail with an error like the following (fixed in fwsnort-1.6.1):

`FWSNORT_FORWARD_ESTAB':/lib/xtables/libipt_FWSNORT_FORWARD_ESTAB.so:
cannot open shared object file: No such file or directory

fwsnort now invokes 'iptables-save -t filter' in order to ensure that
ordering issues do not affect how fwsnort builds its translated rule set.
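The table-ordering problem described in this commit, as an added Python example that is not fwsnort's own code (fwsnort is written in Perl): a parser that splits iptables-save output into its *table ... COMMIT sections, so the filter table is found whether nat is emitted before or after it (the equivalent of restricting the dump with -t filter), plus a check for jump targets that are neither built-in/extension targets nor chains declared in the same table. That is the condition under which iptables tries to load a target extension library such as libipt_FWSNORT_FORWARD_ESTAB.so and fails with "Couldn't load target". The iptables-save text and the KNOWN_TARGETS list are constructed for the example.

```python
import re

# Constructed iptables-save sections (not captured from a real host).
FILTER_SECTION = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FWSNORT_FORWARD_ESTAB - [0:0]
-A FORWARD -p tcp -m state --state ESTABLISHED -j FWSNORT_FORWARD_ESTAB
COMMIT
"""
NAT_SECTION = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""
# The ordering that broke fwsnort-1.6, and the ordering that worked.
NAT_AFTER_FILTER = FILTER_SECTION + NAT_SECTION
FILTER_AFTER_NAT = NAT_SECTION + FILTER_SECTION

# A broken policy: the jump to the fwsnort chain landed in the nat section,
# where no such chain is declared.
MISPLACED_JUMP = """\
*filter
:FORWARD ACCEPT [0:0]
:FWSNORT_FORWARD_ESTAB - [0:0]
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -p tcp -j FWSNORT_FORWARD_ESTAB
COMMIT
"""

# Targets iptables resolves without a user chain: built-ins plus a few shipped
# extensions (libxt_LOG.so etc.). Illustrative list, not exhaustive.
KNOWN_TARGETS = {"ACCEPT", "DROP", "RETURN", "QUEUE", "NFQUEUE", "LOG",
                 "REJECT", "MASQUERADE", "SNAT", "DNAT", "REDIRECT", "MARK"}

JUMP_RE = re.compile(r"(?:^|\s)(?:-j|--jump|-g|--goto)\s+(\S+)")


def parse_iptables_save(text):
    """Return {table: {"chains": [...], "rules": [...]}}. A section runs from
    a '*table' line to the next COMMIT, so table order does not matter."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = line[1:]
            tables[current] = {"chains": [], "rules": []}
        elif line == "COMMIT":
            current = None
        elif current is None:
            raise ValueError("rule outside a *table/COMMIT block: %r" % line)
        elif line.startswith(":"):
            tables[current]["chains"].append(line[1:].split()[0])
        else:
            tables[current]["rules"].append(line)
    return tables


def filter_rules(text):
    """Only the filter table's rules, whatever else iptables-save emitted."""
    return parse_iptables_save(text).get("filter", {"rules": []})["rules"]


def unresolved_jump_targets(text, table="filter"):
    """Jump targets in `table` that are neither known targets nor chains of
    that same table. iptables treats such a name as a target extension and
    tries to dlopen libipt_<NAME>.so, which is exactly the
    'Couldn't load target' failure quoted above."""
    section = parse_iptables_save(text).get(table)
    if section is None:
        return []
    resolvable = KNOWN_TARGETS | set(section["chains"])
    missing = []
    for rule in section["rules"]:
        for target in JUMP_RE.findall(rule):
            if target not in resolvable and target not in missing:
                missing.append(target)
    return missing
```

Running `unresolved_jump_targets` over a generated policy before handing it to iptables-restore catches the misplaced-chain case without the round trip through the kernel.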
commit 19625a6eb7e40a375be733b0a74b550292f4dcf8
Author: Michael Rash <mbr@cipherdyne.org>
Date: Thu Sep 1 22:13:18 2011 -0400

Bug fix for fast_pattern interpretation for relative matches

This change ensures that fwsnort does not attempt to re-order pattern matches
for patterns that have a relative match requirement. For non-relative matches
fwsnort re-orders pattern matches based on the pattern length, reasoning that
the longest pattern should be processed first for better performance. The
usage of the fast_pattern keyword gives the user explicit control over this.

Here is a Snort rule that is now properly handled by fwsnort:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Reader and Acrobat Forms Data Format Remote Security Bypass Attempt"; flow:established,to_client; file_data; content:"%FDF-"; depth:300; content:"/F(JavaScript|3a|"; nocase; distance:0; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37763; reference:cve,2009-3956; reference:url,doc.emergingthreats.net/2010664; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Adobe; reference:url,www.stratsec.net/files/SS-2010-001_Stratsec_Acrobat_Script_Injection_Security_Advisory_v1.0.pdf; sid:2010664; rev:8;)

Before this change, fwsnort translated this rule as:

$IPTABLES -A FWSNORT_FORWARD_ESTAB -p tcp -m tcp --sport 80 -m string --hex-string "/F(JavaScript|3a|" --algo bm --from 69 --icase -m string --hex-string "%FDF|2d|" --algo bm --to 364 -m comment --comment "sid:2010664; msg:ET WEB_CLIENT Possible Adobe Reader and Acrobat Forms Data Format Remote Security Bypass Attempt; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37763; rev:8; FWS:1.6;" -j LOG --log-ip-options --log-tcp-options --log-prefix "SID2010664 ESTAB "

Note that in the above rule, the "/F(JavaScript|3a|" pattern was switched to
be evaluated first even though it is a relative match to the previous pattern
in the original Snort rule. After this change, fwsnort translates this rule:

$IPTABLES -A FWSNORT_FORWARD_ESTAB -p tcp -m tcp --sport 80 -m string --hex-string "%FDF|2d|" --algo bm --to 364 -m string --hex-string "/F(JavaScript|3a|" --algo bm --from 69 --icase -m comment --comment "sid:2010664; msg:ET WEB_CLIENT Possible Adobe Reader and Acrobat Forms Data Format Remote Security Bypass Attempt; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37763; rev:8; FWS:1.6;" -j LOG --log-ip-options --log-tcp-options --log-prefix "SID2010664 ESTAB "
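The match-ordering rule this commit describes, as an added Python example that is not fwsnort's own code (fwsnort is Perl): a small Snort option parser that attaches depth/offset/distance/within/nocase/fast_pattern to the preceding content, a byte-length function that counts a |3a| hex run as one byte, and an ordering policy. The policy is my reading of the commit message, not a copy of fwsnort's logic: any distance/within makes the rule's matches keep Snort's order, otherwise a fast_pattern content goes first, otherwise the longest pattern goes first. The rendered string-match fragments deliberately leave out the --from/--to byte offsets that fwsnort computes (69 and 364 above); the rule text is the sid:2010664 rule from the commit, trimmed to the options that matter here.

```python
import re

# sid:2010664 from the commit message, msg and references shortened.
ET_2010664 = ('alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
              '(msg:"ET WEB_CLIENT Possible Adobe Reader FDF Security Bypass"; '
              'flow:established,to_client; file_data; content:"%FDF-"; depth:300; '
              'content:"/F(JavaScript|3a|"; nocase; distance:0; '
              'classtype:attempted-user; sid:2010664; rev:8;)')


def split_options(body):
    """Split a Snort option body on ';' outside double quotes."""
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def parse_contents(rule):
    """Content matches in rule order. Modifiers that follow a content (nocase,
    depth, offset, distance, within, fast_pattern) attach to that content,
    which is how Snort interprets them."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    contents = []
    for opt in split_options(body):
        name, _, val = opt.partition(":")
        name, val = name.strip(), val.strip()
        if name == "content":
            contents.append({"pattern": val.strip('"'), "nocase": False,
                             "fast_pattern": False, "relative": False, "mods": {}})
        elif not contents:
            continue  # modifier before any content: nothing to attach to
        elif name in ("depth", "offset", "distance", "within"):
            contents[-1]["mods"][name] = int(val)
            if name in ("distance", "within"):
                contents[-1]["relative"] = True  # anchored to the previous match
        elif name == "nocase":
            contents[-1]["nocase"] = True
        elif name == "fast_pattern":
            contents[-1]["fast_pattern"] = True
    return contents


def pattern_bytes(pattern):
    """Bytes of a Snort/iptables pattern: each |xx yy| hex run is raw bytes."""
    out = bytearray()
    for literal, hexrun in re.findall(r"([^|]*)(?:\|([0-9A-Fa-f ]*)\|)?", pattern):
        out += literal.encode()
        if hexrun:
            out += bytes.fromhex(hexrun.replace(" ", ""))
    return bytes(out)


def order_matches(contents):
    """Ordering policy (assumption, see lead-in): a relative match must stay
    after the match it is anchored to, so a rule with any distance/within
    keeps Snort's order; otherwise fast_pattern first, else longest first."""
    if any(c["relative"] for c in contents):
        return list(contents)
    fast = [c for c in contents if c["fast_pattern"]]
    rest = [c for c in contents if not c["fast_pattern"]]
    rest.sort(key=lambda c: len(pattern_bytes(c["pattern"])), reverse=True)
    return fast + rest


def string_matches(rule):
    """Ordered iptables string-match fragments for a rule. The --from/--to
    offsets fwsnort derives from depth/offset/distance are not attempted."""
    frags = []
    for c in order_matches(parse_contents(rule)):
        frag = '-m string --algo bm --hex-string "%s"' % c["pattern"]
        if c["nocase"]:
            frag += " --icase"
        frags.append(frag)
    return frags
```

For the sid:2010664 rule the second content carries distance:0, so `order_matches` leaves "%FDF-" first and "/F(JavaScript|3a|" second, matching the corrected translation above; a rule with two unrelated contents is still sorted longest first.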
commit d90f90270c0ad3125a42ee04de43b2fe22e93ca9
Author: Michael Rash <mbr@cipherdyne.org>
Date: Thu Sep 1 22:09:41 2011 -0400

Updated to the latest Emerging Threats rule set

Update to the latest 'emerging-all.rules' Snort rule set from Emerging Threats
(http://www.emergingthreats.net).