Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
fwsnort/ChangeLog
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
603 lines (556 sloc)
34.3 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| fwsnort-1.6.9 (12//2018): | |
| - Bug fix to handle negated port numbers in multiport match usage (bug | |
| reported by David Mason). | |
| - Updated to bundle the latest Emerging Threats rule set. | |
| fwsnort-1.6.8 (07/31/2018): | |
| - Update to handle the 'metadata' keyword in the Snort rules language. | |
| This restores the ability to translate the Emerging Threats rule sets | |
| and beyond. | |
| - Updated to bundle the latest Emerging Threats rule set. | |
| fwsnort-1.6.7 (05/06/2017): | |
| - Bug fix reported independently by Dan Alberghetti and fixed by Axel | |
| Beckert in github issue #14 to strip out brackets from single port | |
| numbers in Snort rules when they exist. | |
| - Updated IPTables::Parse to 1.6.1. | |
| - Updated to bundle the latest Emerging Threats rule set. | |
| fwsnort-1.6.6 (12/04/2016): | |
| - (Robert Foreman) Whitelist IP addresses for Emerging Threats ruleset | |
| downloads (96.43.137.99, 204.12.217.19). | |
| - Update to IPTables::Parse-1.6 which contains a fix for a local-only | |
| vulnerability dealing with temporary file handling. Details can be found | |
| here: https://github.com/mrash/IPTables-Parse/blob/master/Changes | |
| - Fixed an issue for Snort rules against all IP protocols should be | |
| translated with the iptables '-p all' argument instead of '-p ip'. This | |
| issue was reported by Github user mgaulton. | |
| - Added support for using the 'ip' command for acquiring IP addresses | |
| assigned to local interfaces. The 'ifconfig' command is still supported, | |
| but 'ip' is preferred when it is available. Issue #9 reported by | |
| 'mgaulton'. | |
| - Updated to bundle the latest Emerging Threats rule set. | |
| fwsnort-1.6.5 (08/26/2014): | |
| - (Paulo Bruck) Submitted a patch to fix a bug in fwsnort usage of the | |
| iptables --ulog-prefix option (an invalid quote was being used previous | |
| to the fix). | |
| - Updated to bundle the latest Emerging Threats rule set. | |
| fwsnort-1.6.4 (02/02/2014): | |
| - Bug fix for vulnerability CVE-2014-0039 reported by Murray McAllister of | |
| the Red Hat Security Team in which an attacker-controlled fwsnort.conf | |
| file could be read by fwsnort when not running as root. This was caused | |
| by fwsnort reading './fwsnort.conf' when not running as root and when a | |
| path to the config file was not explicitly set with -c on the command | |
| line. This behavior has been changed to require the user to specify a | |
| path to fwsnort.conf with -c when not running as root. | |
| - Switch fwsnort.sh iptables-restore exec() strategy to leverage 'cat' | |
| against fwsnort.save file (fixes CentOS deployments). | |
| - Updated to bundle the latest Emerging Threats rule set. | |
| fwsnort-1.6.3 (12/21/2012): | |
| - Bug fix to ensure that !, <, >, and = chars in content strings are | |
| converted to the appropriate hex equivalents. All content strings with | |
| characters outside of [A-Za-z0-9] are now converted to hex-string format | |
| in their entirety. This should also fix an issue that results in the | |
| following error when running /var/lib/fwsnort/fwsnort.sh: | |
| Using intrapositioned negation (`--option ! this`) is deprecated in | |
| favor of extrapositioned (`! --option this`). | |
| Bad argument `bm' | |
| Error occurred at line: 64 | |
| Try `iptables-restore -h' or 'iptables-restore --help' for more | |
| information. | |
| Done. | |
| - Bug fix to set default max string length in --no-ipt-test mode where | |
| iptables capabilities are not tested. | |
| - (Andrew Merenbach) Bug fix to properly honor --exclude-regex filtering | |
| option. | |
| - Added fwsnort test suite to the test/ directory. This mimics the test | |
| suites from the psad and fwknop projects, and it designed to examine | |
| many of the run time results of fwsnort. | |
| - Added the ability to easily revert the fwsnort policy back to the | |
| original iptables policy with "/var/lib/fwsnort/fwsnort.sh -r". Note | |
| that this reverts back to the policy as it was when fwsnort itself was | |
| executed. | |
| - Implemented a single unified function for iptables match parameter | |
| length testing, and optimized to drastically reduce run time for iptables | |
| capabilities checks (going from over 20 seconds to less than one second | |
| in some cases). | |
| - (Dwight Davis) Contributed patches for several bugs including not | |
| handling --exclude-regex properly, not ignoring the deleted.rules file, | |
| not handling --strict mode operations correctly, and more. These issues | |
| and the corresponding patch were originally reported here: | |
| http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693000 | |
| - Bug fix for Snort rules with HOME_NET(any) -> EXTERNAL_NET(any) to | |
| ensure they go into the OUTPUT chain instead of the INPUT chain. This | |
| bug was reported by Dwight Davis. | |
| - Updated to bundle the latest Emerging Threats rule set. | |
| fwsnort-1.6.2 (04/28/2012): | |
| - Switched --no-ipt-sync to default to not syncing with the iptables policy. | |
| By default fwsnort attempts to match translated Snort rules to the | |
| running iptables policy, but this is tough to do well because iptables | |
| policies can be complex. And, before fwsnort switched to the | |
| iptables-save format for instantiating the policy, a large set of | |
| translated rules could take a really long time to make active within the | |
| kernel. Finally, many Snort rules restrict themselves to established TCP | |
| connections anyway, and if a restrictive policy doesn't allow connections | |
| to get into the established state for some port let's say, then there is | |
| little harm in having translated Snort rules for this port. Some kernel | |
| memory would be wasted (small), but no performance would be lost since | |
| packets won't be processed against these rules anyway. The end result is | |
| that the default behavior is now to not sync with the local iptables | |
| policy in favor of translating and instantiating as many rules as | |
| possible. | |
| - Replaced Net::IPv4Addr with the excellent NetAddr::IP module which has | |
| comprehensive support for IPv6 address network parsing and comparisons. | |
| - Moved the fwsnort.sh script and associated files into the | |
| /var/lib/fwsnort/ directory. This was suggested by Peter Vrabec. | |
| - Bug fix for recent versions of iptables (such as 1.4.12) where the icmp | |
| match requires --icmp-type to be set - some Snort rules look for a string | |
| to match in icmp traffic, but don't also specify an icmp type. | |
| - Bug fix for 'qw(...) usage as parenthesis' warnings for perl > 5.14 | |
| - Removed the ExtUtils::MakeMaker RPM build requirement from the | |
| fwsnort.spec file. This is a compromise which will allow the fwsnort RPM | |
| to be built even if RPM dosen't or can't see that ExtUtils::MakeMaker is | |
| installed - most likely it will build anyway. If it doesn't, there are | |
| bigger problems since fwsnort is written in perl. If you want to build | |
| the fwsnort RPM with a .spec file that requires ExtUtils::MakeMaker, then | |
| use the "fwsnort-require-makemaker.spec" file that is bundled in the | |
| fwsnort sources. | |
| fwsnort-1.6.1 (11/01/2011): | |
| - (Kim Hagen) submitted a patch for a bug in fwsnort-1.6 where the fwsnort | |
| policy in iptables-save format could not be loaded whenever iptables-save | |
| put the nat table output after the filter table output. In this case, | |
| fwsnort would fail with an error like the following: | |
| Couldn't load target | |
| `FWSNORT_FORWARD_ESTAB':/lib/xtables/libipt_FWSNORT_FORWARD_ESTAB.so: | |
| cannot open shared object file: No such file or directory | |
| fwsnort now invokes 'iptables-save -t filter' in order to ensure that | |
| ordering issues do not affect how fwsnort builds its translated rule set. | |
| - Bug fix to ensure that fwsnort does not attempt to re-order pattern | |
| matches for patterns that have a relative match requirement. For non- | |
| relative matches fwsnort re-orders pattern matches based on the pattern | |
| length, reasoning that the longest pattern should be processed first for | |
| better performance. The usage of the fast_pattern keyword give the user | |
| explicit control over this. Here is a Snort rule that is now properly | |
| handled by fwsnort (references removed): | |
| alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT | |
| Possible Adobe Reader and Acrobat Forms Data Format Remote Security | |
| Bypass Attempt"; flow:established,to_client; file_data; content:"%FDF-"; | |
| depth:300; content:"/F(JavaScript|3a|"; nocase; distance:0; | |
| classtype:attempted-user; sid:2010664; rev:8;) | |
| Before this change, fwsnort translated this rule as: | |
| $IPTABLES -A FWSNORT_FORWARD_ESTAB -p tcp -m tcp --sport 80 -m string | |
| --hex-string "/F(JavaScript|3a|" --algo bm --from 69 --icase -m string | |
| --hex-string "%FDF|2d|" --algo bm --to 364 -m comment --comment | |
| "sid:2010664; msg:ET WEB_CLIENT Possible Adobe Reader and Acrobat Forms | |
| Data Format Remote Security Bypass Attempt; classtype:attempted-user; | |
| rev:8; FWS:1.6;" -j LOG --log-ip-options --log-tcp-options --log-prefix | |
| "SID2010664 ESTAB " | |
| Note that in the above rule, the "/F(JavaScript|3a|" pattern was switched | |
| to be evaluated first even though it is a relative match to the previous | |
| pattern in the original Snort rule. After this change, fwsnort translates | |
| this rule as: | |
| $IPTABLES -A FWSNORT_FORWARD_ESTAB -p tcp -m tcp --sport 80 -m string | |
| --hex-string "%FDF|2d|" --algo bm --to 364 -m string --hex-string | |
| "/F(JavaScript|3a|" --algo bm --from 69 --icase -m comment --comment | |
| "sid:2010664; msg:ET WEB_CLIENT Possible Adobe Reader and Acrobat Forms | |
| Data Format Remote Security Bypass Attempt; classtype:attempted-user; | |
| rev:8; FWS:1.6;" -j LOG --log-ip-options --log-tcp-options --log-prefix | |
| "SID2010664 ESTAB " | |
| - Updated to the latest Emerging Threats rule set. | |
| fwsnort-1.6 (07/28/2011): | |
| - Fixed the --ipt-apply functionality - the variable that held the | |
| fwsnort.sh path was not initialized properly prior to this change. | |
| - Added the --Conntrack-state argument to specify a conntrack state | |
| in place of the "established" state that commonly accompanies the Snort | |
| "flow" keyword. By default, fwsnort uses the conntrack state of | |
| "ESTABLISHED" for this. In certain corner cases, it might be useful to | |
| use "ESTABLISHED,RELATED" instead to apply application layer inspection | |
| to things like ICMP port unreachable messages that are responses to real | |
| attempted communications. (Need to add UDP tracking for the _ESTAB | |
| chains for this too - coming soon.) | |
| - Recent releases of iptables and the Linux kernel support matching on | |
| connection state via the conntrack modules and the --ctstate switch. | |
| Added a capabilities test for this, and will fall back to using the state | |
| match if the conntrack module is not available. | |
| - Bugfix to ensure the iptables log prefixes built by fwsnort are not | |
| longer than those allowed by the running iptables firewall. This is | |
| usually a total of 29 characters, but fwsnort now dynamically figures out | |
| this value. | |
| - Bugfix for --ipt-list and --ipt-flush to ensure that the proper iptables | |
| binary path is chosen. These args failed without this because the | |
| iptables binary was not set. | |
| fwsnort-1.5 (01/08/2011): | |
| - Major update to use the iptables-save format instead of the older | |
| strategy of always just executing iptables commands directly (which was | |
| very flow for large fwsnort policies). The /etc/fwsnort/fwsnort.sh | |
| script now just executes: | |
| /sbin/iptables-restore < /etc/fwsnort/fwsnort.save | |
| All fwsnort rules are now placed in the /etc/fwsnort/fwsnort.save file, | |
| but the older fwsnort.sh output (for the individual commands version) | |
| is still available at /etc/fwsnort/fwsnort_iptcmds.sh. This | |
| functionality extends to ip6tables policies as well. The fwsnort man | |
| page explain this in better detail: | |
| "As of fwsnort-1.5 all iptables rules built by fwsnort are written out | |
| to the /etc/fwsnort/fwsnort.save file in iptables-save format. This | |
| allows a long fwsnort policy (which may contain thousands of iptables | |
| rules translated from a large Snort signature set) to be quickly | |
| instantiated via the "iptables-restore" command. A wrapper script | |
| /etc/fwsnort/fwsnort.sh is also written out to make this easy. Hence, | |
| the typical work flow for fwsnort is to: 1) run fwsnort, 2) note the | |
| Snort rules that fwsnort was able to successfully translate (the number | |
| of such rules is printed to stdout), and then 3) execute the | |
| /etc/fwsnort/fwsnort.sh wrapper script to instantiate the policy in the | |
| running kernel." | |
| - Added the --rules-url argument so that the URL for updating the | |
| Emerging Threats rule set can be specified from the command line. The | |
| default is: | |
| http://rules.emergingthreats.net/open/snort-2.9.0/emerging-all.rules | |
| - Updated to automatically check for the maximum length string that the | |
| string match supports, and this is used to through out any Snort rules | |
| with content matches longer than this length. | |
| - Updated the iptables capabilities testing routines to add and delete | |
| testing rules to/from the custom chain 'FWS_CAP_TEST'. This maintains a | |
| a cleaner separation between fwsnort and any existing iptables policy | |
| even during the capabilities testing phase. | |
| - Added the --ipt-check-capabilities argument to have fwsnort test the | |
| capabilities of the local iptables firewall and exit. | |
| - Added the --string-match-alg argument to allow the string matching | |
| algorithm used by fwsnort to be specified from the command line. The | |
| default algorithm is 'bm' for 'Boyer-Moore', but 'kmp' may also be | |
| specified (short for the 'Knuth–Morris–Pratt' algorithm). | |
| - Updated to the latest complete rule set from Emerging Threats (see | |
| http://www.emergingthreats.net/). | |
| fwsnort-1.1 (01/05/2010): | |
| - Added the ability to build an fwsnort policy that utilizes ip6tables | |
| instead of iptables. This allows fwsnort filtering and altering | |
| capabilities to apply to IPv6 traffic instead of just IPv4 traffic. To | |
| enable ip6tables usage, use the "-6" or "--ip6tables" command line | |
| arguments. | |
| - Added the --include-perl-triggers command line argument so that | |
| translated Snort rules can easily be tested. This argument instructs | |
| fwsnort to include 'perl -e print ... ' commands as comments in the | |
| /etc/fwsnort/fwsnort.sh script, and these commands can be combined | |
| with netcat to send payloads across the wire that match Snort rules. | |
| - Updated fwsnort to create logs in the /var/log/fwsnort/ directory | |
| instead of directly in the /var/log/ directory. The path is controlled | |
| by a new variable 'LOG_FILE' in the /etc/fwsnort/fwsnort.conf file. | |
| - Added several variables in /etc/fwsnort/fwsnort.conf to control paths | |
| to everything from the config file to the snort rules path. Coupled | |
| with this is the ability to create variables within path components and | |
| fwsnort will expand them (e.g. 'CONF_DIR /etc/fwsnort; | |
| CONF_FILE $CONF_DIR/fwsnort.conf'). | |
| - Added --Last-cmd arg so that it is easy to rebuild the fwsnort.sh script | |
| with the same command line args as the previous execution. | |
| fwsnort-1.0.6 (05/30/2009): | |
| - (Franck Joncourt) Updated fwsnort to use the "! <option> <arg>" syntax | |
| instead of the older "<option> ! <arg>" for the iptables command line. | |
| - (Franck Joncourt) For the --hex-string and --string matches, if the | |
| argument exceeds 128 bytes (iptables 1.4.2) then iptables fails with an | |
| error "iptables v1.4.2: STRING too long". Fixes this with a patch that | |
| adds a new variable in fwsnort.conf "MAX_STRING_LEN", so that the size of | |
| the content can be limited. If the content (null terminated string) is | |
| more than MAX_STRING_LEN chars, fwsnort throws the rule away. | |
| - Bug fix to allow fwsnort to properly translate snort rules that have | |
| "content" fields with embedded escaped semicolons (e.g. "\;"). This | |
| allows fwsnort to translate about 58 additional rules from the Emerging | |
| Threats rule set. | |
| - Bug fix to allow case insensitive matches to work properly with the | |
| --include-re-caseless and --exclude-re-caseless arguments. | |
| - Bug fix to move the 'rawbytes' keyword to the list of keywords that are | |
| ignored since iptables does a raw match anyway as it doesn't run any | |
| preprocessors in the Snort sense. | |
| - Added the --snort-rfile argument so that a specific Snort rules file (or | |
| list of files separated by commas) is parsed. | |
| - Added a small hack to choose the first port from a port list until the | |
| iptables 'multiport' match is supported. | |
| - Updated to consolidate spaces in hex matches in the fwsnort.sh script | |
| since the spaces are not part of patterns to be searched anyway. | |
| - Updated to the latest complete rule set from Emerging Threats (see | |
| http://www.emergingthreats.net/). | |
| - Added the "fwsnort-nobuildreqs.spec" file for building fwsnort on | |
| systems (such as Debian) that do not install/upgrade software via RPM. | |
| This file omits the "BuildRequires: perl-ExtUtils-MakeMaker" directive, | |
| and this fixes errors like the following on an Ubuntu system when | |
| building fwsnort with rpmbuild: | |
| rpm: To install rpm packages on Debian systems, use alien. See README.Debian. | |
| error: cannot open Packages index using db3 - No such file or directory (2) | |
| error: cannot open Packages database in /var/lib/rpm | |
| fwsnort-1.0.5 (08/21/2008): | |
| - Replaced the bleeding-all.rules file with the emerging-all.rules file. | |
| This is because Matt Jonkman now releases his rule sets at | |
| http://www.emergingthreats.net/ | |
| - Restructured perl module paths to make it easy to introduce a "nodeps" | |
| distribution of fwsnort that does not contain any perl modules. This | |
| allows better integration with systems that already have all necessary | |
| modules installed (including the IPTables::ChainMgr and IPTables::Parse | |
| modules). The main driver for this work is to make all cipherdyne.org | |
| projects easily integrated with distributions based on Debian, and | |
| Franck Joncourt has been instrumental in making this process a reality. | |
| All perl modules are now placed within the "deps" directory, and the | |
| install.pl script checks to see if this directory exists - a separate | |
| fwsnort-nodeps-<ver> tarball will be distributed without this directory. | |
| The Debian package for fwsnort can then reference the -nodeps tarball, | |
| and a new "fwsnort-nodeps.spec" file has been added to build an RPM from | |
| the fwsnort sources that does not install any perl modules. | |
| - Updated to import perl modules from /usr/lib/fwsnort, but only if this | |
| path actually exists in the filesystem. This is similar to the strategy | |
| implemented by psad. A new variable FWSNORT_LIBS_DIR was added to the | |
| fwsnort.conf to support this. | |
| - Added support for multiple Snort rule directories as a comma-separated | |
| list for the argument to --snort-rdir. | |
| - Moved 'threshold' to the unsupported list since there will be several | |
| signatures that use this feature to detect the Dan Kaminsky DNS attack, | |
| and fwsnort does not yet support the usage of the iptables --limit | |
| match. | |
| fwsnort-1.0.4 (01/22/2008): | |
| - (Grant Ferley) Submitted patch to exclude loopback interfaces from | |
| iptables allow rules parsing. This behavior can be reversed with the | |
| existing --no-exclude-loopback command line argument. | |
| - (Grant Ferley) Submitted patch to IPTables::Parse to take into account | |
| iptables policy output that contains "0" instead of "all" to represent | |
| any protocol. | |
| - (Grant Ferley) Submitted patch to IPTables::Parse to set sport and dport | |
| to '0:0' if the protocol is 'all'. | |
| - Bugfix to allow negated networks to be specified within iptables allow | |
| rules or within the fwsnort.conf file. | |
| - Updated install.pl to set the LC_ALL environmental variable to "C". This | |
| should fix potential locale problems (this fix was borrowed from the | |
| fwknop project). | |
| fwsnort-1.0.3 (11/22/2007): | |
| - Added --include-re-caseless and --exclude-re-caseless options to have | |
| --include-regex and --exclude-regex options match case insensitively. | |
| - Major signature update from Bleeding Threats. This update includes a | |
| large number of new signatures with PCRE statements, with an emphasis on | |
| detecting SQL injection attacks directed at internal webservers from | |
| external sources. | |
| - Added the ability to interpret PCRE statements that include simple | |
| string matches separated by ".*" and ".+" as multiple iptables string | |
| matches. The only negative consequence in terms of signature detection | |
| is that ordering is not preserved; that is, the PCRE "/UNION.+SELECT/" | |
| would only match a packet that contains "UNION" followed by "SELECT", | |
| whereas an iptables rule that uses a string match for UNION and a | |
| separate string match for SELECT would match a packet that contains both | |
| strings but in reverse. Typically this is not a huge concern, and the | |
| PCRE translation can be disabled with a new option --no-pcre. | |
| - Added asn1 keyword to unsupported list. | |
| fwsnort-1.0.2 (08/26/2007): | |
| - Bugfix to make sure to add in header lengths for depth and offset values | |
| since the string match extension compares bytes from the start of the | |
| data link header. | |
| fwsnort-1.0.1 (08/26/2007): | |
| - Bugfix for ipt_rule_test() function name. | |
| - Added the ability to automatically resolve command paths if any commands | |
| cannot be found at the locations specified in the fwsnort.conf file. | |
| fwsnort-1.0 (04/19/2007): | |
| - Major update to include support for the NFQUEUE and QUEUE targets with | |
| new command line options --NFQUEUE and --QUEUE. This changes the | |
| default LOG target to the NFQUEUE or QUEUE targets instead, and at the | |
| same time builds a parallel Snort rule set in the | |
| /etc/fwsnort/snort_rules_queue directory. Every Snort rule in this | |
| directory has at least one "content" keyword, which fwsnort uses in the | |
| resulting iptables policy. This policy only sends those packets to | |
| snort_inline via the NFQUEUE or QUEUE target that match a content field | |
| within some Snort rule. The end result is that snort_inline should run | |
| faster because the vast majority of packets (which are not malicious) | |
| are processed via the Linux kernel without ever having to be sent to | |
| userspace for analysis. There is a tradeoff here in terms of attack | |
| detection; snort_inline does not receive all packets associated with a | |
| stream, so it cannot detect attacks quite as effectively (snort_inline | |
| does not have an opportunity to look at reassembled buffers). However, | |
| this trade off may be acceptable for large sites where performance is | |
| more important. | |
| - Bug fix to remove any existing jump rules from the built-in INPUT, | |
| OUTPUT, and FORWARD chains before creating a new jump rules. This | |
| allows the fwsnort.sh script to be executed multiple times without | |
| creating a new jump rule into the fwsnort chains for each execution. | |
| - Added the -X command line argument to allow fwsnort to delete all of | |
| the fwsnort chains; this emulates the iptables command line argument | |
| of the same name. | |
| - Minor output enhancements and bugfixes to give more insight into the | |
| translation process. For example, if fwsnort is run in --snort-sid | |
| mode but is unable to translate the specified signatures, the user is | |
| notified. Also, any existing /etc/fwsnort/fwsnort.sh script is not | |
| archived and erased until fwsnort is actually going to write a new one. | |
| - Added sid values to iptables comment match string. | |
| - Bugfix for iptables string match --from and --to values to skip past | |
| packet headers. This is an approximation until a new --payload option | |
| can be added to the string match extension. | |
| - Added a single iptables rule testing API internally within fwsnort; | |
| this adds a measure of consistency and removes some duplicate code. | |
| - Added fwsnort mailing list at SourceForge. | |
| fwsnort-0.9.0 (03/22/2007): | |
| - Added support for multiple content matches since this is supported by | |
| iptables. This made a 10% increase in the fwsnort translation rate - | |
| about 60% of all Snort-2.3.3 rules can be translated now. | |
| - Added emulation for distance and within from previous content match | |
| based on --from and --to (string match extension) and the length of | |
| the previous pattern. | |
| - Added the ability to include the Snort "msg", "classtype", "reference", | |
| "priority", and "rev" fields in each iptables rule with the comment | |
| match. This can be disabled with a new command line argument | |
| --no-ipt-comments. The fwsnort version is also included within this | |
| string. | |
| - Added the ability to include the iptables rule number for each rule in | |
| the fwsnort chains. This is useful to easily know which iptables rule | |
| is being triggered by network traffic (so it can be disabled if | |
| necessary). This can be disabled with --no-ipt-rule-nums. | |
| - Added the --include-regex and --exclude-regex command line arguments. | |
| These arguments allow rules to be included/excluded based on a regular | |
| expression supplied on the command line. | |
| - Updated to include the original Snort rule as a comment within the | |
| fwsnort.sh script without having to use --verbose. | |
| - Bugfix to force install of IPTables::Parse since it had been updated in | |
| the fwsnort-0.8.2 release. | |
| - Changed the IGNORE_ADDR variable to WHITELIST since this name better | |
| describes the actual function of this var. Updated to allow multiple | |
| WHITELIST lines. | |
| - Added the BLACKLIST variable to allow a true blacklist to be | |
| instantiated with either the DROP or REJECT targets. The syntax for the | |
| BLACKLIST variable is "BLACKLIST <ip or network> <target>", where | |
| "target" is either "DROP" or "REJECT". | |
| - Added -F and -L command line arguments to flush and list iptables rules. | |
| This is similar to the iptables command line args of the same names. | |
| - Bugfix to ensure that traffic directed into the INPUT or coming from the | |
| OUTPUT chains is treated as going toward or originating from the | |
| HOME_NET. After all the HOME_NET variable may contain an internal | |
| network but omit the IP assigned to an external interface on the | |
| firewall. | |
| - Added "--log-ip-options" and "--log-tcp-options" to fwsnort LOG rules by | |
| default (in the generated fwsnort.sh script). This can be disabled with | |
| --no-log-ip-opts and --no-log-tcp-opts arguments on the fwsnort command | |
| line. | |
| - Added the ability to include --log-tcp-sequence to LOG rules in | |
| fwsnort.sh with a new argument --ipt-log-tcp-seq on the fwsnort command | |
| line. | |
| - Updated to handle negative string matches with "--string ! <string>". | |
| - Updated to output all unsupported options of the /var/log/fwsnort.log | |
| file to assist in the development of addition keyword emulation. | |
| fwsnort-0.8.2 (02/17/2007): | |
| - Updated to newer IPTables::Parse module that uses the array of hash | |
| references method of returning iptables policy data. | |
| - Added --Dump-ipt and --Dump-snort rules to allow iptables policy and | |
| Snort rules to be dumped to STDOUT. | |
| - Added bleeding-all.rules file from http://www.bleedingsnort.com/ | |
| - Added patches/bm_goodshift_fix.patch patch file that fixes an | |
| initialization bug in the Boyer-Moore text search implementation in the | |
| kernel (linux-2.6.x/lib/ts_bm.c) which caused slightly repetitive | |
| patterns to only match at specific offsets with the string match | |
| extension. | |
| - Bugfix to ensure that a depth cannot be less that an offset (these | |
| translate to the --to and --from command line arguments to iptables). | |
| - Bugfix to escape '$' chars in iptables search strings. | |
| - Added cd_rpmbuilder to make it easy to automatically build RPM files of | |
| fwsnort. | |
| - Added support for the iptables OUTPUT chain. | |
| - Added the ChangeLog.svn file so that all of the changed files and | |
| corresponding svn commit messages can be viewed (this file is built from | |
| release to release). | |
| fwsnort-0.8.1 (11/11/2005): | |
| - Updated to use the string match extension "--algo bm" argument if | |
| fwsnort is being run on a 2.6.14 (or greater) kernel. | |
| - Updated to handle the Snort "offset" and "depth" keywords via the | |
| --from and --to options to the string match extension in the 2.6.14 | |
| kernel. | |
| - Created RPM package of fwsnort. | |
| - Minor man page updates. | |
| fwsnort-0.8.0 (07/11/2005): | |
| - Completely re-structured fwsnort w.r.t. how it creates Netfilter | |
| chains. There are no longer any per-interface chains (this | |
| greatly simplifies the Netfilter chains). | |
| - Added three new chains "FWSNORT_INPUT_ESTAB", "FWSNORT_OUTPUT_ESTAB" | |
| and "FWSNORT_FORWARD_ESTAB" to which tcp connections in the | |
| ESTABLISHED state are jumped. This allows fwsnort to use the | |
| Netfilter tcp connection tracking mechanism to ignore Stick and Snot | |
| style attacks (similar to the flow:established Snort rule option). | |
| - Added true variable resolution (i.e. HTTP_SERVERS -> HOME_NET -> any) | |
| for the Snort rule header. This directly emulates the behavior of | |
| the Snort IDS. | |
| - Added IP protocol support in the translation of the Snort rule | |
| header. The Snort rule translation rate is now at about 53% for | |
| Snort-2.3. | |
| - Bugfix for ipopts Snort option (several arguments are not supported | |
| by the ipv4options extension). | |
| - Better tests for Netfiler TTL, TOS, and ipv4options matches. | |
| - Replaced IGNORE_IP and IGNORE_NET keywords with single IGNORE_ADDR | |
| keywork in fwsnort.conf. | |
| - Updated to correctly handle ICMP type and code rules (itype and | |
| icode Snort options) via the "--icmp-types type/code" convention. | |
| - Added support for emulating the dsize Snort option through the use | |
| of the Netfilter length match. | |
| - Changed --type argument to --include-types and added list support | |
| so it accepts things like "chat,ddos". Also added --exclude-types | |
| command line argument. | |
| - Added support for multiple sid's (as a comma separated list) in | |
| --snort-sids argument. Also added --exclude-sids argument to remove | |
| a list of sids from translation. | |
| - Added support for the replace Snort option (originally from the | |
| Snort_inline project). The requires the replace string patch. | |
| - Added support for restricting jump rules to a list of interfaces | |
| via the --restrict-intf argument. | |
| - Added kernel patch to extend the maximum packet length that the | |
| string match extension will attempt to search from 1024 bytes to | |
| 2048 bytes (requires a kernel re-compile of course). | |
| - Added DRP and REJ strings to logging prefix if --ipt-drop or | |
| --ipt-reject is specified. | |
| - Added snortspoof.pl, which is a simple perl script that emulates | |
| the Stick and Snot tools. | |
| fwsnort-0.7.0 (06/05/2005): | |
| - Added support for the Snort pass action by using the ACCEPT target. | |
| - Added support for the Snort log action by using the ULOG target | |
| (which can then log the packet via the pcap writer). | |
| - Added support for all fwsnort alerts to be logged via the ULOG | |
| target instead of the LOG target. | |
| - Added support for the "resp" keyword to allow it to drive the | |
| Netfilter argument to the REJECT target. | |
| - Added "pcre" to the unsupported list... this knocks the fwsnort | |
| translation rate down to about 50% for Snort-2.3 rules (pcre is | |
| heavily utilized). | |
| - Added "priority" and "rev" to comment lines. | |
| fwsnort-0.6.5 (03/20/2005): | |
| - Updated to not attempt to download Snort rules from snort.org | |
| because the rules are no longer available for automatic downloads | |
| - Changed the install.pl script and the --update-rules mode for | |
| fwsnort to download the latest signature set from | |
| http://www.bleedingsnort.com/. | |
| (Snort.org is now offering pay-service around their rule sets). | |
| - Added signature test for the "flowbits" keyword. | |
| fwsnort-0.6.4 (12/18/2004): | |
| - Updated to Snort-2.3 rules. FWSnort can convert a total of 1710 | |
| out of 2559 total Snort-2.3 rules. | |
| - Updated to new Snort rules download link for --update-rules mode: | |
| http://www.snort.org/dl/rules/snortrules-snapshot-CURRENT.tar.gz | |
| - Updated to standard [+], [-], and [*] prefixes for info, warning | |
| and die logging messages. | |
| - Added --replace-string patches. | |
| fwsnort-0.6.3 (04/04/2004): | |
| - Added ignore functionality for both IPs and networks | |
| - Split --ipt-block into --ipt-drop and --ipt-reject to add DROP | |
| or REJECT rules respectively. | |
| - Added --add-deleted option to allow rules in the "deleted.rules" | |
| file to be added. | |
| fwsnort-0.6.2 (03/19/2004): | |
| - Added --internal-net and --dmz-net options so that internal and | |
| dmz networks can be manually specified without having to parse | |
| the output of ifconfig. This is most useful for running fwsnort | |
| on a linux system that is acting as a bridge where no ip addresses | |
| are assigned to the interfaces. | |
| - Bugfix for missing icmp-port-unreachable rejects for UDP packets. | |
| fwsnort-0.6.1 (02/01/2004): | |
| - Bugfix for not adding dmz interface rules to INPUT chain. | |
| - Bugfix for not getting the DMZ interface network. | |
| fwsnort-0.6 (01/04/2004): | |
| - Speed increase and disk access decrease by writing iptables | |
| commands to the iptables script only after all lines have been | |
| generated. | |
| - Bugfix for DMZ interface. | |
| - Bugfix for multiple ip_proto fields. | |
| - Removed the ip protocol as an allowed protocol for translation. | |
| - Bugfix for negated port numbers. | |
| - Removed "<-" rule direction since not even snort supports this. | |
| - Fixed snort rule updates from snort.org. | |
| fwsnort-0.5 (12/21/2003): | |
| - Added "-j REJECT --reject-with tcp-reset" for tcp sessions | |
| if the --ipt-block option is specified. | |
| - Added ability to download latest snort rules from snort.org. | |
| - Added --no-ipt-jumps. | |
| - Added better checking for iptables build characteristics such | |
| as the LOG target and wether or not the ipv4options extension | |
| is compiled in. | |
| - Added config preservation code from psad in install.pl. |