
Applied patch from Dwight Davis to fix multiple issues.

(Dwight Davis) Contributed patches for several bugs including not
handling --exclude-regex properly, not ignoring the deleted.rules file,
not handling --strict mode operations correctly, and more.  These issues
and the corresponding patch were originally reported here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693000
1 parent 716d3e8 commit 894a78ce6611cf39146fb43981801a83b4f23440 @mrash committed Dec 19, 2012
Showing with 47 additions and 11 deletions.
  1. +7 −0 CREDITS
  2. +5 −0 ChangeLog
  3. +35 −11 fwsnort
7 CREDITS
@@ -83,3 +83,10 @@ Peter Vrabec
Andrew Merenbach
- Contributed bug fix to properly honor --exclude-regex filtering option.
+
+Dwight Davis
+ - Contributed patches for several bugs including not handling
+ --exclude-regex properly, not ignoring the deleted.rules file, not
+ handling --strict mode opertions correctly, and more. These issues and
+ the corresponding patch were originally reported here:
+ http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693000
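Review bot: the new CREDITS entry misspells "operations" as "opertions" (the added line "--strict mode opertions correctly, and more."); the same sentence is reused in the ChangeLog hunk and in the commit message, so correct it everywhere before this lands.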
5 ChangeLog
@@ -28,6 +28,11 @@ fwsnort-1.6.3 (12/18/2012):
length testing, and optimized to drastically reduce run time for iptables
capabilities checks (going from over 20 seconds to less than one second
in some cases).
+ - (Dwight Davis) Contributed patches for several bugs including not
+ handling --exclude-regex properly, not ignoring the deleted.rules file,
+ not handling --strict mode opertions correctly, and more. These issues
+ and the corresponding patch were originally reported here:
+ http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693000
- Updated to bundle the latest Emerging Threats rule set.
fwsnort-1.6.2 (04/28/2012):
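Review bot: the same "opertions" typo appears in the added ChangeLog line "not handling --strict mode opertions correctly, and more."; fix it here too. The entry is also placed under the fwsnort-1.6.3 (12/18/2012) heading while the commit is dated Dec 19, so if 1.6.3 has already been tagged this belongs under a new heading rather than inside the released entry.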
46 fwsnort
@@ -280,7 +280,24 @@ my %snort_opts = (
'http_client_body' => '[\s;]http_client_body\s*;',
'http_cookie' => '[\s;]http_cookie\s*;',
'urilen' => '[\s;]urilen:\s*.*?\s*;',
- }
+ },
+
+ ### in --strict mode, signatures that include any of these
+ ### options are not translated to iptables rules
+ 'strict_list' => [
+ 'uricontent',
+ 'pcre',
+ 'distance',
+ 'within',
+ 'http_uri',
+ 'http_raw_uri',
+ 'http_method',
+ 'http_stat_code',
+ 'http_stat_msg',
+ 'http_client_body',
+ 'http_cookie',
+ 'urilen'
+ ]
);
### rules update link
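Review bot: the comment above 'strict_list' promises that a signature using any listed option is not translated in --strict mode, but the list is only honoured for options that are already keys of the 'filter' or 'ignore' hashes (see the loop in fwsnort_init later in this diff); an entry that is in neither hash is silently skipped, so --strict would quietly do nothing for it. Either state in this comment that every entry must also exist in 'filter' or 'ignore', or make the init loop fail loudly when it does not.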
@@ -623,7 +640,7 @@ sub parse_snort_rules() {
if ($exclude_types) {
next FILE if defined $exclude_types{$type};
}
- if ($rfile eq 'deleted.rules') {
+ if ($rfile =~ m|deleted\.rules|) {
next FILE unless $add_deleted;
}
($snort_type) = ($rfile =~ m|.*/(\S+)\.rules|);
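Review bot: the replacement test 'm|deleted\.rules|' is unanchored, so any rules path that merely contains that substring (a file named "undeleted.rules", or a directory component such as ".../deleted.rules.old/") is now skipped unless --add-deleted is given. Since $rfile is a full path (the next line pulls the type out with 'm|.*/(\S+)\.rules|'), which is why the old 'eq' never matched, anchor on the basename instead, e.g. 'm{(?:^|/)deleted\.rules$}'.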
@@ -3474,11 +3491,16 @@ sub fwsnort_init() {
if ($strict) {
### make the snort options parser very strict
- for my $opt (qw(uricontent pcre
- distance within http_uri http_method urilen)) {
- $snort_opts{'unsupported'}{$opt}
- = $snort_opts{'filter'}{$opt};
- delete $snort_opts{'filter'}{$opt};
+ for my $opt (@{$snort_opts{'strict_list'}}) {
+ if (defined $snort_opts{'filter'}{$opt}) {
+ $snort_opts{'unsupported'}{$opt}
+ = $snort_opts{'filter'}{$opt};
+ delete $snort_opts{'filter'}{$opt};
+ } elsif (defined $snort_opts{'ignore'}{$opt}) {
+ $snort_opts{'unsupported'}{$opt}
+ = $snort_opts{'ignore'}{$opt};
+ delete $snort_opts{'ignore'}{$opt};
+ }
}
my @ignore = (qw(nocase));
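Review bot: the if/elsif chain has no else branch, so a strict_list entry found in neither $snort_opts{'filter'} nor $snort_opts{'ignore'} is dropped silently, and a misspelled entry leaves --strict weaker than intended with nothing to show for it; add an 'else { die "[*] Unknown --strict option: $opt" }' (or at least a warning) so the list and the option tables cannot drift apart. Note also that options previously in 'ignore' are now moved to 'unsupported' too, which changes which signatures are discarded under --strict compared with the old loop; that looks intended, but deserves a sentence in the ChangeLog.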
@@ -4452,15 +4474,17 @@ sub write_ipt_script() {
### make sure the script is writable first
if (-e $config{'FWSNORT_SCRIPT'}) {
- chmod 0755, $config{'FWSNORT_SCRIPT'} or die $!;
+ chmod 0755, $config{'FWSNORT_SCRIPT'} or
+ die "[*] Could not chmod $config{'FWSNORT_SCRIPT'}: $!";
}
open F, "> $config{'FWSNORT_SCRIPT'}" or
die "[*] Could not open $config{'FWSNORT_SCRIPT'}: $!";
print F "$_\n" for @ipt_script_lines;
close F;
- chmod 0500, $config{'FWSNORT_SCRIPT'} or die $!;
+ chmod 0500, $config{'FWSNORT_SCRIPT'} or
+ die "[*] Could not chmod $config{'FWSNORT_SCRIPT'}: $!";
return;
}
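Review bot: the clearer die messages are welcome, but the chmod to 0755 that precedes the rewrite briefly makes the generated iptables script world-readable and world-executable until it is locked back down to 0500 after the close; 0700 is enough for the owner to truncate and rewrite it, and a script that encodes the whole translated rule set never needs to be readable by other users. While here, prefer a three-argument open with a lexical filehandle over 'open F, "> $config{'FWSNORT_SCRIPT'}"'.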
@@ -4724,7 +4748,7 @@ Options:
iptables rules.
--ipt-script=<script> - Print iptables script to <script>
instead of the default location at
- /etc/fwsnort/fwsnort.sh
+ /var/lib/fwsnort/fwsnort.sh
--ipt-apply - Execute the fwsnort.sh script.
--ipt-exec - Synonym for --ipt-apply.
--ipt-revert - Revert to a version of the iptables
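Review bot: the documented default for --ipt-script moves from /etc/fwsnort/fwsnort.sh to /var/lib/fwsnort/fwsnort.sh, but neither the commit message nor the ChangeLog entry mentions the relocation, and nothing in this diff shows the $config{'FWSNORT_SCRIPT'} default or fwsnort.conf changing to match. Confirm the code default really is /var/lib/fwsnort and call the path change out for users who reference the old location from cron jobs or init scripts.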
@@ -4832,7 +4856,7 @@ Options:
--queue-rules-dir=<dir> - Specify the path to the generated set of
Snort rules that are to be queued to
userspace in --NFQUEUE or --QUEUE mode. The
- default is /etc/fwsnort/snort_rules_queue/.
+ default is /var/lib/fwsnort/snort_rules_queue/.
-Q --QUEUE - Same as the --NFQUEUE option, except use the
older iptables QUEUE target.
--string-match-alg=<alg> - Specify the string match algorithm to use
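Review bot: as with --ipt-script above, the default for --queue-rules-dir is changed in the help text to /var/lib/fwsnort/snort_rules_queue/ with no matching change visible to the config default or the man page; make sure all three agree and add the move to the ChangeLog so packagers relying on /etc/fwsnort/snort_rules_queue/ are not surprised.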

0 comments on commit 894a78c