added ChangeLog info for the 1.6.1 and 1.6.2 releases

1 parent f65256d commit 9b31c8bef1e24d114857e38dcf62c22861f6487b @mrash committed Apr 28, 2012
Showing with 81 additions and 1 deletion: ChangeLog (+81 −1)
@@ -1,4 +1,84 @@
-fwsnort-1.6 (11//2011):
+fwsnort-1.6.2 (04/28/2012):
+ - Switched --no-ipt-sync to default to not syncing with the iptables policy.
+ By default fwsnort attempts to match translated Snort rules to the
+ running iptables policy, but this is tough to do well because iptables
+ policies can be complex. And, before fwsnort switched to the
+ iptables-save format for instantiating the policy, a large set of
+ translated rules could take a really long time to make active within the
+ kernel. Finally, many Snort rules restrict themselves to established TCP
+ connections anyway, and if a restrictive policy doesn't allow connections
+ to get into the established state for some port let's say, then there is
+ little harm in having translated Snort rules for this port. Some kernel
+ memory would be wasted (small), but no performance would be lost since
+ packets won't be processed against these rules anyway. The end result is
+ that the default behavior is now to not sync with the local iptables
+ policy in favor of translating and instantiating as many rules as
+ possible.
+ - Replaced Net::IPv4Addr with the excellent NetAddr::IP module which has
+ comprehensive support for IPv6 address network parsing and comparisons.
+ - Moved the fwsnort.sh script and associated files into the
+ /var/lib/fwsnort/ directory. This was suggested by Peter Vrabec.
+ - Removed the ExtUtils::MakeMaker RPM build requirement from the
+ fwsnort.spec file. This is a compromise which will allow the fwsnort RPM
+ to be built even if RPM dosen't or can't see that ExtUtils::MakeMaker is
+ installed - most likely it will build anyway. If it doesn't, there are
+ bigger problems since fwsnort is written in perl. If you want to build
+ the fwsnort RPM with a .spec file that requires ExtUtils::MakeMaker, then
+ use the "fwsnort-require-makemaker.spec" file that is bundled in the
+ fwsnort sources.
+
+fwsnort-1.6.1 (11/01/2011):
+ - (Kim Hagen) submitted a patch for a bug in fwsnort-1.6 where the fwsnort
+ policy in iptables-save format could not be loaded whenever iptables-save
+ put the nat table output after the filter table output. In this case,
+ fwsnort would fail with an error like the following:
+
+ Couldn't load target
+ `FWSNORT_FORWARD_ESTAB':/lib/xtables/libipt_FWSNORT_FORWARD_ESTAB.so:
+ cannot open shared object file: No such file or directory
+
+ fwsnort now invokes 'iptables-save -t filter' in order to ensure that
+ ordering issues do not affect how fwsnort builds its translated rule set.
+ - Bug fix to ensure that fwsnort does not attempt to re-order pattern
+ matches for patterns that have a relative match requirement. For non-
+ relative matches fwsnort re-orders pattern matches based on the pattern
+ length, reasoning that the longest pattern should be processed first for
+ better performance. The usage of the fast_pattern keyword give the user
+ explicit control over this. Here is a Snort rule that is now properly
+ handled by fwsnort (references removed):
+
+ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT
+ Possible Adobe Reader and Acrobat Forms Data Format Remote Security
+ Bypass Attempt"; flow:established,to_client; file_data; content:"%FDF-";
+ depth:300; content:"/F(JavaScript|3a|"; nocase; distance:0;
+ classtype:attempted-user; sid:2010664; rev:8;)
+
+ Before this change, fwsnort translated this rule as:
+
+ $IPTABLES -A FWSNORT_FORWARD_ESTAB -p tcp -m tcp --sport 80 -m string
+ --hex-string "/F(JavaScript|3a|" --algo bm --from 69 --icase -m string
+ --hex-string "%FDF|2d|" --algo bm --to 364 -m comment --comment
+ "sid:2010664; msg:ET WEB_CLIENT Possible Adobe Reader and Acrobat Forms
+ Data Format Remote Security Bypass Attempt; classtype:attempted-user;
+ rev:8; FWS:1.6;" -j LOG --log-ip-options --log-tcp-options --log-prefix
+ "SID2010664 ESTAB "
+
+ Note that in the above rule, the "/F(JavaScript|3a|" pattern was switched
+ to be evaluated first even though it is a relative match to the previous
+ pattern in the original Snort rule. After this change, fwsnort translates
+ this rule as:
+
+ $IPTABLES -A FWSNORT_FORWARD_ESTAB -p tcp -m tcp --sport 80 -m string
+ --hex-string "%FDF|2d|" --algo bm --to 364 -m string --hex-string
+ "/F(JavaScript|3a|" --algo bm --from 69 --icase -m comment --comment
+ "sid:2010664; msg:ET WEB_CLIENT Possible Adobe Reader and Acrobat Forms
+ Data Format Remote Security Bypass Attempt; classtype:attempted-user;
+ rev:8; FWS:1.6;" -j LOG --log-ip-options --log-tcp-options --log-prefix
+ "SID2010664 ESTAB "
+
+ - Updated to the latest Emerging Threats rule set.
+
+fwsnort-1.6 (07/28/2011):
- Fixed the --ipt-apply functionality - the variable that held the
fwsnort.sh path was not initialized properly prior to this change.
- Added the --Conntrack-state argument to specify a conntrack state
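Review bot: the 1.6.2 entry for --no-ipt-sync ("Switched --no-ipt-sync to default to not syncing with the iptables policy") leaves it unclear whether the --no-ipt-sync flag is now a no-op and how a user re-enables syncing with the running policy; since this is a behavior change that affects which translated rules become active, the entry should state the flag's new status and the option (if any) that restores the old behavior. Two smaller fixes in the same hunk: "dosen't" in the ExtUtils::MakeMaker entry should be "doesn't", and "The usage of the fast_pattern keyword give the user" in the 1.6.1 entry should read "gives the user". The before/after translations for sid:2010664 are a useful illustration of the relative-match ordering fix; consider also noting in the entry that the 'iptables-save -t filter' change means fwsnort no longer sees rules in other tables, which matters now that policy syncing is off by default.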
