
Added iptables capabilities test for COMMENT len

In keeping with the ability to test the capabilities of iptables where fwsnort
is deployed, added the ability to find the maximum length of a string provided to
the COMMENT match.  This match is used to store Snort rule information within
the running fwsnort policy.
mrash committed Jul 29, 2011
1 parent 9f93d92 commit c9982963632825c6ddd2666a0bee9643a363de3b
Showing with 37 additions and 2 deletions.
  1. +37 −2 fwsnort
39 fwsnort
@@ -432,6 +432,7 @@ my $include_perl_triggers = 0;
my $duplicate_last_build = 0;
my $ipt_max_str_len = 1;
my $ipt_max_log_prefix_len = 1;
+my $ipt_max_comment_len = 1;
my $no_fast_pattern_order = 0;
my $ipt_have_multiport_match = 0;
my $ipt_multiport_max = 2;
@@ -1932,11 +1933,13 @@ sub ipt_build_opts() {
if (defined $opts_hr->{'sid'}) {
unless ($no_ipt_comments) {
### add the Snort msg (and other) fields to the iptables rule
- ### with the 'comment' match (which can handle up to 256 chars)
+ ### with the 'comment' match (which can handle up to 255 chars
+ ### and is set/verified by the ipt_find_max_comment_len()
+ ### function).
$comment =~ s|\"||g;
$comment =~ s|/\*||g;
$comment =~ s|\*/||g;
- if (length($comment) < 256) {
+ if (length($comment) < $ipt_max_comment_len) {
$target_str = qq| -m comment --comment "$comment"|;
}
}
@@ -3681,6 +3684,10 @@ sub ipt_capabilities() {
qq|-j LOG|) == $IPT_SUCCESS) {
print "[+] $ipt_str has 'comment' match support...\n"
if $verbose or $ipt_check_capabilities;
+
+ ### now find the maximum comment length that is supported by iptables
+ &ipt_find_max_comment_len();
+
} else {
unless ($no_ipt_comments) {
print"[-] It looks like the $ipt_str 'comment' match is not ",
@@ -4046,6 +4053,33 @@ sub ipt_find_max_log_prefix_len() {
return;
}
+sub ipt_find_max_comment_len() {
+
+ my $test_comment = '';
+
+ for (;;) {
+
+ $test_comment = 'A'x$ipt_max_comment_len;
+ my $test_rule_rv = 0;
+
+ $test_rule_rv = &ipt_rule_test("-I $TEST_CHAIN $IPT_TEST_RULE_NUM -s " .
+ qq|$non_host -p tcp --dport 1234 -m comment --comment | .
+ qq|"$test_comment" -j LOG|);
+
+ last if $test_rule_rv != $IPT_SUCCESS;
+
+ $ipt_max_comment_len++;
+
+ last if $ipt_max_comment_len == 1025; ### unlikely we'll ever get here
+ }
+ $ipt_max_comment_len--;
+
+ print " Max supported comment length: $ipt_max_comment_len\n"
+ if $verbose or $ipt_check_capabilities;
+
+ return;
+}
+
sub ipt_find_max_multiport_supported_ports() {
my $test_ports_str = $ipt_multiport_max-1;
@@ -4487,6 +4521,7 @@ sub set_non_root_values() {
$fwsnort_conf = './fwsnort.conf';
}
$ipt_max_str_len = 128;
+ $ipt_max_comment_len = 255;
$ipt_max_log_prefix_len = 29;
$ipt_have_multiport_match = 1;
$ipt_multiport_max = 15;
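Review bot: The new bound in ipt_build_opts, `if (length($comment) < $ipt_max_comment_len) {`, is off by one: ipt_find_max_comment_len() leaves `$ipt_max_comment_len` at the largest length iptables actually accepted (it decrements once past the first failing probe), and set_non_root_values() assigns 255, the maximum the updated comment documents, so a comment of exactly that length is now silently dropped from the rule where the old `< 256` test kept it. The comparison should read `if (length($comment) <= $ipt_max_comment_len) {`. Separately, the probe loop in ipt_find_max_comment_len() grows the test string one character at a time, so on an iptables that accepts 255 characters the capabilities check spawns roughly 256 iptables processes for this one test; doubling up to the 1024 ceiling and then bisecting would settle it in about ten, which is worth doing if the log-prefix probe already costs a similar amount. The enclosing ipt_build_opts() and ipt_capabilities() bodies extend beyond their hunks.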
