fwsnort Changelog

New in version 1.6.5 (December 22nd, 2014)

  • (Paulo Bruck) Submitted a patch to fix a bug in fwsnort's use of the iptables --ulog-prefix option (an invalid quote was being used prior to the fix).
  • Updated to bundle the latest Emerging Threats rule set.

New in version 1.6.4 (February 6th, 2014)

  • Bug fix for vulnerability CVE-2014-0039, reported by Murray McAllister of the Red Hat Security Team, in which fwsnort could read an attacker-controlled fwsnort.conf file when not running as root. The cause was that fwsnort read './fwsnort.conf' from the current directory when not running as root and no path to the config file had been set explicitly with -c on the command line. This behavior has been changed: when not running as root, the user must now specify the path to fwsnort.conf with -c.
  • Switched the fwsnort.sh iptables-restore exec() strategy to feed the fwsnort.save file through 'cat' (fixes CentOS deployments).
  • Updated to bundle the latest Emerging Threats rule set.
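As an added illustration of the CVE-2014-0039 entry above (example code, not fwsnort's own Perl), the two resolvers below contrast the pre-fix lookup, which falls back to ./fwsnort.conf in the current working directory for a non-root run, with the fixed behavior that refuses to guess and requires -c. The system-wide path /etc/fwsnort/fwsnort.conf, the 'KEY value;' line format and the EXAMPLE_RULES_DIR key are assumptions of this example, and demo_planted_config() writes a constructed config into a scratch directory to show that only the pre-fix resolver reads it.

```python
"""Config-path resolution before and after the CVE-2014-0039 fix.
Added illustration, not fwsnort's own code; paths and config format are assumptions."""
import os
import tempfile

SYSTEM_CONF = "/etc/fwsnort/fwsnort.conf"  # assumed location of the system-wide config
CWD_CONF = "./fwsnort.conf"                 # the pre-fix fallback named in the changelog


class ConfigPathError(ValueError):
    """No config path can be chosen safely."""


def resolve_config_pre_fix(explicit_path, running_as_root):
    """Pre-fix lookup: a non-root run with no -c reads ./fwsnort.conf, so whoever
    controls the working directory controls the configuration."""
    if explicit_path:
        return explicit_path
    if running_as_root:
        return SYSTEM_CONF
    return CWD_CONF


def resolve_config_fixed(explicit_path, running_as_root):
    """Fixed lookup: a non-root run must name its config explicitly with -c."""
    if explicit_path:
        return explicit_path
    if running_as_root:
        return SYSTEM_CONF
    raise ConfigPathError("not running as root: specify the path to fwsnort.conf with -c")


def parse_config(text):
    """Parse 'KEY value;' lines (assumed format) into a dict; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf[key] = value.strip()
    return conf


def load_config(explicit_path, running_as_root, resolver):
    """Resolve the path with the given strategy and parse the file it names."""
    with open(resolver(explicit_path, running_as_root)) as fh:
        return parse_config(fh.read())


def demo_planted_config():
    """Write a constructed fwsnort.conf into a scratch working directory and report
    (value read by the pre-fix resolver, whether the fixed resolver refused)."""
    with tempfile.TemporaryDirectory() as scratch:
        previous_cwd = os.getcwd()
        os.chdir(scratch)
        try:
            with open("fwsnort.conf", "w") as fh:
                fh.write("EXAMPLE_RULES_DIR /tmp/planted_rules;  # constructed sample key\n")
            planted = load_config(None, running_as_root=False, resolver=resolve_config_pre_fix)
            try:
                load_config(None, running_as_root=False, resolver=resolve_config_fixed)
                refused = False
            except ConfigPathError:
                refused = True
        finally:
            os.chdir(previous_cwd)
    return planted.get("EXAMPLE_RULES_DIR"), refused


if __name__ == "__main__":
    value, refused = demo_planted_config()
    print(f"pre-fix resolver read the planted value: {value}")
    print(f"fixed resolver refused to run without -c: {refused}")
```

The point of the demo is that a CWD-relative fallback makes the effective configuration depend on where the tool is invoked, which is exactly what the fix removes for the unprivileged case.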

New in version 1.6.2 (April 30th, 2012)

  • This version switches the default policy load stance: all translated Snort rules are now loaded into the running iptables policy by default.
  • This was made possible by fwsnort's use of the iptables-save format for policy instantiation.
  • Updated to use the NetAddr::IP module from CPAN.
  • A bugfix for translated ICMP rules and ICMP type requirements in recent versions of iptables.

New in version 1.6 (July 29th, 2011)

  • Snort fast_pattern support and iptables multiport match support were added.
  • The --QUEUE and --NFQUEUE modes were enhanced.
  • Support was added for the conntrack module for connection tracking.
  • Case-insensitive pattern matching was added via the --icase argument to the iptables string match extension.
  • A couple of minor bugs were fixed.

New in version 1.0.6 (May 31st, 2009)

  • (Franck Joncourt) Updated fwsnort to use the "! <match>" syntax instead of the older "<match> !" for the iptables command line.
  • (Franck Joncourt) For the --hex-string and --string matches, if the argument exceeds 128 bytes (iptables 1.4.2) then iptables fails with the error "iptables v1.4.2: STRING too long". This is fixed with a patch that adds a new variable "MAX_STRING_LEN" to fwsnort.conf so that the size of the content can be limited: if the content (as a null-terminated string) is longer than MAX_STRING_LEN chars, fwsnort throws the rule away.
  • Bug fix to allow fwsnort to properly translate Snort rules that have "content" fields with embedded escaped semicolons (i.e. "\;"). This allows fwsnort to translate about 58 additional rules from the Emerging Threats rule set.
  • Bug fix to allow case insensitive matches to work properly with the --include-re-caseless and --exclude-re-caseless arguments.
  • Bug fix to move the 'rawbytes' keyword to the list of ignored keywords, since iptables performs a raw byte match anyway: it does not run any preprocessors in the Snort sense.
  • Added the --snort-rfile argument so that a specific Snort rules file (or list of files separated by commas) is parsed.
  • Added a small hack to choose the first port from a port list until the iptables 'multiport' match is supported.
  • Updated to consolidate spaces in hex matches in the fwsnort.sh script, since the spaces are not part of the patterns to be searched anyway.
  • Updated to the latest complete rule set from Emerging Threats (see http://www.emergingthreats.net/).
  • Added the "fwsnort-nobuildreqs.spec" file for building fwsnort on systems (such as Debian) that do not install/upgrade software via RPM. This file omits the "BuildRequires: perl-ExtUtils-MakeMaker" directive, and this fixes errors like the following on an Ubuntu system when building fwsnort with rpmbuild:
        rpm: To install rpm packages on Debian systems, use alien. See README.Debian.
        error: cannot open Packages index using db3 - No such file or directory (2)
        error: cannot open Packages database in /var/lib/rpm
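The 1.0.6 entries on MAX_STRING_LEN, escaped semicolons in "content" fields and space consolidation in hex matches, together with the 1.6 entry on --icase, describe one translation step: turning a Snort content pattern into an iptables string match and discarding rules whose pattern is too long. The block below is an added example of that step, not fwsnort's own code; parse_content, to_hex_string and string_match_args are hypothetical names, the "+1 for the null terminator" reading follows the wording of the MAX_STRING_LEN entry, and the iptables options --algo, --hex-string and --icase are real options of the string match extension.

```python
"""Snort content: field -> iptables string match, with the MAX_STRING_LEN check.
Added illustration, not fwsnort's own code; function names are hypothetical."""

MAX_STRING_LEN = 128  # limit taken from the changelog entry (iptables 1.4.2)


def parse_content(field):
    """Decode the body of a Snort content: field into raw bytes.

    Text outside |...| is literal, with backslash escapes (an escaped semicolon,
    quote, pipe or backslash taken literally); inside |...| the hex byte pairs may
    be separated by arbitrary whitespace, which is consolidated away because the
    spaces are not part of the pattern."""
    out = bytearray()
    i, n = 0, len(field)
    while i < n:
        ch = field[i]
        if ch == "|":
            end = field.find("|", i + 1)
            if end == -1:
                raise ValueError("unterminated hex run in content")
            hexdigits = "".join(field[i + 1:end].split())  # drop the spaces
            if len(hexdigits) % 2:
                raise ValueError("odd number of hex digits in content")
            out += bytes.fromhex(hexdigits)
            i = end + 1
        elif ch == "\\":
            if i + 1 >= n:
                raise ValueError("dangling backslash in content")
            out += field[i + 1].encode("latin-1")  # escaped character, literal
            i += 2
        else:
            out += ch.encode("latin-1")
            i += 1
    return bytes(out)


def to_hex_string(data):
    """Render bytes in iptables --hex-string notation, e.g. |de ad be ef|."""
    return "|" + " ".join(f"{b:02x}" for b in data) + "|"


def string_match_args(field, nocase=False, max_len=MAX_STRING_LEN):
    """Build the iptables string-match arguments for one content: field, or
    return None when the rule must be thrown away because the pattern, counted
    as a null-terminated string, exceeds max_len."""
    data = parse_content(field)
    if len(data) + 1 > max_len:  # +1 for the terminating null, per the changelog
        return None
    args = ["-m", "string", "--algo", "bm", "--hex-string", to_hex_string(data)]
    if nocase:
        args.append("--icase")  # Snort 'nocase' -> iptables --icase (added in 1.6)
    return args


if __name__ == "__main__":
    # Constructed samples; the second is deliberately one byte over the limit.
    for sample in ("GET /cgi-bin/|00 01|\\;x", "A" * 128):
        print(repr(sample[:20]), "->", string_match_args(sample, nocase=True))
```

Emitting every pattern as --hex-string keeps the output independent of shell quoting, which is the same reason the changelog moved the semicolon and quote handling into the translator rather than leaving it to fwsnort.sh.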