What's new in fwsnort 1.6.5
Dec 22, 2014
- (Paulo Bruck) Submitted a patch to fix a bug in fwsnort's use of the iptables --ulog-prefix option (an invalid quote was being used prior to the fix).
- Updated to bundle the latest Emerging Threats rule set.
New in fwsnort 1.6.4 (Feb 6, 2014)
- Bug fix for vulnerability CVE-2014-0039 reported by Murray McAllister of the Red Hat Security Team in which an attacker-controlled fwsnort.conf file could be read by fwsnort when not running as root. This was caused by fwsnort reading './fwsnort.conf' when not running as root and when a path to the config file was not explicitly set with -c on the command line. This behavior has been changed to require the user to specify a path to fwsnort.conf with -c when not running as root.
- Switched the fwsnort.sh iptables-restore exec() strategy to read the fwsnort.save file via 'cat' (fixes CentOS deployments).
- Updated to bundle the latest Emerging Threats rule set.
New in fwsnort 1.6.2 (Apr 30, 2012)
- This version switches the default policy load stance to load all translated Snort rules into the running iptables policy by default.
- This was made possible by fwsnort's use of the iptables-save format for policy instantiation.
- Updated to use the NetAddr::IP module from CPAN.
- A bugfix for translated ICMP rules and ICMP type requirements in recent versions of iptables.
New in fwsnort 1.6 (Jul 29, 2011)
- Snort fast_pattern support and iptables multiport match support were added.
- The --QUEUE and --NFQUEUE modes were enhanced.
- Support was added for the conntrack module for connection tracking.
- Case-insensitive pattern matching was added via the --icase argument to the iptables string match extension.
- A couple of minor bugs were fixed.
New in fwsnort 1.0.6 (May 31, 2009)
- (Franck Joncourt) Updated fwsnort to use the newer "! " negation syntax (the "!" placed before the option) instead of the older " !" form (the "!" placed after the option) on the iptables command line.
- (Franck Joncourt) For the --hex-string and --string matches, if the argument exceeds 128 bytes (iptables 1.4.2) then iptables fails with the error "iptables v1.4.2: STRING too long". This is fixed with a patch that adds a new variable, "MAX_STRING_LEN", to fwsnort.conf so that the size of the content can be limited. If the content (as a null-terminated string) is longer than MAX_STRING_LEN chars, fwsnort throws the rule away.
- Bug fix to allow fwsnort to properly translate Snort rules that have "content" fields with embedded escaped semicolons (e.g. "\;"). This allows fwsnort to translate about 58 additional rules from the Emerging Threats rule set.
- Bug fix to allow case insensitive matches to work properly with the --include-re-caseless and --exclude-re-caseless arguments.
- Bug fix to move the 'rawbytes' keyword to the list of ignored keywords, since iptables does a raw match anyway (it does not run any preprocessors in the Snort sense).
- Added the --snort-rfile argument so that a specific Snort rules file (or list of files separated by commas) is parsed.
- Added a small hack to choose the first port from a port list until the iptables 'multiport' match is supported.
- Updated to consolidate spaces in hex matches in the fwsnort.sh script since the spaces are not part of patterns to be searched anyway.
- Updated to the latest complete rule set from Emerging Threats (see http://www.emergingthreats.net/).
- Added the "fwsnort-nobuildreqs.spec" file for building fwsnort on systems (such as Debian) that do not install/upgrade software via RPM. This file omits the "BuildRequires: perl-ExtUtils-MakeMaker" directive, and this fixes errors like the following on an Ubuntu system when building fwsnort with rpmbuild:
  rpm: To install rpm packages on Debian systems, use alien. See README.Debian.
  error: cannot open Packages index using db3 - No such file or directory (2)
  error: cannot open Packages database in /var/lib/rpm
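The content-handling changes listed above (the MAX_STRING_LEN limit, escaped semicolons inside "content" fields, ignoring 'rawbytes', and mapping Snort's nocase to the string match --icase flag) as an added Python sketch; this is not fwsnort's own Perl code. The simplified rule-header regex, counting one extra byte for the null terminator, and emitting --hex-string without spaces between hex digits are my assumptions.

```python
import re

# Assumed from the 1.0.6 entry: iptables 1.4.2 rejects string-match
# patterns over 128 bytes with "STRING too long", so this is the default cap.
MAX_STRING_LEN = 128
# iptables does a raw match anyway (no preprocessors), so 'rawbytes' is ignored.
IGNORED_KEYWORDS = {"rawbytes"}

def split_options(body):
    """Split a Snort option section on ';' without splitting on escaped '\\;'."""
    # Each option is a run of chars that are neither ';' nor '\', or escape pairs.
    return [o.strip() for o in re.findall(r'(?:[^;\\]|\\.)+', body) if o.strip()]

def content_to_bytes(value):
    """Turn a Snort content value (text plus |hex| blocks, backslash escapes) into bytes."""
    out = bytearray()
    for i, seg in enumerate(re.split(r'(?<!\\)\|', value)):
        if i % 2:  # inside |...|: hex digits, whitespace is not part of the pattern
            out += bytes.fromhex(seg.replace(' ', ''))
        else:      # plain text: drop the escape backslash before ; " \ |
            out += re.sub(r'\\([;"\\|])', r'\1', seg).encode('latin-1')
    return bytes(out)

def translate(rule, max_len=MAX_STRING_LEN):
    """Return the iptables string-match fragment(s) for one Snort rule, or None
    when a content field is too long for the string match (rule is discarded)."""
    m = re.match(r'^\s*alert\s+\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((.*)\)\s*$',
                 rule, re.S)
    if not m:
        raise ValueError("unsupported rule header")
    contents = []  # list of [bytes, icase] pairs; nocase applies to the preceding content
    for opt in split_options(m.group(1)):
        key, _, val = opt.partition(':')
        key = key.strip()
        if key in IGNORED_KEYWORDS:
            continue
        if key == 'content':
            contents.append([content_to_bytes(val.strip().strip('"')), False])
        elif key == 'nocase' and contents:
            contents[-1][1] = True
    frags = []
    for data, icase in contents:
        if len(data) + 1 > max_len:  # +1: the changelog counts a null-terminated string
            return None
        frag = '-m string --hex-string "|%s|" --algo bm' % data.hex()
        frags.append(frag + ' --icase' if icase else frag)
    return ' '.join(frags)
```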