Open hellresistor opened 3 years ago
Ubuntu 20 Server + psad 2.4.6 + fwsnort-1.6.8
fwsnort.sh script failing to add iptables rules with the latest emerging-all.rules version
problem on ports with ! [!445,!1500]
Seems a familiar issue?
```
root@2w1r:/usr/local/src/fwsnort-1.6.8# fwsnort
[+] Testing /sbin/iptables for supported capabilities...
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    Snort Rules File               Success   Fail   Total
[+] attack-responses.rules              16      1      17
[+] backdoor.rules                      65     11      76
[+] bad-traffic.rules                    9      3      12
[+] chat.rules                          29      1      30
[+] ddos.rules                          18     14      32
[+] dns.rules                           19      2      21
[+] dos.rules                            9      7      16
[+] emerging-all.rules               11877   7035   18912
[+] experimental.rules                   0      0       0
[+] exploit.rules                       36     46      82
[+] finger.rules                        13      1      14
[+] ftp.rules                           21     49      70
[+] icmp-info.rules                     65     28      93
[+] icmp.rules                          18      4      22
[+] imap.rules                           1     37      38
[+] info.rules                           8      2      10
[+] local.rules                          0      0       0
[+] misc.rules                          42     18      60
[+] multimedia.rules                     4      6      10
[+] mysql.rules                          3      0       3
[+] netbios.rules                       11    419     430
[+] nntp.rules                           0     13      13
[+] oracle.rules                         3    295     298
[+] other-ids.rules                      3      0       3
[+] p2p.rules                           18      0      18
[+] policy.rules                        20      1      21
[+] pop2.rules                           2      2       4
[+] pop3.rules                           6     21      27
[+] porn.rules                          21      0      21
[+] rpc.rules                           37     91     128
[+] rservices.rules                     13      0      13
[+] scan.rules                          14      4      18
[+] shellcode.rules                     21      0      21
[+] smtp.rules                          14     45      59
[+] snmp.rules                          17      0      17
[+] sql.rules                           42      4      46
[+] telnet.rules                        13      2      15
[+] tftp.rules                           9      2      11
[+] virus.rules                          0      1       1
[+] web-attacks.rules                   46      0      46
[+] web-cgi.rules                      348      2     350
[+] web-client.rules                     9     16      25
[+] web-coldfusion.rules                35      0      35
[+] web-frontpage.rules                 35      0      35
[+] web-iis.rules                      112      7     119
[+] web-misc.rules                     300     28     328
[+] web-php.rules                      115     11     126
[+] x11.rules                            2      0       2
=============================        13519   8229   21748
[+] Generated iptables rules for 13519 out of 21748 signatures: 62.16%
[+] Logfile: /var/log/fwsnort/fwsnort.log
[+] iptables script (individual commands): /var/lib/fwsnort/fwsnort_iptcmds.sh
    Main fwsnort iptables-save file: /var/lib/fwsnort/fwsnort.save

    You can instantiate the fwsnort policy with the following command:

        /sbin/iptables-restore < /var/lib/fwsnort/fwsnort.save

    Or just execute: /var/lib/fwsnort/fwsnort.sh

root@2w1r:/usr/local/src/fwsnort-1.6.8# bash /var/lib/fwsnort/fwsnort.sh
[+] Splicing fwsnort 13519 rules into the iptables policy...
iptables-restore v1.8.4 (legacy): invalid port/service `!445' specified
Error occurred at line: 9043
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
```
fwsnort_iptcmds.sh file output problem
```
### alert tcp $HOME_NET !80 -> $EXTERNAL_NET [!25,!445,!1500] (msg:"ET TROJAN Win32/BlackCarat XORed (0x77) CnC Checkin"; flow:established,to_server; dsize:>800; content:"|77 77|"; offset:2; depth:2; content:"|77|"; distance:1; within:1; content:"|77 77 77 77 77 77 77 77 77 77 77 77 77|"; distance:1; within:13; content:"|20 77 1e 77 19 77 13 77 18 77 00 77 04|"; distance:0; fast_pattern; content:!"|00 00 00 00 00 00|"; reference:md5,514AB639CD556CEBD78107B4A68A202A; reference:url,www.virusbulletin.com/uploads/pdf/conference_slides/2018/AncelKuprins-VB2018-WolfSheep.pdf; classtype:trojan-activity; sid:2026525; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_18, deployment Perimeter, former_category MALWARE, malware_family BlackCarat, performance_impact Low, signature_severity Major, tag RAT, updated_at 2019_01_30;)
$IPTABLES -A FWSNORT_OUTPUT_ESTAB -p tcp -m tcp ! --sport 80 -m multiport ! --dports 25,!445,!1500 -m length --length 850:1550 -m string --hex-string "|20771e77197713771877007704|" --algo bm --from 77 -m string --hex-string "|7777|" --algo bm --from 66 --to 68 -m string --hex-string "|77|" --algo bm --from 69 --to 70 -m string --hex-string "|77777777777777777777777777|" --algo bm --from 66 --to 79 -m string ! --hex-string "|000000000000|" --algo bm -m comment --comment "sid:2026525; msg:ET TROJAN Win32/BlackCarat XORed (0x77) CnC Checkin; classtype:trojan-activity; reference:md5,514AB639CD556CEBD78107B4A68A202A; rev:6; FWS:1.6.8;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[2295] SID2026525 ESTAB "
$IPTABLES -A FWSNORT_FORWARD_ESTAB -p tcp -m tcp ! --sport 80 -m multiport ! --dports 25,!445,!1500 -m length --length 850:1550 -m string --hex-string "|20771e77197713771877007704|" --algo bm --from 77 -m string --hex-string "|7777|" --algo bm --from 66 --to 68 -m string --hex-string "|77|" --algo bm --from 69 --to 70 -m string --hex-string "|77777777777777777777777777|" --algo bm --from 66 --to 79 -m string ! --hex-string "|000000000000|" --algo bm -m comment --comment "sid:2026525; msg:ET TROJAN Win32/BlackCarat XORed (0x77) CnC Checkin; classtype:trojan-activity; reference:md5,514AB639CD556CEBD78107B4A68A202A; rev:6; FWS:1.6.8;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[7029] SID2026525 ESTAB "
```
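The failure is visible in the generated command: the Snort rule negates every element of its destination list (`[!25,!445,!1500]`), which is the same thing as `![25,445,1500]`, but fwsnort 1.6.8 keeps the per-element `!` inside the iptables list and emits `-m multiport ! --dports 25,!445,!1500`. The multiport match can only express the negation once, in front of the option, so iptables-restore rejects the `!445` token and the whole policy load aborts. The following is an added example, not fwsnort's own code: a small translator that maps Snort port fields to iptables `tcp`/`multiport` arguments with the negation hoisted correctly, plus a pre-flight scanner you can run over `fwsnort.save` or `fwsnort_iptcmds.sh` before handing either to iptables-restore. Function names and the sample script lines are constructed for this example; the mapping of open-ended Snort ranges (`1024:`, `:1024`) to `0`/`65535` bounds is an assumption about semantics.

```python
"""Translate Snort port specs into iptables port-match arguments, and scan a
generated fwsnort script for '!' tokens inside a port list (the malformation
that makes iptables-restore report "invalid port/service `!445' specified").

Added example; not code from fwsnort. Names and sample lines are constructed.
"""
import re
from typing import List, Tuple

MAX_MULTIPORT = 15  # iptables multiport limit; a range lo:hi counts as two entries

_PORT_RE = re.compile(r"^\d{1,5}$")
_RANGE_RE = re.compile(r"^(\d{0,5}):(\d{0,5})$")
_PORTLIST_RE = re.compile(r"--(?:sport|dport)s?\s+(\S+)")


def _normalize_port(item: str) -> Tuple[str, int]:
    """Return (iptables port token, number of multiport slots it consumes)."""
    if _PORT_RE.match(item):
        port = int(item)
        if port > 65535:
            raise ValueError(f"port out of range: {item}")
        return str(port), 1
    m = _RANGE_RE.match(item)
    if m:
        lo = int(m.group(1) or 0)       # assumption: Snort ':1024' means 0-1024
        hi = int(m.group(2) or 65535)   # assumption: Snort '1024:' means 1024-65535
        if lo > hi or hi > 65535:
            raise ValueError(f"bad range: {item}")
        return f"{lo}:{hi}", 2
    raise ValueError(f"unsupported port item: {item!r}")


def snort_ports_to_iptables(spec: str, direction: str, proto: str = "tcp") -> List[str]:
    """Map one Snort port field to iptables argument tokens.

    direction is 'sport' or 'dport'.  A list whose every element is negated,
    e.g. [!25,!445,!1500], equals ![25,445,1500]; iptables can only express it
    as '-m multiport ! --dports 25,445,1500', never as '25,!445,!1500'.
    """
    if direction not in ("sport", "dport"):
        raise ValueError("direction must be 'sport' or 'dport'")
    spec = spec.strip()
    if spec == "any":
        return []  # no port match at all
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec.startswith("[") and spec.endswith("]"):
        items = [i.strip() for i in spec[1:-1].split(",") if i.strip()]
    else:
        items = [spec]
    if not items:
        raise ValueError("empty port list")

    # Hoist per-element negation to the whole match; refuse forms iptables
    # cannot express (a mix of negated and plain ports, or double negation).
    item_negs = [i.startswith("!") for i in items]
    if any(item_negs):
        if not all(item_negs):
            raise ValueError(f"mixed negated/plain ports not expressible: {spec}")
        if negated:
            raise ValueError(f"double negation not supported: !{spec}")
        negated = True
    items = [i[1:] if i.startswith("!") else i for i in items]

    tokens, slots = [], 0
    for item in items:
        tok, n = _normalize_port(item)
        tokens.append(tok)
        slots += n
    neg = ["!"] if negated else []
    if len(tokens) == 1:
        # single port or single range: the protocol match handles it directly
        return ["-m", proto] + neg + [f"--{direction}", tokens[0]]
    if slots > MAX_MULTIPORT:
        raise ValueError(f"multiport accepts at most {MAX_MULTIPORT} entries")
    return ["-m", "multiport"] + neg + [f"--{direction}s", ",".join(tokens)]


def find_malformed_port_lists(script: str) -> List[Tuple[int, str]]:
    """Pre-flight check for a generated fwsnort script: report every
    --sport(s)/--dport(s) argument that still carries a '!' inside the list."""
    hits = []
    for lineno, line in enumerate(script.splitlines(), 1):
        for m in _PORTLIST_RE.finditer(line):
            if "!" in m.group(1):
                hits.append((lineno, m.group(0)))
    return hits


# Constructed sample modelled on the fwsnort_iptcmds.sh lines in this issue.
SAMPLE_SCRIPT = """\
$IPTABLES -A FWSNORT_OUTPUT_ESTAB -p tcp -m tcp ! --sport 80 -m multiport ! --dports 25,!445,!1500 -j LOG
$IPTABLES -A FWSNORT_INPUT_ESTAB -p tcp -m multiport --dports 139,445 -j LOG
"""

if __name__ == "__main__":
    print(" ".join(snort_ports_to_iptables("[!25,!445,!1500]", "dport")))
    for lineno, bad in find_malformed_port_lists(SAMPLE_SCRIPT):
        print(f"line {lineno}: malformed port list -> {bad}")
```

Running the scanner over the real `fwsnort.save` before `iptables-restore` turns a mid-load abort (which leaves the policy half-spliced) into a list of offending line numbers, which is also what you need to file or patch against the rule translator.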
Same problem here. Is there a fix or workaround for this?