mrash / fwsnort

Application Layer IDS/IPS with iptables
http://www.cipherdyne.org/fwsnort/
GNU General Public License v2.0
73 stars, 15 forks

Fix large consecutive hex char sequences #4

Closed. mrash closed this 10 years ago.

mrash commented 10 years ago

André Nunes Batista reported the following issue to the Debian users list, and it should be fixed in the next release:

Hello debianers!

I run fwsnort to update and improve on my iptables rule sets. On updating its rules, though, I got this error message:

iptables-restore < /path/to/fwsnort.save

iptables-restore v1.4.14: Invalid hex char '|' Error occurred at line: 4013 Try `iptables-restore -h' or 'iptables-restore --help' for more information.

The line mentioned in the error contains the rule below:

-A FWSNORT_OUTPUT_ESTAB -p tcp -m tcp -m string --string "PRIVMSG " --algo bm -m string --hex-string "|2d2d2d2d2d2d2d2d2d2d2d2d||2d||2d|| 2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d|| 2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d|| 2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d|| 2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d|" --algo bm --from 72 -m comment --comment "sid:2017291; msg:ET TROJAN ATTACKER IRCBot - PRIVMSG Response - net command output; classtype:trojan-activity; rev:5; FWS:1.6.2;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[3006] SID2017291 ESTAB "

Upon removing this line, iptables-restore did its job without complaining. Since this line was automagically generated by "fwsnort --update-rules ; fwsnort --ipt-sync", I wonder if it's worth a bug report.

mrash commented 10 years ago

This bug has already been fixed in fwsnort-1.6.3 in my testing. The consecutive "-" chars are consolidated properly, and the resulting iptables rule is:

-A FWSNORT_FORWARD_ESTAB -p tcp -m tcp -m string --hex-string "|505249564d534720|" --algo bm -m string --hex-string "|2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d|" --algo bm --from 72 -m comment --comment "sid:2017291; msg:ET TROJAN ATTACKER IRCBot - PRIVMSG Response - net command output; classtype:trojan-activity; rev:5; FWS:1.6.3;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[1] SID2017291 ESTAB "

I've emailed André to confirm before I close this issue.
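As an added example (not fwsnort's own Perl code, which this issue does not show), here is a Python converter that turns a Snort content pattern into a single iptables --hex-string run, the consolidated form the 1.6.3 rule above uses, plus a check that counts |...| runs so the fragmented "|2d||2d|" shape from the 1.6.2 output can be flagged before iptables-restore rejects the rule. The Snort escape handling and the sample inputs are assumptions.

```python
import re

HEX_PAIR = re.compile(r"[0-9a-fA-F]{2}")

def snort_content_to_hex_string(content: str) -> str:
    """Convert a Snort 'content' pattern (literal text mixed with |hex|
    segments; Snort escapes \\| \\" \\; \\: \\\\ are honoured) into one
    iptables --hex-string value. Every byte goes into a single |...| run,
    the consolidated form the fwsnort-1.6.3 rule in this issue shows."""
    out = bytearray()
    in_hex = False
    i, n = 0, len(content)
    while i < n:
        c = content[i]
        if in_hex:
            if c == "|":                  # closes the hex segment
                in_hex = False
            elif not c.isspace():         # whitespace between pairs is fine
                pair = content[i:i + 2]
                if not HEX_PAIR.fullmatch(pair):
                    raise ValueError(f"bad hex pair {pair!r} at offset {i}")
                out.append(int(pair, 16))
                i += 1                    # consumed two characters
        elif c == "\\":                   # Snort escape: next char is literal
            i += 1
            if i >= n:
                raise ValueError("dangling backslash")
            out.extend(content[i].encode("utf-8"))
        elif c == "|":                    # opens a hex segment
            in_hex = True
        else:
            out.extend(c.encode("utf-8"))
        i += 1
    if in_hex:
        raise ValueError("unterminated |hex| segment")
    return "|" + out.hex() + "|"

def count_hex_runs(hex_string: str) -> int:
    """Number of |...| runs in a --hex-string value. A pattern converted by
    the function above yields exactly one; the 1.6.2 rule quoted above has many."""
    return len(re.findall(r"\|[^|]*\|", hex_string))

def is_valid_content(content: str) -> bool:
    """True when the pattern converts cleanly, False on a syntax error."""
    try:
        snort_content_to_hex_string(content)
        return True
    except ValueError:
        return False
```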

mrash commented 10 years ago

fwsnort-1.6.4 has been released owing to the need to address a security concern from the Red Hat Security team. Either way, this bug has been fixed in the previous release.