Package: fwsnort
Version: 1.6.2-1
Severity: important
Tags: patch

I first ran fwsnort without cutting any rules out; this resulted in 15000 rules
in the INPUT chain. My i5 2.6GHz computer couldn't handle this. With one core
pegged, throughput dropped from ~470 kB/s to ~350 kB/s. So I had a closer look at
the script to reduce the number of rules generated. These are my notes and a
patch.

-----------------------------
I ran fwsnort like so:

sids="1841,626"

include="attack-responses,backdoor,bad-traffic,ddos,dns,dos,exploit,icmp,imap,local,misc,pop3,rpc,scan,shellcode,smtp,snmp,virus,web-attacks,web-client,web-misc,x11,emerging-all"

fwsnort --verbose --snort-rdir=/etc/snort/rules,/etc/fwsnort/snort_rules \
--include-type="$include" --exclude-sid="$sids" \
--exclude-regex="(ET|GPL)\s+(WEB_SPECIFIC_APPS|SQL|P2P|NETBIOS|GAMES|POLICY|INFO|INAPPROPRIATE|TFTP|TELNET|MOBILE_MALWARE|ACTIVEX|USER_AGENTS|FTP|SCADA|CHAT)"

-----------------------------

line 608 - $rfile is /etc/snort/rules/deleted.rules and doesn't match

line 646 - exclude and include regex behaved the same

line 3404 - the {http_uri http_method urilen} options will not match in
        $snort_opts{'filter'} since they are in $snort_opts{'ignore'}, causing
        errors when using --strict. Since they are already 'ignored', they do
        not have to be added to unsupported.

lines 4234 to 4237 - I have no idea of the reason for this code. It breaks
        having a comma-separated list of directories with the --snort-rdir
        option.

line 4409 - add error message


When EXTERNAL_NET is set to 'any' the outbound rules get put into the INPUT
chain.

I checked this by running (assumes no multiple addrs in HOME_NET and
EXTERNAL_NET):
        grep -A4 '\-> \$EXTERNAL' fwsnort_iptcmds.sh | grep INPUT | wc -l

A workaround: set EXTERNAL_NET to 0.0.0.0/0



-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.6.6-grsec (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages fwsnort depends on:
ii  debconf [debconf-2.0]   1.5.46
ii  iptables                1.4.14-3
ii  libiptables-parse-perl  1.1-1
ii  libnet-ip-perl          1.25-3
ii  perl                    5.14.2-14

Versions of packages fwsnort recommends:
ii  snort-rules-default  2.9.2.2-3

fwsnort suggests no packages.

-- Configuration Files:
/etc/fwsnort/fwsnort.conf changed [not included]

-- debconf information excluded

-- debsums errors found:
debsums: changed file /usr/sbin/fwsnort (from fwsnort package)
--- a/fwsnort	2012-06-07 16:55:00.000000000 -0400
+++ b/fwsnort	2012-10-22 14:15:53.533435043 -0400
@@ -605,7 +605,7 @@
         if ($exclude_types) {
             next FILE if defined $exclude_types{$type};
         }
-        if ($rfile eq 'deleted.rules') {
+        if ($type eq 'deleted') {
             next FILE unless $add_deleted;
         }
         ($snort_type) = ($rfile =~ m|.*/(\S+)\.rules|);
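Review bot: the new test `if ($type eq 'deleted')` relies on `$type` already holding the basename-derived rule type at this point; it is used two lines earlier in `$exclude_types{$type}`, so that holds, but `$snort_type` is still extracted from `$rfile` on the following line with `m|.*/(\S+)\.rules|`, which requires a slash in the path. Consider deriving the basename once (e.g. `$rfile =~ m|(?:^|/)deleted\.rules$|`) so the deleted-rules check and the type extraction cannot drift apart when a bare file name is passed.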
@@ -643,7 +643,7 @@
 
             ### regex filters
             if ($exclude_re) {
-                next RULE unless $rule =~ $exclude_re;
+                next RULE if $rule =~ $exclude_re;
             }
 
             if ($include_re) {
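Review bot: flipping `unless` to `if` is the right fix, since the old test skipped every rule that did not match the exclude regex, which is exactly the include semantics the reporter observed; please confirm the `if ($include_re)` block directly below still uses `next RULE unless` so the two filters stay complementary. A quick check is to pass the same pattern to both `--include-regex` and `--exclude-regex`, which should now yield zero rules.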
@@ -3401,8 +3401,7 @@
 
     if ($strict) {
         ### make the snort options parser very strict
-        for my $opt (qw(uricontent pcre
-                distance within http_uri http_method urilen)) {
+        for my $opt (qw(uricontent pcre distance within)) {
             $snort_opts{'unsupported'}{$opt}
                 = $snort_opts{'filter'}{$opt};
             delete $snort_opts{'filter'}{$opt};
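Review bot: dropping `http_uri http_method urilen` from the list fixes the symptom, but the loop still copies `$snort_opts{'filter'}{$opt}` into `unsupported` without checking that the key exists, so any option that lives in `ignore` rather than `filter` ends up as an `undef` entry under `--strict`. A guard such as `next unless exists $snort_opts{'filter'}{$opt};` before the assignment would make this robust to future changes in which hash an option is kept.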
@@ -4231,11 +4230,6 @@
     $config{'QUEUE_RULES_DIR'} = $queue_rules_dir if $queue_rules_dir;
     $config{'LOG_FILE'}        = $logfile if $logfile;
 
-    if ($is_root) {
-        chdir $config{'RULES_DIR'} or
-            die "[*] Could not chdir $config{'RULES_DIR'}: $!";
-    }
-
     if ($rules_file) {
         for my $file (split /\,/, $rules_file) {
             die "[*] Snort rules file $file does not exist." unless -e $file;
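Review bot: removing the `chdir $config{'RULES_DIR'}` block changes the working directory for everything that runs afterwards, not only for `--snort-rdir`; in particular the `-e $file` check on the `--rules-file` list directly below now resolves relative file names against the caller's cwd instead of `RULES_DIR`. Please either confirm that no later code depends on the cwd, or keep the chdir and make the comma-separated `--snort-rdir` handling use absolute paths instead.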
@@ -4406,7 +4400,8 @@
 
     ### make sure the script is writable first
     if (-e $config{'FWSNORT_SCRIPT'}) {
-        chmod 0755, $config{'FWSNORT_SCRIPT'} or die $!;
+        chmod 0755, $config{'FWSNORT_SCRIPT'} or
+	    die "[*] Could not chmod $config{'FWSNORT_SCRIPT'}: $!";
     }
 
     open F, "> $config{'FWSNORT_SCRIPT'}" or
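Review bot: the added `die` continuation line is indented with a tab while the surrounding code uses spaces, so the two-line statement does not line up with the rest of the block; use spaces for consistency. The message itself is fine and matches the `[*] Could not ...` wording used elsewhere in the script.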
@@ -4642,7 +4637,7 @@
                                 iptables rules.
     --ipt-script=<script>     - Print iptables script to <script>
                                 instead of the default location at
-                                /etc/fwsnort/fwsnort.sh
+                                /var/lib/fwsnort/fwsnort.sh
     --ipt-apply               - Execute the fwsnort.sh script.
     --ipt-reject              - Add a protocol dependent REJECT rule
                                 (tcp resets for tcp or icmp port
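Review bot: this help-text change from `/etc/fwsnort/fwsnort.sh` to `/var/lib/fwsnort/fwsnort.sh` is not covered by any of the numbered notes above the patch; please state where the default `$config{'FWSNORT_SCRIPT'}` actually lives in the Debian package so the usage text and the real default stay in sync, and mention it in the report so it is not mistaken for an unrelated edit.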

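As an added example (not part of the bug report or of fwsnort itself), the following script generalises the reporter's grep check for outbound rules that landed in the INPUT chain: it checks both directions and reports the offending SID. The layout of the generated script it parses (a `### <snort rule header>` comment followed by the `$IPTABLES -A FWSNORT_<CHAIN>` command for that rule) is an assumption constructed for this example and should be verified against real fwsnort output.

```shell
#!/bin/sh
# Added example, not from the bug report or fwsnort: audit a generated
# fwsnort iptables script for rules whose Snort direction disagrees with
# the chain they were placed in. Extends the reporter's one-liner to both
# directions and reports the offending SID.
#
# ASSUMED layout (constructed here; check it against real fwsnort output):
# a "### <snort rule header>" comment followed by the "$IPTABLES -A
# FWSNORT_<CHAIN> ..." command for that rule.

# Constructed sample: sid 1002 is outbound but was placed in INPUT.
SAMPLE_SCRIPT=$(cat <<'EOF'
### alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"inbound"; sid:1001;)
$IPTABLES -A FWSNORT_INPUT -p tcp --dport 80 -m string --string "a" -j LOG
### alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"outbound"; sid:1002;)
$IPTABLES -A FWSNORT_INPUT -p tcp --dport 25 -m string --string "b" -j LOG
### alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ok"; sid:1003;)
$IPTABLES -A FWSNORT_OUTPUT_ESTAB -p tcp --dport 443 -m string --string "c" -j LOG
EOF
)

# audit_chains: read a script on stdin; print "<sid> <chain>" for every rule
# whose direction and chain disagree. Outbound (HOME_NET -> EXTERNAL_NET)
# must not sit in INPUT, inbound must not sit in OUTPUT; FORWARD fits both.
audit_chains() {
    awk '
        /^### alert/ {
            dir = ""
            if ($0 ~ /\$HOME_NET[^>]*-> *\$EXTERNAL_NET/) dir = "out"
            else if ($0 ~ /\$EXTERNAL_NET[^>]*-> *\$HOME_NET/) dir = "in"
            sid = $0; sub(/.*sid:/, "", sid); sub(/;.*/, "", sid)
            next
        }
        /-A FWSNORT_/ && dir != "" {
            chain = $0; sub(/.*-A FWSNORT_/, "", chain); sub(/[ _].*/, "", chain)
            if ((dir == "out" && chain == "INPUT") || (dir == "in" && chain == "OUTPUT"))
                print sid, chain
            dir = ""
        }
    '
}

# count_mismatches: number of misplaced rules in the constructed sample.
count_mismatches() {
    printf '%s\n' "$SAMPLE_SCRIPT" | audit_chains | wc -l | tr -d ' '
}

count_mismatches
```

Run it against a real fwsnort_iptcmds.sh with `audit_chains < fwsnort_iptcmds.sh` once the comment/command layout has been confirmed.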