Control: tag -1 + confirmed
Control: user bugsqu...@qa.debian.org
Control: usertag -1 + a...@debian.org

Hi,

allorder wrote:
> - Update the snort rules: sudo fwsnort --update-rules
> - Run fwsnort: sudo fwsnort
> - instantiate the fwsnort policy: sudo /var/lib/fwsnort/fwsnort.sh
>
> The result:
>
> [+] Splicing fwsnort 11647 rules into the iptables policy...
> iptables-restore v1.6.0: invalid port/service `[6789]' specified
> Error occurred at line: 11464
> Try `iptables-restore -h' or 'iptables-restore --help' for more information.
>
> The "BUG?" seems to be present in debian 8 & 9:
> https://superuser.com/questions/1189290/fwsnort-wont-apply-rules-in-iptables

Yes and no.

The issue is likely triggered by an updated downloadable rule set which seems to be incompatible with Debian's version of fwsnort.

Basically the issue is that all but one line in that ruleset contain more than one port. And iptables seems to choke on single port numbers in square brackets.

The offending line:

# egrep '\$HOME_NET \[[^],]*\]' /etc/fwsnort/snort_rules/emerging-all.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET [6789] (msg:"ET TROJAN Possible Linux.Mirai DaHua Default Credentials Login"; flow:to_server,established; content:"888888|0d 0a|888888"; depth:14; content:"busybox telnetd -p"; distance:0; reference:url,isc.sans.edu/diary/21833; classtype:attempted-admin; sid:2023674; rev:1;)

The resulting line(s) on which iptables-restore bails out:

# egrep 'dport \[[^],]*\]' /var/lib/fwsnort/fwsnort.save
-A FWSNORT_FORWARD_ESTAB -p tcp -m tcp --dport [6789] -m string --hex-string "|3838383838380d0a383838383838|" --algo bm --to 78 -m string --hex-string "|62757379626f782074656c6e657464202d70|" --algo bm --from 78 -m comment --comment "sid:2023674; msg:ET TROJAN Possible Linux.Mirai DaHua Default Credentials Login; classtype:attempted-admin; reference:url,isc.sans.edu/diary/21833; rev:1; FWS:1.6.5;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[10620] SID2023674 ESTAB "
-A FWSNORT_INPUT_ESTAB -p tcp -m tcp --dport [6789] -m string --hex-string "|3838383838380d0a383838383838|" --algo bm --to 78 -m string --hex-string "|62757379626f782074656c6e657464202d70|" --algo bm --from 78 -m comment --comment "sid:2023674; msg:ET TROJAN Possible Linux.Mirai DaHua Default Credentials Login; classtype:attempted-admin; reference:url,isc.sans.edu/diary/21833; rev:1; FWS:1.6.5;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[7074] SID2023674 ESTAB "

I also noticed that there is a new upstream release from shortly before Debian's freeze (December 2016) at http://www.cipherdyne.org/fwsnort/download/, but neither the upstream changelog nor the diff shows anything which looks related to this bug report.

So my current idea is to maybe fix this by replacing all single port specifications in square brackets with just the number without the brackets. But then again, from reading the code, it should already do that... Will investigate further.

Regards, Axel (sent from the BSP in Zurich)
-- 
 ,''`.  |  Axel Beckert <a...@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
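As an added illustration of the workaround discussed in the report (strip the brackets from a single-port Snort spec before emitting iptables arguments) and of the check the two egrep commands perform, here is a standalone Python sketch. It is not fwsnort's own Perl code; the function names, the port-handling rules for lists and ranges, and the sample fwsnort.save lines are assumptions constructed for this example.

```python
import re

# Constructed sample fwsnort.save fragments: lines 1 and 3 carry the
# "[6789]" form that iptables-restore rejects, line 2 is well-formed.
SAMPLE_SAVE_LINES = [
    '-A FWSNORT_FORWARD_ESTAB -p tcp -m tcp --dport [6789] -m comment --comment "sid:2023674" -j LOG',
    '-A FWSNORT_FORWARD_ESTAB -p tcp -m multiport --dports 22,23,2323 -j LOG',
    '-A FWSNORT_INPUT_ESTAB -p tcp -m tcp --dport [6789] -j LOG',
]

# Same idea as: egrep 'dport \[[^],]*\]' /var/lib/fwsnort/fwsnort.save
BRACKETED_SINGLE_PORT = re.compile(r"--(?:dport|sport)s? \[[^\],]*\]")


def snort_ports_to_iptables(field, direction="dport"):
    """Translate a Snort header port field into iptables match arguments.

    Snort accepts a single port wrapped in brackets ("[6789]"); iptables does
    not, so brackets are stripped and one port becomes "--dport 6789".  Lists
    go through -m multiport, ranges keep the "lo:hi" form multiport and the
    tcp/udp matches already understand.  Variables like $HTTP_PORTS are out of
    scope here and raise (assumption for this example).
    """
    negate = field.startswith("!")
    spec = field[1:] if negate else field
    if spec == "any":
        return []  # no port restriction at all
    spec = spec.strip("[]")  # "[6789]" -> "6789", "[22,23]" -> "22,23"
    ports = [p.strip() for p in spec.split(",") if p.strip()]
    for p in ports:
        if not re.fullmatch(r"\d+(:\d+)?", p):
            raise ValueError(f"unsupported port spec: {field!r}")
    neg = ["!"] if negate else []
    if len(ports) == 1:
        return neg + [f"--{direction}", ports[0]]
    return ["-m", "multiport"] + neg + [f"--{direction}s", ",".join(ports)]


def find_bracketed_single_ports(save_lines):
    """Return 1-based line numbers of generated rules that still carry a
    bracketed single port, i.e. the lines iptables-restore would bail on."""
    return [i for i, line in enumerate(save_lines, 1)
            if BRACKETED_SINGLE_PORT.search(line)]


if __name__ == "__main__":
    print(snort_ports_to_iptables("[6789]"))
    print(find_bracketed_single_ports(SAMPLE_SAVE_LINES))
```

Running the checker over a real fwsnort.save before invoking fwsnort.sh gives the same line numbers iptables-restore would otherwise report one at a time.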