Search This Blog

Friday, July 29, 2011

Fwsnort: --hex-string syntax bug

Hi,


I've been trying to file a bug report trough the bug report tool of Debian. But without a succes.
So I'll just inform you all about this bug since I do want to inform you about it.
I'm sorry this isn't the proper method, but bugreport isn't cooperative with my SMTP for some reason.

I've discovered that fwsnort generates a small but significant syntax error when this iptable rule is present: # ICMP echo request
$IPTABLES -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT

The below fwsnort rule is generated which makes 'iptables-persistent' crash on boot, which in turn boots Debian without a firewall.
-A FWSNORT_INPUT -p icmp -m icmp --icmp-type 8 -m string --hex-string"|0102030405060708090a0b0c0d0e0f|"  --algo bm --to 74 -m comment --comment "sid:2100369; msg:GPL ICMP_INFO PING BayRS Router; classtype:misc-activity; reference:arachnids,438; rev:7; FWS:1.5;" -j LOG --log-prefix "[11] SID2100369 " --log-ip-options

The right syntax should be: --hex-string "|0102030405060708090a0b0c0d0e0f|"
It's a small syntax error, I'm sorry I don't have the time to fix this bug. I hope I've given enough information to you to fix this problem.

In the mean time this can be fixed by editing the saved iptable configuration in /etc/iptables/rules.v4
To display some helpful debugging information you can run: # iptables-restore < /etc/iptables/rules.v4
This will inform you of the line where this syntax error is. Then edit it accordingly with your favorite text editor.



--
Kind regards,
Kees de Jong


De informatie opgenomen in dit bericht kan vertrouwelijk zijn en is uitsluitend bestemd voor de geadresseerde(n).
Indien u dit bericht onterecht ontvangt, wordt u verzocht de inhoud niet te gebruiken en de afzender direct te informeren door het bericht te retourneren.
--
The information contained in this message may be confidential and is intended to be exclusively for the addressee(s).
Should you receive this message unintentionally, please do not use the contents herein and notify the sender immediately by return e-mail.