fwsnort

This release replaces the bleeding-all.rules file
with the
emerging-all.rules file because Matt Jonkman now
releases his rule sets
at emergingthreats.net. Restructured Perl module
paths make it easy to
introduce a "nodeps" distribution of fwsnort that
does not contain any
Perl modules, allowing better integration with
systems that already
have all necessary modules installed (including
the IPTables::ChainMgr
and IPTables::Parse modules). This release adds
support for multiple
Snort rule directories as a comma-separated list
for the argument to
--snort-rdir.

This version was updated to exclude loopback
interfaces from iptables allow rules parsing. This
behavior can be reversed with the existing
--no-exclude-loopback command line argument.
IPTables::Parse was updated to take into account
iptables policy output that contains "0" instead
of "all" to represent any protocol.
IPTables::Parse was updated to set sport and dport
to "0:0" if the protocol is "all". A bug was fixed
to allow negated networks to be specified within
iptables allow rules or within the fwsnort.conf
file. install.pl was updated to set the LC_ALL
environment variable to "C".

A major signature update from Bleeding Threats. This update includes a large number of new signatures with PCRE statements, with an emphasis on detecting SQL injection attacks directed at internal Web servers from external sources. The ability to interpret PCRE statements that include simple string matches separated by ".*" and ".+" as multiple iptables string matches has been added. The asn1 keyword has been added to the unsupported list.

A bugfix to make sure to add in header lengths for depth and offset values, since the string match extension starts comparing bytes from the start of the data link header. A bugfix for the ipt_rule_test() function name. The ability to automatically resolve command paths if any commands cannot be found at the locations specified in the fwsnort.conf file.

This is a major update to add the ability to send
packets that match content or uricontent criteria
to userspace via the iptables QUEUE or NFQUEUE
targets. This can be used to speed up snort_inline
IPS. A fwsnort mailing list was added. A bug was
fixed to remove any existing jump rules from the
built-in INPUT, OUTPUT, and FORWARD chains before
creating a new jump rules. This allows the
fwsnort.sh script to be executed multiple times
without creating a new jump rule in the fwsnort
chains for each execution.