
Re: fwsnort invalid hex char



On Sun, 2014-02-02 at 08:45 -0500, Michael Rash wrote:
> 
> Hi,
> 
> 
> I noticed that it looks like the bug was seen in fwsnort-1.6.2 (given
> the "FWS:1.6.2" in the output you had attached).  This issue has
> already been fixed in fwsnort-1.6.3 - at least in my testing the
> consecutive "-" chars are properly consolidated into a single large hex
> char block.  Can you give 1.6.3 a try?
> 

Hello there,

This is somewhat embarrassing for me: I upgraded today to fwsnort-1.6.3
and I am able to confirm that the issue is resolved, I'm sorry for
having bothered you before upgrading to the latest version.

For reference, it successfully generated the following rule:

-A FWSNORT_OUTPUT_ESTAB -p tcp -m tcp -m string --hex-string "|505249564d534720|" --algo bm -m string --hex-string "|2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d|" --algo bm --from 72 -m comment --comment "sid:2017291; msg:ET TROJAN ATTACKER IRCBot - PRIVMSG Response - net command output; classtype:trojan-activity; rev:5; FWS:1.6.3;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[2955] SID2017291 ESTAB "

> 
> Thanks,
> 
> 
> --Mike
> 
> 

Apologies,

André 

> On Thu, Jan 23, 2014 at 8:27 PM, Michael Rash <mbr@cipherdyne.org>
> wrote:
>         
>         On Thu, Jan 23, 2014 at 7:11 PM, André Nunes Batista
>         <andrenbatista@gmail.com> wrote:
>                 Hello debianers!
>                 
>         
>         
>         Hello Andre,
>          
>                 I run fwsnort to update and improve on my iptables
>                 rule sets. On updating its rules though I got this
>                 error message:
>                 
>                 # iptables-restore < /path/to/fwsnort.save
>                 iptables-restore v1.4.14: Invalid hex char '|'
>                 Error occurred at line: 4013
>                 Try `iptables-restore -h' or 'iptables-restore --help' for more information.
>                 
>                 The line mentioned on the error contains the rule
>                 below:
>                 
>                 -A FWSNORT_OUTPUT_ESTAB -p tcp -m tcp -m string --string "PRIVMSG " --algo bm -m string --hex-string "|2d2d2d2d2d2d2d2d2d2d2d2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d|" --algo bm --from 72 -m comment --comment "sid:2017291; msg:ET TROJAN ATTACKER IRCBot - PRIVMSG Response - net command output; classtype:trojan-activity; rev:5; FWS:1.6.2;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[3006] SID2017291 ESTAB "
>                 
>                 Upon removing this line, iptables-restore did its job
>                 without complaining. Since this line was automagically
>                 generated by "fwsnort --update-rules ; fwsnort --ipt-sync",
>                 I wonder if it's worth a bug report.
>                 
>         
>         
>         Yes, that looks to be a bug - fwsnort should just consolidate
>         all of those consecutive |2d| hex chars into a single
>         |2d2d2d....| block.  I'll get this fixed for the next release.
>         
>         
>         Thanks,
>         
>         
>         --Mike
>         
>         
>          
>                 --
>                 André N. Batista
>                 GNUPG/PGP KEY: 6722CF80
>                 
>         
>         
> 
> 
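
As an added illustration, not code from fwsnort or iptables: a small Python model of why the 1.6.2 rule fails to load and what the 1.6.3 consolidation does. walk_hex_string is a guess at the '|'-toggling walk that libxt_string applies to a --hex-string value, written to reproduce the error quoted above rather than taken from the iptables source; consolidate_hex_blocks merges adjacent |..||..| blocks into one block. The two sample values are constructed from the rules quoted in this thread.

```python
import re

# Constructed copies of the --hex-string value for SID 2017291 quoted above: the
# fwsnort-1.6.2 form (12 joined dashes, then 67 one-byte blocks) and the 1.6.3 form.
BROKEN_16_2 = "|" + "2d" * 12 + "||" + "||".join(["2d"] * 67) + "|"
FIXED_16_3 = "|" + "2d" * 79 + "|"
HEXDIGITS = set("0123456789abcdefABCDEF")
BLOCK = re.compile(r"\|([0-9A-Fa-f]*)\|")

def walk_hex_string(s):
    # Simplified model of the libxt_string pattern walk (an assumption about the
    # parser, not its code; spaces inside blocks are not handled): '|' toggles hex
    # mode and the next character is consumed in the same step, so the second '|'
    # of '||' is copied literally and a later '|' is then read as a hex digit.
    out, i, hex_mode = bytearray(), 0, False
    while i < len(s):
        if s[i] == "|":
            hex_mode = not hex_mode
            i += 1
            if i >= len(s):
                break
        if hex_mode:
            pair = s[i:i + 2]
            if len(pair) < 2 or not set(pair) <= HEXDIGITS:
                raise ValueError("Invalid hex char '%s'" % s[i])
            out.append(int(pair, 16))
            i += 2
        else:
            out.append(ord(s[i]))
            i += 1
    return bytes(out)

def consolidate_hex_blocks(s):
    # Merge each run of adjacent hex blocks into one block, as fwsnort-1.6.3 does;
    # literal text between blocks is kept in place.
    out, pending, pos = [], [], 0
    for m in BLOCK.finditer(s):
        literal = s[pos:m.start()]
        if literal:
            if pending:
                out.append("|%s|" % "".join(pending))
                pending = []
            out.append(literal)
        pending.append(m.group(1))
        pos = m.end()
    if pending:
        out.append("|%s|" % "".join(pending))
    return "".join(out) + s[pos:]
```

Running walk_hex_string over the value between the quotes of each --hex-string argument in a fwsnort.save line is a cheap pre-flight check before handing the file to iptables-restore.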

