root/fwsnort/tags/fwsnort-1.1/ChangeLog

fwsnort-1.1 (01/05/2010):
    - Added the ability to build an fwsnort policy that utilizes ip6tables
      instead of iptables.  This allows fwsnort filtering and altering
      capabilities to apply to IPv6 traffic instead of just IPv4 traffic.  To
      enable ip6tables usage, use the "-6" or "--ip6tables" command line
      arguments.
    - Added the --include-perl-triggers command line argument so that
      translated Snort rules can easily be tested.  This argument instructs
      fwsnort to include 'perl -e print ... ' commands as comments in the
      /etc/fwsnort/fwsnort.sh script, and these commands can be combined
      with netcat to send payloads across the wire that match Snort rules.
    - Updated fwsnort to create logs in the /var/log/fwsnort/ directory
      instead of directly in the /var/log/ directory.  The path is controlled
      by a new variable 'LOG_FILE' in the /etc/fwsnort/fwsnort.conf file.
    - Added several variables in /etc/fwsnort/fwsnort.conf to control paths
      to everything from the config file to the snort rules path.  Coupled
      with this is the ability to create variables within path components and
      fwsnort will expand them (e.g. 'CONF_DIR /etc/fwsnort;
      CONF_FILE $CONF_DIR/fwsnort.conf').
    - Added --Last-cmd arg so that it is easy to rebuild the fwsnort.sh script
      with the same command line args as the previous execution.

fwsnort-1.0.6 (05/30/2009):
    - (Franck Joncourt) Updated fwsnort to use the "! <option> <arg>" syntax
      instead of the older "<option> ! <arg>" for the iptables command line.
    - (Franck Joncourt) For the --hex-string and --string matches, if the
      argument exceeds 128 bytes (iptables 1.4.2) then iptables fails with an
      error "iptables v1.4.2: STRING too long".  Fixes this with a patch that
      adds a new variable in fwsnort.conf "MAX_STRING_LEN", so that the size of
      the content can be limited. If the content (null terminated string) is
      more than MAX_STRING_LEN chars, fwsnort throws the rule away.
    - Bug fix to allow fwsnort to properly translate snort rules that have
      "content" fields with embedded escaped semicolons (e.g. "\;").  This
      allows fwsnort to translate about 58 additional rules from the Emerging
      Threats rule set.
    - Bug fix to allow case insensitive matches to work properly with the
      --include-re-caseless and --exclude-re-caseless arguments.
    - Bug fix to move the 'rawbytes' keyword to the list of keywords that are
      ignored since iptables does a raw match anyway as it doesn't run any
      preprocessors in the Snort sense.
    - Added the --snort-rfile argument so that a specific Snort rules file (or
      list of files separated by commas) is parsed.
    - Added a small hack to choose the first port from a port list until the
      iptables 'multiport' match is supported.
    - Updated to consolidate spaces in hex matches in the fwsnort.sh script
      since the spaces are not part of patterns to be searched anyway.
    - Updated to the latest complete rule set from Emerging Threats (see
      http://www.emergingthreats.net/).
    - Added the "fwsnort-nobuildreqs.spec" file for building fwsnort on
      systems (such as Debian) that do not install/upgrade software via RPM.
      This file omits the "BuildRequires: perl-ExtUtils-MakeMaker" directive,
      and this fixes errors like the following on an Ubuntu system when
      building fwsnort with rpmbuild:

      rpm: To install rpm packages on Debian systems, use alien. See README.Debian.
      error: cannot open Packages index using db3 - No such file or directory (2)
      error: cannot open Packages database in /var/lib/rpm

fwsnort-1.0.5 (08/21/2008):
    - Replaced the bleeding-all.rules file with the emerging-all.rules file.
      This is because Matt Jonkman now releases his rule sets at
      http://www.emergingthreats.net/
    - Restructured perl module paths to make it easy to introduce a "nodeps"
      distribution of fwsnort that does not contain any perl modules.  This
      allows better integration with systems that already have all necessary
      modules installed (including the IPTables::ChainMgr and IPTables::Parse
      modules).  The main driver for this work is to make all cipherdyne.org
      projects easily integrated with distributions based on Debian, and
      Franck Joncourt has been instrumental in making this process a reality.
      All perl modules are now placed within the "deps" directory, and the
      install.pl script checks to see if this directory exists - a separate
      fwsnort-nodeps-<ver> tarball will be distributed without this directory.
      The Debian package for fwsnort can then reference the -nodeps tarball,
      and a new "fwsnort-nodeps.spec" file has been added to build an RPM from
      the fwsnort sources that does not install any perl modules.
    - Updated to import perl modules from /usr/lib/fwsnort, but only if this
      path actually exists in the filesystem.  This is similar to the strategy
      implemented by psad.  A new variable FWSNORT_LIBS_DIR was added to the
      fwsnort.conf to support this.
    - Added support for multiple Snort rule directories as a comma-separated
      list for the argument to --snort-rdir.
    - Moved 'threshold' to the unsupported list since there will be several
      signatures that use this feature to detect the Dan Kaminsky DNS attack,
      and fwsnort does not yet support the usage of the iptables --limit
      match.

fwsnort-1.0.4 (01/22/2008):
    - (Grant Ferley) Submitted patch to exclude loopback interfaces from
      iptables allow rules parsing.  This behavior can be reversed with the
      existing --no-exclude-loopback command line argument.
    - (Grant Ferley) Submitted patch to IPTables::Parse to take into account
      iptables policy output that contains "0" instead of "all" to represent
      any protocol.
    - (Grant Ferley) Submitted patch to IPTables::Parse to set sport and dport
      to '0:0' if the protocol is 'all'.
    - Bugfix to allow negated networks to be specified within iptables allow
      rules or within the fwsnort.conf file.
    - Updated install.pl to set the LC_ALL environmental variable to "C". This
      should fix potential locale problems (this fix was borrowed from the
      fwknop project).

fwsnort-1.0.3 (11/22/2007):
    - Added --include-re-caseless and --exclude-re-caseless options to have
      --include-regex and --exclude-regex options match case insensitively.
    - Major signature update from Bleeding Threats. This update includes a
      large number of new signatures with PCRE statements, with an emphasis on
      detecting SQL injection attacks directed at internal webservers from
      external sources.
    - Added the ability to interpret PCRE statements that include simple
      string matches separated by ".*" and ".+" as multiple iptables string
      matches. The only negative consequence in terms of signature detection
      is that ordering is not preserved; that is, the PCRE "/UNION.+SELECT/"
      would only match a packet that contains "UNION" followed by "SELECT",
      whereas an iptables rule that uses a string match for UNION and a
      separate string match for SELECT would match a packet that contains both
      strings but in reverse. Typically this is not a huge concern, and the
      PCRE translation can be disabled with a new option --no-pcre.
    - Added asn1 keyword to unsupported list.

fwsnort-1.0.2 (08/26/2007):
    - Bugfix to make sure to add in header lengths for depth and offset values
      since the string match extension compares bytes from the start of the
      data link header.

fwsnort-1.0.1 (08/26/2007):
    - Bugfix for ipt_rule_test() function name.
    - Added the ability to automatically resolve command paths if any commands
      cannot be found at the locations specified in the fwsnort.conf file.

fwsnort-1.0 (04/19/2007):
    - Major update to include support for the NFQUEUE and QUEUE targets with
      new command line options --NFQUEUE and --QUEUE.  This changes the
      default LOG target to the NFQUEUE or QUEUE targets instead, and at the
      same time builds a parallel Snort rule set in the
      /etc/fwsnort/snort_rules_queue directory.  Every Snort rule in this
      directory has at least one "content" keyword, which fwsnort uses in the
      resulting iptables policy.  This policy only sends those packets to
      snort_inline via the NFQUEUE or QUEUE target that match a content field
      within some Snort rule.  The end result is that snort_inline should run
      faster because the vast majority of packets (which are not malicious)
      are processed via the Linux kernel without ever having to be sent to
      userspace for analysis.  There is a tradeoff here in terms of attack
      detection; snort_inline does not receive all packets associated with a
      stream, so it cannot detect attacks quite as effectively (snort_inline
      does not have an opportunity to look at reassembled buffers).  However,
      this trade off may be acceptable for large sites where performance is
      more important.
    - Bug fix to remove any existing jump rules from the built-in INPUT,
      OUTPUT, and FORWARD chains before creating a new jump rules.  This
      allows the fwsnort.sh script to be executed multiple times without
      creating a new jump rule into the fwsnort chains for each execution.
    - Added the -X command line argument to allow fwsnort to delete all of
      the fwsnort chains; this emulates the iptables command line argument
      of the same name.
    - Minor output enhancements and bugfixes to give more insight into the
      translation process.  For example, if fwsnort is run in --snort-sid
      mode but is unable to translate the specified signatures, the user is
      notified.  Also, any existing /etc/fwsnort/fwsnort.sh script is not
      archived and erased until fwsnort is actually going to write a new one.
    - Added sid values to iptables comment match string.
    - Bugfix for iptables string match --from and --to values to skip past
      packet headers.  This is an approximation until a new --payload option
      can be added to the string match extension.
    - Added a single iptables rule testing API internally within fwsnort;
      this adds a measure of consistency and removes some duplicate code.
    - Added fwsnort mailing list at SourceForge.

fwsnort-0.9.0 (03/22/2007):
    - Added support for multiple content matches since this is supported by
      iptables.  This made a 10% increase in the fwsnort translation rate -
      about 60% of all Snort-2.3.3 rules can be translated now.
    - Added emulation for distance and within from previous content match
      based on --from and --to (string match extension) and the length of
      the previous pattern.
    - Added the ability to include the Snort "msg", "classtype", "reference",
      "priority", and "rev" fields in each iptables rule with the comment
      match.  This can be disabled with a new command line argument
      --no-ipt-comments.  The fwsnort version is also included within this
      string.
    - Added the ability to include the iptables rule number for each rule in
      the fwsnort chains.  This is useful to easily know which iptables rule
      is being triggered by network traffic (so it can be disabled if
      necessary).  This can be disabled with --no-ipt-rule-nums.
    - Added the --include-regex and --exclude-regex command line arguments.
      These arguments allow rules to be included/excluded based on a regular
      expression supplied on the command line.
    - Updated to include the original Snort rule as a comment within the
      fwsnort.sh script without having to use --verbose.
    - Bugfix to force install of IPTables::Parse since it had been updated in
      the fwsnort-0.8.2 release.
    - Changed the IGNORE_ADDR variable to WHITELIST since this name better
      describes the actual function of this var.  Updated to allow multiple
      WHITELIST lines.
    - Added the BLACKLIST variable to allow a true blacklist to be
      instantiated with either the DROP or REJECT targets.  The syntax for the
      BLACKLIST variable is "BLACKLIST  <ip or network>  <target>", where
      "target" is either "DROP" or "REJECT".
    - Added -F and -L command line arguments to flush and list iptables rules.
      This is similar to the iptables command line args of the same names.
    - Bugfix to ensure that traffic directed into the INPUT or coming from the
      OUTPUT chains is treated as going toward or originating from the
      HOME_NET.  After all the HOME_NET variable may contain an internal
      network but omit the IP assigned to an external interface on the
      firewall.
    - Added "--log-ip-options" and "--log-tcp-options" to fwsnort LOG rules by
      default (in the generated fwsnort.sh script).  This can be disabled with
      --no-log-ip-opts and --no-log-tcp-opts arguments on the fwsnort command
      line.
    - Added the ability to include --log-tcp-sequence to LOG rules in
      fwsnort.sh with a new argument --ipt-log-tcp-seq on the fwsnort command
      line.
    - Updated to handle negative string matches with "--string ! <string>".
    - Updated to output all unsupported options of the /var/log/fwsnort.log
      file to assist in the development of addition keyword emulation.

fwsnort-0.8.2 (02/17/2007):
    - Updated to newer IPTables::Parse module that uses the array of hash
      references method of returning iptables policy data.
    - Added --Dump-ipt and --Dump-snort rules to allow iptables policy and
      Snort rules to be dumped to STDOUT.
    - Added bleeding-all.rules file from http://www.bleedingsnort.com/
    - Added patches/bm_goodshift_fix.patch patch file that fixes an
      initialization bug in the Boyer-Moore text search implementation in the
      kernel (linux-2.6.x/lib/ts_bm.c) which caused slightly repetitive
      patterns to only match at specific offsets with the string match
      extension.
    - Bugfix to ensure that a depth cannot be less that an offset (these
      translate to the --to and --from command line arguments to iptables).
    - Bugfix to escape '$' chars in iptables search strings.
    - Added cd_rpmbuilder to make it easy to automatically build RPM files of
      fwsnort.
    - Added support for the iptables OUTPUT chain.
    - Added the ChangeLog.svn file so that all of the changed files and
      corresponding svn commit messages can be viewed (this file is built from
      release to release).

fwsnort-0.8.1 (11/11/2005):
    - Updated to use the string match extension "--algo bm" argument if
      fwsnort is being run on a 2.6.14 (or greater) kernel.
    - Updated to handle the Snort "offset" and "depth" keywords via the
      --from and --to options to the string match extension in the 2.6.14
      kernel.
    - Created RPM package of fwsnort.
    - Minor man page updates.

fwsnort-0.8.0 (07/11/2005):
    - Completely re-structured fwsnort w.r.t. how it creates Netfilter
      chains.  There are no longer any per-interface chains (this
      greatly simplifies the Netfilter chains).
    - Added three new chains "FWSNORT_INPUT_ESTAB", "FWSNORT_OUTPUT_ESTAB"
      and "FWSNORT_FORWARD_ESTAB" to which tcp connections in the
      ESTABLISHED state are jumped.  This allows fwsnort to use the
      Netfilter tcp connection tracking mechanism to ignore Stick and Snot
      style attacks (similar to the flow:established Snort rule option).
    - Added true variable resolution (i.e. HTTP_SERVERS -> HOME_NET -> any)
      for the Snort rule header.  This directly emulates the behavior of
      the Snort IDS.
    - Added IP protocol support in the translation of the Snort rule
      header.  The Snort rule translation rate is now at about 53% for
      Snort-2.3.
    - Bugfix for ipopts Snort option (several arguments are not supported
      by the ipv4options extension).
    - Better tests for Netfiler TTL, TOS, and ipv4options matches.
    - Replaced IGNORE_IP and IGNORE_NET keywords with single IGNORE_ADDR
      keywork in fwsnort.conf.
    - Updated to correctly handle ICMP type and code rules (itype and
      icode Snort options) via the "--icmp-types type/code" convention.
    - Added support for emulating the dsize Snort option through the use
      of the Netfilter length match.
    - Changed --type argument to --include-types and added list support
      so it accepts things like "chat,ddos".  Also added --exclude-types
      command line argument.
    - Added support for multiple sid's (as a comma separated list) in
      --snort-sids argument.  Also added --exclude-sids argument to remove
      a list of sids from translation.
    - Added support for the replace Snort option (originally from the
      Snort_inline project).  The requires the replace string patch.
    - Added support for restricting jump rules to a list of interfaces
      via the --restrict-intf argument.
    - Added kernel patch to extend the maximum packet length that the
      string match extension will attempt to search from 1024 bytes to
      2048 bytes (requires a kernel re-compile of course).
    - Added DRP and REJ strings to logging prefix if --ipt-drop or
      --ipt-reject is specified.
    - Added snortspoof.pl, which is a simple perl script that emulates
      the Stick and Snot tools.

fwsnort-0.7.0 (06/05/2005):
    - Added support for the Snort pass action by using the ACCEPT target.
    - Added support for the Snort log action by using the ULOG target
      (which can then log the packet via the pcap writer).
    - Added support for all fwsnort alerts to be logged via the ULOG
      target instead of the LOG target.
    - Added support for the "resp" keyword to allow it to drive the
      Netfilter argument to the REJECT target.
    - Added "pcre" to the unsupported list... this knocks the fwsnort
      translation rate down to about 50% for Snort-2.3 rules (pcre is
      heavily utilized).
    - Added "priority" and "rev" to comment lines.

fwsnort-0.6.5 (03/20/2005):
    - Updated to not attempt to download Snort rules from snort.org
      because the rules are no longer available for automatic downloads
    - Changed the install.pl script and the --update-rules mode for
      fwsnort to download the latest signature set from
      http://www.bleedingsnort.com/.
      (Snort.org is now offering pay-service around their rule sets).
    - Added signature test for the "flowbits" keyword.

fwsnort-0.6.4 (12/18/2004):
    - Updated to Snort-2.3 rules.  FWSnort can convert a total of 1710
      out of 2559 total Snort-2.3 rules.
    - Updated to new Snort rules download link for --update-rules mode:
      http://www.snort.org/dl/rules/snortrules-snapshot-CURRENT.tar.gz
    - Updated to standard [+], [-], and [*] prefixes for info, warning
      and die logging messages.
    - Added --replace-string patches.

fwsnort-0.6.3 (04/04/2004):
    - Added ignore functionality for both IPs and networks
    - Split --ipt-block into --ipt-drop and --ipt-reject to add DROP
      or REJECT rules respectively.
    - Added --add-deleted option to allow rules in the "deleted.rules"
      file to be added.

fwsnort-0.6.2 (03/19/2004):
    - Added --internal-net and --dmz-net options so that internal and
      dmz networks can be manually specified without having to parse
      the output of ifconfig.  This is most useful for running fwsnort
      on a linux system that is acting as a bridge where no ip addresses
      are assigned to the interfaces.
    - Bugfix for missing icmp-port-unreachable rejects for UDP packets.

fwsnort-0.6.1 (02/01/2004):
    - Bugfix for not adding dmz interface rules to INPUT chain.
    - Bugfix for not getting the DMZ interface network.

fwsnort-0.6 (01/04/2004):
    - Speed increase and disk access decrease by writing iptables
      commands to the iptables script only after all lines have been
      generated.
    - Bugfix for DMZ interface.
    - Bugfix for multiple ip_proto fields.
    - Removed the ip protocol as an allowed protocol for translation.
    - Bugfix for negated port numbers.
    - Removed "<-" rule direction since not even snort supports this.
    - Fixed snort rule updates from snort.org.

fwsnort-0.5 (12/21/2003):
    - Added "-j REJECT --reject-with tcp-reset" for tcp sessions
      if the --ipt-block option is specified.
    - Added ability to download latest snort rules from snort.org.
    - Added --no-ipt-jumps.
    - Added better checking for iptables build characteristics such
      as the LOG target and wether or not the ipv4options extension
      is compiled in.
    - Added config preservation code from psad in install.pl.