[prev in list] [next in list] [prev in thread] [next in thread]
List: debian-user
Subject: Re: fwsnort invalid hex char
From: Michael Rash <mbr () cipherdyne ! org>
Date: 2014-01-24 1:27:15
Message-ID: CABv+sEc5JworL9_fy4GMjOfQtKURVZ_+4u45KDbw6asNc8tzEQ () mail ! gmail ! com
[Download RAW message or body]
On Thu, Jan 23, 2014 at 7:11 PM, Andr=E9 Nunes Batista <
andrenbatista@gmail.com> wrote:
> Hello debianers!
>
>
Hello Andre,
> I run fwsnort to update and improve on my iptables rule sets. On
> updating it's rules though I got this error message:
>
> # iptables-restore < /path/to/fwsnort.save
> iptables-restore v1.4.14: Invalid hex char '|' Error occurred at line:
> 4013 Try `iptables-restore -h' or 'iptables-restore --help' for more
> information.
>
> The line mentioned on the error contains the rule bellow:
>
> -A FWSNORT_OUTPUT_ESTAB -p tcp -m tcp -m string --string "PRIVMSG "
> --algo bm -m string --hex-string "|2d2d2d2d2d2d2d2d2d2d2d2d||2d||2d||
> 2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||
> 2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||
> 2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||
> 2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d|" --algo bm --from 72 -m
> comment --comment "sid:2017291; msg:ET TROJAN ATTACKER IRCBot - PRIVMSG
> Response - net command output; classtype:trojan-activity; rev:5;
> FWS:1.6.2;" -j LOG --log-ip-options --log-tcp-options --log-prefix
> "[3006] SID2017291 ESTAB "
>
> Upon removing this line, iptables-restore did it's job without
> complaining. Since this line was automagically generated by "fwsnort
> --update-rules ; fwsnort --ipt-sync", I wonder if it's worth a bug
> report.
>
>
Yes, that looks to be a bug - fwsnort should just consolidate all of those
consecutive |2d| hex chars into a single |2d2d2d....| block. I'll get this
fixed for the next release.
Thanks,
--Mike
> --
> Andr=E9 N. Batista
> GNUPG/PGP KEY: 6722CF80
>
>
[Attachment #3 (text/html)]
<div dir="ltr"><br><div class="gmail_extra"><div class="gmail_quote">On Thu, Jan 23, \
2014 at 7:11 PM, André Nunes Batista <span dir="ltr"><<a \
href="mailto:andrenbatista@gmail.com" \
target="_blank">andrenbatista@gmail.com</a>></span> wrote:<br> <blockquote \
class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc \
solid;padding-left:1ex">Hello debianers!<br> \
<br></blockquote><div><br></div><div>Hello Andre,</div><div> </div><blockquote \
class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc \
solid;padding-left:1ex"> I run fwsnort to update and improve on my iptables rule \
sets. On<br> updating it's rules though I got this error message:<br>
<br>
# iptables-restore < /path/to/fwsnort.save<br>
iptables-restore v1.4.14: Invalid hex char '|' Error occurred at line:<br>
4013 Try `iptables-restore -h' or 'iptables-restore --help' for more<br>
information.<br>
<br>
The line mentioned on the error contains the rule bellow:<br>
<br>
-A FWSNORT_OUTPUT_ESTAB -p tcp -m tcp -m string --string "PRIVMSG "<br>
--algo bm -m string --hex-string "|2d2d2d2d2d2d2d2d2d2d2d2d||2d||2d||<br>
2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||<br>
2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||<br>
2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||<br>
2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d|" --algo bm --from 72 -m<br>
comment --comment "sid:2017291; msg:ET TROJAN ATTACKER IRCBot - PRIVMSG<br>
Response - net command output; classtype:trojan-activity; rev:5;<br>
FWS:1.6.2;" -j LOG --log-ip-options --log-tcp-options --log-prefix<br>
"[3006] SID2017291 ESTAB "<br>
<br>
Upon removing this line, iptables-restore did it's job without<br>
complaining. Since this line was automagically generated by "fwsnort<br>
--update-rules ; fwsnort --ipt-sync", I wonder if it's worth a bug<br>
report.<br>
<span class="HOEnZb"><font \
color="#888888"><br></font></span></blockquote><div><br></div><div>Yes, that looks to \
be a bug - fwsnort should just consolidate all of those consecutive |2d| hex chars \
into a single |2d2d2d....| block. I'll get this fixed for the next \
release.</div> <div><br></div><div>Thanks,</div><div><br></div><div>--Mike</div><div><br></div><div> \
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc \
solid;padding-left:1ex"><span class="HOEnZb"><font color="#888888">
--<br>
André N. Batista<br>
GNUPG/PGP KEY: 6722CF80<br>
<br>
</font></span></blockquote></div><br></div></div>
--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CABv+sEc5JworL9_fy4GMjOfQtKURVZ_+4u45KDbw6asNc8tzEQ@mail.gmail.com
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic