
List:       debian-user
Subject:    Re: fwsnort invalid hex char
From:       Michael Rash <mbr () cipherdyne ! org>
Date:       2014-01-24 1:27:15
Message-ID: CABv+sEc5JworL9_fy4GMjOfQtKURVZ_+4u45KDbw6asNc8tzEQ () mail ! gmail ! com

On Thu, Jan 23, 2014 at 7:11 PM, André Nunes Batista <
andrenbatista@gmail.com> wrote:

> Hello debianers!
>
>
Hello Andre,


> I run fwsnort to update and improve on my iptables rule sets. On
> updating its rules though I got this error message:
>
> # iptables-restore < /path/to/fwsnort.save
> iptables-restore v1.4.14: Invalid hex char '|' Error occurred at line:
> 4013 Try `iptables-restore -h' or 'iptables-restore --help' for more
> information.
>
> The line mentioned on the error contains the rule below:
>
> -A FWSNORT_OUTPUT_ESTAB -p tcp -m tcp -m string --string "PRIVMSG "
> --algo bm -m string --hex-string "|2d2d2d2d2d2d2d2d2d2d2d2d||2d||2d||
> 2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||
> 2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||
> 2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||
> 2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d|" --algo bm --from 72 -m
> comment --comment "sid:2017291; msg:ET TROJAN ATTACKER IRCBot - PRIVMSG
> Response - net command output; classtype:trojan-activity; rev:5;
> FWS:1.6.2;" -j LOG --log-ip-options --log-tcp-options --log-prefix
> "[3006] SID2017291 ESTAB "
>
> Upon removing this line, iptables-restore did its job without
> complaining. Since this line was automagically generated by "fwsnort
> --update-rules ; fwsnort --ipt-sync",  I wonder if it's worth a bug
> report.
>
>
Yes, that looks to be a bug - fwsnort should just consolidate all of those
consecutive |2d| hex chars into a single |2d2d2d....| block.  I'll get this
fixed for the next release.

Thanks,

--Mike



> --
> André N. Batista
> GNUPG/PGP KEY: 6722CF80
>
>
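
The consolidation described in the reply above, as an added example that is not part of the original message and is not fwsnort's own code: a pre-flight pass over an iptables-save style file that merges back-to-back |..| hex blocks before the file is handed to iptables-restore. The names consolidate and fix_ruleset are hypothetical, the sample rules are constructed (shortened from the reported rule), and the --hex-string argument is assumed to be double-quoted with no embedded quotes.

```python
import re

# Assumption: the --hex-string argument is double-quoted, with no embedded quotes.
HEX_ARG = re.compile(r'(--hex-string\s+")([^"]*)(")')
HEX_BYTES = re.compile(r"(?:[0-9A-Fa-f]{2}\s*)+")


def consolidate(value):
    """Merge back-to-back hex blocks, e.g. '|2d||2d|' becomes '|2d2d|'."""
    parts = value.split("|")          # even index = text, odd index = hex
    if len(parts) % 2 == 0:
        raise ValueError(f"unbalanced '|' in {value!r}")
    segs = []                         # [is_hex, content] runs, in order
    for idx, part in enumerate(parts):
        is_hex = idx % 2 == 1
        if not part:
            continue                  # nothing between two pipes
        if is_hex and not HEX_BYTES.fullmatch(part.strip()):
            raise ValueError(f"invalid hex block {part!r}")
        if segs and segs[-1][0] == is_hex:
            segs[-1][1] += part       # same kind as the previous run: join
        else:
            segs.append([is_hex, part])
    return "".join(f"|{c}|" if h else c for h, c in segs)


def fix_ruleset(lines):
    """Return (fixed_lines, changed_line_numbers) for iptables-save style text."""
    fixed, changed = [], []
    for num, line in enumerate(lines, start=1):
        new = HEX_ARG.sub(lambda m: m[1] + consolidate(m[2]) + m[3], line)
        if new != line:
            changed.append(num)
        fixed.append(new)
    return fixed, changed


# Constructed sample: line 2 has the adjacent-block pattern, line 3 does not.
SAMPLE = [
    "*filter",
    '-A FWSNORT_OUTPUT_ESTAB -p tcp -m string --string "PRIVMSG " --algo bm '
    '-m string --hex-string "|2d2d2d||2d||2d||2d|" --algo bm --from 72 -j LOG',
    '-A FWSNORT_OUTPUT_ESTAB -p tcp -m string --hex-string "GET |2f|" '
    "--algo bm -j LOG",
    "COMMIT",
]

if __name__ == "__main__":
    fixed, changed = fix_ruleset(SAMPLE)
    print("rewritten lines:", changed)
    print(fixed[1])
```

The changed line numbers give a quick audit trail of which generated rules were rewritten, so they can be compared against the signatures they came from.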


