fwsnort
Issue on emerging-all.rules files
Ubuntu 20 Server + psad 2.4.6 + fwsnort-1.6.8
The fwsnort.sh script fails to add iptables rules with the latest emerging-all.rules version.
Problem on ports with ! [!445,!1500]
Seems a familiar issue?
root@2w1r:/usr/local/src/fwsnort-1.6.8# fwsnort
[+] Testing /sbin/iptables for supported capabilities...
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Snort Rules File Success Fail Total
[+] attack-responses.rules 16 1 17
[+] backdoor.rules 65 11 76
[+] bad-traffic.rules 9 3 12
[+] chat.rules 29 1 30
[+] ddos.rules 18 14 32
[+] dns.rules 19 2 21
[+] dos.rules 9 7 16
[+] emerging-all.rules 11877 7035 18912
[+] experimental.rules 0 0 0
[+] exploit.rules 36 46 82
[+] finger.rules 13 1 14
[+] ftp.rules 21 49 70
[+] icmp-info.rules 65 28 93
[+] icmp.rules 18 4 22
[+] imap.rules 1 37 38
[+] info.rules 8 2 10
[+] local.rules 0 0 0
[+] misc.rules 42 18 60
[+] multimedia.rules 4 6 10
[+] mysql.rules 3 0 3
[+] netbios.rules 11 419 430
[+] nntp.rules 0 13 13
[+] oracle.rules 3 295 298
[+] other-ids.rules 3 0 3
[+] p2p.rules 18 0 18
[+] policy.rules 20 1 21
[+] pop2.rules 2 2 4
[+] pop3.rules 6 21 27
[+] porn.rules 21 0 21
[+] rpc.rules 37 91 128
[+] rservices.rules 13 0 13
[+] scan.rules 14 4 18
[+] shellcode.rules 21 0 21
[+] smtp.rules 14 45 59
[+] snmp.rules 17 0 17
[+] sql.rules 42 4 46
[+] telnet.rules 13 2 15
[+] tftp.rules 9 2 11
[+] virus.rules 0 1 1
[+] web-attacks.rules 46 0 46
[+] web-cgi.rules 348 2 350
[+] web-client.rules 9 16 25
[+] web-coldfusion.rules 35 0 35
[+] web-frontpage.rules 35 0 35
[+] web-iis.rules 112 7 119
[+] web-misc.rules 300 28 328
[+] web-php.rules 115 11 126
[+] x11.rules 2 0 2
=============================
13519 8229 21748
[+] Generated iptables rules for 13519 out of 21748 signatures: 62.16%
[+] Logfile: /var/log/fwsnort/fwsnort.log
[+] iptables script (individual commands): /var/lib/fwsnort/fwsnort_iptcmds.sh
Main fwsnort iptables-save file: /var/lib/fwsnort/fwsnort.save
You can instantiate the fwsnort policy with the following command:
/sbin/iptables-restore < /var/lib/fwsnort/fwsnort.save
Or just execute: /var/lib/fwsnort/fwsnort.sh
root@2w1r:/usr/local/src/fwsnort-1.6.8# bash /var/lib/fwsnort/fwsnort.sh
[+] Splicing fwsnort 13519 rules into the iptables policy...
iptables-restore v1.8.4 (legacy): invalid port/service `!445' specified
Error occurred at line: 9043
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
fwsnort_iptcmds.sh file output problem
### alert tcp $HOME_NET !80 -> $EXTERNAL_NET [!25,!445,!1500] (msg:"ET TROJAN Win32/BlackCarat XORed (0x77) CnC Checkin"; flow:established,to_server; dsize:>800; content:"|77 77|"; offset:2; depth:2; content:"|77|"; distance:1; within:1; content:"|77 77 77 77 77 77 77 77 77 77 77 77 77|"; distance:1; within:13; content:"|20 77 1e 77 19 77 13 77 18 77 00 77 04|"; distance:0; fast_pattern; content:!"|00 00 00 00 00 00|"; reference:md5,514AB639CD556CEBD78107B4A68A202A; reference:url,www.virusbulletin.com/uploads/pdf/conference_slides/2018/AncelKuprins-VB2018-WolfSheep.pdf; classtype:trojan-activity; sid:2026525; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_18, deployment Perimeter, former_category MALWARE, malware_family BlackCarat, performance_impact Low, signature_severity Major, tag RAT, updated_at 2019_01_30;)
$IPTABLES -A FWSNORT_OUTPUT_ESTAB -p tcp -m tcp ! --sport 80 -m multiport ! --dports 25,!445,!1500 -m length --length 850:1550 -m string --hex-string "|20771e77197713771877007704|" --algo bm --from 77 -m string --hex-string "|7777|" --algo bm --from 66 --to 68 -m string --hex-string "|77|" --algo bm --from 69 --to 70 -m string --hex-string "|77777777777777777777777777|" --algo bm --from 66 --to 79 -m string ! --hex-string "|000000000000|" --algo bm -m comment --comment "sid:2026525; msg:ET TROJAN Win32/BlackCarat XORed (0x77) CnC Checkin; classtype:trojan-activity; reference:md5,514AB639CD556CEBD78107B4A68A202A; rev:6; FWS:1.6.8;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[2295] SID2026525 ESTAB "
$IPTABLES -A FWSNORT_FORWARD_ESTAB -p tcp -m tcp ! --sport 80 -m multiport ! --dports 25,!445,!1500 -m length --length 850:1550 -m string --hex-string "|20771e77197713771877007704|" --algo bm --from 77 -m string --hex-string "|7777|" --algo bm --from 66 --to 68 -m string --hex-string "|77|" --algo bm --from 69 --to 70 -m string --hex-string "|77777777777777777777777777|" --algo bm --from 66 --to 79 -m string ! --hex-string "|000000000000|" --algo bm -m comment --comment "sid:2026525; msg:ET TROJAN Win32/BlackCarat XORed (0x77) CnC Checkin; classtype:trojan-activity; reference:md5,514AB639CD556CEBD78107B4A68A202A; rev:6; FWS:1.6.8;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[7029] SID2026525 ESTAB "
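The failing line shows the translation defect: the Snort port list [!25,!445,!1500] (a list made only of negated items, i.e. none of those ports, the same set as ![25,445,1500]) was emitted as `-m multiport ! --dports 25,!445,!1500`, with the negation applied once in front of --dports and then again inside the list, which iptables-restore rejects with "invalid port/service `!445'". The following is an added example, not fwsnort's own Perl code: it translates a Snort port spec into the iptables arguments the rule should have produced, refuses the one shape multiport cannot express (a list mixing plain and negated items), and lints a generated fwsnort_iptcmds.sh for embedded `!` in port lists so the problem is caught before iptables-restore aborts at line 9043. All function names and the abbreviated sample script lines are assumptions constructed for this illustration.

```python
"""Snort port spec -> iptables port match, plus a lint for generated scripts.

Added example, not fwsnort's own code. Function and variable names are
assumptions made for this illustration."""
import re

_RANGE_RE = re.compile(r'^(\d*)(:?)(\d*)$')


def _norm_port(tok):
    """Normalise one port token to iptables form: '80', '1024:65535', '0:1023'."""
    m = _RANGE_RE.match(tok)
    if not m or tok in ('', ':'):
        raise ValueError(f'unsupported port token {tok!r}')
    lo, colon, hi = m.groups()
    if not colon:
        if int(lo) > 65535:
            raise ValueError(f'port out of range: {tok}')
        return str(int(lo))
    lo_i = int(lo) if lo else 0
    hi_i = int(hi) if hi else 65535
    if lo_i > hi_i or hi_i > 65535:
        raise ValueError(f'bad range: {tok}')
    return f'{lo_i}:{hi_i}'


def parse_snort_ports(spec):
    """Return (negated, [normalised items]) for a Snort port spec.

    Handles 'any', 'N', '!N', 'N:M', '[a,b]', '![a,b]' and the per-item form
    '[!a,!b]', read as "not a AND not b", i.e. the same set as '![a,b]'.
    A list mixing negated and plain items is rejected: it has no single
    multiport equivalent, so it should count as a failed signature.
    """
    spec = spec.strip()
    if spec == 'any':
        return False, []
    negated = spec.startswith('!')
    if negated:
        spec = spec[1:]
    if spec.startswith('[') and spec.endswith(']'):
        spec = spec[1:-1]
    items = [s.strip() for s in spec.split(',') if s.strip()]
    if not items:
        raise ValueError('empty port list')
    flags = [i.startswith('!') for i in items]
    if all(flags):
        negated = not negated            # [!25,!445,!1500] == ![25,445,1500]
        items = [i[1:] for i in items]
    elif any(flags):
        raise ValueError(f'mixed negation in {spec!r} is not expressible with multiport')
    return negated, [_norm_port(i) for i in items]


def iptables_port_args(spec, direction='dport', proto='tcp'):
    """Build the iptables arguments for one side of a Snort rule.

    direction is 'sport' or 'dport'. One port/range uses the protocol match
    ('-m tcp --dport N'); several use multiport, where the negation is applied
    exactly once, in front of --dports/--sports, never inside the list.
    """
    negated, items = parse_snort_ports(spec)
    if not items:
        return []
    neg = ['!'] if negated else []
    if len(items) == 1:
        return ['-m', proto] + neg + [f'--{direction}', items[0]]
    # multiport accepts at most 15 ports; a range counts as two.
    if sum(2 if ':' in i else 1 for i in items) > 15:
        raise ValueError('multiport limit of 15 ports exceeded')
    return ['-m', 'multiport'] + neg + [f'--{direction}s', ','.join(items)]


# A '!' anywhere inside a --dports/--sports list is what iptables-restore
# rejected on this page ("invalid port/service `!445'").
_BAD_MULTIPORT = re.compile(r'--[ds]ports\s+\S*!')


def find_bad_multiport(script_lines):
    """Return (line number, line) for every rule with '!' embedded in a port list."""
    return [(n, line) for n, line in enumerate(script_lines, 1)
            if _BAD_MULTIPORT.search(line)]


# Constructed sample: two abbreviated lines in the style of fwsnort_iptcmds.sh,
# the first carrying the malformed list from the issue, the second a valid rule.
SAMPLE_SCRIPT = [
    '$IPTABLES -A FWSNORT_OUTPUT_ESTAB -p tcp -m tcp ! --sport 80 '
    '-m multiport ! --dports 25,!445,!1500 -m length --length 850:1550 -j LOG',
    '$IPTABLES -A FWSNORT_OUTPUT_ESTAB -p tcp -m tcp --dport 445 '
    '-m string ! --hex-string "|000000000000|" --algo bm -j LOG',
]

if __name__ == '__main__':
    print(' '.join(iptables_port_args('[!25,!445,!1500]')))
    for n, line in find_bad_multiport(SAMPLE_SCRIPT):
        print(f'line {n}: embedded negation in port list: {line}')
```

Running the lint over the real /var/lib/fwsnort/fwsnort_iptcmds.sh (read it into a list of lines) gives the offending rule numbers up front; until the translation is fixed, those lines can be dropped or the affected signatures disabled rather than letting iptables-restore abort the whole policy load.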
Same problem here. Is there a fix or workaround for this?