Debian Bug report logs - #693000
fwsnort: various bugs


Package: fwsnort; Maintainer for fwsnort is Franck Joncourt <franck@debian.org>; Source for fwsnort is src:fwsnort.

Reported by: Dwight Davis <sivad_thgiwd@yahoo.ca>

Date: Sun, 11 Nov 2012 22:51:01 UTC

Severity: important

Tags: fixed-upstream, patch

Found in version fwsnort/1.6.2-1

Fixed in version fwsnort/1.6.3-1

Done: Franck Joncourt <franck@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Franck Joncourt <franck@debian.org>:
Bug#693000; Package fwsnort. (Sun, 11 Nov 2012 22:51:04 GMT)

Acknowledgement sent to Dwight Davis <sivad_thgiwd@yahoo.ca>:
New Bug report received and forwarded. Copy sent to Franck Joncourt <franck@debian.org>. (Sun, 11 Nov 2012 22:51:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Dwight Davis <sivad_thgiwd@yahoo.ca>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: fwsnort: various bugs
Date: Sun, 11 Nov 2012 14:49:53 -0800 (PST)
Package: fwsnort
Version: 1.6.2-1
Severity: important
Tags: patch

I first ran fwsnort without cutting any rules out; this resulted in 15000 rules
in the input chain. My i5 -2.6Ghz computer couldn't handle this. With one core
pegged, throughput dropped from ~470kBs to ~350kBs. So I had a closer look at
the script to reduce the number of rules generated. These are my notes and a
patch.

-----------------------------
I ran fwsnort like so:

sids="1841,626"

include="attack-responses,backdoor,bad-traffic,ddos,dns,dos,exploit,icmp,imap,local,misc,pop3,rpc,scan,shellcode,smtp,snmp,virus,web-attacks,web-client,web-misc,x11,emerging-all"

fwsnort --verbose --snort-rdir=/etc/snort/rules,/etc/fwsnort/snort_rules \
    --include-type="$include" --exclude-sid="$sids" \
    --exclude-regex="(ET|GPL)\s+(WEB_SPECIFIC_APPS|SQL|P2P|NETBIOS|GAMES|POLICY|INFO|INAPPROPRIATE|TFTP|TELNET|MOBILE_MALWARE|ACTIVEX|USER_AGENTS|FTP|SCADA|CHAT)"

-----------------------------

line 608 - rfile=/etc/snort/rules/deleted.rules and doesn't match

line 646 - exclude and include regex behaved the same

line 3404 - the {http_uri http_method urilen} options will not match in
        $snort_opts{'filter'} since they are in $snort_opts{'ignore'} causing
        errors when using --strict. Since they are already 'ignored', they do
        not have to be added to unsupported

lines 4234 to 4237 - I have no idea the reason for this code. It breaks having
        a comma separated list of directories with the --snort-rdir option

line 4409 - add error message


When EXTERNAL_NET is set to 'any' the outbound rules get put into the INPUT chain.

I checked this by running (assumes no multiple addrs in HOME_NET and EXTERNAL_NET)
        grep -A4 '\-> \$EXTERNAL' fwsnort_iptcmds.sh | grep INPUT | wc -l

A workaround - set EXTERNAL_NET to 0.0.0.0/0



-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.6.6-grsec (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages fwsnort depends on:
ii  debconf [debconf-2.0]   1.5.46
ii  iptables                1.4.14-3
ii  libiptables-parse-perl  1.1-1
ii  libnet-ip-perl          1.25-3
ii  perl                    5.14.2-14

Versions of packages fwsnort recommends:
ii  snort-rules-default  2.9.2.2-3

fwsnort suggests no packages.

-- Configuration Files:
/etc/fwsnort/fwsnort.conf changed [not included]

-- debconf information excluded

-- debsums errors found:
debsums: changed file /usr/sbin/fwsnort (from fwsnort package)
[fwsnort.diff (text/x-c, attachment)]
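
An added example, not part of the reporter's message or of fwsnort: a stricter version of the grep check for outbound rules landing in the INPUT chain. It assumes the generated script lists each Snort rule header followed by its iptables commands (as the reporter's grep implies) and that chain names contain INPUT, OUTPUT or FORWARD; the sample file is constructed.

```shell
#!/bin/sh
# Count, per chain class, the iptables commands emitted for Snort rules
# whose destination is $EXTERNAL_NET (outbound rules).
# Unlike "grep -A4 ... | grep INPUT", the scan stops at the next rule
# header, so commands of a neighbouring inbound rule are not miscounted.
count_outbound_by_chain() {
    awk '
        /-> \$EXTERNAL/ { window = 4; next }   # outbound header: open a 4-line window
        / -> /          { window = 0; next }   # any other rule header closes it
        window > 0 {
            window--
            if (match($0, /-A [A-Z_]+/)) {     # chain the command appends to
                chain = substr($0, RSTART + 3, RLENGTH - 3)
                if      (chain ~ /INPUT/)   n["INPUT"]++
                else if (chain ~ /OUTPUT/)  n["OUTPUT"]++
                else if (chain ~ /FORWARD/) n["FORWARD"]++
            }
        }
        END { printf "INPUT=%d OUTPUT=%d FORWARD=%d\n",
                     n["INPUT"], n["OUTPUT"], n["FORWARD"] }
    ' "$1"
}

# Constructed sample in the assumed layout (not real fwsnort output).
make_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
### alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"constructed outbound A"; sid:1000001;)
$IPTABLES -A FWSNORT_INPUT_ESTAB -p tcp --dport 6667 -j LOG
### alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"constructed outbound B"; sid:1000002;)
$IPTABLES -A FWSNORT_OUTPUT_ESTAB -p tcp --dport 25 -j LOG
$IPTABLES -A FWSNORT_FORWARD_ESTAB -p tcp --dport 25 -j LOG
### alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed inbound C"; sid:1000003;)
$IPTABLES -A FWSNORT_INPUT_ESTAB -p tcp --dport 80 -j LOG
EOF
    printf '%s\n' "$f"
}

sample=$(make_sample)
count_outbound_by_chain "$sample"
rm -f "$sample"
```

A non-zero INPUT count means outbound signatures are being evaluated against inbound traffic; on a real system, pass the path of the generated fwsnort_iptcmds.sh instead of the sample.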

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#693000; Package fwsnort. (Mon, 19 Nov 2012 10:18:03 GMT)

Acknowledgement sent to Franck Joncourt <franck@debian.org>:
Extra info received and forwarded to list. (Mon, 19 Nov 2012 10:18:03 GMT)

Message #10 received at 693000@bugs.debian.org:

From: Franck Joncourt <franck@debian.org>
To: Dwight Davis <sivad_thgiwd@yahoo.ca>, 693000@bugs.debian.org
Subject: Re: Bug#693000: fwsnort: various bugs
Date: Mon, 19 Nov 2012 10:38:40 +0100
Hi,

On 11/11/2012 23:49, Dwight Davis wrote:
> Package: fwsnort
> Version: 1.6.2-1
> Severity: important
> Tags: patch
>
> I first ran fwsnort without cutting any rules out; this resulted in 15000 rules
> in the input chain. My i5 -2.6Ghz computer couldn't handle this. With one core
> pegged, throughput dropped from ~470kBs to ~350kBs. So I had a closer look at
> the script to reduce the number of rules generated. These are my notes and a
> patch.
[...]

Your bugs look legitimate at first glance, according to upstream. We are going
to look at your patch and fix this for the next release.

Thanks for your report.

--
Franck



Added tag(s) fixed-upstream and pending. Request was from Franck Joncourt <franck@debian.org> to control@bugs.debian.org. (Sun, 23 Dec 2012 19:51:07 GMT)

Reply sent to Franck Joncourt <franck@debian.org>:
You have taken responsibility. (Thu, 03 Jan 2013 21:36:06 GMT)

Notification sent to Dwight Davis <sivad_thgiwd@yahoo.ca>:
Bug acknowledged by developer. (Thu, 03 Jan 2013 21:36:06 GMT)

Message #17 received at 693000-close@bugs.debian.org:

From: Franck Joncourt <franck@debian.org>
To: 693000-close@bugs.debian.org
Subject: Bug#693000: fixed in fwsnort 1.6.3-1
Date: Thu, 03 Jan 2013 21:32:28 +0000
Source: fwsnort
Source-Version: 1.6.3-1

We believe that the bug you reported is fixed in the latest version of
fwsnort, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 693000@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Franck Joncourt <franck@debian.org> (supplier of updated fwsnort package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 23 Dec 2012 18:14:04 +0100
Source: fwsnort
Binary: fwsnort
Architecture: source all
Version: 1.6.3-1
Distribution: unstable
Urgency: low
Maintainer: Franck Joncourt <franck@debian.org>
Changed-By: Franck Joncourt <franck@debian.org>
Description: 
 fwsnort    - Snort-to-iptables rule translator
Closes: 693000 693362
Changes: 
 fwsnort (1.6.3-1) unstable; urgency=low
 .
   * New po-debconf translation - Brazilian Portuguese (Closes: #693362)
   * Imported Upstream version 1.6.3
     - Closes: #693000
     - Fixed hyphens in manpage. Removed t_upstream_manpage.diff patch.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlDl9qEACgkQxJBTTnXAif5GtQCfcIsrlrAyPzcNrYbpVZ8OJ4qk
CkkAn3mK8b6Xjk2zw6eOZnlTMt3C9ErR
=k044
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 03 Jun 2013 07:26:52 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 00:05:41 2014; Machine Name: beach.debian.org
