Menu > Articles de la revue de presse : - l'ensemble [tous | francophone] - par mots clé [tous] - par site [tous] - le tagwall [voir] - Top bi-hebdo de la revue de presse [Voir]

---

S'abonner au fil RSS global de la revue de presse

---

Présentation : fwsnort-1.5 released The 1.5 release of fwsnort is available for download. This is a major release that moves to using the iptables-save format for instantiating the fwsnort policy, and this allows the run time for adding the fwsnort policy to the kernel to be drastically reduced. fwsnort now splices in the translated Snort rules into the iptables policy in the running kernel at the time of translation. So, any updates to the iptables policy that are made after fwsnort is executed and before fwsnort.sh is run would be lost. Hence, it is advisable to execute fwsnort.sh soon after running fwsnort. This is a reasonable tradeoff though considering the performance benefit as seen below - which gives an example of how long it takes to add an fwsnort iptables policy via the old strategy of executing one iptables command at a time vs. implementing the same policy with iptables-restore. First, fwsnort is used to translate the Snort web-misc.rules, web-cgi.rules, backdoor.rules files like so root minastirith etc fwsnort fwsnort --snort-rfile web-misc.rules,web-cgi.rules,backdoor.rules --no-ipt-sync Generated iptables rules for 713 out of 754 signatures 94.56pourcents Logfile var log fwsnort fwsnort.log iptables script individual commands etc fwsnort fwsnort_iptcmds.sh Main fwsnort iptables-save file etc fwsnort fwsnort.save You can instantiate the fwsnort policy with the following command sbin iptables-restore etc fwsnort fwsnort.save Or just execute etc fwsnort fwsnort.sh The output above illustrates the changes for the fwsnort-1.5 release. All of the previous behavior in fwsnort has been preserved in the etc fwsnort fwsnort_iptcmds.sh script. That is, each individual iptables command to add every fwsnort rule one by one is implemented in this script - this is analogous to how the fwsnort.sh script was built by older versions of fwsnort. But, with the 1.5 release the fwsnort.sh script now just executes the iptables-restore command against the new fwsnort.save file. If we execute the fwsnort_iptcmds.sh script and time its execution, we get the following on my desktop system root minastirith etc fwsnort time etc fwsnort fwsnort_iptcmds.sh Adding backdoor rules Rules added 122 Adding web-cgi rules Rules added 696 Adding web-misc rules Rules added 600 Finished. real 0m24.391s user 0m1.560s sys 0m11.500s root minastirith etc fwsnort iptables -v -nL wc -l 1509 So, the fwsnort policy together with the running iptables policy is about 1500 rules long, and it took over 24 seconds to add to the running kernel. Now, let's time the fwsnort.sh script instead which is just a wrapper around the iptables-restore command root minastirith etc fwsnort time etc fwsnort fwsnort.sh Splicing fwsnort rules into the iptables policy... Done. real 0m0.121s user 0m0.060s sys 0m0.040s root minastirith etc fwsnort iptables -v -nL wc -l 1509 Ok, over 24 seconds to instantiate the fwsnort policy for the old strategy, and about a 10th of a second for the new strategy for a speed up of 240 times This gets even better for an fwsnort policy with thousands of rules. Note that the number of iptables rules is the same between the two executions. The complete ChangeLog entries are displayed below Major update to use the iptables-save format instead of the older strategy of always just executing iptables commands directly which was very flow for large fwsnort policies . The etc fwsnort fwsnort.sh script now just executes sbin iptables-restore etc fwsnort fwsnort.save All fwsnort rules are now placed in the etc fwsnort fwsnort.save file, but the older fwsnort.sh output for the individual commands version is still available at etc fwsnort fwsnort_iptcmds.sh. This functionality extends to ip6tables policies as well. The fwsnort man page explain this in better detail As of fwsnort-1.5 all iptables rules built by fwsnort are written out to the etc fwsnort fwsnort.save file in iptables-save format. This allows a long fwsnort policy which may contain thousands of iptables rules translated from a large Snort signature set to be quickly instantiated via the iptables-restore command. A wrapper script etc fwsnort fwsnort.sh is also written out to make this easy. Hence, the typical work flow for fwsnort is to 1 run fwsnort, 2 note the Snort rules that fwsnort was able to successfully translate the number of such rules is printed to stdout , and then 3 execute the etc fwsnort fwsnort.sh wrapper script to instantiate the policy in the running kernel. Added the --rules-url argument so that the URL for updating the Emerging Threats rule set can be specified from the command line. The default is http rules.emergingthreats.net open snort-2.9.0 emerging-all.rules Updated to automatically check for the maximum length string that the string match supports, and this is used to through out any Snort rules with content matches longer than this length. Updated the iptables capabilities testing routines to add and delete testing rules to from the custom chain 'FWS_CAP_TEST'. This maintains a a cleaner separation between fwsnort and any existing iptables policy even during the capabilities testing phase. Added the --ipt-check-capabilities argument to have fwsnort test the capabilities of the local iptables firewall and exit. Added the --string-match-alg argument to allow the string matching algorithm used by fwsnort to be specified from the command line. The default algorithm is 'bm' for 'Boyer-Moore', but 'kmp' may also be specified short for the 'Knuth-Morris-Pratt' algorithm . Updated to the latest complete rule set from Emerging Threats see http www.emergingthreats.net .






Les derniers articles du site "cipherdyne.org System and Network Security" :

- Single Packet Authorization and Third Party Devices
- Software Release fwknop-2.6.7
- Android Fwknop2 Client and OpenWRT
- New Android Single Packet Authorization Client Fwknop2
- NAT and Single Packet Authorization
- Single Packet Authorization Threat Modeling
- RAM Disks and Saving Your SSD From AFL Fuzzing
- Integrating fwknop with the 'American Fuzzy Lop' Fuzzer
- Software Release fwknop-2.6.4
- Code Coverage Challenges For Open Source Projects

---

S'abonner au fil RSS global de la revue de presse

---