Re: [Fwsnort-discuss] Exclude regex question
Brought to you by:
mbr
Menu
▾
▴
Re: [Fwsnort-discuss] Exclude regex question
|
From: Andrew M. <an...@me...> - 2012-12-19 07:45:21
|
Hello Michael,
Here are the results with the snapshot link you sent me. It looks as though the issue has been resolved:
> # fwsnort
> ...
> [+] Generated iptables rules for 10366 out of 14976 signatures: 69.22%
>
> # fwsnort --include-regex=bm
> ...
> [+] Generated iptables rules for 55 out of 730 signatures: 7.53%
>
> # fwsnort --exclude-regex=bm
> ...
> [+] Generated iptables rules for 10311 out of 14246 signatures: 72.38%
Thank you so much!
Cheers,
Andrew
On Dec 17, 2012, at 7:31 PM, Michael Rash <mb...@ci...> wrote:
> On Dec 17, 2012, Andrew Merenbach wrote:
>
>> Hi all,
>>
>> Wondering if there is a possible issue with exclusion regexes in the fwsnort script, or if maybe I'm simply misusing it. I just downloaded the 1.6.2 source (to verify). Line numbers are prepended.
>>
>> 644 ### regex filters
>> 645 if ($exclude_re) {
>> 646 next RULE unless $rule =~ $exclude_re;
>> 647 }
>> 648
>> 649 if ($include_re) {
>> 650 next RULE unless $rule =~ $include_re;
>> 651 }
>>
>> It appears that the include and exclude regexes are doing the same thing at the moment, and I am unable to get the exclude regex to actually exclude.
>>
>> I sought this out after I encountered the same issue that Oscar was seeing with converting IPTables rules and I tried to exclude anything with "bm" in it. I am wondering if line 646 should instead be:
>>
>> 646 next RULE unless $rule !~ $exclude_re;
>>
>> or, perhaps better yet:
>>
>> 646 next RULE if $rule =~ $exclude_re;
>>
>> That is, skip this rule unless the regex does not match (or skip the rule if the regex does match).
>
> Thanks for catching that. I've applied your fix above for the
> fwsnort-1.6.3 release and added you to the CREDITS file:
>
> http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwsnort.git;a=commitdiff;h=bf229236b79e3a33fb9507c384ca783d368de93f
>
> fwsnort-1.6.3 is very close to being released as well. If you would
> like to test it to see if things seem to work properly, here is a
> snapshot of the latest code:
>
> http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwsnort.git;a=snapshot;h=bf229236b79e3a33fb9507c384ca783d368de93f;sf=tgz
>
> Thanks,
>
> --Mike
>
>
>> If anyone can set me straight (i.e., PEBKAC), I will certainly appreciate it. Thanks for your help.
>>
>> Cheers,
>> Andrew
>> ------------------------------------------------------------------------------
>> LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
>> Remotely access PCs and mobile devices and provide instant support
>> Improve your efficiency, and focus on delivering more value-add services
>> Discover what IT Professionals Know. Rescue delivers
>> http://p.sf.net/sfu/logmein_12329d2d
>> _______________________________________________
>> Fwsnort-discuss mailing list
>> Fws...@li...
>> https://lists.sourceforge.net/lists/listinfo/fwsnort-discuss
>
> ------------------------------------------------------------------------------
> LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
> Remotely access PCs and mobile devices and provide instant support
> Improve your efficiency, and focus on delivering more value-add services
> Discover what IT Professionals Know. Rescue delivers
> http://p.sf.net/sfu/logmein_12329d2d
> _______________________________________________
> Fwsnort-discuss mailing list
> Fws...@li...
> https://lists.sourceforge.net/lists/listinfo/fwsnort-discuss
|