Re: [Fwsnort-discuss] Exclude regex question
From: Andrew M. <an...@me...> - 2012-12-19 07:45:21
Hello Michael,

Here are the results with the snapshot link you sent me. It looks as though the issue has been resolved:

> # fwsnort
> ...
> [+] Generated iptables rules for 10366 out of 14976 signatures: 69.22%
>
> # fwsnort --include-regex=bm
> ...
> [+] Generated iptables rules for 55 out of 730 signatures: 7.53%
>
> # fwsnort --exclude-regex=bm
> ...
> [+] Generated iptables rules for 10311 out of 14246 signatures: 72.38%

Thank you so much!

Cheers,
Andrew

On Dec 17, 2012, at 7:31 PM, Michael Rash <mb...@ci...> wrote:

> On Dec 17, 2012, Andrew Merenbach wrote:
>
>> Hi all,
>>
>> Wondering if there is a possible issue with exclusion regexes in the fwsnort script, or if maybe I'm simply misusing it. I just downloaded the 1.6.2 source (to verify). Line numbers are prepended.
>>
>> 644     ### regex filters
>> 645     if ($exclude_re) {
>> 646         next RULE unless $rule =~ $exclude_re;
>> 647     }
>> 648
>> 649     if ($include_re) {
>> 650         next RULE unless $rule =~ $include_re;
>> 651     }
>>
>> It appears that the include and exclude regexes are doing the same thing at the moment, and I am unable to get the exclude regex to actually exclude.
>>
>> I sought this out after I encountered the same issue that Oscar was seeing with converting IPTables rules and I tried to exclude anything with "bm" in it. I am wondering if line 646 should instead be:
>>
>> 646         next RULE unless $rule !~ $exclude_re;
>>
>> or, perhaps better yet:
>>
>> 646         next RULE if $rule =~ $exclude_re;
>>
>> That is, skip this rule unless the regex does not match (or skip the rule if the regex does match).
>
> Thanks for catching that. I've applied your fix above for the
> fwsnort-1.6.3 release and added you to the CREDITS file:
>
> http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwsnort.git;a=commitdiff;h=bf229236b79e3a33fb9507c384ca783d368de93f
>
> fwsnort-1.6.3 is very close to being released as well. If you would
> like to test it to see if things seem to work properly, here is a
> snapshot of the latest code:
>
> http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwsnort.git;a=snapshot;h=bf229236b79e3a33fb9507c384ca783d368de93f;sf=tgz
>
> Thanks,
>
> --Mike
>
>
>> If anyone can set me straight (i.e., PEBKAC), I will certainly appreciate it. Thanks for your help.
>>
>> Cheers,
>> Andrew
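
The filter logic discussed in this thread, as an added example that is not part of the original messages or of fwsnort itself: it runs line 646 as quoted from 1.6.2 and the corrected form over constructed rules, and checks that the include and exclude sets split the rule list, the same relation the reported totals show (730 + 14246 = 14976). The helper name filter_rules, the $buggy switch and the sample rules are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample rules (not taken from any real rule set).
# Two of the five contain "bm".
my @rules = (
    'alert tcp any any -> any 80 (msg:"constructed A"; content:"bm"; sid:1000001;)',
    'alert tcp any any -> any 25 (msg:"constructed B"; content:"helo"; sid:1000002;)',
    'alert udp any any -> any 53 (msg:"constructed C bm"; content:"x"; sid:1000003;)',
    'alert tcp any any -> any 22 (msg:"constructed D"; content:"ssh"; sid:1000004;)',
    'alert tcp any any -> any 21 (msg:"constructed E"; content:"ftp"; sid:1000005;)',
);

# filter_rules() is a hypothetical helper, not an fwsnort function.
# $buggy = 1 uses line 646 as quoted from 1.6.2; 0 uses the corrected line.
sub filter_rules {
    my ($rules, $include_re, $exclude_re, $buggy) = @_;
    my @kept;
    RULE: for my $rule (@$rules) {
        if ($exclude_re) {
            if ($buggy) {
                next RULE unless $rule =~ $exclude_re;   # keeps only matches
            } else {
                next RULE if $rule =~ $exclude_re;       # drops matches
            }
        }
        if ($include_re) {
            next RULE unless $rule =~ $include_re;
        }
        push @kept, $rule;
    }
    return @kept;
}

my $re = qr/bm/;
for my $mode (['1.6.2 line 646', 1], ['corrected', 0]) {
    my ($label, $buggy) = @$mode;
    my @inc = filter_rules(\@rules, $re, undef, $buggy);
    my @exc = filter_rules(\@rules, undef, $re, $buggy);
    my $leaked = grep { $_ =~ $re } @exc;   # excluded pattern still present?
    my $partition = (@inc + @exc == @rules) ? 'ok' : 'BROKEN';
    printf "%-15s include=%d exclude=%d total=%d leaked=%d partition=%s\n",
        $label, scalar @inc, scalar @exc, scalar @rules, $leaked, $partition;
}
```

The same partition check can be applied to real fwsnort runs by comparing the signature totals printed with --include-regex and --exclude-regex against the total from an unfiltered run.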