Re: [Fwsnort-discuss] Bad argument 2a02
Brought to you by:
mbr
Menu
▾
▴
Re: [Fwsnort-discuss] Bad argument 2a02
|
From: Balazs C. <bc...@ip...> - 2013-02-02 09:47:48
|
Hi Mike,
The iptables version is 1.3.5. Do I need to upgrade?
Yes, the error is reproducible:
[root@sgproxy /etc/fwsnort]# fwsnort --snort-sid 1633
[+] Testing /sbin/iptables for supported capabilities...
[+] Parsing Snort rules files...
[+] Found sid: 1633 in chat.rules
Successful translation.
[+] Logfile: /var/log/fwsnort/fwsnort.log
[+] iptables script (individual commands): /var/lib/fwsnort/fwsnort_iptcmds.sh
Main fwsnort iptables-save file: /var/lib/fwsnort/fwsnort.save
You can instantiate the fwsnort policy with the following command:
/sbin/iptables-restore < /var/lib/fwsnort/fwsnort.save
Or just execute: /var/lib/fwsnort/fwsnort.sh
[root@sgproxy /etc/fwsnort]# /var/lib/fwsnort/fwsnort.sh
[+] Splicing fwsnort 1 rules into the iptables policy...
Bad argument `|2a02|'
Error occurred at line: 34
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Please let me know if you have any tips
Thanks for your help :-)
Balazs
>>> Michael Rash <mb...@ci...> 2/1/2013 10:01 PM >>>
On Feb 01, 2013, Balazs Czviin wrote:
> Hi All,
Hello Balazs,
> I am in need of help. I am a total fwsnort rookie. I managed to get it installed, got the rules, which then were parsed by the setup. After trying to run the generated script for the first time, I am greeted with this:
>
> [+] Splicing fwsnort 9422 rules into the iptables policy...
> Bad argument `|2a02|'
> Error occurred at line: 61
> Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> This is the offending line, but I assume there would be more as I see many more with the --hex-string 2a02 line. What am I missing?
>
> -A FWSNORT_FORWARD -s 64.12.24.0/24 -d 192.168.250.0/24 -p tcp -m tcp -m string --hex-string "|00040007|" --algo bm --from 70 --to 74 -m string --hex-string "|2a02|" --algo bm --to 66 -m comment --comment "sid:1633; msg:CHAT AIM receive message; classtype:policy-violation; rev:6; FWS:1.6.3;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[126] SID1633 "
Hmmm, I don't seem to be able to reproduce that problem. The syntax of
the rule above is correct, and when I place it my
/var/lib/fwsnort/fwsnort.save file iptables-restore is able to handle
it. Which version of iptables are you running? If you restrict the
fwsnort rule translate to just SID 1633 with "fwsnort --snort-sid 1633"
and then execute /var/lib/fwsnort/fwsnort.sh is the error reproducible?
Thanks,
--Mike
> Thanks in advance
> Balazs
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_jan
> _______________________________________________
> Fwsnort-discuss mailing list
> Fws...@li...
> https://lists.sourceforge.net/lists/listinfo/fwsnort-discuss
------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_jan
_______________________________________________
Fwsnort-discuss mailing list
Fws...@li...
https://lists.sourceforge.net/lists/listinfo/fwsnort-discuss
|