Re: [Fwsnort-discuss] Bad argument 2a02
From: Balazs C. <bc...@ip...> - 2013-02-02 09:47:48
Hi Mike,

The iptables version is 1.3.5. Do I need to upgrade?

Yes, the error is reproducible:

[root@sgproxy /etc/fwsnort]# fwsnort --snort-sid 1633
[+] Testing /sbin/iptables for supported capabilities...
[+] Parsing Snort rules files...
[+] Found sid: 1633 in chat.rules
Successful translation.
[+] Logfile: /var/log/fwsnort/fwsnort.log
[+] iptables script (individual commands): /var/lib/fwsnort/fwsnort_iptcmds.sh
Main fwsnort iptables-save file: /var/lib/fwsnort/fwsnort.save
You can instantiate the fwsnort policy with the following command:
/sbin/iptables-restore < /var/lib/fwsnort/fwsnort.save
Or just execute: /var/lib/fwsnort/fwsnort.sh

[root@sgproxy /etc/fwsnort]# /var/lib/fwsnort/fwsnort.sh
[+] Splicing fwsnort 1 rules into the iptables policy...
Bad argument `|2a02|'
Error occurred at line: 34
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

Please let me know if you have any tips.

Thanks for your help :-)
Balazs

>>> Michael Rash <mb...@ci...> 2/1/2013 10:01 PM >>>
On Feb 01, 2013, Balazs Czviin wrote:

> Hi All,

Hello Balazs,

> I am in need of help. I am a total fwsnort rookie. I managed to get it installed, got the rules, which then were parsed by the setup. After trying to run the generated script for the first time, I am greeted with this:
>
> [+] Splicing fwsnort 9422 rules into the iptables policy...
> Bad argument `|2a02|'
> Error occurred at line: 61
> Try `iptables-restore -h' or 'iptables-restore --help' for more information.
>
> This is the offending line, but I assume there would be more as I see many more with the --hex-string 2a02 line. What am I missing?
>
> -A FWSNORT_FORWARD -s 64.12.24.0/24 -d 192.168.250.0/24 -p tcp -m tcp -m string --hex-string "|00040007|" --algo bm --from 70 --to 74 -m string --hex-string "|2a02|" --algo bm --to 66 -m comment --comment "sid:1633; msg:CHAT AIM receive message; classtype:policy-violation; rev:6; FWS:1.6.3;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[126] SID1633 "

Hmmm, I don't seem to be able to reproduce that problem. The syntax of the rule above is correct, and when I place it in my /var/lib/fwsnort/fwsnort.save file, iptables-restore is able to handle it. Which version of iptables are you running? If you restrict the fwsnort rule translate to just SID 1633 with "fwsnort --snort-sid 1633" and then execute /var/lib/fwsnort/fwsnort.sh, is the error reproducible?

Thanks,

--Mike

> Thanks in advance
> Balazs

_______________________________________________
Fwsnort-discuss mailing list
Fws...@li...
https://lists.sourceforge.net/lists/listinfo/fwsnort-discuss
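Added example, not part of the original thread and not fwsnort's own code: a Python helper that takes the iptables-restore error text and the save file, pulls out the rule at the reported line, and decodes each `-m string` match so the rejected `--hex-string` value can be tied to a specific match. The save-file excerpt, the adjusted line number, and all function names are constructed for illustration.

```python
import re
import shlex

# Constructed input: the rule quoted in the thread, trimmed, inside a minimal save file.
SAMPLE_SAVE = """*filter
:FWSNORT_FORWARD - [0:0]
-A FWSNORT_FORWARD -p tcp -m tcp -m string --hex-string "|00040007|" --algo bm --from 70 --to 74 -m string --hex-string "|2a02|" --algo bm --to 66 -m comment --comment "sid:1633; msg:CHAT AIM receive message;" -j LOG --log-prefix "[126] SID1633 "
COMMIT
"""
# Error text in the shape shown in the thread; line number adjusted to the sample.
SAMPLE_ERROR = "Bad argument `|2a02|'\nError occurred at line: 3\n"

STRING_OPTS = ("--hex-string", "--algo", "--from", "--to")


def decode_hex_string(pattern):
    """Decode a --hex-string value (ASCII text mixed with |hex| runs) to bytes."""
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in %r" % pattern)
    # Pieces at odd positions sit between pipes and hold hex digits.
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode("ascii")
                    for i, p in enumerate(parts))


def string_matches(rule):
    """Return one dict of options per '-m string' match in a rule line."""
    tokens = shlex.split(rule)  # strips the double quotes iptables-save writes
    matches, current = [], None
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-m":
            # Options belong to the string match only until the next -m.
            current = {} if tokens[i + 1] == "string" else None
            if current is not None:
                matches.append(current)
        elif current is not None and tok in STRING_OPTS:
            current[tok] = tokens[i + 1]
    for m in matches:
        m["bytes"] = decode_hex_string(m["--hex-string"])
    return matches


def diagnose(error_text, save_text):
    """Map an iptables-restore error to the rule line and the match it names."""
    line_no = int(re.search(r"Error occurred at line: (\d+)", error_text).group(1))
    bad_arg = re.search(r"Bad argument `([^']*)'", error_text).group(1)
    matches = string_matches(save_text.splitlines()[line_no - 1])
    for m in matches:
        m["rejected"] = m["--hex-string"] == bad_arg
    return line_no, bad_arg, matches
```

Run against the real /var/lib/fwsnort/fwsnort.save and the captured error output, this shows which of several string matches on the line iptables-restore stopped at.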