On Thu, Jan 23, 2014 at 7:11 PM, André Nunes Batista <
andrenbati...@gmail.com> wrote:

> Hello debianers!
>
>
Hello Andre,


> I run fwsnort to update and improve on my iptables rule sets. On
> updating its rules though I got this error message:
>
> # iptables-restore < /path/to/fwsnort.save
> iptables-restore v1.4.14: Invalid hex char '|' Error occurred at line:
> 4013 Try `iptables-restore -h' or 'iptables-restore --help' for more
> information.
>
> The line mentioned on the error contains the rule below:
>
> -A FWSNORT_OUTPUT_ESTAB -p tcp -m tcp -m string --string "PRIVMSG "
> --algo bm -m string --hex-string "|2d2d2d2d2d2d2d2d2d2d2d2d||2d||2d||
> 2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||
> 2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||
> 2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||
> 2d||2d||2d||2d||2d||2d||2d||2d||2d||2d||2d|" --algo bm --from 72 -m
> comment --comment "sid:2017291; msg:ET TROJAN ATTACKER IRCBot - PRIVMSG
> Response - net command output; classtype:trojan-activity; rev:5;
> FWS:1.6.2;" -j LOG --log-ip-options --log-tcp-options --log-prefix
> "[3006] SID2017291 ESTAB "
>
> Upon removing this line, iptables-restore did its job without
> complaining. Since this line was automagically generated by "fwsnort
> --update-rules ; fwsnort --ipt-sync",  I wonder if it's worth a bug
> report.
>
>
Yes, that looks to be a bug - fwsnort should just consolidate all of those
consecutive |2d| hex chars into a single |2d2d2d....| block.  I'll get this
fixed for the next release.

Thanks,

--Mike



> --
> André N. Batista
> GNUPG/PGP KEY: 6722CF80
>
>
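
The consolidation described in the reply above, sketched as an added example that is not fwsnort's code and not part of the original thread: it merges adjacent `|..|` hex blocks inside a `--hex-string` argument so a saved rule set can be normalized before it is passed to `iptables-restore`. The function names and the shortened sample rule are constructed for illustration, and the code assumes literal text in the argument never contains a bare `|` or `"`.

```python
import re

# Matches the quoted argument of --hex-string in an iptables-save style line.
HEX_ARG = re.compile(r'(--hex-string\s+")([^"]*)(")')

def consolidate_hex_blocks(value):
    """Merge adjacent |..| hex blocks; literal text between blocks is kept."""
    parts = value.split("|")
    # Splitting on '|' yields literal, hex, literal, ...; an even count
    # means a block was opened and never closed.
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in hex-string: %r" % value)
    segments = []  # each entry is [is_hex, text]
    for i, part in enumerate(parts):
        is_hex = i % 2 == 1
        if is_hex:
            part = "".join(part.split())  # drop spaces inside the block
            if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})*", part):
                raise ValueError("bad hex block: %r" % part)
        if not part:
            continue  # empty literal between '|2d||2d|', or an empty '||'
        if segments and segments[-1][0] == is_hex:
            segments[-1][1] += part  # same kind as previous segment: merge
        else:
            segments.append([is_hex, part])
    return "".join("|%s|" % text if hexed else text for hexed, text in segments)

def fix_rule(line):
    """Rewrite every --hex-string argument in one rule line."""
    return HEX_ARG.sub(
        lambda m: m.group(1) + consolidate_hex_blocks(m.group(2)) + m.group(3),
        line,
    )

# Constructed sample: a shortened form of the rule quoted in the thread.
SAMPLE = ('-A FWSNORT_OUTPUT_ESTAB -p tcp -m tcp -m string --string "PRIVMSG " '
          '--algo bm -m string --hex-string "|2d2d2d||2d||2d|" --algo bm '
          '--from 72 -j LOG')

if __name__ == "__main__":
    print(fix_rule(SAMPLE))
```
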
