Release Notes: A bugfix for vulnerability CVE-2014-0039, in which an attacker-controlled fwsnort.conf file could be read by fwsnort when not running as root. This was caused by fwsnort reading './fwsnort.conf' when not running as root, and when a path to the config file was not explicitly set with -c on the command line. This behavior has been changed to require the user to specify a path to fwsnort.conf with -c when not running as root.
Release Notes: This release adds a new comprehensive test suite, a faster iptables/ip6tables capabilities testing routine, and fixes for hex string encoding for some Snort content matches with syntax-busting characters.
Release Notes: This release switches the default policy load stance to load all translated Snort rules into the running iptables policy by default. This was made possible after fwsnort made use of the iptables-save format for policy instantiation. Updated to use the NetAddr::IP module from CPAN. A bugfix for translated ICMP rules and ICMP type requirements in recent versions of iptables.
Release Notes: A bugfix for the 'Couldn't load target' error seen on some Linux systems. A bugfix for interpreting pattern ordering in Snort rules with relative pattern matches. Updated to the latest Emerging Threats rule set.
Release Notes: Snort fast_pattern support and iptables multiport match support were added. The --QUEUE and --NFQUEUE modes were enhanced. Support was added for the conntrack module for connection tracking. Case-insensitive pattern matching was added via the --icase argument to the iptables string match extension. A couple of minor bugs were fixed.
Release Notes: Support for ip6tables was added so that fwsnort can apply Snort rules to IPv6 traffic. The ability to create Perl commands that print application layer data that matches Snort rules was added via a new "--include-perl-triggers" argument. Better support for configuration variables within the fwsnort.conf file was added.
Release Notes: A bug was fixed to allow fwsnort to properly translate snort rules that have "content" fields with embedded escaped semicolons (e.g. "\;"). This allows fwsnort to translate about 58 additional rules from the Emerging Threats rule set. A bug was fixed to allow case insensitive matches to work properly with the --include-re-caseless and --exclude re-caseless arguments. The code was updated to the latest complete rule set from Emerging Threats. The --snort-rfile argument was added so that a specific Snort rules file (or list of files separated by commas) is parsed.
Release Notes: This release replaces the bleeding-all.rules file with the emerging-all.rules file because Matt Jonkman now releases his rule sets at emergingthreats.net. Restructured Perl module paths make it easy to introduce a "nodeps" distribution of fwsnort that does not contain any Perl modules, allowing better integration with systems that already have all necessary modules installed (including the IPTables::ChainMgr and IPTables::Parse modules). This release adds support for multiple Snort rule directories as a comma-separated list for the argument to --snort-rdir.
Release Notes: This version was updated to exclude loopback interfaces from iptables allow rules parsing. This behavior can be reversed with the existing --no-exclude-loopback command line argument. IPTables::Parse was updated to take into account iptables policy output that contains "0" instead of "all" to represent any protocol. IPTables::Parse was updated to set sport and dport to "0:0" if the protocol is "all". A bug was fixed to allow negated networks to be specified within iptables allow rules or within the fwsnort.conf file. install.pl was updated to set the LC_ALL environment variable to "C".
Release Notes: A major signature update from Bleeding Threats. This update includes a large number of new signatures with PCRE statements, with an emphasis on detecting SQL injection attacks directed at internal Web servers from external sources. The ability to interpret PCRE statements that include simple string matches separated by ".*" and ".+" as multiple iptables string matches has been added. The asn1 keyword has been added to the unsupported list.