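#!/bin/bash
# Copyright 2003 William Stearns
# Released under the GPL.
#
# firebricks module "snort-ddos".
#
# Installs an iptables chain whose rules are mechanical translations of the
# Snort DDoS signatures (TFN, TFN2K, Trin00, shaft, mstream, Stacheldraht).
# Every rule is preceded by LogAs="SID<n>", naming the Snort SID it came
# from, and keeps the Snort msg/reference/classtype as a trailing comment.
#
# This script is driven by firebrickslib, which supplies:
#   Tasks        - whitespace-separated list of actions to perform
#   IptablesBin  - the iptables command (may carry options; not quoted)
#   Ipt, AppIn, Tail
#                - rule prefix, link mode (-A/-I) and rule suffix used when
#                  building rules; deliberately left unquoted so they
#                  word-split as firebrickslib intends
#   FlushOrNewChain, DestroyChain, DefaultHelp
#                - shell functions
#
# NOTE(review): the --u32 and --string arguments carry Snort's double quotes
# and, for the ICMP rules, Snort keyword text such as "icmp_id: 0" inside
# the argument.  Whether $Ipt re-parses those before they reach iptables is
# not visible from this file; if $Ipt is the bare binary, the u32 matches
# will not load and the string matches will look for the quotes as well.
# Confirm against firebrickslib before relying on the ICMP signatures.

Me='snort-ddos'
MyVersion='20031125'

# Site-wide configuration, per-module configuration, then the shared library.
[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] && . "/etc/firebricks/$Me.conf"
[ -r "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib" ] && . "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"

if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi

#######################################
# Succeed if chain $1 exists in the filter table.
# Arguments: $1 - chain name
# Returns:   0 if iptables can list the chain, non-zero otherwise
#######################################
chain_exists() {
  $IptablesBin -L "$1" -n >/dev/null 2>&1
}

#######################################
# Count the rules in builtin chain $1 that reference chain $2.
# -w keeps "foo-12" from also matching "foo-123".
# Arguments: $1 - builtin chain (INPUT/FORWARD/OUTPUT), $2 - chain name
# Outputs:   the count on stdout
#######################################
chain_refs() {
  $IptablesBin -L "$1" -n --line-numbers | grep -c -w -- "$2"
}

#######################################
# Print the rule number of the rule in builtin chain $1 that references
# chain $2, for use with "iptables -R".  Only meaningful once chain_refs
# has confirmed there is exactly one such rule.
# Arguments: $1 - builtin chain, $2 - chain name
# Outputs:   the rule number on stdout
#######################################
chain_ref_line() {
  $IptablesBin -L "$1" -n --line-numbers | grep -w -- "$2" | awk '{print $1}'
}

# $Tasks is intentionally word-split: firebrickslib passes a list of actions.
for OneTask in $Tasks ; do
  case "$OneTask" in
    link)
      # Chain creation may fail harmlessly if it already exists.
      $IptablesBin -N "$Me" >/dev/null 2>&1
      # All traffic except loopback input is sent down the chain; the chain
      # itself narrows on protocol/port.  The same criteria must be mirrored
      # in unlink and replacelinks below.
      $IptablesBin $AppIn INPUT -i \! lo -j "$Me"
      $IptablesBin $AppIn FORWARD -j "$Me"
      $IptablesBin $AppIn OUTPUT -j "$Me"
      ;;
    unlink)
      # Mirror of link, with -D instead of $AppIn.
      $IptablesBin -D INPUT -i \! lo -j "$Me"
      $IptablesBin -D FORWARD -j "$Me"
      $IptablesBin -D OUTPUT -j "$Me"
      $IptablesBin -X "$Me" >/dev/null 2>&1
      ;;
    create)
      echo "Starting $Me" >&2
      FlushOrNewChain "$Me"
      # One rule per Snort SID.  LogAs is read by $Tail (set in firebrickslib).
      # Rules that appeared twice in the original module have been collapsed
      # to a single copy; an identical second rule only duplicates the log.
      LogAs="SID221"
      $Ipt -A $Me -p icmp -m u32 --u32 '"2&0xFFFF=678"' --icmp-type 8 -m string --string '"1234"' $Tail # '"DDOS TFN Probe"' arachnids,443 classtype:attempted-recon sid:221
      LogAs="SID222"
      $Ipt -A $Me -p icmp --icmp-type 0 -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@2&0xFFFF=icmp_id: 0"' -m string --string '"AAAAAAAAAA"' $Tail # '"DDOS tfn2k icmp possible communication"' arachnids,425 classtype:attempted-dos sid:222
      LogAs="SID223"
      $Ipt -A $Me -p udp --dport 31335 -m string --string '"PONG"' $Tail # '"DDOS Trin00 Daemon to Master PONG message detected"' arachnids,187 classtype:attempted-recon sid:223
      LogAs="SID228"
      $Ipt -A $Me -p icmp --icmp-type 0 -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@2&0xFFFF=icmp_id: 456"' -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@4&0xFFFF=icmp_seq: 0"' $Tail # '"DDOS TFN client command BE"' arachnids,184 classtype:attempted-dos sid:228
      LogAs="SID230"
      $Ipt -A $Me -p tcp --dport 20432 -m state --state ESTABLISHED $Tail # '"DDOS shaft client to handler"' arachnids,254 classtype:attempted-dos sid:230
      LogAs="SID231"
      $Ipt -A $Me -p udp --dport 31335 -m string --string '"l44"' $Tail # '"DDOS Trin00 Daemon to Master message detected"' arachnids,186 classtype:attempted-dos sid:231
      LogAs="SID232"
      $Ipt -A $Me -p udp --dport 31335 -m string --string '"*HELLO*"' $Tail # '"DDOS Trin00 Daemon to Master *HELLO* message detected"' arachnids,185 url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm classtype:attempted-dos sid:232
      LogAs="SID233"
      $Ipt -A $Me -p tcp --dport 27665 -m string --string '"betaalmostdone"' $Tail # '"DDOS Trin00 Attacker to Master default startup password"' arachnids,197 classtype:attempted-dos sid:233
      LogAs="SID234"
      $Ipt -A $Me -p tcp --dport 27665 -m string --string '"gOrave"' $Tail # '"DDOS Trin00 Attacker to Master default password"' classtype:attempted-dos sid:234
      LogAs="SID235"
      $Ipt -A $Me -p tcp --dport 27665 -m string --string '"killme"' $Tail # '"DDOS Trin00 Attacker to Master default mdie password"' classtype:bad-unknown sid:235
      LogAs="SID237"
      $Ipt -A $Me -p udp --dport 27444 -m string --string '"l44adsl"' $Tail # '"DDOS Trin00 Master to Daemon default password attempt"' arachnids,197 classtype:attempted-dos sid:237
      LogAs="SID238"
      $Ipt -A $Me -p icmp --icmp-type 0 -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@2&0xFFFF=icmp_id:123"' -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@4&0xFFFF=icmp_seq:0"' -m string --string '"shell bound to port"' $Tail # '"DDOS TFN server response"' arachnids,182 classtype:attempted-dos sid:238
      LogAs="SID239"
      $Ipt -A $Me -p udp --dport 18753 -m string --string '"alive tijgu"' $Tail # '"DDOS shaft handler to agent"' arachnids,255 classtype:attempted-dos sid:239
      LogAs="SID240"
      $Ipt -A $Me -p udp --dport 20433 -m string --string '"alive"' $Tail # '"DDOS shaft agent to handler"' arachnids,256 classtype:attempted-dos sid:240
      LogAs="SID241"
      $Ipt -A $Me -p tcp --tcp-flags ALL SYN -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@10&0xC0=0xC0"' -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@4=674711609"' $Tail # '"DDOS shaft synflood"' arachnids,253 classtype:attempted-dos sid:241
      LogAs="SID243"
      $Ipt -A $Me -p udp --dport 6838 -m string --string '"newserver"' $Tail # '"DDOS mstream agent to handler"' classtype:attempted-dos sid:243
      LogAs="SID244"
      $Ipt -A $Me -p udp --dport 10498 -m string --string '"stream/"' $Tail # '"DDOS mstream handler to agent"' cve,CAN-2000-0138 classtype:attempted-dos sid:244
      LogAs="SID245"
      $Ipt -A $Me -p udp --dport 10498 -m string --string '"ping"' $Tail # '"DDOS mstream handler ping to agent"' cve,CAN-2000-0138 classtype:attempted-dos sid:245
      LogAs="SID246"
      $Ipt -A $Me -p udp --dport 10498 -m string --string '"pong"' $Tail # '"DDOS mstream agent pong to handler"' classtype:attempted-dos sid:246
      LogAs="SID247"
      $Ipt -A $Me -p tcp --dport 12754 -m string --string '">"' $Tail # '"DDOS mstream client to handler"' cve,CAN-2000-0138 classtype:attempted-dos sid:247
      LogAs="SID248"
      $Ipt -A $Me -p tcp --sport 12754 -m string --string '">"' $Tail # '"DDOS mstream handler to client"' cve,CAN-2000-0138 classtype:attempted-dos sid:248
      LogAs="SID249"
      $Ipt -A $Me -p tcp --dport 15104 --tcp-flags ALL SYN -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@10&0xC0=0xC0"' $Tail # '"DDOS mstream client to handler"' arachnids,111 cve,CAN-2000-0138 classtype:attempted-dos sid:249
      LogAs="SID250"
      $Ipt -A $Me -p tcp --sport 15104 -m string --string '">"' $Tail # '"DDOS mstream handler to client"' cve,CAN-2000-0138 classtype:attempted-dos sid:250
      LogAs="SID251"
      $Ipt -A $Me -p icmp --icmp-type 0 -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@2&0xFFFF=icmp_id: 51201"' -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@4&0xFFFF=icmp_seq: 0"' $Tail # '"DDOS - TFN client command LE"' arachnids,183 classtype:attempted-dos sid:251
      LogAs="SID224"
      $Ipt -A $Me -p icmp -s 3.3.3.3/32 --icmp-type 0 -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@2&0xFFFF=icmp_id: 666"' $Tail # '"DDOS Stacheldraht server spoof"' arachnids,193 classtype:attempted-dos sid:224
      LogAs="SID225"
      $Ipt -A $Me -p icmp -m string --string '"sicken"' --icmp-type 0 -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@2&0xFFFF=icmp_id: 669"' $Tail # '"DDOS Stacheldraht gag server response"' arachnids,195 classtype:attempted-dos sid:225
      LogAs="SID226"
      $Ipt -A $Me -p icmp -m string --string '"ficken"' --icmp-type 0 -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@2&0xFFFF=icmp_id: 667"' $Tail # '"DDOS Stacheldraht server response"' arachnids,191 classtype:attempted-dos sid:226
      LogAs="SID227"
      $Ipt -A $Me -p icmp -m string --string '"spoofworks"' --icmp-type 0 -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@2&0xFFFF=icmp_id: 1000"' $Tail # '"DDOS Stacheldraht client spoofworks"' arachnids,192 classtype:attempted-dos sid:227
      LogAs="SID236"
      $Ipt -A $Me -p icmp -m string --string '"gesundheit!"' --icmp-type 0 -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@2&0xFFFF=icmp_id: 668"' $Tail # '"DDOS Stacheldraht client check gag"' arachnids,194 classtype:attempted-dos sid:236
      LogAs="SID229"
      $Ipt -A $Me -p icmp -m string --string '"skillz"' --icmp-type 0 -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@2&0xFFFF=icmp_id: 666"' $Tail # '"DDOS Stacheldraht client check skillz"' arachnids,190 classtype:attempted-dos sid:229
      LogAs="SID1854"
      $Ipt -A $Me -p icmp -m string --string '"niggahbitch"' --icmp-type 0 -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@2&0xFFFF=icmp_id:9015"' $Tail # '"DDOS Stacheldraht handler->agent (niggahbitch)"' url,staff.washington.edu/dittrich/misc/stacheldraht.analysis classtype:attempted-dos sid:1854
      LogAs="SID1855"
      $Ipt -A $Me -p icmp -m string --string '"skillz"' --icmp-type 0 -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@2&0xFFFF=icmp_id:6666"' $Tail # '"DDOS Stacheldraht agent->handler (skillz)"' url,staff.washington.edu/dittrich/misc/stacheldraht.analysis classtype:attempted-dos sid:1855
      LogAs="SID1856"
      $Ipt -A $Me -p icmp -m string --string '"ficken"' --icmp-type 0 -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@2&0xFFFF=icmp_id:6667"' $Tail # '"DDOS Stacheldraht handler->agent (ficken)"' url,staff.washington.edu/dittrich/misc/stacheldraht.analysis classtype:attempted-dos sid:1856
      ;;
    destroy)
      echo "Stopping $Me" >&2
      DestroyChain "$Me"
      ;;
    renamechain)
      # Park the live chain under a temporary name so "create" can build the
      # new one; "replacelinks" later swaps the builtin-chain jumps back.
      TempChain="$Me-$RANDOM"
      echo "Replacing existing rules in $Me with new rules" >&2
      $IptablesBin -E "$Me" "$TempChain"
      ;;
    replacelinks)
      # Refuse to touch the builtin chains unless the temporary chain is
      # referenced exactly once in each of INPUT, FORWARD and OUTPUT.
      if [ -z "$TempChain" ]; then
        echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
      elif ! chain_exists "$Me" ; then
        echo "No $Me chain in $Me, replace operation incomplete." >&2
      elif ! chain_exists "$TempChain" ; then
        echo "No $TempChain chain in $Me, replace operation incomplete." >&2
      elif [ "$(chain_refs INPUT "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(chain_refs FORWARD "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(chain_refs OUTPUT "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
      else
        # Same match criteria as link/unlink, placed just before "-j $Me".
        $IptablesBin -R INPUT "$(chain_ref_line INPUT "$TempChain")" -i \! lo -j "$Me"
        $IptablesBin -R FORWARD "$(chain_ref_line FORWARD "$TempChain")" -j "$Me"
        $IptablesBin -R OUTPUT "$(chain_ref_line OUTPUT "$TempChain")" -j "$Me"
        DestroyChain "$TempChain"
        unset TempChain
      fi
      ;;
    status)
      if chain_exists "$Me" ; then
        echo "$Me created" >&2
      else
        echo "$Me destroyed" >&2
      fi
      ;;
    version)
      echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
      ;;
    help)
      DefaultHelp
      # Module-specific help; the generic template text has been replaced.
      cat >&2 <<EOTEXT
The $Me module creates a chain of rules translated from the Snort DDoS
signatures for the TFN, TFN2K, Trin00, shaft, mstream and Stacheldraht
tools.  Each rule matches the protocol, port, payload string and/or ICMP
id that the corresponding Snort rule describes, and is tagged with that
rule's SID.  Traffic on INPUT (other than loopback), FORWARD and OUTPUT
is sent through the chain; what happens on a match is whatever the
firebricks Tail setting specifies.

Some rules match very short strings on a fixed port (for example ">" on
TCP port 12754), so unrelated traffic on those ports may also match.
Review the log output before using the module to do anything beyond
logging.
EOTEXT
      ;;
    *)
      # $OneTask is the loop variable; the old text referenced an unset $Action.
      echo "Unknown action $OneTask in $Me, no action taken." >&2
      ;;
  esac
done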