#!/bin/bash
#Copyright 2003 William Stearns
#Released under the GPL.
#
# firebricks "brick": loads a set of retired Snort signatures as iptables
# string/flag matches into a dedicated chain named after this script.
# Supported tasks (from $Tasks): link, unlink, create (the case below
# continues past the end of this excerpt, so later arms are not visible here).

#ZZZZ Check Me and MyVersion
# $Me doubles as the iptables chain name and the per-brick config file name
# (/etc/firebricks/$Me.conf).
Me='snort-deleted'
MyVersion='20031125'
#DefaultActions=''

# Config precedence: global conf, then per-brick conf, then the shared library.
# FBLibDir may be set by either conf; default lib location is /usr/lib/firebricks/.
# NOTE(review): these expansions are unquoted; $Me is a fixed literal, but FBLibDir
# comes from a sourced config file — confirm it can never contain whitespace.
[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r /etc/firebricks/$Me.conf ] && . /etc/firebricks/$Me.conf
[ -r ${FBLibDir:-'/usr/lib/firebricks/'}/firebrickslib ] && . ${FBLibDir:-'/usr/lib/firebricks/'}/firebrickslib

# FBLibVer is expected to be set by firebrickslib; without it the helpers used
# below ($IptablesBin, $Ipt, $Tail, FlushOrNewChain) are presumably undefined.
if [ -z "$FBLibVer" ]; then
	echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
	exit 1
fi

# Word-splitting of $Tasks is intentional: it is a whitespace-separated task list.
for OneTask in $Tasks ; do
	case "$OneTask" in
	link)
		# Create the chain; output is discarded because it may already exist.
		$IptablesBin -N $Me >/dev/null 2>&1
		#ZZZZ try to restrict the following three to only send down what the chain needs to inspect.
		# $AppIn is the append/insert flag supplied by the library or config
		# (the unlink arm below notes that it becomes "-D" there).
		# Loopback traffic is excluded on INPUT; FORWARD and OUTPUT see everything.
		$IptablesBin $AppIn INPUT -i \! lo -j $Me
		$IptablesBin $AppIn FORWARD -j $Me
		$IptablesBin $AppIn OUTPUT -j $Me
		;;
	unlink)
		#ZZZZ Make the same changes as above (such as "-p tcp"), but if you cut and paste, note "$AppIn" is now "-D"
		# Detach the chain from the three built-in chains, then delete it
		# (deletion output discarded — the chain may already be gone).
		$IptablesBin -D INPUT -i \! lo -j $Me
		$IptablesBin -D FORWARD -j $Me
		$IptablesBin -D OUTPUT -j $Me
		$IptablesBin -X $Me >/dev/null 2>&1
		;;
	create)
		echo "Starting $Me" >&2
		# FlushOrNewChain comes from firebrickslib (not visible here).
		FlushOrNewChain $Me
		# Each rule: LogAs="SIDnnn" is an environment prefix for the $Ipt
		# wrapper (presumably used to tag the resulting log entry with the
		# Snort SID); $Tail presumably carries the target/action. The trailing
		# comment on each rule is the original Snort msg plus its references.
		# NOTE(review): the --string patterns keep the Snort content's double
		# quotes inside the single-quoted argument (e.g. '"0"'), so unless $Ipt
		# strips them the kernel would match the literal bytes "0" including
		# the quotes — confirm against the $Ipt helper in firebrickslib.
		# NOTE(review): no --algo is given to the string match; older
		# patch-o-matic string match accepted that, newer iptables requires it.
		LogAs="SID325" $Ipt -A $Me -p tcp --dport 79 -m string --string '"0"' $Tail # '"FINGER probe 0 attempt"' arachnids,378 classtype:attempted-recon sid:325
		LogAs="SID511" $Ipt -A $Me -p tcp --sport 5631 -m string --string '"Invalid login"' $Tail # '"MISC Invalid PCAnywhere Login"' classtype:unsuccessful-user sid:511
		LogAs="SID506" $Ipt -A $Me -p tcp --dport 27374 -m state --state ESTABLISHED -m string --string '"GET "' $Tail # '"MISC ramen worm incoming"' nocase-ignored arachnids,460 classtype:bad-unknown sid:506
		LogAs="SID558" $Ipt -A $Me -p tcp -m state --state ESTABLISHED -m string --string '"GNUTELLA OK"' $Tail # '"INFO Outbound GNUTella client request"' classtype:misc-activity sid:558
		LogAs="SID559" $Ipt -A $Me -p tcp --tcp-flags ACK ACK -m string --string '"GNUTELLA CONNECT"' $Tail # '"P2P Inbound GNUTella client request"' classtype:misc-activity sid:559
LogAs="SID1121" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cgi-dos/args.bat"' $Tail # '"WEB-MISC O'Reilly args.bat access"' nocase-ignored classtype:attempted-recon sid:1121 LogAs="SID855" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/edit.pl"' $Tail # '"WEB-CGI edit.pl access"' nocase-ignored bugtraq,2713 classtype:attempted-recon sid:855 LogAs="SID1619" $Ipt -A $Me -p tcp --dport 80 -m string --string '".htr"' $Tail # '"EXPERIMENTAL WEB-IIS .htr request"' nocase-ignored classtype:web-application-activity bugtraq,4474 cve,CAN-2002-0071 sid:1619 LogAs="SID1114" $Ipt -A $Me -p tcp --dport 80 -m string --string '"get //"' $Tail # '"WEB-MISC prefix-get //"' nocase-ignored classtype:attempted-recon sid:1114 LogAs="SID1749" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/traace.axd"' $Tail # '"EXPERIMENTAL WEB-IIS .NET trace.axd access"' nocase-ignored classtype:web-application-attack sid:1749 LogAs="SID1049" $Ipt -A $Me -p tcp --dport 80 -m string --string '"GET "' --string '"/../../../../../../../../../../../"' $Tail # '"WEB-MISC iPlanet ../../ DOS attempt"' bugtraq,2282 cve,CAN-2001-0252 classtype:web-application-attack sid:1049 LogAs="SID496" $Ipt -A $Me -p tcp --sport 80 -m string --string '"Directory of"' $Tail # '"ATTACK RESPONSES directory listing"' nocase-ignored classtype:unknown sid:496 LogAs="SID1768" $Ipt -A $Me -p tcp --dport 80 -m string --string '":"' --string '""' --string '""' $Tail # '"WEB-IIS header field buffer overflow attempt"' classtype:web-application-attack bugtraq,4476 sid:1768 LogAs="SID1698" $Ipt -A $Me -p tcp --dport $ORACLE_PORTS -m string --string '"EXECUTE_SYSTEM"' $Tail # '"ORACLE execute_system attempt"' nocase-ignored classtype:protocol-command-decode sid:1698 LogAs="SID1227" $Ipt -A $Me -p tcp --sport 6000:6005 -m state --state ESTABLISHED $Tail # '"X11 outbound client connection detected"' arachnids,126 classtype:misc-activity sid:1227 LogAs="SID1477" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/swc"' $Tail 
# '"WEB-CGI swc attempt"' nocase-ignored classtype:attempted-recon sid:1477 LogAs="SID874" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/bin/shA-cA/usr/openwin"' $Tail # '"WEB-CGI w3-msql solaris x86 access"' nocase-ignored cve,CVE-1999-0276 arachnids,211 classtype:attempted-recon sid:874 LogAs="SID318" $Ipt -A $Me -p udp --dport 67 -m string --string '"echo netrjs stre"' $Tail # '"EXPLOIT bootp x86 bsd overfow"' classtype:attempted-admin sid:318 bugtraq,324 cve,CVE-1999-0914 LogAs="SID319" $Ipt -A $Me -p udp --dport 67 -m string --string '"A90/bin/sh"' $Tail # '"EXPLOIT bootp x86 linux overflow"' cve,CVE-1999-0799 cve,CAN-1999-0798 cve,CAN-1999-0389 classtype:attempted-admin sid:319 LogAs="SID114" $Ipt -A $Me -p tcp --sport 12346 --tcp-flags ACK ACK -m string --string '"NetBus"' $Tail # '"BACKDOOR netbus active"' arachnids,401 sid:114 classtype:misc-activity LogAs="SID111" $Ipt -A $Me -p tcp --dport 12346 -m string --string '"GetInfo "' $Tail # '"BACKDOOR netbus getinfo"' arachnids,403 classtype:misc-activity sid:111 LogAs="SID112" $Ipt -A $Me -p tcp --sport 80 --tcp-flags ACK ACK -m string --string '"server: BO/"' $Tail # '"BACKDOOR BackOrifice access"' arachnids,400 sid:112 classtype:misc-activity LogAs="SID116" $Ipt -A $Me -p udp --dport 31337 -m string --string '"c9"' $Tail # '"BACKDOOR BackOrifice access"' arachnids,399 sid:116 classtype:misc-activity LogAs="SID164" $Ipt -A $Me -p udp --sport 2140 --dport 60000 $Tail # '"BACKDOOR DeepThroat 3.1 Server Active on Network"' arachnids,106 sid:164 classtype:misc-activity LogAs="SID165" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"KeyLogger Is Enabled On port"' $Tail # '"BACKDOOR DeepThroat 3.1 Keylogger on Server ON"' arachnids,106 sid:165 classtype:misc-activity LogAs="SID166" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"22"' $Tail # '"BACKDOOR DeepThroat 3.1 Show Picture Client Request"' arachnids,106 sid:166 classtype:misc-activity LogAs="SID167" $Ipt -A $Me -p 
udp --sport 60000 --dport 2140 -m string --string '"32"' $Tail # '"BACKDOOR DeepThroat 3.1 Hide/Show Clock Client Request"' arachnids,106 sid:167 classtype:misc-activity LogAs="SID168" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"33"' $Tail # '"BACKDOOR DeepThroat 3.1 Hide/Show Desktop Client Request"' arachnids,106 sid:168 classtype:misc-activity LogAs="SID169" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"34"' $Tail # '"BACKDOOR DeepThroat 3.1 Swap Mouse Buttons Client Request"' arachnids,106 sid:169 classtype:misc-activity LogAs="SID170" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"110"' $Tail # '"BACKDOOR DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request"' arachnids,106 sid:170 classtype:misc-activity LogAs="SID171" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"35"' $Tail # '"BACKDOOR DeepThroat 3.1 Freeze Mouse Client Request"' arachnids,106 sid:171 classtype:misc-activity LogAs="SID172" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"70"' $Tail # '"BACKDOOR DeepThroat 3.1 Show Dialog Box Client Request"' arachnids,106 sid:172 classtype:misc-activity LogAs="SID173" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"71"' $Tail # '"BACKDOOR DeepThroat 3.1 Show Replyable Dialog Box Client Request"' arachnids,106 sid:173 classtype:misc-activity LogAs="SID174" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"31"' $Tail # '"BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"' arachnids,106 sid:174 classtype:misc-activity LogAs="SID175" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"125"' $Tail # '"BACKDOOR DeepThroat 3.1 Resolution Change Client Request"' arachnids,106 sid:175 classtype:misc-activity LogAs="SID176" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"04"' $Tail # '"BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"' arachnids,106 sid:176 
classtype:misc-activity LogAs="SID177" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"KeyLogger Shut Down"' $Tail # '"BACKDOOR DeepThroat 3.1 Keylogger on Server OFF"' arachnids,106 sid:177 classtype:misc-activity LogAs="SID179" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"21"' $Tail # '"BACKDOOR DeepThroat 3.1 FTP Server Port Client Request"' arachnids,106 sid:179 classtype:misc-activity LogAs="SID180" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"64"' $Tail # '"BACKDOOR DeepThroat 3.1 Process List Client request"' arachnids,106 sid:180 classtype:misc-activity LogAs="SID181" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"121"' $Tail # '"BACKDOOR DeepThroat 3.1 Close Port Scan Client Request"' arachnids,106 sid:181 classtype:misc-activity LogAs="SID182" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"89"' $Tail # '"BACKDOOR DeepThroat 3.1 Registry Add Client Request"' arachnids,106 sid:182 classtype:misc-activity LogAs="SID122" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"13"' $Tail # '"BACKDOOR DeepThroat 3.1 System Info Client Request"' arachnids,106 sid:122 classtype:misc-activity LogAs="SID124" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"09"' $Tail # '"BACKDOOR DeepThroat 3.1 FTP Status Client Request"' arachnids,106 sid:124 classtype:misc-activity LogAs="SID125" $Ipt -A $Me -p udp --sport 2140 --dport 60000 -m string --string '"Retreaving"' $Tail # '"BACKDOOR DeepThroat 3.1 E-Mail Info From Server"' arachnids,106 sid:125 classtype:misc-activity LogAs="SID126" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"12"' $Tail # '"BACKDOOR DeepThroat 3.1 E-Mail Info Client Request"' arachnids,106 sid:126 classtype:misc-activity LogAs="SID127" $Ipt -A $Me -p udp --sport 2140 --dport 60000 -m string --string '"Host"' $Tail # '"BACKDOOR DeepThroat 3.1 Server Status From Server"' arachnids,106 sid:127 
classtype:misc-activity LogAs="SID128" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"10"' $Tail # '"BACKDOOR DeepThroat 3.1 Server Status Client Request"' arachnids,106 sid:128 classtype:misc-activity LogAs="SID129" $Ipt -A $Me -p udp --sport 2140 --dport 60000 -m string --string '"C - "' $Tail # '"BACKDOOR DeepThroat 3.1 Drive Info From Server"' arachnids,106 sid:129 classtype:misc-activity LogAs="SID130" $Ipt -A $Me -p udp --sport 2140 --dport 60000 -m string --string '"Comp Name"' $Tail # '"BACKDOOR DeepThroat 3.1 System Info From Server"' arachnids,106 sid:130 classtype:misc-activity LogAs="SID131" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"130"' $Tail # '"BACKDOOR DeepThroat 3.1 Drive Info Client Request"' arachnids,106 sid:131 classtype:misc-activity LogAs="SID132" $Ipt -A $Me -p udp --sport 2140 --dport 60000 -m string --string '"FTP Server changed to"' $Tail # '"BACKDOOR DeepThroat 3.1 Server FTP Port Change From Server"' arachnids,106 sid:132 classtype:misc-activity LogAs="SID133" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"16"' $Tail # '"BACKDOOR DeepThroat 3.1 Cached Passwords Client Request"' arachnids,106 sid:133 classtype:misc-activity LogAs="SID134" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"17"' $Tail # '"BACKDOOR DeepThroat 3.1 RAS Passwords Client Request"' arachnids,106 sid:134 classtype:misc-activity LogAs="SID135" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"91"' $Tail # '"BACKDOOR DeepThroat 3.1 Server Password Change Client Request"' arachnids,106 sid:135 classtype:misc-activity LogAs="SID136" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"92"' $Tail # '"BACKDOOR DeepThroat 3.1 Server Password Remove Client Request"' arachnids,106 sid:136 classtype:misc-activity LogAs="SID137" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"911"' $Tail # '"BACKDOOR DeepThroat 3.1 Rehash Client Request"' 
arachnids,106 sid:137 classtype:misc-activity LogAs="SID138" $Ipt -A $Me -p udp --sport 60000 --dport 3150 -m string --string '"shutd0wnM0therF***eR"' $Tail # '"BACKDOOR DeepThroat 3.1 Server Rehash Client Request"' arachnids,106 sid:138 classtype:misc-activity LogAs="SID140" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"88"' $Tail # '"BACKDOOR DeepThroat 3.1 ICQ Alert OFF Client Request"' arachnids,106 sid:140 classtype:misc-activity LogAs="SID142" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"40"' $Tail # '"BACKDOOR DeepThroat 3.1 ICQ Alert ON Client Request"' arachnids,106 sid:142 classtype:misc-activity LogAs="SID143" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"20"' $Tail # '"BACKDOOR DeepThroat 3.1 Change Wallpaper Client Request"' arachnids,106 sid:143 classtype:misc-activity LogAs="SID149" $Ipt -A $Me -p udp --sport 60000 --dport 3150 -m string --string '"#"' $Tail # '"BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network"' arachnids,106 sid:149 classtype:misc-activity LogAs="SID150" $Ipt -A $Me -p udp --sport 3150 --dport 60000 -m string --string '"#"' $Tail # '"BACKDOOR DeepThroat 3.1 Server Active on Network"' arachnids,106 sid:150 classtype:misc-activity LogAs="SID151" $Ipt -A $Me -p udp --sport 60000 --dport 2140 $Tail # '"BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network"' arachnids,106 sid:151 classtype:misc-activity LogAs="SID154" $Ipt -A $Me -p udp --sport 3150 --dport 60000 -m string --string '"Wrong Password"' $Tail # '"BACKDOOR DeepThroat 3.1 Wrong Password"' arachnids,106 sid:154 classtype:misc-activity LogAs="SID156" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"37"' $Tail # '"BACKDOOR DeepThroat 3.1 Visible Window List Client Request"' arachnids,106 sid:156 classtype:misc-activity LogAs="SID113" $Ipt -A $Me -p udp --sport 4120 -m string --string '"--Ahhhhhhhhhh"' $Tail # '"BACKDOOR DeepThroat access"' arachnids,405 sid:113 
classtype:misc-activity LogAs="SID186" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"07"' $Tail # '"BACKDOOR DeepThroat 3.1 Monitor on/off Client Request"' arachnids,106 sid:186 classtype:misc-activity LogAs="SID187" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"41"' $Tail # '"BACKDOOR DeepThroat 3.1 Delete File Client Request"' arachnids,106 sid:187 classtype:misc-activity LogAs="SID188" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"38"' $Tail # '"BACKDOOR DeepThroat 3.1 Kill Window Client Request"' arachnids,106 sid:188 classtype:misc-activity LogAs="SID189" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"23"' $Tail # '"BACKDOOR DeepThroat 3.1 Disable Window Client Request"' arachnids,106 sid:189 classtype:misc-activity LogAs="SID190" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"24"' $Tail # '"BACKDOOR DeepThroat 3.1 Enable Window Client Request"' arachnids,106 sid:190 classtype:misc-activity LogAs="SID191" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"60"' $Tail # '"BACKDOOR DeepThroat 3.1 Change Window Title Client Request"' arachnids,106 sid:191 classtype:misc-activity LogAs="SID192" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"26"' $Tail # '"BACKDOOR DeepThroat 3.1 Hide Window Client Request"' arachnids,106 sid:192 classtype:misc-activity LogAs="SID193" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"25"' $Tail # '"BACKDOOR DeepThroat 3.1 Show Window Client Request"' arachnids,106 sid:193 classtype:misc-activity LogAs="SID194" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"63"' $Tail # '"BACKDOOR DeepThroat 3.1 Send Text to Window Client Request"' arachnids,106 sid:194 classtype:misc-activity LogAs="SID196" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"30"' $Tail # '"BACKDOOR DeepThroat 3.1 Hide/Show Systray Client Request"' arachnids,106 sid:196 
classtype:misc-activity LogAs="SID197" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"39"' $Tail # '"BACKDOOR DeepThroat 3.1 Create Directory Client Request"' arachnids,106 sid:197 classtype:misc-activity LogAs="SID198" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"370"' $Tail # '"BACKDOOR DeepThroat 3.1 All Window List Client Request"' arachnids,106 sid:198 classtype:misc-activity LogAs="SID199" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"36"' $Tail # '"BACKDOOR DeepThroat 3.1 Play Sound Client Request"' arachnids,106 sid:199 classtype:misc-activity LogAs="SID200" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"14"' $Tail # '"BACKDOOR DeepThroat 3.1 Run Program Normal Client Request"' arachnids,106 sid:200 classtype:misc-activity LogAs="SID201" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"15"' $Tail # '"BACKDOOR DeepThroat 3.1 Run Program Hidden Client Request"' arachnids,106 sid:201 classtype:misc-activity LogAs="SID202" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"100"' $Tail # '"BACKDOOR DeepThroat 3.1 Get NET File Client Request"' arachnids,106 sid:202 classtype:misc-activity LogAs="SID203" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"117"' $Tail # '"BACKDOOR DeepThroat 3.1 Find File Client Request"' arachnids,106 sid:203 classtype:misc-activity LogAs="SID204" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"118"' $Tail # '"BACKDOOR DeepThroat 3.1 Find File Client Request"' arachnids,106 sid:204 classtype:misc-activity LogAs="SID205" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"199"' $Tail # '"BACKDOOR DeepThroat 3.1 HUP Modem Client Request"' arachnids,106 sid:205 classtype:misc-activity LogAs="SID206" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"02"' $Tail # '"BACKDOOR DeepThroat 3.1 CD ROM Open Client Request"' arachnids,106 sid:206 
classtype:misc-activity LogAs="SID207" $Ipt -A $Me -p udp --sport 60000 --dport 2140 -m string --string '"03"' $Tail # '"BACKDOOR DeepThroat 3.1 CD ROM Close Client Request"' arachnids,106 sid:207 classtype:misc-activity LogAs="SID252" $Ipt -A $Me -p udp --dport 53 -m string --string '" "' $Tail # '"DNS named iquery attempt"' arachnids,277 cve,CVE-1999-0009 bugtraq,134 url,www.rfc-editor.org/rfc/rfc1035.txt classtype:attempted-recon sid:252 LogAs="SID148" $Ipt -A $Me -p udp --sport 2140 --dport 60000 -m string --string '"KeyLogger Is Enabled On port"' $Tail # '"BACKDOOR DeepThroat 3.1 Keylogger Active on Network"' arachnids,106 sid:148 classtype:misc-activity LogAs="SID338" $Ipt -A $Me -p tcp --dport 21 -m string --string '"SITE EXEC %020d|%.f%.f|"' $Tail # '"FTP EXPLOIT format string"' nocase-ignored cve,CVE-2000-0573 bugtraq,1387 arachnids,453 classtype:attempted-user sid:338 LogAs="SID339" $Ipt -A $Me -p tcp --dport 21 -m string --string '" 1RR̀hsh"' $Tail # '"FTP EXPLOIT OpenBSD x86 ftpd"' cve,CVE-2001-0053 bugtraq,2124 arachnids,446 classtype:attempted-user sid:339 LogAs="SID340" $Ipt -A $Me -p tcp --dport 21 -m string --string '"PWD/i"' $Tail # '"FTP EXPLOIT overflow"' classtype:attempted-admin sid:340 LogAs="SID341" $Ipt -A $Me -p tcp --dport 21 -m string --string '"XXXXX/"' $Tail # '"FTP EXPLOIT overflow"' classtype:attempted-admin sid:341 LogAs="SID342" $Ipt -A $Me -p tcp --dport 21 -m string --string '"  "' $Tail # '"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8"' bugtraq,1387 cve,CAN-2000-0573 arachnids,451 classtype:attempted-user sid:342 LogAs="SID343" $Ipt -A $Me -p tcp --dport 21 -m string --string '"1PPP~̀11"' $Tail # '"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow FreeBSD"' arachnids,228 bugtraq,1387 cve,CAN-2000-0573 classtype:attempted-admin sid:343 LogAs="SID344" $Ipt -A $Me -p tcp --dport 21 -m string --string '"111ɰF̀11"' $Tail # '"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Linux"' 
bugtraq,1387 cve,CAN-2000-0573 arachnids,287 classtype:attempted-admin sid:344 LogAs="SID345" $Ipt -A $Me -p tcp --dport 21 -m string --string '"SITE "' --string '" EXEC "' --string '" %p"' $Tail # '"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow generic"' nocase-ignored nocase-ignored nocase-ignored bugtraq,1387 cve,CAN-2000-0573 arachnids,285 nessus,10452 classtype:attempted-admin sid:345 LogAs="SID346" $Ipt -A $Me -p tcp --dport 21 -m string --string '"f%.f%.f%.f%.f%."' $Tail # '"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string check"' arachnids,286 bugtraq,1387 cve,CAN-2000-0573 classtype:attempted-recon sid:346 LogAs="SID348" $Ipt -A $Me -p tcp --dport 21 -m string --string '"..11venglin@"' $Tail # '"FTP EXPLOIT wu-ftpd 2.6.0"' arachnids,440 bugtraq,1387 classtype:attempted-user sid:348 LogAs="SID349" $Ipt -A $Me -p tcp --dport 21 -m string --string '"MKD AAAAAA"' $Tail # '"FTP EXPLOIT MKD overflow"' bugtraq,113 cve,CVE-1999-0368 classtype:attempted-admin sid:349 LogAs="SID350" $Ipt -A $Me -p tcp --dport 21 -m string --string '"11۰̀1̀"' $Tail # '"FTP EXPLOIT x86 linux overflow"' bugtraq,113 cve,CVE-1999-0368 classtype:attempted-admin sid:350 LogAs="SID351" $Ipt -A $Me -p tcp --dport 21 -m string --string '"1ۉذ̀,"' $Tail # '"FTP EXPLOIT x86 linux overflow"' bugtraq,113 cve,CVE-1999-0368 classtype:attempted-admin sid:351 LogAs="SID352" $Ipt -A $Me -p tcp --dport 21 -m string --string '"^p("' $Tail # '"FTP EXPLOIT x86 linux overflow"' bugtraq, 113 cve, CVE-1999-0368 classtype:attempted-admin sid:352 LogAs="SID455" $Ipt -A $Me -p icmp -m ipv4options --rr --icmp-type 0 $Tail # '"ICMP Traceroute ipopts"' arachnids,238 sid:455 classtype:misc-activity LogAs="SID1620" $Ipt -A $Me --proto ip_proto:!1 --proto ip_proto:!2 --proto ip_proto:!6 --proto ip_proto:!47 --proto ip_proto:!50 --proto ip_proto:!51 --proto ip_proto:!89 $Tail # '"BAD TRAFFIC Non-Standard IP protocol"' classtype:non-standard-protocol sid:1620 LogAs="SID573" $Ipt -A $Me -p tcp --dport 
634:1400 -m string --string '",Lu["' $Tail # '"RPC AMD Overflow"' cve,CVE-1999-0704 arachnids,217 classtype:attempted-admin sid:573 LogAs="SID600" $Ipt -A $Me -p tcp -m string --string '"/binF/sh"' $Tail # '"RPC EXPLOIT statdx"' arachnids,442 classtype:attempted-admin sid:600 LogAs="SID1282" $Ipt -A $Me -p udp -m string --string '"/binF/sh"' $Tail # '"RPC EXPLOIT statdx"' arachnids,442 classtype:attempted-admin sid:1282 LogAs="SID1094" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/web_store.cgi?page=../.."' $Tail # '"WEB-CGI webstore directory traversal"' bugtraq,1774 cve,CVE-2000-1005 classtype:web-application-attack sid:1094 LogAs="SID293" $Ipt -A $Me -p tcp --dport 143 -m string --string '"/bin/sh"' $Tail # '"IMAP EXPLOIT overflow"' classtype:attempted-admin sid:293 LogAs="SID295" $Ipt -A $Me -p tcp --dport 143 -m string --string '"@̀/"' $Tail # '"IMAP EXPLOIT x86 linux overflow"' bugtraq,130 cve,CVE-1999-0005 classtype:attempted-admin sid:295 LogAs="SID296" $Ipt -A $Me -p tcp --dport 143 -m string --string '"4^^ 1҉V"' $Tail # '"IMAP EXPLOIT x86 linux overflow"' bugtraq,130 cve,CVE-1999-0005 classtype:attempted-admin sid:296 LogAs="SID297" $Ipt -A $Me -p tcp --dport 143 -m string --string '"5^F0F0F0"' $Tail # '"IMAP EXPLOIT x86 linux overflow"' bugtraq,130 cve,CVE-1999-0005 classtype:attempted-admin sid:297 LogAs="SID298" $Ipt -A $Me -p tcp --dport 143 -m string --string '"8^؀F F"' $Tail # '"IMAP EXPLOIT x86 linux overflow"' bugtraq,130 cve,CVE-1999-0005 classtype:attempted-admin sid:298 LogAs="SID299" $Ipt -A $Me -p tcp --dport 143 -m string --string '"X^1ۃ^&"' $Tail # '"IMAP EXPLOIT x86 linux overflow"' bugtraq,130 cve, CVE-1999-0005 classtype:attempted-admin sid:299 LogAs="SID617" $Ipt -A $Me -p tcp --dport 22 -m string --string '"\`"' $Tail # '"SCAN ssh-research-scanner"' classtype:attempted-recon sid:617 LogAs="SID592" $Ipt -A $Me -p udp --dport 32770: -m string --string '""' $Tail # '"RPC rstatd query"' arachnids,9 classtype:attempted-recon sid:592 
LogAs="SID1278" $Ipt -A $Me -p tcp --dport 32770: -m string --string '""' $Tail # '"RPC rstatd query"' arachnids,9 classtype:attempted-recon sid:1278 LogAs="SID1883" $Ipt -A $Me -p tcp --sport 80 -m string --string '"uid="' --string '"(nobody)"' $Tail # '"ATTACK-RESPONSES id check returned nobody"' classtype:bad-unknown sid:1883 LogAs="SID1884" $Ipt -A $Me -p tcp --sport 80 -m string --string '"uid="' --string '"(web)"' $Tail # '"ATTACK-RESPONSES id check returned web"' classtype:bad-unknown sid:1884 LogAs="SID1885" $Ipt -A $Me -p tcp --sport 80 -m string --string '"uid="' --string '"(http)"' $Tail # '"ATTACK-RESPONSES id check returned http"' classtype:bad-unknown sid:1885 LogAs="SID1886" $Ipt -A $Me -p tcp --sport 80 -m string --string '"uid="' --string '"(apache)"' $Tail # '"ATTACK-RESPONSES id check returned apache"' classtype:bad-unknown sid:1886 LogAs="SID2102" $Ipt -A $Me -p tcp --dport 139 -m string --string '""' --string '"SMB%"' --string '""' $Tail # '"NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt"' cve,CAN-2002-0724 url,www.microsoft.com/technet/security/bulletin/MS02-045.asp url,www.corest.com/common/showdoc.php?idx=262 classtype:denial-of-service sid:2102 LogAs="SID656" $Ipt -A $Me -p tcp --dport 25 -m string --string '"S [3ɱ+"' $Tail # '"SMTP EXPLOIT x86 windows CSMMail overflow"' bugtraq,895 cve,CVE-2000-0042 classtype:attempted-admin sid:656 LogAs="SID269" $Ipt -A $Me -p tcp -m u32 --u32 '"2&0xFFFF=3868"' -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@4=3868"' --tcp-flags ALL SYN $Tail # '"DOS Land attack"' cve,CVE-1999-0016 classtype:attempted-dos sid:269 LogAs="SID1138" $Ipt -A $Me -p tcp --dport 80 -m string --string '" /%%"' $Tail # '"WEB-MISC Cisco Web DOS attempt"' arachnids,275 classtype:attempted-dos sid:1138 LogAs="SID666" $Ipt -A $Me -p tcp --dport 25 -m string --string '"rcpt to: | sed '1,/^$/d'|"' $Tail # '"SMTP sendmail 8.4.1 exploit"' nocase-ignored arachnids,120 classtype:attempted-user sid:666 LogAs="SID720" $Ipt -A $Me -p 
tcp --sport 110 -m string --string '"Suddlently"' $Tail # '"Virus - SnowWhite Trojan Incoming"' sid:720 classtype:misc-activity LogAs="SID722" $Ipt -A $Me -p tcp --sport 110 -m string --string '"NAVIDAD.EXE"' $Tail # '"Virus - Possible NAVIDAD Worm"' nocase-ignored sid:722 classtype:misc-activity LogAs="SID723" $Ipt -A $Me -p tcp --sport 110 -m string --string '"myromeo.exe"' $Tail # '"Virus - Possible MyRomeo Worm"' nocase-ignored sid:723 classtype:misc-activity LogAs="SID724" $Ipt -A $Me -p tcp --sport 110 -m string --string '"myjuliet.chm"' $Tail # '"Virus - Possible MyRomeo Worm"' nocase-ignored sid:724 classtype:misc-activity LogAs="SID725" $Ipt -A $Me -p tcp --sport 110 -m string --string '"ble bla"' $Tail # '"Virus - Possible MyRomeo Worm"' nocase-ignored sid:725 classtype:misc-activity LogAs="SID726" $Ipt -A $Me -p tcp --sport 110 -m string --string '"I Love You"' $Tail # '"Virus - Possible MyRomeo Worm"' sid:726 classtype:misc-activity LogAs="SID727" $Ipt -A $Me -p tcp --sport 110 -m string --string '"Sorry... 
Hey you !"' $Tail # '"Virus - Possible MyRomeo Worm"' sid:727 classtype:misc-activity LogAs="SID728" $Ipt -A $Me -p tcp --sport 110 -m string --string '"my picture from shake-beer"' $Tail # '"Virus - Possible MyRomeo Worm"' sid:728 classtype:misc-activity LogAs="SID731" $Ipt -A $Me -p tcp --sport 110 -m string --string '"qazwsx.hsq"' $Tail # '"Virus - Possible QAZ Worm"' MCAFEE,98775 sid:731 classtype:misc-activity LogAs="SID733" $Ipt -A $Me -p tcp --dport 25 -m string --string '"nongmin_cn"' $Tail # '"Virus - Possible QAZ Worm Calling Home"' MCAFEE,98775 sid:733 classtype:misc-activity LogAs="SID734" $Ipt -A $Me -p tcp --sport 110 -m string --string '"Software provide by [MATRiX]"' $Tail # '"Virus - Possible Matrix worm"' nocase-ignored sid:734 classtype:misc-activity LogAs="SID735" $Ipt -A $Me -p tcp --sport 110 -m string --string '"Matrix has you..."' $Tail # '"Virus - Possible MyRomeo Worm"' sid:735 classtype:misc-activity LogAs="SID736" $Ipt -A $Me -p tcp --dport 25 --tcp-flags ALL ACK,PSH -m string --string '"funguscrack@hotmail.com"' $Tail # '"Virus - Successful eurocalculator execution"' nocase-ignored sid:736 classtype:misc-activity LogAs="SID737" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="' --string '"eurocalculator.exe"' $Tail # '"Virus - Possible eurocalculator.exe file"' nocase-ignored sid:737 classtype:misc-activity LogAs="SID738" $Ipt -A $Me -p tcp --dport 110 --tcp-flags ALL ACK,PSH -m string --string '"Pikachu Pokemon"' $Tail # '"Virus - Possible Pikachu Pokemon Virus"' MCAFEE,98696 sid:738 classtype:misc-activity LogAs="SID739" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'666TEST.VBS"" $Tail # '"Virus - Possible Triplesix Worm"' nocase-ignored MCAFEE,10389 sid:739 classtype:misc-activity LogAs="SID740" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'tune.vbs"" $Tail # '"Virus - Possible Tune.vbs"' nocase-ignored MCAFEE,10497 sid:740 classtype:misc-activity LogAs="SID741" $Ipt -A $Me -p tcp 
--sport 110 -m string --string '"Market share tipoff"' $Tail # '"Virus - Possible NAIL Worm"' MCAFEE,10109 sid:741 classtype:misc-activity LogAs="SID742" $Ipt -A $Me -p tcp --sport 110 -m string --string '"name =\"WWIII"' $Tail # '"Virus - Possible NAIL Worm"' MCAFEE,10109 sid:742 classtype:misc-activity LogAs="SID743" $Ipt -A $Me -p tcp --sport 110 -m string --string '"New Developments"' $Tail # '"Virus - Possible NAIL Worm"' MCAFEE,10109 sid:743 classtype:misc-activity LogAs="SID744" $Ipt -A $Me -p tcp --sport 110 -m string --string '"Good Times"' $Tail # '"Virus - Possible NAIL Worm"' MCAFEE,10109 sid:744 classtype:misc-activity LogAs="SID745" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'XPASS.XLS"" $Tail # '"Virus - Possible Papa Worm"' nocase-ignored MCAFEE,10145 sid:745 classtype:misc-activity LogAs="SID746" $Ipt -A $Me -p tcp --sport 110 -m string --string '"LINKS.VBS"' $Tail # '"Virus - Possible Freelink Worm"' MCAFEE,10225 sid:746 classtype:misc-activity LogAs="SID747" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'SETUP.EXE"" $Tail # '"Virus - Possible Simbiosis Worm"' nocase-ignored sid:747 classtype:misc-activity LogAs="SID748" $Ipt -A $Me -p tcp --sport 110 -m string --string '"name =\"BADASS.EXE\""' $Tail # '"Virus - Possible BADASS Worm"' MCAFEE,10388 sid:748 classtype:misc-activity LogAs="SID749" $Ipt -A $Me -p tcp --sport 110 -m string --string '"name =\"File_zippati.exe\""' $Tail # '"Virus - Possible ExploreZip.B Worm"' MCAFEE,10471 sid:749 classtype:misc-activity LogAs="SID751" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'KAK.HTA"" $Tail # '"Virus - Possible wscript.KakWorm"' nocase-ignored MCAFEE,10509 sid:751 classtype:misc-activity LogAs="SID752" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'Suppl.doc"" $Tail # '"Virus Possible Suppl Worm"' nocase-ignored MCAFEE,10361 sid:752 classtype:misc-activity LogAs="SID753" $Ipt -A $Me -p tcp --sport 110 -m string --string 
'"filename="'THEOBBQ.EXE"" $Tail # '"Virus - Possible NewApt.Worm - theobbq.exe"' nocase-ignored MCAFEE,10540 sid:753 classtype:misc-activity LogAs="SID754" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'MONEY.DOC"" $Tail # '"Virus - Possible Word Macro - VALE"' nocase-ignored MCAFEE,10502 sid:754 classtype:misc-activity LogAs="SID755" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'irok.exe"" $Tail # '"Virus - Possible IROK Worm"' nocase-ignored MCAFEE,98552 sid:755 classtype:misc-activity LogAs="SID756" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'Fix2001.exe"" $Tail # '"Virus - Possible Fix2001 Worm"' nocase-ignored MCAFEE,10355 sid:756 classtype:misc-activity LogAs="SID757" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'Y2K.EXE"" $Tail # '"Virus - Possible Y2K Zelu Trojan"' nocase-ignored MCAFEE,10505 sid:757 classtype:misc-activity LogAs="SID758" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'THE_FLY.CHM"" $Tail # '"Virus - Possible The_Fly Trojan"' nocase-ignored MCAFEE,10478 sid:758 classtype:misc-activity LogAs="SID759" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'DINHEIRO.DOC"" $Tail # '"Virus - Possible Word Macro - VALE"' nocase-ignored MCAFEE,10502 sid:759 classtype:misc-activity LogAs="SID760" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'ICQ_GREETINGS.EXE"" $Tail # '"Virus - Possible Passion Worm"' nocase-ignored MCAFEE,10467 sid:760 classtype:misc-activity LogAs="SID761" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'COOLER3.EXE"" $Tail # '"Virus - Possible NewApt.Worm - cooler3.exe"' nocase-ignored MCAFEE,10540 sid:761 classtype:misc-activity LogAs="SID762" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'PARTY.EXE"" $Tail # '"Virus - Possible NewApt.Worm - party.exe"' nocase-ignored MCAFEE,10540 sid:762 classtype:misc-activity LogAs="SID763" $Ipt -A $Me -p tcp --sport 110 -m string --string 
'"filename="'HOG.EXE"" $Tail # '"Virus - Possible NewApt.Worm - hog.exe"' nocase-ignored MCAFEE,10540 sid:763 classtype:misc-activity LogAs="SID764" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'GOAL1.EXE"" $Tail # '"Virus - Possible NewApt.Worm - goal1.exe"' nocase-ignored MCAFEE,10540 sid:764 classtype:misc-activity LogAs="SID765" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'PIRATE.EXE"" $Tail # '"Virus - Possible NewApt.Worm - pirate.exe"' nocase-ignored MCAFEE,10540 sid:765 classtype:misc-activity LogAs="SID766" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'VIDEO.EXE"" $Tail # '"Virus - Possible NewApt.Worm - video.exe"' nocase-ignored MCAFEE,10540 sid:766 classtype:misc-activity LogAs="SID767" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'BABY.EXE"" $Tail # '"Virus - Possible NewApt.Worm - baby.exe"' nocase-ignored MCAFEE,10540 sid:767 classtype:misc-activity LogAs="SID768" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'COOLER1.EXE"" $Tail # '"Virus - Possible NewApt.Worm - cooler1.exe"' nocase-ignored MCAFEE,10540 sid:768 classtype:misc-activity LogAs="SID769" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'BOSS.EXE"" $Tail # '"Virus - Possible NewApt.Worm - boss.exe"' nocase-ignored MCAFEE,10540 sid:769 classtype:misc-activity LogAs="SID770" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'G-ZILLA.EXE"" $Tail # '"Virus - Possible NewApt.Worm - g-zilla.exe"' nocase-ignored MCAFEE,10540 sid:770 classtype:misc-activity LogAs="SID771" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'Toadie.exe"" $Tail # '"Virus - Possible ToadieE-mail Trojan"' nocase-ignored MCAFEE,10540 sid:771 classtype:misc-activity LogAs="SID773" $Ipt -A $Me -p tcp --sport 110 -m string --string '"X-Spanska:Yes"' $Tail # '"Virus - Possible Happy99 Virus"' MCAFEE,10144 sid:773 classtype:misc-activity LogAs="SID774" $Ipt -A $Me -p tcp --sport 110 -m string --string 
'"name =\"links.vbs\""' $Tail # '"Virus - Possible CheckThis Trojan"' sid:774 classtype:misc-activity LogAs="SID775" $Ipt -A $Me -p tcp --sport 110 -m string --string '"BubbleBoy is back!"' $Tail # '"Virus - Possible Bubbleboy Worm"' MCAFEE,10418 sid:775 classtype:misc-activity LogAs="SID776" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'COPIER.EXE"" $Tail # '"Virus - Possible NewApt.Worm - copier.exe"' nocase-ignored MCAFEE,10540 sid:776 classtype:misc-activity LogAs="SID777" $Ipt -A $Me -p tcp --sport 110 -m string --string '"name =\"pics4you.exe\""' $Tail # '"Virus - Possible MyPics Worm"' MCAFEE,10467 sid:777 classtype:misc-activity LogAs="SID778" $Ipt -A $Me -p tcp --sport 110 -m string --string '"name =\"X-MAS.EXE\""' $Tail # '"Virus - Possible Babylonia - X-MAS.exe"' MCAFEE,10461 sid:778 classtype:misc-activity LogAs="SID779" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'GADGET.EXE"" $Tail # '"Virus - Possible NewApt.Worm - gadget.exe"' nocase-ignored MCAFEE,10540 sid:779 classtype:misc-activity LogAs="SID780" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'IRNGLANT.EXE"" $Tail # '"Virus - Possible NewApt.Worm - irnglant.exe"' nocase-ignored MCAFEE,10540 sid:780 classtype:misc-activity LogAs="SID781" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'CASPER.EXE"" $Tail # '"Virus - Possible NewApt.Worm - casper.exe"' nocase-ignored MCAFEE,10540 sid:781 classtype:misc-activity LogAs="SID782" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'FBORFW.EXE"" $Tail # '"Virus - Possible NewApt.Worm - fborfw.exe"' nocase-ignored MCAFEE,10540 sid:782 classtype:misc-activity LogAs="SID783" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'SADDAM.EXE"" $Tail # '"Virus - Possible NewApt.Worm - saddam.exe"' nocase-ignored MCAFEE,10540 sid:783 classtype:misc-activity LogAs="SID784" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'BBOY.EXE"" $Tail # '"Virus - Possible 
NewApt.Worm - bboy.exe"' nocase-ignored MCAFEE,10540 sid:784 classtype:misc-activity LogAs="SID785" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'MONICA.EXE"" $Tail # '"Virus - Possible NewApt.Worm - monica.exe"' nocase-ignored MCAFEE,10540 sid:785 classtype:misc-activity LogAs="SID786" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'GOAL.EXE"" $Tail # '"Virus - Possible NewApt.Worm - goal.exe"' nocase-ignored MCAFEE,10540 sid:786 classtype:misc-activity LogAs="SID787" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'PANTHER.EXE"" $Tail # '"Virus - Possible NewApt.Worm - panther.exe"' nocase-ignored MCAFEE,10540 sid:787 classtype:misc-activity LogAs="SID788" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'CHESTBURST.EXE"" $Tail # '"Virus - Possible NewApt.Worm - chestburst.exe"' nocase-ignored MCAFEE,10540 sid:788 classtype:misc-activity LogAs="SID790" $Ipt -A $Me -p tcp --sport 110 -m string --string '"name =\"THE_FLY.CHM\""' $Tail # '"Virus - Possible Common Sense Worm"' sid:790 classtype:misc-activity LogAs="SID791" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'CUPID2.EXE"" $Tail # '"Virus - Possible NewApt.Worm - cupid2.exe"' nocase-ignored MCAFEE,10540 sid:791 classtype:misc-activity LogAs="SID792" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'RESUME1.DOC"" $Tail # '"Virus - Possible Resume Worm"' nocase-ignored MCAFEE,98661 sid:792 classtype:misc-activity LogAs="SID794" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'Explorer.doc"" $Tail # '"Virus - Possible Resume Worm"' nocase-ignored MCAFEE,98661 sid:794 classtype:misc-activity LogAs="SID795" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="' --string '".txt.vbs"' $Tail # '"Virus - Possible Worm - txt.vbs file"' nocase-ignored sid:795 classtype:misc-activity LogAs="SID796" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="' --string '".xls.vbs"' $Tail # '"Virus - Possible 
Worm - xls.vbs file"' nocase-ignored sid:796 classtype:misc-activity LogAs="SID797" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="' --string '".jpg.vbs"' $Tail # '"Virus - Possible Worm - jpg.vbs file"' nocase-ignored sid:797 classtype:misc-activity LogAs="SID798" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="' --string '".gif.vbs"' $Tail # '"Virus - Possible Worm - gif.vbs file"' nocase-ignored sid:798 classtype:misc-activity LogAs="SID799" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'TIMOFONICA.TXT.vbs"" $Tail # '"Virus - Possible Timofonica Worm"' nocase-ignored MCAFEE,98674 sid:799 classtype:misc-activity LogAs="SID800" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'NORMAL.DOT"" $Tail # '"Virus - Possible Resume Worm"' nocase-ignored MCAFEE,98661 sid:800 classtype:misc-activity LogAs="SID801" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="' --string '".doc.vbs"' $Tail # '"Virus - Possible Worm - doc.vbs file"' nocase-ignored sid:801 classtype:misc-activity LogAs="SID789" $Ipt -A $Me -p tcp --sport 110 -m string --string '"filename="'FARTER.EXE"" $Tail # '"Virus - Possible NewApt.Worm - farter.exe"' nocase-ignored MCAFEE,1054 sid:789 classtype:misc-activity ;; destroy) echo "Stopping $Me" >&2 DestroyChain $Me ;; renamechain) TempChain="$Me-$RANDOM" echo "Replacing existing rules in $Me with new rules" >&2 $IptablesBin -E $Me $TempChain ;; replacelinks) if [ -z "$TempChain" ]; then echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2 elif ! $IptablesBin -L $Me -n >/dev/null 2>&1 ; then echo "No $Me chain in $Me, replace operation incomplete." >&2 elif ! $IptablesBin -L $TempChain -n >/dev/null 2>&1 ; then echo "No $TempChain chain in $Me, replace operation incomplete." 
>&2 elif [ "`$IptablesBin -L INPUT -n --line-numbers | grep $TempChain | wc -l`" -ne 1 ]; then echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2 elif [ "`$IptablesBin -L FORWARD -n --line-numbers | grep $TempChain | wc -l`" -ne 1 ]; then echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2 elif [ "`$IptablesBin -L OUTPUT -n --line-numbers | grep $TempChain | wc -l`" -ne 1 ]; then echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2 else #ZZZZ Place the same criteria you used in link/unlink above in the following three lines. #ZZZZ Criteria should go just in front of "-j $Me" $IptablesBin -R INPUT `$IptablesBin -L INPUT -n --line-numbers | grep $TempChain | awk '{print $1}'` -i \! lo -j $Me $IptablesBin -R FORWARD `$IptablesBin -L FORWARD -n --line-numbers | grep $TempChain | awk '{print $1}'` -j $Me $IptablesBin -R OUTPUT `$IptablesBin -L OUTPUT -n --line-numbers | grep $TempChain | awk '{print $1}'` -j $Me DestroyChain $TempChain unset TempChain fi ;; status) if $IptablesBin -L $Me -n >/dev/null 2>&1 ; then echo "$Me created" >&2 else echo "$Me destroyed" >&2 fi ;; version) echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2 ;; help) DefaultHelp #ZZZZ Please change the text to appropriate help text for this module. You should #ZZZZ cover what the module does, if it's generally safe to use, and under what #ZZZZ conditions it should not be used. Please replace the lines between the two #ZZZZ EOTEXT lines with your own. cat <&2 The $Me module puts in some blocks for fragmented icmp packets (illegal) and address mask and timestamp requests and replies. At best, these are uncommon and are used in network mapping. These rules should be safe to use on any network. EOTEXT ;; *) echo "Unknown action $Action in $Me, no action taken." >&2 ;; esac done