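#!/bin/bash
#Copyright 2003 William Stearns
#Released under the GPL.
#
# firebricks module "snort-dns"
#
# Builds an iptables chain named $Me out of payload string matches that were
# derived from Snort's dns.rules (the originating Snort sid and references are
# kept beside each rule) and hooks the chain into INPUT (non-loopback only),
# FORWARD and OUTPUT.  The script is driven by the firebricks framework: every
# word in $Tasks selects one arm of the case statement below.  The helpers
# FlushOrNewChain, DestroyChain and DefaultHelp, and the variables $IptablesBin,
# $AppIn, $Ipt, $Tail and $FBLibVer, are provided by firebrickslib, which is
# sourced further down.  $Ipt, $Tail and $AppIn are deliberately left unquoted
# throughout: they may expand to several words.
#
# Caveats a deployer should know before trusting these rules:
#  - "-m string" is a plain substring match against the payload of a single
#    packet.  It does no TCP stream or IP fragment reassembly, so a pattern that
#    straddles two segments/fragments is never seen.  Treat these as cheap
#    tripwires, not as a replacement for an IDS working on reassembled traffic.
#  - Several rules pass more than one --string.  Whether multiple --string
#    options are ANDed, or only the last one takes effect, depends on the
#    string-match version in use -- check "iptables -L $Me -n" after loading.
#    If only "bind" survives, the version/authors rules are much looser than
#    intended.  Snort's "nocase" has no equivalent here (see the nocase-ignored
#    markers), so a mixed-case probe such as "VERSION.BIND" is not matched.
#  - The zone-transfer rules (sid 255 / 1948) also match legitimate AXFR
#    between your own primaries and secondaries; make sure the action $Tail
#    applies is acceptable for that before enabling this on a name server.
#  - Several patterns are raw shellcode/DNS header bytes.  NOTE(review): in this
#    copy of the file they look mis-encoded (high bytes rendered as Latin-1
#    glyphs, some control bytes possibly turned into spaces).  Re-derive them
#    from the cited Snort sids as hex and compare with "iptables -L $Me -n"
#    before relying on them; they are left byte-for-byte as found here.
#ZZZZ Check Me and MyVersion
Me='snort-dns'
MyVersion='20031125'
#DefaultActions=''

# Site-wide config first, then this module's own config, then the shared library.
[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r /etc/firebricks/$Me.conf ] && . /etc/firebricks/$Me.conf
[ -r "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib" ] && . "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"

# Nothing below works without the library; bail out rather than run partial
# iptables commands with empty $IptablesBin/$Ipt.
if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi

for OneTask in $Tasks ; do
  case "$OneTask" in
    link)
      # Create the chain (ignore "already exists") and jump to it from the
      # three built-in chains.  Loopback is skipped on INPUT only.
      $IptablesBin -N "$Me" >/dev/null 2>&1
      #ZZZZ try to restrict the following three to only send down what the chain needs to inspect.
      $IptablesBin $AppIn INPUT -i \! lo -j "$Me"
      $IptablesBin $AppIn FORWARD -j "$Me"
      $IptablesBin $AppIn OUTPUT -j "$Me"
      ;;
    unlink)
      # Must mirror the criteria used in link) exactly, or -D will not find the
      # rule.  Note "$AppIn" becomes "-D" here.
      #ZZZZ Make the same changes as above (such as "-p tcp"), but if you cut and paste, note "$AppIn" is now "-D"
      $IptablesBin -D INPUT -i \! lo -j "$Me"
      $IptablesBin -D FORWARD -j "$Me"
      $IptablesBin -D OUTPUT -j "$Me"
      $IptablesBin -X "$Me" >/dev/null 2>&1
      ;;
    create)
      echo "Starting $Me" >&2
      FlushOrNewChain "$Me"

      # --- recon: zone transfers and BIND identification probes -------------
      # "DNS zone transfer TCP"  cve,CAN-1999-0532 arachnids,212 classtype:attempted-recon sid:255
      LogAs="SID255" $Ipt -A "$Me" -p tcp --dport 53 -m string --string '"ü"' $Tail
      # "DNS zone transfer UDP"  cve,CAN-1999-0532 arachnids,212 classtype:attempted-recon sid:1948
      LogAs="SID1948" $Ipt -A "$Me" -p udp --dport 53 -m string --string '"ü"' $Tail
      # "DNS named authors attempt"  nocase-ignored nocase-ignored nessus,10728 arachnids,480 classtype:attempted-recon sid:1435
      LogAs="SID1435" $Ipt -A "$Me" -p tcp --dport 53 -m string --string '"authors"' --string '"bind"' $Tail
      # "DNS named authors attempt"  nocase-ignored nocase-ignored nessus,10728 arachnids,480 classtype:attempted-recon sid:256
      LogAs="SID256" $Ipt -A "$Me" -p udp --dport 53 -m string --string '"authors"' --string '"bind"' $Tail
      # "DNS named version attempt"  nocase-ignored nocase-ignored nocase-ignored nessus,10028 arachnids,278 classtype:attempted-recon sid:257
      LogAs="SID257" $Ipt -A "$Me" -p tcp --dport 53 -m string --string '"version"' --string '"bind"' $Tail
      # "DNS named version attempt"  nocase-ignored nocase-ignored nessus,10028 arachnids,278 classtype:attempted-recon sid:1616
      LogAs="SID1616" $Ipt -A "$Me" -p udp --dport 53 -m string --string '"version"' --string '"bind"' $Tail

      # --- spoofed responses (source port 53, i.e. replies coming back) -------
      # "DNS SPOOF query response PTR with TTL of 1 min. and no authority"  classtype:bad-unknown sid:253
      LogAs="SID253" $Ipt -A "$Me" -p udp --sport 53 -m string --string '"…€"' --string '"À <"' $Tail
      # "DNS SPOOF query response with TTL of 1 min. and no authority"  classtype:bad-unknown sid:254
      LogAs="SID254" $Ipt -A "$Me" -p udp --sport 53 -m string --string '"€"' --string '"À <"' $Tail

      # --- named exploit / overflow signatures --------------------------------
      # "DNS EXPLOIT named 8.2->8.2.1"  cve,CVE-1999-0833 bugtraq,788 classtype:attempted-admin sid:258
      LogAs="SID258" $Ipt -A "$Me" -p tcp --dport 53 -m string --string '"../../../"' $Tail
      # "DNS EXPLOIT named tsig overflow attempt"  cve,CVE-2001-0010 bugtraq,2302 arachnids,482 classtype:attempted-admin sid:303
      LogAs="SID303" $Ipt -A "$Me" -p tcp --dport 53 -m string --string '"«Í € a"' $Tail
      # "DNS EXPLOIT named tsig overflow attempt"  classtype:attempted-admin sid:314 cve,CVE-2001-0010 bugtraq,2303
      LogAs="SID314" $Ipt -A "$Me" -p udp --dport 53 -m string --string '"€?"' $Tail
      # "DNS EXPLOIT named overflow (ADM)"  cve,CVE-1999-0833 bugtraq,788 classtype:attempted-admin sid:259
      LogAs="SID259" $Ipt -A "$Me" -p tcp --dport 53 -m string --string '"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"' $Tail
      # "DNS EXPLOIT named overflow (ADMROCKS)"  cve,CVE-1999-0833 url,www.cert.org/advisories/CA-1999-14.html bugtraq,788 classtype:attempted-admin sid:260
      LogAs="SID260" $Ipt -A "$Me" -p tcp --dport 53 -m string --string '"ADMROCKS"' $Tail
      # "DNS EXPLOIT named overflow attempt"  url,www.cert.org/advisories/CA-1998-05.html classtype:attempted-admin sid:261
      LogAs="SID261" $Ipt -A "$Me" -p tcp --dport 53 -m string --string '"Í€è×ÿÿÿ/bin/sh"' $Tail
      # "DNS EXPLOIT x86 Linux overflow attempt"  classtype:attempted-admin sid:262
      LogAs="SID262" $Ipt -A "$Me" -p tcp --dport 53 -m string --string '"1À°?1Û³ÿ1ÉÍ€1À"' $Tail
      # "DNS EXPLOIT x86 Linux overflow attempt"  classtype:attempted-admin sid:264
      LogAs="SID264" $Ipt -A "$Me" -p tcp --dport 53 -m string --string '"1À°Í€…ÀuLëL^°"' $Tail
      # "DNS EXPLOIT x86 Linux overflow attempt (ADMv2)"  classtype:attempted-admin sid:265
      LogAs="SID265" $Ipt -A "$Me" -p tcp --dport 53 -m string --string '"‰÷)ljó‰ù‰ò¬<þ"' $Tail
      # "DNS EXPLOIT x86 FreeBSD overflow attempt"  classtype:attempted-admin sid:266
      LogAs="SID266" $Ipt -A "$Me" -p tcp --dport 53 -m string --string '"ën^Æš1ɉNÆF"' $Tail
      # "DNS EXPLOIT sparc overflow attempt"  classtype:attempted-admin sid:267
      LogAs="SID267" $Ipt -A "$Me" -p tcp --dport 53 -m string --string '"À ’ Ð#¿ø"' $Tail
      ;;
    destroy)
      echo "Stopping $Me" >&2
      DestroyChain "$Me"
      ;;
    renamechain)
      # First half of an atomic-ish replace: park the live rules under a
      # temporary name so create) can build a fresh $Me beside them.
      TempChain="$Me-$RANDOM"
      echo "Replacing existing rules in $Me with new rules" >&2
      $IptablesBin -E "$Me" "$TempChain"
      ;;
    replacelinks)
      # Second half of the replace: repoint the three jump rules from the
      # temporary chain to the rebuilt $Me, then drop the temporary chain.
      # Every precondition is checked first so a half-done state is reported
      # rather than silently produced.
      if [ -z "$TempChain" ]; then
        echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
      elif ! $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
        echo "No $Me chain in $Me, replace operation incomplete." >&2
      elif ! $IptablesBin -L "$TempChain" -n >/dev/null 2>&1 ; then
        echo "No $TempChain chain in $Me, replace operation incomplete." >&2
      elif [ "$($IptablesBin -L INPUT -n --line-numbers | grep -c -- "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$($IptablesBin -L FORWARD -n --line-numbers | grep -c -- "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$($IptablesBin -L OUTPUT -n --line-numbers | grep -c -- "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
      else
        #ZZZZ Place the same criteria you used in link/unlink above in the following three lines.
        #ZZZZ Criteria should go just in front of "-j $Me"
        $IptablesBin -R INPUT "$($IptablesBin -L INPUT -n --line-numbers | grep -- "$TempChain" | awk '{print $1}')" -i \! lo -j "$Me"
        $IptablesBin -R FORWARD "$($IptablesBin -L FORWARD -n --line-numbers | grep -- "$TempChain" | awk '{print $1}')" -j "$Me"
        $IptablesBin -R OUTPUT "$($IptablesBin -L OUTPUT -n --line-numbers | grep -- "$TempChain" | awk '{print $1}')" -j "$Me"
        DestroyChain "$TempChain"
        unset TempChain
      fi
      ;;
    status)
      if $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
        echo "$Me created" >&2
      else
        echo "$Me destroyed" >&2
      fi
      ;;
    version)
      echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
      ;;
    help)
      DefaultHelp
      # The here-document below was previously broken ("cat <&2" with no
      # delimiter) and its text described a different module (ICMP blocks);
      # both are fixed here.  Keep the description in step with the rules in
      # create).
      cat <<EOTEXT >&2
The $Me module adds iptables string-match rules, derived from Snort's
dns.rules, for traffic to and from port 53: DNS zone transfer requests,
BIND "version"/"authors" probes, spoofed responses, and a set of known
named overflow/exploit signatures.  What happens on a match is whatever
\$Tail is set to in this firebricks installation.
These are per-packet substring matches: expect some false positives on
legitimate DNS payloads (including your own zone transfers), and do not
rely on them to catch attacks spread across fragments or TCP segments.
Review the loaded rules with "iptables -L $Me -n" after starting the module.
EOTEXT
      ;;
    *)
      # $OneTask is what was dispatched on; report it rather than an unrelated
      # variable.
      echo "Unknown action $OneTask in $Me, no action taken." >&2
      ;;
  esac
done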