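#!/bin/bash
#Copyright 2003 William Stearns
#Released under the GPL.
#
# firebricks module "snort-dos".
#
# Maintains one iptables chain, named $Me, whose rules were translated from
# Snort denial-of-service signatures (the trailing comment on each rule is
# the Snort message, references and SID it came from), and links that chain
# into INPUT, FORWARD and OUTPUT.
#
# Driven by $Tasks, a whitespace-separated list of actions:
#   link unlink create destroy renamechain replacelinks status version help
#
# $Tasks, $IptablesBin, $Ipt, $AppIn, $Tail and the helpers FlushOrNewChain,
# DestroyChain and DefaultHelp are not defined in this file; they are expected
# to be provided by the conf files and firebrickslib sourced below.

#ZZZZ Check Me and MyVersion
Me='snort-dos'
MyVersion='20031125'
#DefaultActions=''

[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] && . "/etc/firebricks/$Me.conf"
fblib="${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"
[ -r "$fblib" ] && . "$fblib"

# firebrickslib is required: it supplies every helper used below.
if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi

#######################################
# Print the rule numbers of the rules in builtin chain $1 whose target is
# exactly chain $2.  The match is on the target column, so a chain whose
# name merely starts with $2 (e.g. a leftover "$Me-NNN" temporary chain)
# is not counted, unlike a plain grep of the listing.
# Arguments: $1 - builtin chain (INPUT/FORWARD/OUTPUT), $2 - target chain
# Outputs:   one rule number per line on stdout
#######################################
chain_refs() {
  $IptablesBin -L "$1" -n --line-numbers | awk -v target="$2" '$2 == target { print $1 }'
}

# $Tasks is deliberately unquoted: it is a word list, one action per word.
for OneTask in $Tasks ; do
  case "$OneTask" in
  link)
    # Errors are hidden here because the chain may already exist.
    $IptablesBin -N "$Me" >/dev/null 2>&1
    #ZZZZ try to restrict the following three to only send down what the chain needs to inspect.
    # Loopback traffic is never sent through the chain; FORWARD and OUTPUT get everything.
    $IptablesBin $AppIn INPUT -i \! lo -j "$Me"
    $IptablesBin $AppIn FORWARD -j "$Me"
    $IptablesBin $AppIn OUTPUT -j "$Me"
    ;;
  unlink)
    #ZZZZ Make the same changes as above (such as "-p tcp"), but if you cut and paste, note "$AppIn" is now "-D"
    $IptablesBin -D INPUT -i \! lo -j "$Me"
    $IptablesBin -D FORWARD -j "$Me"
    $IptablesBin -D OUTPUT -j "$Me"
    $IptablesBin -X "$Me" >/dev/null 2>&1
    ;;
  create)
    echo "Starting $Me" >&2
    FlushOrNewChain "$Me"
    # One rule per Snort SID.  LogAs is set per rule so the log prefix names
    # the SID that fired.  $Ipt and $Tail stay unquoted on purpose: they are
    # multi-word values from firebrickslib, and $Tail decides what happens on
    # a match.
    LogAs="SID270" $Ipt -A "$Me" -p udp -m u32 --u32 '"2&0xFFFF=242"' -m u32 --u32 '"3&0xE0=0x20"' $Tail # '"DOS Teardrop attack"' cve,CAN-1999-0015 url,www.cert.org/advisories/CA-1997-28.html bugtraq,124 classtype:attempted-dos sid:270
    # SID271 is installed in both directions (echo<->chargen).
    LogAs="SID271" $Ipt -A "$Me" -p udp --sport 19 --dport 7 $Tail # '"DOS UDP echo+chargen bomb"' cve,CAN-1999-0635 cve,CVE-1999-0103 classtype:attempted-dos sid:271
    LogAs="SID271" $Ipt -A "$Me" -p udp --dport 19 --sport 7 $Tail # '"DOS UDP echo+chargen bomb"' cve,CAN-1999-0635 cve,CVE-1999-0103 classtype:attempted-dos sid:271
    # NOTE(review): the two IGMP rules below carry "--proto ip_proto: 2" /
    # "--proto ip_proto:2" and an empty -m string match, which look like a
    # mechanical translation of the Snort "ip_proto:2" option rather than
    # valid iptables syntax (IGMP would normally be selected with "-p igmp").
    # Left as-is; confirm against the running iptables before relying on them.
    LogAs="SID272" $Ipt -A "$Me" -m string --string '""' --proto ip_proto: 2 -m u32 --u32 '"3&0x20=0x20"' $Tail # '"DOS IGMP dos attack"' cve,CVE-1999-0918 classtype:attempted-dos sid:272
    LogAs="SID273" $Ipt -A "$Me" -m string --string '""' --proto ip_proto:2 -m u32 --u32 '"3&0x20=0x20"' $Tail # '"DOS IGMP dos attack"' cve,CVE-1999-0918 classtype:attempted-dos sid:273
    LogAs="SID274" $Ipt -A "$Me" -p icmp -m string --string '"+++ath"' --icmp-type 8 $Tail # '"DOS ath"' nocase-ignored cve,CAN-1999-1228 arachnids,264 classtype:attempted-dos sid:274
    # SID275 used to be appended twice with identical options; one copy is enough.
    LogAs="SID275" $Ipt -A "$Me" -p tcp --tcp-flags ALL SYN -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@4=6060842"' -m u32 --u32 '"2&0xFFFF=413"' $Tail # '"DOS NAPTHA"' cve,CAN-2000-1039 url,www.microsoft.com/technet/security/bulletin/MS00-091.asp url,www.cert.org/advisories/CA-2000-21.html url,razor.bindview.com/publish/advisories/adv_NAPTHA.html bugtraq,2022 classtype:attempted-dos sid:275
    LogAs="SID276" $Ipt -A "$Me" -p tcp --dport 7070 -m string --string '"ÿôÿý"' $Tail # '"DOS Real Audio Server"' bugtraq,1288 cve,CVE-2000-0474 arachnids,411 classtype:attempted-dos sid:276
    LogAs="SID277" $Ipt -A "$Me" -p tcp --dport 7070 -m string --string '"/viewsource/template.html?"' $Tail # '"DOS Real Server template.html"' nocase-ignored cve,CVE-2000-0474 bugtraq,1288 classtype:attempted-dos sid:277
    LogAs="SID278" $Ipt -A "$Me" -p tcp --dport 8080 -m string --string '"/viewsource/template.html?"' $Tail # '"DOS Real Server template.html"' nocase-ignored cve,CVE-2000-0474 bugtraq,1288 classtype:attempted-dos sid:278
    LogAs="SID281" $Ipt -A "$Me" -p udp --dport 9 -m string --string '"NAMENAME"' $Tail # '"DOS Ascend Route"' bugtraq,714 cve,CVE-1999-0060 arachnids,262 classtype:attempted-dos sid:281
    LogAs="SID1257" $Ipt -A "$Me" -p tcp --dport 135:139 --tcp-flags URG URG $Tail # '"DOS Winnuke attack"' bugtraq,2010 cve,CVE-1999-0153 classtype: attempted-dos sid:1257
    LogAs="SID1605" $Ipt -A "$Me" -p tcp --dport 6004 -m string --string '"ÿÿÿÿÿÿ"' $Tail # '"DOS iParty DOS attempt"' classtype:misc-attack cve,CAN-1999-1566 sid:1605
    ;;
  destroy)
    echo "Stopping $Me" >&2
    DestroyChain "$Me"
    ;;
  renamechain)
    # Park the current rules under a temporary name so "create" can build a
    # fresh chain while the old one keeps filtering until "replacelinks".
    TempChain="$Me-$RANDOM"
    echo "Replacing existing rules in $Me with new rules" >&2
    $IptablesBin -E "$Me" "$TempChain"
    ;;
  replacelinks)
    # Each builtin chain must reference the temporary chain exactly once;
    # otherwise -R below could replace the wrong rule, so the step is refused.
    if [ -z "$TempChain" ]; then
      echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
    elif ! $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
      echo "No $Me chain in $Me, replace operation incomplete." >&2
    elif ! $IptablesBin -L "$TempChain" -n >/dev/null 2>&1 ; then
      echo "No $TempChain chain in $Me, replace operation incomplete." >&2
    elif [ "$(chain_refs INPUT "$TempChain" | wc -l)" -ne 1 ]; then
      echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
    elif [ "$(chain_refs FORWARD "$TempChain" | wc -l)" -ne 1 ]; then
      echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
    elif [ "$(chain_refs OUTPUT "$TempChain" | wc -l)" -ne 1 ]; then
      echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
    else
      #ZZZZ Place the same criteria you used in link/unlink above in the following three lines.
      #ZZZZ Criteria should go just in front of "-j $Me"
      $IptablesBin -R INPUT "$(chain_refs INPUT "$TempChain")" -i \! lo -j "$Me"
      $IptablesBin -R FORWARD "$(chain_refs FORWARD "$TempChain")" -j "$Me"
      $IptablesBin -R OUTPUT "$(chain_refs OUTPUT "$TempChain")" -j "$Me"
      DestroyChain "$TempChain"
      unset TempChain
    fi
    ;;
  status)
    if $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
      echo "$Me created" >&2
    else
      echo "$Me destroyed" >&2
    fi
    ;;
  version)
    echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
    ;;
  help)
    DefaultHelp
    cat <<EOTEXT >&2
The $Me module installs iptables rules translated from the Snort
denial-of-service signature set (teardrop fragments, UDP echo/chargen
bombs, IGMP, the "+++ath" ICMP echo, NAPTHA SYN, RealServer, Ascend
"NAMENAME", WinNuke URG and iParty patterns).  Each rule is tagged
with the Snort SID it came from, and the action taken on a match is
whatever \$Tail expands to in your firebricks configuration.
The matches are narrow payload, port and flag patterns and should be
safe to use on any network.
EOTEXT
    ;;
  *)
    # The loop variable is OneTask; the message used to print the unset $Action.
    echo "Unknown action $OneTask in $Me, no action taken." >&2
    ;;
  esac
done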