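#!/bin/bash
#Copyright 2003 William Stearns
#Released under the GPL.
#
# firebricks module: snort-icmp
#
# Builds a user-defined iptables chain ($Me) holding ICMP match rules that
# mirror a set of Snort ICMP signatures (each rule carries the Snort message
# and sid in its trailing comment), and links that chain into INPUT, FORWARD
# and OUTPUT.  Only ICMP is sent down the chain; every rule in it is "-p icmp".
#
# Usage: driven by the firebricks framework.  $Tasks (space-separated list of
# link/unlink/create/destroy/renamechain/replacelinks/status/version/help) is
# set by the caller; $IptablesBin, $AppIn, $Ipt, $Tail, $FBLibVer,
# FlushOrNewChain, DestroyChain and DefaultHelp come from firebrickslib.
# Configuration: /etc/firebricks/firebricks.conf and /etc/firebricks/$Me.conf.
#
# Library-provided variables ($IptablesBin, $AppIn, $Ipt, $Tail) may hold more
# than one word and are therefore deliberately left unquoted below.

#ZZZZ Check Me and MyVersion
Me='snort-icmp'
MyVersion='20031125'
#DefaultActions=''

[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] && . "/etc/firebricks/$Me.conf"
FBLibDir="${FBLibDir:-/usr/lib/firebricks/}"
[ -r "$FBLibDir/firebrickslib" ] && . "$FBLibDir/firebrickslib"
if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi

#######################################
# Print the rule numbers of the rules in builtin chain $1 whose target is
# chain $2 (one number per line, nothing when there is no such rule).
# Matches the target column exactly so a chain whose name merely contains
# $2 as a substring is not counted.
# Arguments: $1 - builtin chain (INPUT/FORWARD/OUTPUT), $2 - target chain name
# Outputs:   rule numbers on stdout
#######################################
chain_refs() {
  # NOTE(review): with --line-numbers the target is column 2 of iptables -L
  # output; the two header lines never carry a chain name there.
  $IptablesBin -L "$1" -n --line-numbers | awk -v target="$2" '$2 == target { print $1 }'
}

# $Tasks is a whitespace-separated list; word-splitting is intended.
# shellcheck disable=SC2086
for OneTask in $Tasks ; do
  case "$OneTask" in
  link)
    $IptablesBin -N "$Me" >/dev/null 2>&1
    # Only ICMP needs to traverse the chain: every rule in it is "-p icmp".
    # Keep these three in step with unlink) and replacelinks) below.
    $IptablesBin $AppIn INPUT -p icmp -i \! lo -j "$Me"
    $IptablesBin $AppIn FORWARD -p icmp -j "$Me"
    $IptablesBin $AppIn OUTPUT -p icmp -j "$Me"
    ;;
  unlink)
    # Same criteria as link), with "$AppIn" replaced by "-D" so the exact
    # rules are removed.  Links created by an older version of this module
    # (without "-p icmp") are not matched by these deletes.
    $IptablesBin -D INPUT -p icmp -i \! lo -j "$Me"
    $IptablesBin -D FORWARD -p icmp -j "$Me"
    $IptablesBin -D OUTPUT -p icmp -j "$Me"
    $IptablesBin -X "$Me" >/dev/null 2>&1
    ;;
  create)
    echo "Starting $Me" >&2
    FlushOrNewChain "$Me"
    # Each rule: LogAs names the Snort sid for the logging wrapper in $Ipt,
    # the trailing comment is the Snort message, reference and classtype.
    LogAs="SID465" $Ipt -A "$Me" -p icmp -m string --string '"ISSPNGRQ"' --icmp-type 8 $Tail # '"ICMP ISS Pinger"' arachnids,158 classtype:attempted-recon sid:465
    LogAs="SID466" $Ipt -A "$Me" -p icmp -m string --string '"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"' --icmp-type 8/0 $Tail # '"ICMP L3retriever Ping"' arachnids,311 classtype:attempted-recon sid:466
    LogAs="SID472" $Ipt -A "$Me" -p icmp --icmp-type 5/1 $Tail # '"ICMP redirect host"' arachnids,135 cve,CVE-1999-0265 classtype:bad-unknown sid:472
    LogAs="SID473" $Ipt -A "$Me" -p icmp --icmp-type 5/0 $Tail # '"ICMP redirect net"' arachnids,199 cve,CVE-1999-0265 classtype:bad-unknown sid:473
    # Requires the ipv4options match extension to be available in the kernel.
    LogAs="SID475" $Ipt -A "$Me" -p icmp -m ipv4options --rr --icmp-type 0 $Tail # '"ICMP traceroute ipopts"' arachnids,238 classtype:attempted-recon sid:475
    LogAs="SID476" $Ipt -A "$Me" -p icmp -m string --string '"EEEEEEEEEEEE"' --icmp-type 8/0 $Tail # '"ICMP webtrends scanner"' arachnids,307 classtype:attempted-recon sid:476
    LogAs="SID477" $Ipt -A "$Me" -p icmp --icmp-type 4/0 $Tail # '"ICMP Source Quench"' classtype:bad-unknown sid:477
    LogAs="SID480" $Ipt -A "$Me" -p icmp -m string --string '"89:;<=>?"' --icmp-type 8 $Tail # '"ICMP PING speedera"' sid:480 classtype:misc-activity
    LogAs="SID481" $Ipt -A "$Me" -p icmp -m string --string '"TJPingPro by Jim"' --icmp-type 8 $Tail # '"ICMP TJPingPro1.1Build 2 Windows"' arachnids,167 sid:481 classtype:misc-activity
    LogAs="SID482" $Ipt -A "$Me" -p icmp -m string --string '"WhatsUp - A Netw"' --icmp-type 8 $Tail # '"ICMP PING WhatsupGold Windows"' arachnids,168 sid:482 classtype:misc-activity
    # NOTE(review): this payload is a run of non-ASCII characters; confirm the
    # file's encoding produces the bytes the signature expects before relying
    # on the match.
    LogAs="SID483" $Ipt -A "$Me" -p icmp -m string --string '"ªªªªªªªªªªªªªªªª"' --icmp-type 8 $Tail # '"ICMP PING CyberKit 2.2 Windows"' arachnids,154 sid:483 classtype:misc-activity
    LogAs="SID484" $Ipt -A "$Me" -p icmp --icmp-type 8 -m string --string '"Cinco Network, Inc."' $Tail # '"ICMP PING Sniffer Pro/NetXRay network scan"' sid:484 classtype:misc-activity
    LogAs="SID485" $Ipt -A "$Me" -p icmp --icmp-type 3/13 $Tail # '"ICMP Destination Unreachable (Communication Administratively Prohibited)"' sid:485 classtype:misc-activity
    LogAs="SID486" $Ipt -A "$Me" -p icmp --icmp-type 3/10 $Tail # '"ICMP Destination Unreachable (Communication with Destination Host is Administratively Prohibited)"' sid:486 classtype:misc-activity
    LogAs="SID487" $Ipt -A "$Me" -p icmp --icmp-type 3/9 $Tail # '"ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited)"' sid:487 classtype:misc-activity
    LogAs="SID1813" $Ipt -A "$Me" -p icmp -m string --string '"mailto:ops@digisle.com"' $Tail # '"ICMP digital island bandwidth query"' classtype:misc-activity sid:1813
    ;;
  destroy)
    echo "Stopping $Me" >&2
    DestroyChain "$Me"
    ;;
  renamechain)
    # Park the live chain under a temporary name so a fresh $Me can be built;
    # replacelinks) later repoints the builtin chains at the new $Me.
    TempChain="$Me-$RANDOM"
    echo "Replacing existing rules in $Me with new rules" >&2
    $IptablesBin -E "$Me" "$TempChain"
    ;;
  replacelinks)
    # Refuse to touch the builtin chains unless exactly one reference to the
    # temporary chain exists in each of them; otherwise -R could hit the
    # wrong rule number.
    if [ -z "$TempChain" ]; then
      echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
    elif ! $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
      echo "No $Me chain in $Me, replace operation incomplete." >&2
    elif ! $IptablesBin -L "$TempChain" -n >/dev/null 2>&1 ; then
      echo "No $TempChain chain in $Me, replace operation incomplete." >&2
    elif [ "$(chain_refs INPUT "$TempChain" | wc -l)" -ne 1 ]; then
      echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
    elif [ "$(chain_refs FORWARD "$TempChain" | wc -l)" -ne 1 ]; then
      echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
    elif [ "$(chain_refs OUTPUT "$TempChain" | wc -l)" -ne 1 ]; then
      echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
    else
      # Same criteria as link)/unlink), placed just in front of "-j $Me".
      $IptablesBin -R INPUT "$(chain_refs INPUT "$TempChain")" -p icmp -i \! lo -j "$Me"
      $IptablesBin -R FORWARD "$(chain_refs FORWARD "$TempChain")" -p icmp -j "$Me"
      $IptablesBin -R OUTPUT "$(chain_refs OUTPUT "$TempChain")" -p icmp -j "$Me"
      DestroyChain "$TempChain"
      unset TempChain
    fi
    ;;
  status)
    if $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
      echo "$Me created" >&2
    else
      echo "$Me destroyed" >&2
    fi
    ;;
  version)
    echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
    ;;
  help)
    DefaultHelp
    cat <<EOTEXT >&2
The $Me module matches ICMP packets that correspond to a set of Snort ICMP
signatures: scanner and pinger payloads (ISS, L3retriever, webtrends, speedera,
TJPingPro, WhatsUp, CyberKit, Sniffer Pro/NetXRay), ICMP host and network
redirects, source quench, traceroute with the record-route option, and
"administratively prohibited" destination unreachables. Matching packets are
handed to the configured firebricks action. At best these are uncommon and are
mostly seen during network mapping, though redirects and administratively
prohibited unreachables can also occur legitimately, so review the resulting
log entries rather than treating every match as hostile. These rules should be
safe to use on any network.
EOTEXT
    ;;
  *)
    # Report the task that was actually looked at, not an unrelated variable.
    echo "Unknown action $OneTask in $Me, no action taken." >&2
    ;;
  esac
done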