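#!/bin/bash
# snort-icmp-info -- firebricks module that reproduces Snort's icmp-info
# rule set as one iptables chain.
#
# Copyright 2003 William Stearns
# Released under the GPL.
#
# What this file does (only what is visible here; firebrickslib supplies the
# rest):
#   * link / unlink      hook a user chain named $Me into INPUT (traffic not
#                        arriving on lo), FORWARD and OUTPUT, or remove the
#                        hooks again.
#   * create / destroy   fill the chain with one rule per ICMP type/code plus
#                        payload signatures for common ping tools, or delete it.
#   * renamechain / replacelinks
#                        move the live chain aside under a temporary name, let
#                        "create" build a fresh one, then repoint the hook rules
#                        so a reload never leaves the host without the chain.
#   * status / version / help
#                        report only.
#
# Every rule ends with $Tail and runs $Ipt with LogAs=SIDnnn in its
# environment.  Both come from firebrickslib; presumably $Tail is the target
# (LOG/DROP/...) and LogAs becomes the log prefix -- confirm there, this file
# only passes them through.
#
# Security / operational notes:
#   * The conf files and firebrickslib are sourced by a root shell.  Keep them
#     root-owned and not group/world writable: whoever can edit them runs
#     arbitrary commands as root on the firewall host.
#   * "-m string" needs the string match in the kernel.  iptables releases newer
#     than this file also require "--algo bm" (or kmp) after "--string"; add it
#     if your iptables rejects the ping rules.
#   * The --string patterns are copied from the Snort "content:" field
#     INCLUDING its double quotes, e.g. '"Data"'.  Unless $Ipt strips them, the
#     kernel also searches for the quote characters and those rules can never
#     match.  NOTE(review): verify against firebrickslib before trusting them.
#   * Several Snort patterns are non-printable bytes.  In the copy of this file
#     we received they have been reduced to spaces or an empty string; they are
#     marked LOSSY below and must be restored from the Snort rule with the given
#     sid before those rules are meaningful.
#   * "-i \! lo" is the pre-1.4.3 iptables spelling; newer versions want
#     "! -i lo".  Kept as written for the iptables this module targets.
#
# No "set -e" on purpose: "-N"/"-X" of an existing/missing chain and the "-D"
# fallbacks below are expected to fail.

Me='snort-icmp-info'
MyVersion='20031125'
#DefaultActions=''

[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] && . "/etc/firebricks/$Me.conf"
fblib_file="${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"
[ -r "$fblib_file" ] && . "$fblib_file"

# firebrickslib defines $FBLibVer (and $Tasks, $Ipt, $Tail, $AppIn,
# $IptablesBin, FlushOrNewChain, DestroyChain, DefaultHelp used below).
if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi

# icmp_rule SID MATCH...
#   Append one rule to chain $Me: "-p icmp MATCH... $Tail", with LogAs="SIDnnn"
#   placed in the environment of that single $Ipt invocation.
#   $Ipt and $Tail are deliberately unquoted: firebrickslib may set them to a
#   command / target plus options.
icmp_rule() {
  local sid="$1"
  shift
  LogAs="SID$sid" $Ipt -A "$Me" -p icmp "$@" $Tail
}

# rule_numbers CHAIN TARGET
#   Print, one per line, the rule numbers of the rules in builtin CHAIN whose
#   listing contains TARGET as a whole word (so "$Me-12" does not also match
#   "$Me-123").
rule_numbers() {
  $IptablesBin -L "$1" -n --line-numbers | grep -w -- "$2" | awk '{print $1}'
}

for OneTask in $Tasks; do
  case "$OneTask" in
    link)
      # Create the chain (ignore "already exists") and hook it in.  Every rule
      # in the chain is "-p icmp", so only hand ICMP to it; other protocols
      # would just walk ~100 rules and fall out the bottom.
      $IptablesBin -N "$Me" >/dev/null 2>&1
      $IptablesBin $AppIn INPUT -i \! lo -p icmp -j "$Me"
      $IptablesBin $AppIn FORWARD -p icmp -j "$Me"
      $IptablesBin $AppIn OUTPUT -p icmp -j "$Me"
      ;;

    unlink)
      # Must mirror the link criteria exactly.  The "|| ..." fallback removes a
      # hook left by an earlier version of this module that linked without
      # "-p icmp", so an in-place upgrade still unlinks cleanly.
      $IptablesBin -D INPUT -i \! lo -p icmp -j "$Me" 2>/dev/null \
        || $IptablesBin -D INPUT -i \! lo -j "$Me"
      $IptablesBin -D FORWARD -p icmp -j "$Me" 2>/dev/null \
        || $IptablesBin -D FORWARD -j "$Me"
      $IptablesBin -D OUTPUT -p icmp -j "$Me" 2>/dev/null \
        || $IptablesBin -D OUTPUT -j "$Me"
      $IptablesBin -X "$Me" >/dev/null 2>&1
      ;;

    create)
      echo "Starting $Me" >&2
      FlushOrNewChain "$Me"

      # Rule order matters if $Tail is a terminating target: the specific
      # "type/code" rule must come before the bare "type" catch-all (labelled
      # "Undefined Code!" by Snort), otherwise the specific rule is dead.
      # All rules in this set are Snort classtype:misc-activity.

      # --- Echo requests, distinguished by the payload the ping tool sends ---
      icmp_rule 366 -m string --string '""' --icmp-type 8                                   # sid:366 "ICMP PING *NIX"  LOSSY: pattern bytes lost, rule matches nothing useful
      icmp_rule 368 --icmp-type 8 -m string --string '" "'                                  # sid:368 "ICMP PING BSDtype" arachnids,152  LOSSY
      icmp_rule 369 --icmp-type 8 -m string --string '" "'                                  # sid:369 "ICMP PING BayRS Router" arachnids,438 arachnids,444  LOSSY
      icmp_rule 370 -m string --string '" "' --icmp-type 8                                  # sid:370 "ICMP PING BeOS4.x" arachnids,151  LOSSY
      icmp_rule 371 -m string --string $'"\xab\xcd\xab\xcd\xab\xcd\xab\xcd\xab\xcd\xab\xcd\xab\xcd\xab\xcd"' --icmp-type 8   # sid:371 "ICMP PING Cisco Type.x" arachnids,153 (bytes written as escapes; the source showed them Latin-1 rendered)
      icmp_rule 372 -m string --string '"Pinging from Del"' --icmp-type 8                   # sid:372 "ICMP PING Delphi-Piette Windows" arachnids,155
      icmp_rule 373 --icmp-type 8 -m string --string '" "'                                  # sid:373 "ICMP PING Flowpoint2200 or Network Management Software" arachnids,156  LOSSY
      icmp_rule 374 -m string --string $'"\xa9 Sustainable So"' --icmp-type 8              # sid:374 "ICMP PING IP NetMonitor Macintosh" arachnids,157
      icmp_rule 376 -m string --string '"0123456789abcdefghijklmnop"' --icmp-type 8         # sid:376 "ICMP PING Microsoft Windows" arachnids,159
      icmp_rule 377 -m string --string '"================"' --icmp-type 8                   # sid:377 "ICMP PING Network Toolbox 3 Windows" arachnids,161
      icmp_rule 378 -m string --string '"OMeterObeseArmad"' --icmp-type 8                   # sid:378 "ICMP PING Ping-O-MeterWindows" arachnids,164
      icmp_rule 379 -m string --string '"Data"' --icmp-type 8                               # sid:379 "ICMP PING Pinger Windows" arachnids,163
      icmp_rule 380 -m string --string $'"\x88 "' --icmp-type 8                             # sid:380 "ICMP PING Seer Windows" arachnids,166  NOTE(review): source showed a single 0x88-like byte plus whitespace of unknown length; confirm against the Snort rule
      icmp_rule 382 -m string --string '"abcdefghijklmnop"' --icmp-type 8                   # sid:382 "ICMP PING Windows" arachnids,169
      icmp_rule 384 --icmp-type 8/0                                                         # sid:384 "ICMP PING"

      # --- Everything else, by type/code ---
      icmp_rule 386 --icmp-type 18/0   # sid:386 "ICMP Address Mask Reply"
      icmp_rule 387 --icmp-type 18     # sid:387 "ICMP Address Mask Reply (Undefined Code!)"
      icmp_rule 388 --icmp-type 17/0   # sid:388 "ICMP Address Mask Request"
      icmp_rule 389 --icmp-type 17     # sid:389 "ICMP Address Mask Request (Undefined Code!)"
      icmp_rule 390 --icmp-type 6/0    # sid:390 "ICMP Alternate Host Address"
      icmp_rule 391 --icmp-type 6      # sid:391 "ICMP Alternate Host Address (Undefined Code!)"
      icmp_rule 392 --icmp-type 31/0   # sid:392 "ICMP Datagram Conversion Error"
      icmp_rule 393 --icmp-type 31     # sid:393 "ICMP Datagram Conversion Error (Undefined Code!)"
      icmp_rule 394 --icmp-type 3/7    # sid:394 "ICMP Destination Unreachable (Destination Host Unknown)"
      icmp_rule 395 --icmp-type 3/6    # sid:395 "ICMP Destination Unreachable (Destination Network Unknown)"
      icmp_rule 396 --icmp-type 3/4    # sid:396 "ICMP Destination Unreachable (Fragmentation Needed and DF bit was set)"
      icmp_rule 397 --icmp-type 3/14   # sid:397 "ICMP Destination Unreachable (Host Precedence Violation)"
      icmp_rule 398 --icmp-type 3/12   # sid:398 "ICMP Destination Unreachable (Host Unreachable for Type of Service)"
      icmp_rule 399 --icmp-type 3/1    # sid:399 "ICMP Destination Unreachable (Host Unreachable)"
      icmp_rule 400 --icmp-type 3/11   # sid:400 "ICMP Destination Unreachable (Network Unreachable for Type of Service)"
      icmp_rule 401 --icmp-type 3/0    # sid:401 "ICMP Destination Unreachable (Network Unreachable)"
      icmp_rule 402 --icmp-type 3/3    # sid:402 "ICMP Destination Unreachable (Port Unreachable)"
      icmp_rule 403 --icmp-type 3/15   # sid:403 "ICMP Destination Unreachable (Precedence Cutoff in effect)"
      icmp_rule 404 --icmp-type 3/2    # sid:404 "ICMP Destination Unreachable (Protocol Unreachable)"
      icmp_rule 405 --icmp-type 3/8    # sid:405 "ICMP Destination Unreachable (Source Host Isolated)"
      icmp_rule 406 --icmp-type 3/5    # sid:406 "ICMP Destination Unreachable (Source Route Failed)"
      icmp_rule 407 --icmp-type 3      # sid:407 "ICMP Destination Unreachable (Undefined Code!)"
      icmp_rule 408 --icmp-type 0/0    # sid:408 "ICMP Echo Reply"
      icmp_rule 409 --icmp-type 0      # sid:409 "ICMP Echo Reply (Undefined Code!)"
      icmp_rule 410 --icmp-type 11/1   # sid:410 "ICMP Fragment Reassembly Time Exceeded"
      icmp_rule 411 --icmp-type 34/0   # sid:411 "ICMP IPV6 I-Am-Here"
      icmp_rule 412 --icmp-type 34     # sid:412 "ICMP IPV6 I-Am-Here (Undefined Code!)"
      icmp_rule 413 --icmp-type 33/0   # sid:413 "ICMP IPV6 Where-Are-You"
      icmp_rule 414 --icmp-type 33     # sid:414 "ICMP IPV6 Where-Are-You (Undefined Code!)"
      icmp_rule 415 --icmp-type 16/0   # sid:415 "ICMP Information Reply"
      icmp_rule 416 --icmp-type 16     # sid:416 "ICMP Information Reply (Undefined Code!)"
      icmp_rule 417 --icmp-type 15/0   # sid:417 "ICMP Information Request"
      icmp_rule 418 --icmp-type 15     # sid:418 "ICMP Information Request (Undefined Code!)"
      icmp_rule 419 --icmp-type 32/0   # sid:419 "ICMP Mobile Host Redirect"
      icmp_rule 420 --icmp-type 32     # sid:420 "ICMP Mobile Host Redirect (Undefined Code!)"
      icmp_rule 421 --icmp-type 36/0   # sid:421 "ICMP Mobile Registration Reply"
      icmp_rule 422 --icmp-type 36     # sid:422 "ICMP Mobile Registration Reply (Undefined Code!)"
      icmp_rule 423 --icmp-type 35/0   # sid:423 "ICMP Mobile Registration Request"
      icmp_rule 424 --icmp-type 35     # sid:424 "ICMP Mobile Registration Request (Undefined Code!)"
      icmp_rule 425 --icmp-type 12/2   # sid:425 "ICMP Parameter Problem (Bad Length)"
      icmp_rule 426 --icmp-type 12/1   # sid:426 "ICMP Parameter Problem (Missing a Required Option)"
      icmp_rule 427 --icmp-type 12/0   # sid:427 "ICMP Parameter Problem (Unspecified Error)"
      icmp_rule 428 --icmp-type 12     # sid:428 "ICMP Parameter Problem (Undefined Code!)"
      icmp_rule 429 --icmp-type 40/0   # sid:429 "ICMP Photuris (Reserved)"
      icmp_rule 430 --icmp-type 40/1   # sid:430 "ICMP Photuris (Unknown Security Parameters Index)"
      icmp_rule 431 --icmp-type 40/2   # sid:431 "ICMP Photuris (Valid Security Parameters, But Authentication Failed)"
      icmp_rule 432 --icmp-type 40/3   # sid:432 "ICMP Photuris (Valid Security Parameters, But Decryption Failed)"
      icmp_rule 433 --icmp-type 40     # sid:433 "ICMP Photuris (Undefined Code!)"
      icmp_rule 436 --icmp-type 5/3    # sid:436 "ICMP Redirect (for TOS and Host)"
      icmp_rule 437 --icmp-type 5/2    # sid:437 "ICMP Redirect (for TOS and Network)"
      icmp_rule 438 --icmp-type 5      # sid:438 "ICMP Redirect (Undefined Code!)"
      icmp_rule 439 --icmp-type 19/0   # sid:439 "ICMP Reserved for Security (Type 19)"
      icmp_rule 440 --icmp-type 19     # sid:440 "ICMP Reserved for Security (Type 19) (Undefined Code!)"
      # IRDP: the code-0 rules (441/443) now precede the any-code rules
      # (363/364).  Previously 363/364 came first and, with a terminating
      # $Tail, 441/443 could never fire.
      icmp_rule 441 --icmp-type 9/0    # sid:441 "ICMP Router Advertisement" arachnids,173
      icmp_rule 363 --icmp-type 9      # sid:363 "ICMP IRDP router advertisement" bugtraq,578 cve,CVE-1999-0875 arachnids,173
      icmp_rule 443 --icmp-type 10/0   # sid:443 "ICMP Router Selection" arachnids,174
      icmp_rule 364 --icmp-type 10     # sid:364 "ICMP IRDP router selection" bugtraq,578 cve,CVE-1999-0875 arachnids,174
      icmp_rule 445 --icmp-type 39/0   # sid:445 "ICMP SKIP"
      icmp_rule 446 --icmp-type 39     # sid:446 "ICMP SKIP (Undefined Code!)"
      icmp_rule 448 --icmp-type 4      # sid:448 "ICMP Source Quench (Undefined Code!)"
      icmp_rule 449 --icmp-type 11/0   # sid:449 "ICMP Time-To-Live Exceeded in Transit"
      icmp_rule 450 --icmp-type 11     # sid:450 "ICMP Time-To-Live Exceeded in Transit (Undefined Code!)"
      icmp_rule 451 --icmp-type 14/0   # sid:451 "ICMP Timestamp Reply"
      icmp_rule 452 --icmp-type 14     # sid:452 "ICMP Timestamp Reply (Undefined Code!)"
      icmp_rule 453 --icmp-type 13/0   # sid:453 "ICMP Timestamp Request"
      icmp_rule 454 --icmp-type 13     # sid:454 "ICMP Timestamp Request (Undefined Code!)"
      icmp_rule 456 --icmp-type 30/0   # sid:456 "ICMP Traceroute"
      icmp_rule 457 --icmp-type 30     # sid:457 "ICMP Traceroute (Undefined Code!)"
      icmp_rule 458 --icmp-type 1/0    # sid:458 "ICMP Unassigned! (Type 1)"
      icmp_rule 459 --icmp-type 1      # sid:459 "ICMP Unassigned! (Type 1) (Undefined Code)"
      icmp_rule 460 --icmp-type 2/0    # sid:460 "ICMP Unassigned! (Type 2)"
      icmp_rule 461 --icmp-type 2      # sid:461 "ICMP Unassigned! (Type 2) (Undefined Code)"
      icmp_rule 462 --icmp-type 7/0    # sid:462 "ICMP Unassigned! (Type 7)"
      icmp_rule 463 --icmp-type 7      # sid:463 "ICMP Unassigned! (Type 7) (Undefined Code!)"
      # Echo-request catch-all last, after every 8/0 and payload rule above.
      icmp_rule 365 --icmp-type 8      # sid:365 "ICMP PING (Undefined Code!)"
      ;;

    destroy)
      echo "Stopping $Me" >&2
      DestroyChain "$Me"
      ;;

    renamechain)
      # Park the live chain under a unique name; "create" then rebuilds $Me
      # and "replacelinks" swaps the hooks over.  $TempChain must survive
      # across loop iterations, so it is a plain shell variable, not a local.
      TempChain="$Me-$RANDOM"
      echo "Replacing existing rules in $Me with new rules" >&2
      $IptablesBin -E "$Me" "$TempChain"
      ;;

    replacelinks)
      # Refuse to touch anything unless exactly one hook per builtin chain
      # points at the temporary chain; a partial swap would leave traffic
      # bypassing the module with no error message.
      if [ -z "$TempChain" ]; then
        echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
      elif ! $IptablesBin -L "$Me" -n >/dev/null 2>&1; then
        echo "No $Me chain in $Me, replace operation incomplete." >&2
      elif ! $IptablesBin -L "$TempChain" -n >/dev/null 2>&1; then
        echo "No $TempChain chain in $Me, replace operation incomplete." >&2
      elif [ "$(rule_numbers INPUT "$TempChain" | wc -l)" -ne 1 ]; then
        echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(rule_numbers FORWARD "$TempChain" | wc -l)" -ne 1 ]; then
        echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(rule_numbers OUTPUT "$TempChain" | wc -l)" -ne 1 ]; then
        echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
      else
        # Same match criteria as link/unlink, placed just before "-j $Me".
        $IptablesBin -R INPUT "$(rule_numbers INPUT "$TempChain")" -i \! lo -p icmp -j "$Me"
        $IptablesBin -R FORWARD "$(rule_numbers FORWARD "$TempChain")" -p icmp -j "$Me"
        $IptablesBin -R OUTPUT "$(rule_numbers OUTPUT "$TempChain")" -p icmp -j "$Me"
        DestroyChain "$TempChain"
        unset TempChain
      fi
      ;;

    status)
      if $IptablesBin -L "$Me" -n >/dev/null 2>&1; then
        echo "$Me created" >&2
      else
        echo "$Me destroyed" >&2
      fi
      ;;

    version)
      echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
      ;;

    help)
      DefaultHelp
      cat <<EOTEXT >&2
The $Me module builds an iptables chain that mirrors Snort's icmp-info rule
set: one rule per ICMP type/code (destination unreachable, redirect, router
advertisement, address mask and timestamp request/reply, ...) plus payload
signatures for the echo requests sent by common ping tools.  Each rule carries
the matching Snort SID so log lines can be cross-referenced with Snort's rule
documentation.  Only ICMP is sent through the chain.
What happens to a matching packet (log, drop, ...) is decided by \$Tail from
firebrickslib, not by this module; the rules themselves only classify.  Expect
a noticeable amount of log output on a busy host.
EOTEXT
      ;;

    *)
      echo "Unknown action $Action (task $OneTask) in $Me, no action taken." >&2
      ;;
  esac
done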