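#!/bin/bash
# snort-misc: firebricks module that installs iptables rules derived from the
# Snort "MISC" signature set into a dedicated chain named $Me, linked from
# INPUT (non-loopback), FORWARD and OUTPUT.
#
# Copyright 2003 William Stearns
# Released under the GPL.
#
# Everything this module depends on comes from the files sourced below
# (firebricks.conf, $Me.conf, firebrickslib):
#   $Tasks        - whitespace-separated list of actions to run
#   $Action       - the action the user asked for (reported on errors)
#   $IptablesBin  - iptables binary (may carry options, so never quoted)
#   $AppIn        - -A or -I, how the jump is linked into the builtin chains
#   $Ipt, $Tail   - prefix command and suffix (target/logging) for each rule
#   $AIM_SERVERS  - source address for the AIM signatures
#   FlushOrNewChain, DestroyChain, DefaultHelp - helper functions
# Strict mode (set -eu) is deliberately not enabled: the sourced library and
# config may rely on unset variables and on unchecked command failures.

#ZZZZ Check Me and MyVersion
Me='snort-misc'
MyVersion='20031125'
#DefaultActions=''

[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] && . "/etc/firebricks/$Me.conf"
[ -r "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib" ] && . "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"

if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi

# Print the rule number(s) in builtin chain $1 whose target is exactly $2.
# Matches the target column of "iptables -L -n --line-numbers" instead of
# grepping the whole line, so a chain "$Me-1" is not counted when looking
# for "$Me-12" (the temporary chain name below ends in $RANDOM).
snort_misc_rulenums() {
  $IptablesBin -L "$1" -n --line-numbers | awk -v t="$2" '$2 == t { print $1 }'
}

# $Tasks is intentionally unquoted: it is a whitespace-separated list.
for OneTask in $Tasks ; do
  case "$OneTask" in
  link)
    # Chain may already exist (e.g. after renamechain); -N failing is fine.
    $IptablesBin -N "$Me" >/dev/null 2>&1
    #ZZZZ try to restrict the following three to only send down what the chain needs to inspect.
    # "-i ! lo" is the old (intrapositioned) negation syntax; newer iptables
    # accepts it with a deprecation warning.  Every packet on these three
    # chains runs through all the string matches below, which costs CPU.
    $IptablesBin $AppIn INPUT -i ! lo -j "$Me"
    $IptablesBin $AppIn FORWARD -j "$Me"
    $IptablesBin $AppIn OUTPUT -j "$Me"
    ;;
  unlink)
    #ZZZZ Make the same changes as above (such as "-p tcp"), but if you cut and paste, note "$AppIn" is now "-D"
    $IptablesBin -D INPUT -i ! lo -j "$Me"
    $IptablesBin -D FORWARD -j "$Me"
    $IptablesBin -D OUTPUT -j "$Me"
    # -X only succeeds on an empty, unreferenced chain; ignore otherwise.
    $IptablesBin -X "$Me" >/dev/null 2>&1
    ;;
  create)
    echo "Starting $Me" >&2
    FlushOrNewChain "$Me"
    # Each signature is: LogAs=<snort sid> $Ipt -A $Me <match> $Tail, with the
    # Snort metadata kept in the trailing comment.  Patterns are wrapped as
    # '"..."' because $Ipt (from firebrickslib) appears to re-evaluate its
    # arguments; keep that convention when adding rules.
    # Where a Snort rule had several content: fields, each pattern gets its
    # own "-m string" instance: iptables accepts a single --string per string
    # match, so a rule repeating --string inside one -m string did not load.
    # NOTE(review): several patterns below appear as '""' or as stray accented
    # characters.  The original Snort content was a binary byte sequence that
    # did not survive as text (and NUL bytes cannot be passed in argv at all).
    # Such rules either fail to load or match far more than intended; verify
    # each against the Snort signature with the same sid (using --hex-string
    # where the installed iptables supports it) before relying on them.
    LogAs="SID500" $Ipt -A "$Me" -m ipv4options --lsrr $Tail # '"MISC source route lssr"' bugtraq,646 cve,CVE-1999-0909 arachnids,418 classtype:bad-unknown sid:500
    LogAs="SID502" $Ipt -A "$Me" -m ipv4options --ssrr $Tail # '"MISC source route ssrr"' arachnids,422 classtype:bad-unknown sid:502
    # The u32 expression requires the packet to be unfragmented and the ACK
    # bit clear in addition to --tcp-flags; it mirrors Snort's flags:S check.
    LogAs="SID503" $Ipt -A "$Me" -p tcp --sport 20 --dport :1023 --tcp-flags ALL SYN -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@10&0xC0=0xC0"' $Tail # '"MISC Source Port 20 to <1024"' arachnids,06 classtype:bad-unknown sid:503
    LogAs="SID504" $Ipt -A "$Me" -p tcp --sport 53 --dport :1023 --tcp-flags ALL SYN -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@10&0xC0=0xC0"' $Tail # '"MISC source port 53 to <1024"' arachnids,07 classtype:bad-unknown sid:504
    LogAs="SID505" $Ipt -A "$Me" -p tcp --dport 1417 -m string --string '">"' $Tail # '"MISC Insecure TIMBUKTU Password"' arachnids,229 classtype:bad-unknown sid:505
    LogAs="SID507" $Ipt -A "$Me" -p tcp --dport 5631 -m string --string '"ADMINISTRATOR"' $Tail # '"MISC PCAnywhere Attempted Administrator Login"' classtype:attempted-admin sid:507
    LogAs="SID508" $Ipt -A "$Me" -p tcp --dport 70 -m string --string '"ftp:"' -m string --string '"@/"' $Tail # '"MISC gopher proxy"' nocase-ignored arachnids,409 classtype:bad-unknown sid:508
    LogAs="SID512" $Ipt -A "$Me" -p tcp --sport 5631:5632 -m string --string '"Invalid login"' $Tail # '"MISC PCAnywhere Failed Login"' arachnids,240 classtype:unsuccessful-user sid:512
    LogAs="SID513" $Ipt -A "$Me" -p tcp --sport 7161 --tcp-flags ALL ACK,SYN -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@10&0xC0=0xC0"' $Tail # '"MISC Cisco Catalyst Remote Access"' arachnids,129 cve,CVE-1999-0430 classtype:bad-unknown sid:513
    LogAs="SID514" $Ipt -A "$Me" -p tcp --dport 27374 -m string --string '"GET "' $Tail # '"MISC ramen worm"' nocase-ignored arachnids,461 classtype:bad-unknown sid:514
    # Garbled binary content (see NOTE above).
    LogAs="SID516" $Ipt -A "$Me" -p udp --dport 161 -m string --string '"+@Ñ"' $Tail # '"MISC SNMP NT UserList"' classtype:attempted-recon sid:516
    # Garbled binary content (see NOTE above): an empty pattern cannot load.
    LogAs="SID517" $Ipt -A "$Me" -p udp --dport 177 -m string --string '""' $Tail # '"MISC xdmcp query"' arachnids,476 classtype:attempted-recon sid:517
    LogAs="SID1867" $Ipt -A "$Me" -p udp --dport 177 -m string --string '""' $Tail # '"MISC xdmcp info query"' nessus,10891 classtype:attempted-recon sid:1867
    # $AIM_SERVERS must be set in the config; an empty value makes -s fail.
    LogAs="SID1393" $Ipt -A "$Me" -p tcp -s "$AIM_SERVERS" -m string --string '"aim:AddGame?"' $Tail # '"MISC AIM AddGame attempt"' nocase-ignored url,www.w00w00.org/files/w00aimexp/ bugtraq,3769 cve,CAN-2002-0005 classtype:misc-attack sid:1393
    LogAs="SID1752" $Ipt -A "$Me" -p tcp -s "$AIM_SERVERS" -m string --string '"aim:AddExternalApp?"' $Tail # '"MISC AIM AddExternalApp attempt"' nocase-ignored url,www.w00w00.org/files/w00aimexp/ classtype:misc-attack sid:1752
    # Garbled binary content (see NOTE above).
    LogAs="SID1504" $Ipt -A "$Me" -p udp --dport 7001 -m string --string '"çe "' $Tail # '"MISC AFS access"' nessus,10441 classtype:misc-activity sid:1504
    LogAs="SID1887" $Ipt -A "$Me" -p tcp --dport 443 -m string --string '"TERM=xterm"' $Tail # '"MISC OpenSSL Worm traffic"' nocase-ignored classtype:web-application-attack url,www.cert.org/advisories/CA-2002-27.html sid:1887
    # Garbled binary content (see NOTE above).
    LogAs="SID1889" $Ipt -A "$Me" -p udp --sport 2002 --dport 2002 -m string --string '"EE@"' $Tail # '"MISC slapper worm admin traffic"' classtype:trojan-activity url,www.cert.org/advisories/CA-2002-27.html url,isc.incidents.org/analysis.html?id=167 sid:1889
    # Garbled binary content (see NOTE above).
    LogAs="SID1447" $Ipt -A "$Me" -p tcp --dport 3389 -m string --string '" à"' $Tail # '"MISC MS Terminal server request (RDP)"' cve,CAN-2001-0540 classtype:protocol-command-decode sid:1447
    LogAs="SID1448" $Ipt -A "$Me" -p tcp --dport 3389 -m string --string '""' -m string --string '"à"' $Tail # '"MISC MS Terminal server request"' cve,CAN-2001-0540 classtype:protocol-command-decode sid:1448
    # Garbled binary content (see NOTE above).
    LogAs="SID1819" $Ipt -A "$Me" -p tcp --dport 2533 -m string --string '"C"' $Tail # '"MISC Alcatel PABX 4400 connection attempt"' classtype:misc-activity nessus,11019 sid:1819
    # Garbled binary content (see NOTE above); the three "%" patterns are the
    # format-string probe and are meaningful only together with the lost bytes.
    LogAs="SID2039" $Ipt -A "$Me" -p udp --dport 67 -m string --string '""' -m string --string '" "' -m string --string '"%"' -m string --string '"%"' -m string --string '"%"' $Tail # '"MISC bootp hostname format string attempt"' bugtraq,4701 classtype:misc-attack sid:2039
    LogAs="SID1966" $Ipt -A "$Me" -p udp --dport 27155 -m string --string '"gstsearch"' $Tail # '"MISC GlobalSunTech Access Point Information Disclosure attempt"' bugtraq,6100 classtype:misc-activity sid:1966
    # Garbled binary content (see NOTE above).
    LogAs="SID2041" $Ipt -A "$Me" -p udp --sport 49 -m string --string '"€"' -m string --string '""' $Tail # '"MISC xtacacs failed login response"' classtype:misc-activity sid:2041
    # Garbled binary content (see NOTE above).
    LogAs="SID2043" $Ipt -A "$Me" -p udp --sport 500 --dport 500 -m string --string '""' -m string --string '""' $Tail # '"MISC isakmp login failed"' classtype:misc-activity sid:2043
    LogAs="SID2047" $Ipt -A "$Me" -p tcp --dport 873 -m string --string '"#list"' $Tail # '"MISC rsyncd module list access"' classtype:misc-activity sid:2047
    # CVS pserver responses (server -> client, so matched on the source port).
    LogAs="SID2008" $Ipt -A "$Me" -p tcp --sport 2401 -m string --string '"E Fatal error, aborting."' -m string --string '": no such user"' $Tail # '"MISC CVS invalid user authentication response"' classtype:misc-attack sid:2008
    LogAs="SID2009" $Ipt -A "$Me" -p tcp --sport 2401 -m string --string '"error "' -m string --string '": no such repository"' -m string --string '"I HATE YOU"' $Tail # '"MISC CVS invalid repository response"' classtype:misc-attack sid:2009
    LogAs="SID2010" $Ipt -A "$Me" -p tcp --sport 2401 -m string --string '"free(): warning: chunk is already free"' $Tail # '"MISC CVS double free exploit attempt response"' classtype:misc-attack cve,CAN-2003-0015 bugtraq,6650 sid:2010
    LogAs="SID2011" $Ipt -A "$Me" -p tcp --sport 2401 -m string --string '"E protocol error: invalid directory syntax in"' $Tail # '"MISC CVS invalid directory response"' classtype:misc-attack cve,CAN-2003-0015 bugtraq,6650 sid:2011
    LogAs="SID2012" $Ipt -A "$Me" -p tcp --sport 2401 -m string --string '"E protocol error: Root request missing"' $Tail # '"MISC CVS missing cvsroot response"' classtype:misc-attack sid:2012
    LogAs="SID2013" $Ipt -A "$Me" -p tcp --sport 2401 -m string --string '"cvs server: cannot find module"' -m string --string '"error"' $Tail # '"MISC CVS invalid module response"' classtype:misc-attack sid:2013
    # BGP marker (16 x 0xff) followed by a type byte of 0.  Garbled binary
    # content (see NOTE above): as written the marker depends on the file
    # being read as Latin-1, and the second pattern is empty.  One rule per
    # direction, both reporting as sid 2159.
    LogAs="SID2159" $Ipt -A "$Me" -p tcp --dport 179 -m state --state ESTABLISHED -m string --string '"ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ"' -m string --string '""' $Tail # '"MISC BGP invalid type (0)"' classtype:bad-unknown sid:2159
    LogAs="SID2159" $Ipt -A "$Me" -p tcp --sport 179 -m state --state ESTABLISHED -m string --string '"ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ"' -m string --string '""' $Tail # '"MISC BGP invalid type (0)"' classtype:bad-unknown sid:2159
    ;;
  destroy)
    echo "Stopping $Me" >&2
    DestroyChain "$Me"
    ;;
  renamechain)
    # -E renames the chain and rewrites the existing jumps to the new name, so
    # the old rules keep running while a fresh $Me is created; replacelinks
    # later points the jumps back at $Me and drops the temporary chain.
    TempChain="$Me-$RANDOM"
    echo "Replacing existing rules in $Me with new rules" >&2
    if ! $IptablesBin -E "$Me" "$TempChain"; then
      # Leave TempChain unset so replacelinks reports the incomplete replace
      # instead of relinking a chain that was never renamed.
      echo "Could not rename $Me to $TempChain, replace operation incomplete." >&2
      unset TempChain
    fi
    ;;
  replacelinks)
    if [ -z "$TempChain" ]; then
      echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
    elif ! $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
      echo "No $Me chain in $Me, replace operation incomplete." >&2
    elif ! $IptablesBin -L "$TempChain" -n >/dev/null 2>&1 ; then
      echo "No $TempChain chain in $Me, replace operation incomplete." >&2
    elif [ "$(snort_misc_rulenums INPUT "$TempChain" | wc -l)" -ne 1 ]; then
      echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
    elif [ "$(snort_misc_rulenums FORWARD "$TempChain" | wc -l)" -ne 1 ]; then
      echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
    elif [ "$(snort_misc_rulenums OUTPUT "$TempChain" | wc -l)" -ne 1 ]; then
      echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
    else
      #ZZZZ Place the same criteria you used in link/unlink above in the following three lines.
      #ZZZZ Criteria should go just in front of "-j $Me"
      # Each chain holds exactly one jump to $TempChain (checked above), so
      # the rule number is unambiguous and -R swaps it for a jump to $Me.
      $IptablesBin -R INPUT "$(snort_misc_rulenums INPUT "$TempChain")" -i ! lo -j "$Me"
      $IptablesBin -R FORWARD "$(snort_misc_rulenums FORWARD "$TempChain")" -j "$Me"
      $IptablesBin -R OUTPUT "$(snort_misc_rulenums OUTPUT "$TempChain")" -j "$Me"
      DestroyChain "$TempChain"
      unset TempChain
    fi
    ;;
  status)
    if $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
      echo "$Me created" >&2
    else
      echo "$Me destroyed" >&2
    fi
    ;;
  version)
    echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
    ;;
  help)
    DefaultHelp
    # The text below describes this module; it replaces the template text
    # (which described ICMP fragment/mask/timestamp blocks from another module).
    cat <<EOTEXT >&2
The $Me module creates a chain named $Me, linked from INPUT (non-loopback),
FORWARD and OUTPUT, holding rules derived from the Snort "MISC" signature
set: source-routed packets, SYNs from source ports 20/53 to privileged
ports, Timbuktu/PCAnywhere logins, gopher proxy use, Cisco Catalyst remote
access, ramen/slapper/OpenSSL worm traffic, SNMP/xdmcp/AFS/bootp/xtacacs/
isakmp probes, AIM exploit URLs, RDP requests, rsyncd module listing, CVS
pserver error responses and malformed BGP.  What happens to a match (log,
drop, ...) is whatever \$Tail expands to in your firebricks configuration.
Several patterns in this module originally contained non-printable bytes
that do not survive as text; those rules may fail to load or over-match and
should be checked against the Snort signature with the same sid.  The string
matches inspect every packet passing the three chains, which has a
noticeable CPU cost on busy hosts.
EOTEXT
    ;;
  *)
    # Report the task that was not recognised, not just the overall action.
    echo "Unknown task '$OneTask' (action '$Action') in $Me, no action taken." >&2
    ;;
  esac
done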