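#!/bin/bash
# snort-scan: firebricks module that adds iptables rules matching the
# signatures of well-known port scanners and proxy probes.  The rules are
# ported from Snort's SCAN rule set; each rule's trailing comment keeps the
# Snort message, reference and sid it came from.
#
# Copyright 2003 William Stearns
# Released under the GPL.
#
# Driven by firebrickslib: the actions to perform arrive, space separated,
# in $Tasks (link, unlink, create, destroy, renamechain, replacelinks,
# status, version, help).  IptablesBin, AppIn, Ipt, Tail, FBLibVer,
# FlushOrNewChain, DestroyChain and DefaultHelp are expected to come from
# /etc/firebricks/firebricks.conf, /etc/firebricks/snort-scan.conf or
# firebrickslib; nothing here defines them.

#ZZZZ Check Me and MyVersion
Me='snort-scan'
MyVersion='20031125'
#DefaultActions=''

# Load the site-wide config, then this module's own config, then the
# shared library.  Each is optional at this point; the FBLibVer check
# below is what actually enforces that the library was found.
[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] && . "/etc/firebricks/$Me.conf"
[ -r "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib" ] && . "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"

if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi

# $IptablesBin, $Ipt, $AppIn and $Tail are left unquoted on purpose: they are
# set by the configuration/library and may carry extra words (options).
# $Tasks is word-split on purpose as well.
# shellcheck disable=SC2086
for OneTask in $Tasks; do
  case "$OneTask" in
    link)
      # Create the chain (ignore "already exists") and hook it into the
      # three built-in chains; traffic on the loopback interface is skipped.
      $IptablesBin -N "$Me" >/dev/null 2>&1
      #ZZZZ try to restrict the following three to only send down what the chain needs to inspect.
      $IptablesBin $AppIn INPUT -i '!' lo -j "$Me"
      $IptablesBin $AppIn FORWARD -j "$Me"
      $IptablesBin $AppIn OUTPUT -j "$Me"
      ;;
    unlink)
      #ZZZZ Make the same changes as above (such as "-p tcp"), but if you cut and paste, note "$AppIn" is now "-D"
      $IptablesBin -D INPUT -i '!' lo -j "$Me"
      $IptablesBin -D FORWARD -j "$Me"
      $IptablesBin -D OUTPUT -j "$Me"
      $IptablesBin -X "$Me" >/dev/null 2>&1
      ;;
    create)
      echo "Starting $Me" >&2
      FlushOrNewChain "$Me"
      # Each rule is prefixed with LogAs=<snort sid> for $Ipt and ends with the
      # configured $Tail.  The '"..."' quoting of --u32/--string arguments is
      # kept exactly as the library expects it; the u32 expressions check
      # "not a fragment" (4&0x1FFF=0) and then index into the TCP header.
      LogAs="SID613" $Ipt -A $Me -p tcp --sport 10101 -m ttl --ttl-gt 220 -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@8=0"' --tcp-flags ALL SYN $Tail # '"SCAN myscan"' arachnids,439 classtype:attempted-recon sid:613
      LogAs="SID616" $Ipt -A $Me -p tcp --dport 113 -m string --string '"VERSION"' $Tail # '"SCAN ident version request"' arachnids,303 classtype:attempted-recon sid:616
      # Proxy probes: SYN to common proxy ports with a bogus TCP window/offset byte.
      LogAs="SID618" $Ipt -A $Me -p tcp --dport 3128 --tcp-flags ALL SYN -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@10&0xC0=0xC0"' $Tail # '"SCAN Squid Proxy attempt"' classtype:attempted-recon sid:618
      LogAs="SID615" $Ipt -A $Me -p tcp --dport 1080 --tcp-flags ALL SYN -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@10&0xC0=0xC0"' $Tail # '"SCAN SOCKS Proxy attempt"' url,help.undernet.org/proxyscan/ classtype:attempted-recon sid:615
      LogAs="SID620" $Ipt -A $Me -p tcp --dport 8080 --tcp-flags ALL SYN -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@10&0xC0=0xC0"' $Tail # '"SCAN Proxy Port 8080 attempt"' classtype:attempted-recon sid:620
      # Illegal / unusual TCP flag combinations used by stealth scans.
      LogAs="SID621" $Ipt -A $Me -p tcp --tcp-flags ALL FIN -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@10&0xC0=0xC0"' $Tail # '"SCAN FIN"' arachnids,27 classtype:attempted-recon sid:621
      LogAs="SID622" $Ipt -A $Me -p tcp --tcp-flags ALL SYN -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@4=1958810375"' $Tail # '"SCAN ipEye SYN scan"' arachnids,236 classtype:attempted-recon sid:622
      LogAs="SID623" $Ipt -A $Me -p tcp --tcp-flags ALL NONE -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@4=0"' -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@8=0"' $Tail # '"SCAN NULL"' arachnids,4 classtype:attempted-recon sid:623
      LogAs="SID624" $Ipt -A $Me -p tcp --tcp-flags ALL FIN,SYN -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@10&0xC0=0xC0"' $Tail # '"SCAN SYN FIN"' arachnids,198 classtype:attempted-recon sid:624
      LogAs="SID625" $Ipt -A $Me -p tcp --tcp-flags ALL ACK,FIN,PSH,SYN,RST,URG -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@10&0xC0=0xC0"' $Tail # '"SCAN XMAS"' arachnids,144 classtype:attempted-recon sid:625
      LogAs="SID1228" $Ipt -A $Me -p tcp --tcp-flags ALL FIN,PSH,URG -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@10&0xC0=0xC0"' $Tail # '"SCAN nmap XMAS"' arachnids,30 classtype:attempted-recon sid:1228
      LogAs="SID628" $Ipt -A $Me -p tcp --tcp-flags ALL ACK -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@10&0xC0=0xC0"' -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@8=0"' $Tail # '"SCAN nmap TCP"' arachnids,28 classtype:attempted-recon sid:628
      LogAs="SID629" $Ipt -A $Me -p tcp --tcp-flags ALL FIN,PSH,SYN,URG $Tail # '"SCAN nmap fingerprint attempt"' arachnids,05 classtype:attempted-recon sid:629
      LogAs="SID630" $Ipt -A $Me -p tcp -m u32 --u32 '"2&0xFFFF=39426"' --tcp-flags ALL FIN,SYN $Tail # '"SCAN synscan portscan"' arachnids,441 classtype:attempted-recon sid:630
      # Payload-based scanner fingerprints.  Note that "-m string" is
      # case-sensitive; the "nocase-ignored" tags below record where the
      # Snort original was case-insensitive.
      LogAs="SID626" $Ipt -A $Me -p tcp -m string --string '"AAAAAAAAAAAAAAAA"' --tcp-flags ALL ACK,PSH -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@10&0xC0=0xC0"' $Tail # '"SCAN cybercop os PA12 attempt"' arachnids,149 classtype:attempted-recon sid:626
      LogAs="SID627" $Ipt -A $Me -p tcp -m string --string '"AAAAAAAAAAAAAAAA"' --tcp-flags ALL FIN,SYN,URG -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@10&0xC0=0xC0"' -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@8=0"' $Tail # '"SCAN cybercop os SFU12 probe"' arachnids,150 classtype:attempted-recon sid:627
      LogAs="SID634" $Ipt -A $Me -p udp --dport 10080:10081 -m string --string '"Amanda"' $Tail # '"SCAN Amanda client version request"' nocase-ignored classtype:attempted-recon sid:634
      # NOTE(review): the single non-ASCII character in the next pattern looks
      # like a mis-encoded byte value; confirm it against Snort sid:635 before
      # relying on this rule.
      LogAs="SID635" $Ipt -A $Me -p udp --dport 49 -m string --string '"€"' $Tail # '"SCAN XTACACS logout"' arachnids,408 classtype:bad-unknown sid:635
      LogAs="SID636" $Ipt -A $Me -p udp --dport 7 -m string --string '"cybercop"' $Tail # '"SCAN cybercop udp bomb"' arachnids,363 classtype:bad-unknown sid:636
      LogAs="SID637" $Ipt -A $Me -p udp -m string --string '"helpquite"' $Tail # '"SCAN Webtrends Scanner UDP Probe"' arachnids,308 classtype:attempted-recon sid:637
      LogAs="SID1638" $Ipt -A $Me -p tcp --dport 22 -m string --string '"Version_Mapper"' $Tail # '"SCAN SSH Version map attempt"' nocase-ignored classtype:network-scan sid:1638
      # NOTE(review): this rule passes --string twice; whether the string
      # match honours both (or only the last) depends on the iptables
      # version in use — verify, or split into two rules.
      LogAs="SID1917" $Ipt -A $Me -p udp --dport 1900 -m string --string '"M-SEARCH "' --string '"ssdp:discover"' $Tail # '"SCAN UPnP service discover attempt"' classtype:network-scan sid:1917
      LogAs="SID1918" $Ipt -A $Me -p icmp -m string --string '"SolarWinds.Net"' --icmp-type 8/0 $Tail # '"SCAN SolarWinds IP scan attempt"' classtype:network-scan sid:1918
      LogAs="SID1133" $Ipt -A $Me -p tcp --dport 80 -m string --string '"AAAAAAAAAAAAAAAA"' --tcp-flags ALL FIN,PSH,SYN -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@8=0"' $Tail # '"SCAN cybercop os probe"' arachnids,145 classtype:attempted-recon sid:1133
      ;;
    destroy)
      echo "Stopping $Me" >&2
      DestroyChain "$Me"
      ;;
    renamechain)
      # Park the current rules under a temporary name so "create" can build
      # a fresh chain while the old one keeps filtering.  TempChain is read
      # back by the replacelinks action in the same run.
      TempChain="$Me-$RANDOM"
      echo "Replacing existing rules in $Me with new rules" >&2
      $IptablesBin -E "$Me" "$TempChain"
      ;;
    replacelinks)
      # Swap the jumps in INPUT/FORWARD/OUTPUT from the temporary chain back
      # to $Me, then drop the temporary chain.  Every precondition failure is
      # reported and leaves the tables untouched.
      if [ -z "$TempChain" ]; then
        echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
      elif ! $IptablesBin -L "$Me" -n >/dev/null 2>&1; then
        echo "No $Me chain in $Me, replace operation incomplete." >&2
      elif ! $IptablesBin -L "$TempChain" -n >/dev/null 2>&1; then
        echo "No $TempChain chain in $Me, replace operation incomplete." >&2
      elif [ "$($IptablesBin -L INPUT -n --line-numbers | grep -c -- "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$($IptablesBin -L FORWARD -n --line-numbers | grep -c -- "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$($IptablesBin -L OUTPUT -n --line-numbers | grep -c -- "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
      else
        #ZZZZ Place the same criteria you used in link/unlink above in the following three lines.
        #ZZZZ Criteria should go just in front of "-j $Me"
        # The checks above guarantee exactly one matching line per chain, so
        # the first field is the rule number to replace.
        InputRule=$($IptablesBin -L INPUT -n --line-numbers | grep -- "$TempChain" | awk '{print $1}')
        ForwardRule=$($IptablesBin -L FORWARD -n --line-numbers | grep -- "$TempChain" | awk '{print $1}')
        OutputRule=$($IptablesBin -L OUTPUT -n --line-numbers | grep -- "$TempChain" | awk '{print $1}')
        $IptablesBin -R INPUT "$InputRule" -i '!' lo -j "$Me"
        $IptablesBin -R FORWARD "$ForwardRule" -j "$Me"
        $IptablesBin -R OUTPUT "$OutputRule" -j "$Me"
        DestroyChain "$TempChain"
        unset TempChain
      fi
      ;;
    status)
      if $IptablesBin -L "$Me" -n >/dev/null 2>&1; then
        echo "$Me created" >&2
      else
        echo "$Me destroyed" >&2
      fi
      ;;
    version)
      echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
      ;;
    help)
      DefaultHelp
      #ZZZZ Please change the text to appropriate help text for this module. You should
      #ZZZZ cover what the module does, if it's generally safe to use, and under what
      #ZZZZ conditions it should not be used. Please replace the lines between the two
      #ZZZZ EOTEXT lines with your own.
      cat <<EOTEXT >&2
The $Me module adds rules that recognise the signatures of common port
scanners and proxy probes, ported from Snort's SCAN rule set: illegal or
unusual TCP flag combinations (NULL, FIN, XMAS, SYN/FIN), header values
characteristic of nmap, ipEye, synscan and cybercop, and payload strings
sent by ident, SSH, Amanda, UPnP, SolarWinds and Webtrends probes.  What
happens to a matching packet is decided by the Tail setting supplied by
the firebricks configuration.  The flag-based rules are safe on any
network; some payload matches (for instance UPnP M-SEARCH on udp/1900)
also occur in legitimate traffic, so expect occasional false positives
where those services are in use.
EOTEXT
      ;;
    *)
      # The loop variable is OneTask; reporting the unknown value by name
      # gives the caller something actionable.
      echo "Unknown action $OneTask in $Me, no action taken." >&2
      ;;
  esac
done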