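#!/bin/bash
#Copyright 2003 William Stearns
#Released under the GPL.
#
# snort-shellcode: a firebricks module that appends iptables string-match
# rules for the byte patterns of the Snort "SHELLCODE" signatures (NOOP
# sleds, setuid/setgid sequences, "/bin/sh") to TCP and UDP packets whose
# source port is in $SHELLCODE_PORTS.
#
# Reads (presumably set by the sourced config files and firebrickslib):
#   Tasks, IptablesBin, AppIn, Ipt, Tail, SHELLCODE_PORTS, FBLibVer
#   and the helpers FlushOrNewChain, DestroyChain, DefaultHelp.
# Writes: TempChain (lives between the renamechain and replacelinks tasks).
#
# Usage: driven by firebricks, which puts one or more of
#   link unlink create destroy renamechain replacelinks status version help
# into $Tasks.

Me='snort-shellcode'
MyVersion='20031125'
#DefaultActions=''

[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] && . "/etc/firebricks/$Me.conf"
[ -r "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib" ] && . "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"
if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi

# Match criteria placed in front of "-j $Me" when this chain is hooked into
# the builtin chains. Kept in one place so that link, unlink and replacelinks
# cannot drift apart (the INPUT hook skips loopback traffic).
# TODO: restrict these further so the chain only sees what it needs to inspect.
input_link_criteria=(-i \! lo)
forward_link_criteria=()
output_link_criteria=()

#######################################
# Add one tcp and one udp rule to $Me for a single Snort SHELLCODE signature.
# Arguments: $1 - Snort sid (becomes the LogAs prefix "SID<sid>")
#            $2 - pattern handed to "-m string --string", passed through as-is
# Globals:   Me, Ipt, Tail, SHELLCODE_PORTS (read)
#######################################
add_shellcode_rule() {
  local sid=$1
  local pattern=$2
  local proto
  for proto in tcp udp; do
    # LogAs is passed as an environment assignment, exactly as the original
    # per-rule lines did. $Ipt, $Tail and $SHELLCODE_PORTS are intentionally
    # left unquoted so firebrickslib can supply multi-word values.
    LogAs="SID$sid" $Ipt -A "$Me" -p "$proto" --sport $SHELLCODE_PORTS -m string --string "$pattern" $Tail
  done
}

#######################################
# Print the rule numbers in builtin chain $1 whose target is chain $2.
# Compares the target column exactly, so "$Me-12" does not also match "$Me-123".
# Globals:   IptablesBin (read)
#######################################
refs_to_chain() {
  $IptablesBin -L "$1" -n --line-numbers | awk -v chain="$2" '$2 == chain { print $1 }'
}

#######################################
# Print how many rules in builtin chain $1 jump to chain $2.
#######################################
count_refs() {
  refs_to_chain "$1" "$2" | wc -l
}

#######################################
# Replace the single rule in builtin chain $1 that jumps to $TempChain with
# one carrying the remaining arguments as match criteria and jumping to $Me.
# Arguments: $1 - builtin chain; $2... - criteria placed before "-j $Me"
# Globals:   IptablesBin, TempChain, Me (read)
#######################################
relink_builtin() {
  local chain=$1
  shift
  local rulenum
  rulenum=$(refs_to_chain "$chain" "$TempChain")
  $IptablesBin -R "$chain" "$rulenum" "$@" -j "$Me"
}

for OneTask in $Tasks ; do
  case "$OneTask" in
  link)
    $IptablesBin -N "$Me" >/dev/null 2>&1
    $IptablesBin $AppIn INPUT "${input_link_criteria[@]}" -j "$Me"
    $IptablesBin $AppIn FORWARD "${forward_link_criteria[@]}" -j "$Me"
    $IptablesBin $AppIn OUTPUT "${output_link_criteria[@]}" -j "$Me"
    ;;
  unlink)
    # Same criteria as link, with "-D" in place of "$AppIn".
    $IptablesBin -D INPUT "${input_link_criteria[@]}" -j "$Me"
    $IptablesBin -D FORWARD "${forward_link_criteria[@]}" -j "$Me"
    $IptablesBin -D OUTPUT "${output_link_criteria[@]}" -j "$Me"
    $IptablesBin -X "$Me" >/dev/null 2>&1
    ;;
  create)
    echo "Starting $Me" >&2
    FlushOrNewChain "$Me"
    if [ -z "$SHELLCODE_PORTS" ]; then
      # Without a port list every rule below would fail at "--sport"; say so
      # once instead of producing one iptables error per rule.
      echo "SHELLCODE_PORTS is not set, no rules added to $Me." >&2
    else
      # Each line mirrors one Snort rule; the trailing comment carries the
      # Snort msg, reference and sid so the pattern can be checked against the
      # upstream signature.
      # NOTE(review): the patterns keep the double quotes of Snort's
      # content:"..." syntax. Unless $Ipt strips them, the string match will
      # look for the quote characters as well and never fire - confirm against
      # firebrickslib's Ipt before relying on these rules.
      # NOTE(review): several patterns are raw non-printable bytes that do not
      # survive copy/paste; re-check each against the referenced Snort rule.
      # Current iptables releases also require "--algo bm" (or kmp) with
      # "-m string", which this 2003 module predates.
      # Short NOOP patterns such as "OOOO" or "GGGG" are easy to hit in ordinary
      # binary traffic, so expect false positives and review the logged hits.
      add_shellcode_rule 647 '"  "'  # '"SHELLCODE sparc setuid 0"' arachnids,282 classtype:system-call-detect sid:647
      add_shellcode_rule 649 '"̀"'  # '"SHELLCODE x86 setgid 0"' arachnids,284 classtype:system-call-detect sid:649
      add_shellcode_rule 650 '"̀"'  # '"SHELLCODE x86 setuid 0"' arachnids,436 classtype:system-call-detect sid:650
      add_shellcode_rule 638 '"%%%%"'  # '"SHELLCODE SGI NOOP"' arachnids,356 classtype:shellcode-detect sid:638
      add_shellcode_rule 639 '"\$4\$4\$4\$4"'  # '"SHELLCODE SGI NOOP"' arachnids,357 classtype:shellcode-detect sid:639
      add_shellcode_rule 640 '"OOOO"'  # '"SHELLCODE AIX NOOP"' classtype:shellcode-detect sid:640
      add_shellcode_rule 641 '"GGGG"'  # '"SHELLCODE Digital UNIX NOOP"' arachnids,352 classtype:shellcode-detect sid:641
      add_shellcode_rule 642 '""'  # '"SHELLCODE HP-UX NOOP"' arachnids,358 classtype:shellcode-detect sid:642
      add_shellcode_rule 643 '" 9 9 9 9"'  # '"SHELLCODE HP-UX NOOP"' arachnids,359 classtype:shellcode-detect sid:643
      add_shellcode_rule 644 '""'  # '"SHELLCODE sparc NOOP"' arachnids,345 classtype:shellcode-detect sid:644
      add_shellcode_rule 645 '"@@@@"'  # '"SHELLCODE sparc NOOP"' arachnids,353 classtype:shellcode-detect sid:645
      add_shellcode_rule 646 '""'  # '"SHELLCODE sparc NOOP"' arachnids,355 classtype:shellcode-detect sid:646
      add_shellcode_rule 648 '""'  # '"SHELLCODE x86 NOOP"' arachnids,181 classtype:shellcode-detect sid:648
      add_shellcode_rule 651 '""'  # '"SHELLCODE x86 stealth NOOP"' arachnids,291 classtype:shellcode-detect sid:651
      add_shellcode_rule 653 '""'  # '"SHELLCODE x86 unicode NOOP"' classtype:shellcode-detect sid:653
      add_shellcode_rule 652 '"/bin/sh"'  # '"SHELLCODE Linux shellcode"' arachnids,343 classtype:shellcode-detect sid:652
      add_shellcode_rule 1390 '"CCCCCCCCCCCCCCCCCCCCCCCC"'  # '"SHELLCODE x86 inc ebx NOOP"' classtype:shellcode-detect sid:1390
      add_shellcode_rule 1394 '"aaaaaaaaaaaaaaaaaaaaa"'  # '"SHELLCODE x86 NOOP"' classtype:shellcode-detect sid:1394
      add_shellcode_rule 1424 '" "'  # '"SHELLCODE x86 EB OC NOOP"' classtype:shellcode-detect sid:1424
    fi
    ;;
  destroy)
    echo "Stopping $Me" >&2
    DestroyChain "$Me"
    ;;
  renamechain)
    TempChain="$Me-$RANDOM"
    echo "Replacing existing rules in $Me with new rules" >&2
    $IptablesBin -E "$Me" "$TempChain"
    ;;
  replacelinks)
    if [ -z "$TempChain" ]; then
      echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
    elif ! $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
      echo "No $Me chain in $Me, replace operation incomplete." >&2
    elif ! $IptablesBin -L "$TempChain" -n >/dev/null 2>&1 ; then
      echo "No $TempChain chain in $Me, replace operation incomplete." >&2
    elif [ "$(count_refs INPUT "$TempChain")" -ne 1 ]; then
      echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
    elif [ "$(count_refs FORWARD "$TempChain")" -ne 1 ]; then
      echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
    elif [ "$(count_refs OUTPUT "$TempChain")" -ne 1 ]; then
      echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
    else
      # Swap each builtin's jump back from the temporary chain to $Me using
      # the same criteria the link task applies.
      relink_builtin INPUT "${input_link_criteria[@]}"
      relink_builtin FORWARD "${forward_link_criteria[@]}"
      relink_builtin OUTPUT "${output_link_criteria[@]}"
      DestroyChain "$TempChain"
      unset TempChain
    fi
    ;;
  status)
    if $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
      echo "$Me created" >&2
    else
      echo "$Me destroyed" >&2
    fi
    ;;
  version)
    echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
    ;;
  help)
    DefaultHelp
    cat <<EOTEXT >&2
The $Me module adds string-match rules that look for the byte patterns of
the Snort SHELLCODE signatures (sids 638-653, 1390, 1394 and 1424: NOOP
sleds, setuid/setgid sequences and "/bin/sh") in TCP and UDP packets whose
source port is in SHELLCODE_PORTS. Plain payload string matching is prone
to false positives on binary or compressed traffic, so check the logged
hits before relying on this module on a production network.
EOTEXT
    ;;
  *)
    # Report the task that was actually dispatched on, not an unrelated variable.
    echo "Unknown action $OneTask in $Me, no action taken." >&2
    ;;
  esac
done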