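#!/bin/bash
# Copyright 2003 William Stearns
# Released under the GPL.
#
# firebricks module "snort-smtp".
#
# Builds an iptables chain named after $Me that holds string-match rules
# derived from a small set of Snort SMTP signatures (old sendmail exploit
# strings, CyberCop ehlo/expn probes, the sendmail "From:" comment
# overflow, an Exchange MIME DoS string) and links that chain into the
# INPUT, FORWARD and OUTPUT chains.
#
# Everything not defined in this file comes from firebrickslib (sourced
# below): $Tasks, $IptablesBin, $AppIn, $Ipt, $Tail, FlushOrNewChain,
# DestroyChain and DefaultHelp.  Their exact behaviour is not visible
# here; what happens on a rule match is whatever $Tail supplies.

#ZZZZ Check Me and MyVersion
Me='snort-smtp'
MyVersion='20031125'
#DefaultActions=''

# Site-wide config, then per-module config, then the shared library.
# FBLibDir may be set by either config file, so it is resolved last.
[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] && . "/etc/firebricks/$Me.conf"
FBLib="${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"
[ -r "$FBLib" ] && . "$FBLib"

if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi

#######################################
# Print the rule numbers in built-in chain $1 whose jump target is
# exactly $2.  The target is compared as a whole field rather than
# grepped as a substring, so "$Me-12" does not also count "$Me-123"
# (the temporary chain name ends in $RANDOM).
# Arguments: $1 - built-in chain (INPUT/FORWARD/OUTPUT)
#            $2 - target chain name
# Outputs:   one rule number per line on stdout
#######################################
chain_refs() {
  $IptablesBin -L "$1" -n --line-numbers \
    | awk -v target="$2" '$2 == target { print $1 }'
}

for OneTask in $Tasks ; do
  case "$OneTask" in
    link)
      $IptablesBin -N "$Me" >/dev/null 2>&1
      #ZZZZ try to restrict the following three to only send down what the chain needs to inspect.
      # Every rule in the chain is "-p tcp", so "-p tcp" here would be a
      # safe restriction -- but unlink/replacelinks delete and replace these
      # rules by their exact specification, so any criteria added here must
      # be added in both of those places too, and an installation linked
      # with the old specification would no longer unlink cleanly.
      $IptablesBin $AppIn INPUT -i \! lo -j "$Me"
      $IptablesBin $AppIn FORWARD -j "$Me"
      $IptablesBin $AppIn OUTPUT -j "$Me"
      ;;
    unlink)
      #ZZZZ Make the same changes as above (such as "-p tcp"), but if you cut and paste, note "$AppIn" is now "-D"
      $IptablesBin -D INPUT -i \! lo -j "$Me"
      $IptablesBin -D FORWARD -j "$Me"
      $IptablesBin -D OUTPUT -j "$Me"
      $IptablesBin -X "$Me" >/dev/null 2>&1
      ;;
    create)
      echo "Starting $Me" >&2
      FlushOrNewChain "$Me"
      # Each rule is a single-packet substring match (-m string) on SMTP
      # traffic; LogAs names the Snort SID for whatever $Tail does with a
      # match.  The trailing comment on each line is the originating Snort
      # rule's msg and references.
      LogAs="SID655"
      $Ipt -A "$Me" -p tcp --sport 113 --dport 25 -m string --string '"D/"' $Tail # '"SMTP sendmail 8.6.9 exploit"' arachnids,140 cve,CVE-1999-0204 classtype:attempted-admin sid:655
      LogAs="SID658"
      $Ipt -A "$Me" -p tcp --dport 25 -m string --string '"charset = \"\""' $Tail # '"SMTP exchange mime DOS"' classtype:attempted-dos sid:658
      LogAs="SID662"
      $Ipt -A "$Me" -p tcp --dport 25 -m string --string '"mail from: \"|"' $Tail # '"SMTP sendmail 5.5.5 exploit"' nocase-ignored arachnids,119 classtype:attempted-admin sid:662
      LogAs="SID665"
      $Ipt -A "$Me" -p tcp --dport 25 -m string --string '"MAIL FROM: |/usr/ucb/tail"' $Tail # '"SMTP sendmail 5.6.5 exploit"' nocase-ignored arachnids,122 classtype:attempted-user sid:665
      LogAs="SID667"
      $Ipt -A "$Me" -p tcp --dport 25 -m string --string '"Croot Mprog, P=/bin/"' $Tail # '"SMTP sendmail 8.6.10 exploit"' arachnids,123 classtype:attempted-user sid:667
      LogAs="SID668"
      $Ipt -A "$Me" -p tcp --dport 25 -m string --string '"Croot Mprog,P=/bin"' $Tail # '"SMTP sendmail 8.6.10 exploit"' arachnids,124 classtype:attempted-user sid:668
      LogAs="SID669"
      $Ipt -A "$Me" -p tcp --dport 25 -m string --string '"CrootMprog"' $Tail # '"SMTP sendmail 8.6.9 exploit"' arachnids,142 cve,CVE-1999-0204 classtype:attempted-user sid:669
      LogAs="SID670"
      $Ipt -A "$Me" -p tcp --dport 25 -m string --string '"C:daemonR"' $Tail # '"SMTP sendmail 8.6.9 exploit"' cve,CVE-1999-0204 arachnids,139 classtype:attempted-user sid:670
      LogAs="SID671"
      $Ipt -A "$Me" -p tcp --dport 25 -m string --string '"Croot Mprog"' $Tail # '"SMTP sendmail 8.6.9c exploit"' arachnids,141 cve,CVE-1999-0204 classtype:attempted-user sid:671
      LogAs="SID631"
      $Ipt -A "$Me" -p tcp --dport 25 -m string --string '"ehlo cybercopquit"' $Tail # '"SMTP ehlo cybercop attempt"' arachnids,372 classtype:protocol-command-decode sid:631
      LogAs="SID632"
      $Ipt -A "$Me" -p tcp --dport 25 -m string --string '"expn cybercop"' $Tail # '"SMTP expn cybercop attempt"' arachnids,371 classtype:protocol-command-decode sid:632
      # SID 2087 is checked in both directions (client->server on --dport 25,
      # server->client on --sport 25); both rules log under the same SID.
      LogAs="SID2087"
      $Ipt -A "$Me" -p tcp --dport 25 -m string --string '"From:"' --string '"-><><><><><><><><><><><><><><><><><><><><><>"' --string '"("' --string '")"' $Tail # '"SMTP From comment overflow attempt"' cve,CAN-2002-1337 url,www.kb.cert.org/vuls/id/398025 classtype:attempted-admin sid:2087
      LogAs="SID2087"
      $Ipt -A "$Me" -p tcp --sport 25 -m string --string '"From:"' --string '"-><><><><><><><><><><><><><><><><><><><><><>"' --string '"("' --string '")"' $Tail # '"SMTP From comment overflow attempt"' cve,CAN-2002-1337 url,www.kb.cert.org/vuls/id/398025 classtype:attempted-admin sid:2087
      ;;
    destroy)
      echo "Stopping $Me" >&2
      DestroyChain "$Me"
      ;;
    renamechain)
      # Park the live chain under a temporary name so a fresh chain can be
      # built under $Me; replacelinks later swaps the jumps back and drops it.
      TempChain="$Me-$RANDOM"
      echo "Replacing existing rules in $Me with new rules" >&2
      $IptablesBin -E "$Me" "$TempChain"
      ;;
    replacelinks)
      if [ -z "$TempChain" ]; then
        echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
      elif ! $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
        echo "No $Me chain in $Me, replace operation incomplete." >&2
      elif ! $IptablesBin -L "$TempChain" -n >/dev/null 2>&1 ; then
        echo "No $TempChain chain in $Me, replace operation incomplete." >&2
      elif [ "$(chain_refs INPUT "$TempChain" | wc -l)" -ne 1 ]; then
        echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(chain_refs FORWARD "$TempChain" | wc -l)" -ne 1 ]; then
        echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(chain_refs OUTPUT "$TempChain" | wc -l)" -ne 1 ]; then
        echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
      else
        #ZZZZ Place the same criteria you used in link/unlink above in the following three lines.
        #ZZZZ Criteria should go just in front of "-j $Me"
        # Each chain_refs call is known to return exactly one rule number here.
        $IptablesBin -R INPUT "$(chain_refs INPUT "$TempChain")" -i \! lo -j "$Me"
        $IptablesBin -R FORWARD "$(chain_refs FORWARD "$TempChain")" -j "$Me"
        $IptablesBin -R OUTPUT "$(chain_refs OUTPUT "$TempChain")" -j "$Me"
        DestroyChain "$TempChain"
        unset TempChain
      fi
      ;;
    status)
      if $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
        echo "$Me created" >&2
      else
        echo "$Me destroyed" >&2
      fi
      ;;
    version)
      echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
      ;;
    help)
      DefaultHelp
      # The template's placeholder help text (it described ICMP fragment and
      # address-mask rules) is replaced with a description of what this
      # module actually installs.
      cat <<EOTEXT >&2
The $Me module adds string-match rules for SMTP (tcp port 25) traffic
taken from a small set of Snort SMTP signatures: old sendmail exploit
strings (SIDs 655, 662, 665, 667-671), the Exchange MIME DoS string
(SID 658), CyberCop ehlo/expn probe strings (SIDs 631, 632) and the
sendmail "From:" comment overflow (SID 2087, CAN-2002-1337). SID 2087 is
checked in both directions.

Each rule is a plain substring match against a single packet: a pattern
that straddles a packet boundary is not seen, and legitimate mail that
happens to contain one of these strings will also match. Review the log
output before configuring this module to block rather than log.
EOTEXT
      ;;
    *)
      echo "Unknown action $Action in $Me, no action taken." >&2
      ;;
  esac
done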