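#!/bin/bash
#Copyright 2003 William Stearns
#Released under the GPL.
#
# snort-web-frontpage: a firebricks module that carries the Snort
# WEB-FRONTPAGE signature set over to iptables.  Every rule below looks
# for a FrontPage-related URL fragment in TCP traffic to port 80 using the
# iptables "string" match; what happens on a hit (log, drop, ...) is not
# decided here but by $Tail, which is set in firebrickslib / the .conf
# files sourced below.  $LogAs is set before each rule for the same reason
# (something in $Ipt or $Tail picks it up -- verify in firebrickslib).
#
# NOTE(review): "-m string" inspects one packet at a time.  A request that
# is split across TCP segments, or that uses a different case or URL
# encoding, will not match -- the Snort "nocase" modifier has no
# equivalent here (hence "nocase-ignored" on every rule).  Treat these
# rules as an alert source, not as an authoritative filter.
#
# NOTE(review): the patterns keep the double quotes from the Snort
# content:"..." clauses.  Whether $Ipt strips them before the iptables
# call is decided in firebrickslib; if it does not, the quote characters
# are part of the match and these rules can never fire.  TODO confirm.
#
# NOTE(review): the in-kernel xt_string match (2.6.14+) insists on
# "--algo bm" or "--algo kmp"; the 2003-era patch did not.  If iptables
# rejects the rules, add the option in FPRule below.

#ZZZZ Check Me and MyVersion
Me='snort-web-frontpage'
MyVersion='20031125'
#DefaultActions=''

# Site-wide config first, then the per-module config, then the shared
# library that provides $Tasks, $IptablesBin, $AppIn, $Ipt, $Tail,
# FlushOrNewChain, DestroyChain and DefaultHelp.
[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r /etc/firebricks/$Me.conf ] && . /etc/firebricks/$Me.conf
[ -r ${FBLibDir:-'/usr/lib/firebricks/'}/firebrickslib ] && . ${FBLibDir:-'/usr/lib/firebricks/'}/firebrickslib

if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi

# FPRule SID PATTERN [PATTERN...]
#   Append one rule to chain $Me that fires when a tcp/80 packet contains
#   every PATTERN.  $1 is the Snort SID, used only to build $LogAs.
#   Each pattern gets its own "-m string" instance: a single string match
#   does not accept more than one --string (the original SID939 rule
#   passed two to one match), and separate instances are the iptables
#   way to express "all of these must be present".
FPRule() {
  local Sid="$1"
  shift
  local Pattern
  local Matches=()
  for Pattern in "$@"; do
    Matches+=(-m string --string "$Pattern")
  done
  LogAs="SID$Sid"
  # $Tail is deliberately unquoted: it may hold several iptables arguments.
  $Ipt -A "$Me" -p tcp --dport 80 "${Matches[@]}" $Tail
}

# LinkCount CHAIN TARGET
#   Print how many rules in built-in chain CHAIN reference TARGET.
LinkCount() {
  $IptablesBin -L "$1" -n --line-numbers | grep -c -- "$2"
}

# LinkLine CHAIN TARGET
#   Print the rule number of the rule in CHAIN that references TARGET.
#   Only meaningful after LinkCount returned exactly 1.
LinkLine() {
  $IptablesBin -L "$1" -n --line-numbers | grep -- "$2" | awk '{print $1}'
}

for OneTask in $Tasks ; do
  case "$OneTask" in
  link)
    $IptablesBin -N "$Me" >/dev/null 2>&1
    #ZZZZ try to restrict the following three to only send down what the chain needs to inspect.
    # Every rule in the chain is "-p tcp --dport 80", so the jumps could
    # carry the same criteria.  Left unrestricted here because unlink)
    # and replacelinks) must use byte-identical criteria, and a rule set
    # linked by an earlier version would otherwise not be removable.
    # "-i \! lo" is the old intrapositioned negation; newer iptables
    # warns and prefers "! -i lo" but still accepts it.
    $IptablesBin $AppIn INPUT -i \! lo -j "$Me"
    $IptablesBin $AppIn FORWARD -j "$Me"
    $IptablesBin $AppIn OUTPUT -j "$Me"
    ;;
  unlink)
    #ZZZZ Make the same changes as above (such as "-p tcp"), but if you cut and paste, note "$AppIn" is now "-D"
    $IptablesBin -D INPUT -i \! lo -j "$Me"
    $IptablesBin -D FORWARD -j "$Me"
    $IptablesBin -D OUTPUT -j "$Me"
    $IptablesBin -X "$Me" >/dev/null 2>&1
    ;;
  create)
    echo "Starting $Me" >&2
    FlushOrNewChain "$Me"
    # Trailing comments are the Snort metadata (msg, references, sid) for
    # each signature so the rule can be traced back to its advisory.
    FPRule 1248 '"/fp30reg.dll"'                    # WEB-FRONTPAGE rad fp30reg.dll access; arachnids,555 bugtraq,2906 cve,CAN-2001-0341 MS01-035
    FPRule 1249 '"/fp4areg.dll"'                    # WEB-FRONTPAGE frontpage rad fp4areg.dll access; cve,CAN-2001-0341 bugtraq,2906
    FPRule 937  '"/_vti_rpc"'                       # WEB-FRONTPAGE _vti_rpc access; bugtraq,2144
    FPRule 939  '"POST"' '"/author.dll"'            # WEB-FRONTPAGE posting (both strings must be present)
    FPRule 940  '"/_vti_bin/shtml.dll"'             # WEB-FRONTPAGE shtml.dll access; arachnids,292
    FPRule 941  '"/admcgi/contents.htm"'            # WEB-FRONTPAGE contents.htm access
    FPRule 942  '"/_private/orders.htm"'            # WEB-FRONTPAGE orders.htm access
    FPRule 943  '"/fpsrvadm.exe"'                   # WEB-FRONTPAGE fpsrvadm.exe access
    FPRule 944  '"/fpremadm.exe"'                   # WEB-FRONTPAGE fpremadm.exe access
    FPRule 945  '"/admisapi/fpadmin.htm"'           # WEB-FRONTPAGE fpadmin.htm access
    FPRule 946  '"/scripts/Fpadmcgi.exe"'           # WEB-FRONTPAGE fpadmcgi.exe access
    FPRule 947  '"/_private/orders.txt"'            # WEB-FRONTPAGE orders.txt access
    FPRule 948  '"/_private/form_results.txt"'      # WEB-FRONTPAGE form_results access
    FPRule 949  '"/_private/registrations.htm"'     # WEB-FRONTPAGE registrations.htm access
    FPRule 950  '"/cfgwiz.exe"'                     # WEB-FRONTPAGE cfgwiz.exe access
    FPRule 951  '"/authors.pwd"'                    # WEB-FRONTPAGE authors.pwd access; cve,CVE-1999-0386 nessus,10078
    FPRule 952  '"/_vti_bin/_vti_aut/author.exe"'   # WEB-FRONTPAGE author.exe access
    FPRule 953  '"/administrators.pwd"'             # WEB-FRONTPAGE administrators.pwd access; bugtraq,1205
    FPRule 954  '"/_private/form_results.htm"'      # WEB-FRONTPAGE form_results.htm access
    FPRule 955  '"/_vti_pvt/access.cnf"'            # WEB-FRONTPAGE access.cnf access
    FPRule 956  '"/_private/register.txt"'          # WEB-FRONTPAGE register.txt access
    FPRule 957  '"/_private/registrations.txt"'     # WEB-FRONTPAGE registrations.txt access
    FPRule 958  '"/_vti_pvt/service.cnf"'           # WEB-FRONTPAGE service.cnf access
    FPRule 959  '"/service.pwd"'                    # WEB-FRONTPAGE service.pwd; bugtraq,1205
    FPRule 960  '"/_vti_pvt/service.stp"'           # WEB-FRONTPAGE service.stp access
    FPRule 961  '"/_vti_pvt/services.cnf"'          # WEB-FRONTPAGE services.cnf access
    FPRule 962  '"/_vti_bin/shtml.exe"'             # WEB-FRONTPAGE shtml.exe access; nessus,10405 cve,CAN-2000-0413 cve,CAN-2000-0709 bugtraq,1608 bugtraq,1174
    FPRule 963  '"/_vti_pvt/svcacl.cnf"'            # WEB-FRONTPAGE svcacl.cnf access
    FPRule 964  '"/users.pwd"'                      # WEB-FRONTPAGE users.pwd access
    FPRule 965  '"/_vti_pvt/writeto.cnf"'           # WEB-FRONTPAGE writeto.cnf access
    FPRule 966  '"..../"'                           # WEB-FRONTPAGE .... request; bugtraq,989 cve,CAN-2000-0153 arachnids,248 (classtype web-application-attack)
    FPRule 967  '"/dvwssr.dll"'                     # WEB-FRONTPAGE dvwssr.dll access; bugtraq,1108 cve,CVE-2000-0260 arachnids,271 ms00-025
    FPRule 968  '"/_private/register.htm"'          # WEB-FRONTPAGE register.htm access
    # Catch-all for anything under /_vti_bin/.  Kept last so the more
    # specific _vti_bin rules above (940, 952, 962) see the packet first;
    # if $Tail is terminating (DROP/REJECT) they shadow this one.
    FPRule 1288 '"/_vti_bin/"'                      # WEB-FRONTPAGE /_vti_bin/ access
    ;;
  destroy)
    echo "Stopping $Me" >&2
    DestroyChain "$Me"
    ;;
  renamechain)
    # Park the live rules under a temporary name so a fresh create) can
    # build the new chain while the old one keeps filtering.  $RANDOM is
    # only used to avoid a name clash, not for anything security-relevant.
    TempChain="$Me-$RANDOM"
    echo "Replacing existing rules in $Me with new rules" >&2
    if ! $IptablesBin -E "$Me" "$TempChain"; then
      echo "Could not rename $Me to $TempChain, replace operation incomplete." >&2
      unset TempChain
    fi
    ;;
  replacelinks)
    # Swap the INPUT/FORWARD/OUTPUT jumps from the temporary chain back to
    # $Me, then drop the temporary chain.  Every precondition is checked
    # first: a half-done swap would leave traffic bypassing the new rules.
    if [ -z "$TempChain" ]; then
      echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
    elif ! $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
      echo "No $Me chain in $Me, replace operation incomplete." >&2
    elif ! $IptablesBin -L "$TempChain" -n >/dev/null 2>&1 ; then
      echo "No $TempChain chain in $Me, replace operation incomplete." >&2
    elif [ "$(LinkCount INPUT "$TempChain")" -ne 1 ]; then
      echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
    elif [ "$(LinkCount FORWARD "$TempChain")" -ne 1 ]; then
      echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
    elif [ "$(LinkCount OUTPUT "$TempChain")" -ne 1 ]; then
      echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
    else
      #ZZZZ Place the same criteria you used in link/unlink above in the following three lines.
      #ZZZZ Criteria should go just in front of "-j $Me"
      $IptablesBin -R INPUT "$(LinkLine INPUT "$TempChain")" -i \! lo -j "$Me"
      $IptablesBin -R FORWARD "$(LinkLine FORWARD "$TempChain")" -j "$Me"
      $IptablesBin -R OUTPUT "$(LinkLine OUTPUT "$TempChain")" -j "$Me"
      DestroyChain "$TempChain"
      unset TempChain
    fi
    ;;
  status)
    if $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
      echo "$Me created" >&2
    else
      echo "$Me destroyed" >&2
    fi
    ;;
  version)
    echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
    ;;
  help)
    DefaultHelp
    # The original text here was left over from an ICMP module and did not
    # describe this one; replaced with a description of these rules.
    cat <<EOTEXT >&2
The $Me module adds rules for the Snort WEB-FRONTPAGE signatures: requests
on tcp port 80 that name Microsoft FrontPage Server Extensions components
(_vti_bin, _vti_pvt, _private, fp30reg.dll, dvwssr.dll, *.pwd files and so
on).  What happens on a match is whatever the firebricks configuration puts
in Tail.

These rules use the iptables string match, which looks at each packet on
its own and is case sensitive, so they are best treated as a source of
alerts rather than as a hard filter.  They also add pattern-matching cost
to every port-80 packet that reaches the chain.  Do not use them in front
of a server that legitimately runs FrontPage Server Extensions unless you
want that traffic matched as well.
EOTEXT
    ;;
  *)
    # Was "$Action", which is never set in this script; the loop variable
    # is $OneTask.
    echo "Unknown action $OneTask in $Me, no action taken." >&2
    ;;
  esac
done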