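#!/bin/bash
# Copyright 2003 William Stearns
# Released under the GPL.
#
# firebricks module: Snort "WEB-IIS" signatures translated into iptables
# string-match rules on tcp/80.  Each rule below is one Snort signature; the
# trailing comment keeps the original message, references and sid so the
# rule can be traced back to the ruleset snapshot named by MyVersion.
#
# Caveats a deployer should know:
#   - Snort options that the string match cannot express were dropped.  The
#     "nocase-ignored" markers mean the Snort rule was case-insensitive but
#     the iptables rule is case-sensitive, so mixed-case requests are missed.
#   - The string match looks inside individual packets; a pattern split
#     across packet boundaries is not seen.
#   - Short substrings (".htr", "cmd.exe", "LOCK ", "%20.pl", ...) can occur in
#     legitimate traffic, so expect some false positives.
#   - What happens to a matching packet is decided by $Tail, which comes from
#     firebrickslib or this module's .conf, not from this file.
#
# Globals read:  Tasks, IptablesBin, Ipt, Tail, AppIn, FBLibDir, FBLibVer
# Globals set:   Me, MyVersion, TempChain, LogAs
# Library calls: FlushOrNewChain, DestroyChain, DefaultHelp (from firebrickslib)

Me='snort-web-iis'
MyVersion='20031125'

#DefaultActions=''

# Load site config, module config, then the library that defines the helpers
# and variables used below.
[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] && . "/etc/firebricks/$Me.conf"
[ -r "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib" ] && . "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"

if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi

#######################################
# Count how many rules in a builtin chain jump to a given chain.
# Arguments: $1 - builtin chain (INPUT/FORWARD/OUTPUT), $2 - target chain name
# Outputs:   the count on stdout
#######################################
fb_ref_count() {
  $IptablesBin -L "$1" -n --line-numbers | grep -c -F -- "$2"
}

#######################################
# Print the rule number(s) in a builtin chain that reference a given chain.
# Arguments: $1 - builtin chain, $2 - target chain name
# Outputs:   rule number(s) on stdout, one per line
#######################################
fb_ref_lineno() {
  $IptablesBin -L "$1" -n --line-numbers | grep -F -- "$2" | awk '{print $1}'
}

# $Tasks is a whitespace-separated list supplied by the library/config, so it
# is intentionally unquoted here.
for OneTask in $Tasks ; do
  case "$OneTask" in
    link)
      $IptablesBin -N "$Me" >/dev/null 2>&1
      # ZZZZ try to restrict the following three to only send down what the
      # chain needs to inspect (every rule in the chain is "-p tcp --dport 80").
      # $AppIn is "-A" or "-I" and must stay unquoted.
      $IptablesBin $AppIn INPUT -i \! lo -j "$Me"
      $IptablesBin $AppIn FORWARD -j "$Me"
      $IptablesBin $AppIn OUTPUT -j "$Me"
      ;;
    unlink)
      # ZZZZ Make the same changes as in link (such as "-p tcp"); note "$AppIn" is now "-D".
      $IptablesBin -D INPUT -i \! lo -j "$Me"
      $IptablesBin -D FORWARD -j "$Me"
      $IptablesBin -D OUTPUT -j "$Me"
      $IptablesBin -X "$Me" >/dev/null 2>&1
      ;;
    create)
      echo "Starting $Me" >&2
      FlushOrNewChain "$Me"
      # $Ipt and $Tail may expand to several words and are intentionally unquoted.
      # shellcheck disable=SC2086
      LogAs="SID1970" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/msadcs.dll"' --string '"Content-Type:"' --string !'""' $Tail # '"WEB-IIS MDAC Content-Type overflow attempt"' cve,CAN-2002-1142 url,www.foundstone.com/knowledge/randd-advisories-display.html?id=337 classtype:web-application-attack sid:1970
      LogAs="SID1076" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/scripts/repost.asp"' $Tail # '"WEB-IIS repost.asp access"' nocase-ignored nessus,10372 classtype:web-application-activity sid:1076
      LogAs="SID1806" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '".htr"' --string '"Transfer-Encoding:"' --string '"chunked"' $Tail # '"WEB-IIS .htr chunked Transfer-Encoding"' nocase-ignored nocase-ignored nocase-ignored classtype:web-application-attack bugtraq,5003 cve,CAN-2002-0364 sid:1806
      LogAs="SID1618" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '".asp"' --string '"Transfer-Encoding:"' --string '"chunked"' $Tail # '"WEB-IIS .asp chunked Transfer-Encoding"' nocase-ignored nocase-ignored nocase-ignored classtype:web-application-attack bugtraq,4474 cve,CAN-2002-0079 sid:1618
      LogAs="SID1626" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/StoreCSVS/InstantOrder.asmx"' $Tail # '"WEB-IIS /StoreCSVS/InstantOrder.asmx request"' nocase-ignored classtype:web-application-activity sid:1626
      LogAs="SID1750" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/users.xml"' $Tail # '"WEB-IIS users.xml access"' nocase-ignored classtype:web-application-activity sid:1750
      LogAs="SID1753" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/as_web.exe"' $Tail # '"WEB-IIS as_web.exe access"' nocase-ignored bugtraq,4670 classtype:web-application-activity sid:1753
      LogAs="SID1754" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/as_web4.exe"' $Tail # '"WEB-IIS as_web4.exe access"' nocase-ignored bugtraq,4670 classtype:web-application-activity sid:1754
      LogAs="SID1756" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"logged,true"' $Tail # '"WEB-IIS NewsPro administration authentication attempt"' classtype:web-application-activity sid:1756
      LogAs="SID1772" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/pbserver/pbserver.dll"' $Tail # '"WEB-IIS pbserver access"' nocase-ignored url,www.microsoft.com/technet/security/bulletin/ms00-094.asp classtype:web-application-activity sid:1772
      LogAs="SID1660" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/trace.axd"' $Tail # '"WEB-IIS trace.axd access"' nocase-ignored classtype:web-application-activity sid:1660
      LogAs="SID1484" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/isapi/tstisapi.dll"' $Tail # '"WEB-IIS /isapi/tstisapi.dll access"' nocase-ignored cve,CAN-2001-0302 bugtraq,2381 classtype:web-application-activity sid:1484
      LogAs="SID1485" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/mkilog.exe"' $Tail # '"WEB-IIS mkilog.exe access"' nocase-ignored classtype:web-application-activity sid:1485
      LogAs="SID1486" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/ctss.idc"' $Tail # '"WEB-IIS ctss.idc access"' nocase-ignored classtype:web-application-activity sid:1486
      LogAs="SID1487" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/iisadmpwd/aexp2.htr"' $Tail # '"WEB-IIS /iisadmpwd/aexp2.htr access"' classtype:web-application-activity sid:1487
      LogAs="SID969" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"LOCK "' $Tail # '"WEB-IIS WebDAV file lock attempt"' bugtraq,2736 classtype:web-application-activity sid:969
      LogAs="SID971" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '".printer"' $Tail # '"WEB-IIS ISAPI .printer access"' nocase-ignored cve,CAN-2001-0241 arachnids,533 classtype:web-application-activity sid:971
      LogAs="SID1243" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '".ida?"' $Tail # '"WEB-IIS ISAPI .ida attempt"' nocase-ignored arachnids,552 classtype:web-application-attack bugtraq,1065 cve,CAN-2000-0071 sid:1243
      LogAs="SID1242" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '".ida"' $Tail # '"WEB-IIS ISAPI .ida access"' nocase-ignored arachnids,552 classtype:web-application-activity cve,CAN-2000-0071 bugtraq,1065 sid:1242
      LogAs="SID1244" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '".idq?"' $Tail # '"WEB-IIS ISAPI .idq attempt"' nocase-ignored arachnids,553 classtype:web-application-attack cve,CAN-2000-0071 bugtraq,1065 sid:1244
      LogAs="SID1245" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '".idq"' $Tail # '"WEB-IIS ISAPI .idq access"' nocase-ignored arachnids,553 classtype:web-application-activity cve,CAN-2000-0071 bugtraq,1065 sid:1245
      LogAs="SID972" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"%2e.asp"' $Tail # '"WEB-IIS %2E-asp access"' nocase-ignored bugtraq,1814 cve,CAN-1999-0253 classtype:web-application-activity sid:972
      LogAs="SID973" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/*.idc"' $Tail # '"WEB-IIS *.idc attempt"' nocase-ignored bugtraq,1448 cve,CVE-1999-0874 classtype:web-application-attack sid:973
      LogAs="SID974" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"..\\.."' $Tail # '"WEB-IIS Directory transversal attempt"' bugtraq,2218 cve,CAN-1999-0229 classtype:web-application-attack sid:974
      LogAs="SID976" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '".bat?"' $Tail # '"WEB-IIS .bat? access"' nocase-ignored bugtraq,2023 cve,CVE-1999-0233 url,support.microsoft.com/support/kb/articles/Q148/1/88.asp url,support.microsoft.com/support/kb/articles/Q155/0/56.asp classtype:web-application-activity sid:976
      LogAs="SID977" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '".cnf"' $Tail # '"WEB-IIS .cnf access"' nocase-ignored classtype:web-application-activity sid:977
      LogAs="SID978" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"%20"' --string '"&CiRestriction=none"' --string '"&CiHiliteType=Full"' $Tail # '"WEB-IIS ASP contents view"' nocase-ignored nocase-ignored cve,CAN-2000-0302 bugtraq,1084 classtype:web-application-attack sid:978
      LogAs="SID979" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '".htw?CiWebHitsFile"' $Tail # '"WEB-IIS ASP contents view"' bugtraq,1861 classtype:web-application-attack sid:979
      LogAs="SID980" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/scripts/CGImail.exe"' $Tail # '"WEB-IIS CGImail.exe access"' nocase-ignored cve,CAN-2000-0726 bugtraq,1623 classtype:web-application-activity sid:980
      LogAs="SID981" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/..%c0%af../"' $Tail # '"WEB-IIS unicode directory traversal attempt"' nocase-ignored classtype:web-application-attack cve,CVE-2000-0884 sid:981
      LogAs="SID982" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/..%c1%1c../"' $Tail # '"WEB-IIS unicode directory traversal attempt"' nocase-ignored classtype:web-application-attack cve,CVE-2000-0884 sid:982
      LogAs="SID983" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/..%c1%9c../"' $Tail # '"WEB-IIS unicode directory traversal attempt"' nocase-ignored classtype:web-application-attack cve,CVE-2000-0884 sid:983
      LogAs="SID1945" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/..%255c.."' $Tail # '"WEB-IIS unicode directory traversal attempt"' nocase-ignored classtype:web-application-attack cve,CVE-2000-0884 sid:1945
      LogAs="SID986" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/scripts/proxy/w3proxy.dll"' $Tail # '"WEB-IIS MSProxy access"' nocase-ignored classtype:web-application-activity sid:986
      LogAs="SID1725" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"+.htr"' $Tail # '"WEB-IIS +.htr code fragment attempt"' nocase-ignored cve,CVE-2000-0630 classtype:web-application-attack sid:1725
      LogAs="SID987" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '".htr"' $Tail # '"WEB-IIS .htr access"' nocase-ignored cve,CVE-2000-0630 classtype:web-application-activity sid:987
      LogAs="SID988" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"sam._"' $Tail # '"WEB-IIS SAM Attempt"' nocase-ignored url,www.ciac.org/ciac/bulletins/h-45.shtml classtype:web-application-attack sid:988
      LogAs="SID989" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/sensepost.exe"' $Tail # '"WEB-IIS Unicode2.pl script (File permission canonicalization)"' nocase-ignored classtype:web-application-activity sid:989
      LogAs="SID990" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"_vti_inf.html"' $Tail # '"WEB-IIS _vti_inf access"' nocase-ignored classtype:web-application-activity sid:990
      LogAs="SID991" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/iisadmpwd/achg.htr"' $Tail # '"WEB-IIS achg.htr access"' nocase-ignored cve,CVE-1999-0407 bugtraq,2110 classtype:web-application-activity sid:991
      LogAs="SID994" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/scripts/iisadmin/default.htm"' $Tail # '"WEB-IIS /scripts/iisadmin/default.htm access"' nocase-ignored classtype:web-application-attack sid:994
      LogAs="SID995" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/scripts/iisadmin/ism.dll?http/dir"' $Tail # '"WEB-IIS ism.dll access"' nocase-ignored cve,CVE-2000-0630 bugtraq,189 classtype:web-application-attack sid:995
      LogAs="SID996" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/iisadmpwd/anot"' $Tail # '"WEB-IIS anot.htr access"' nocase-ignored bugtraq,2110 cve,CVE-1999-0407 classtype:web-application-activity sid:996
      LogAs="SID997" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '".asp."' $Tail # '"WEB-IIS asp-dot attempt"' nocase-ignored classtype:web-application-attack sid:997
      LogAs="SID998" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"#filename=*.asp"' $Tail # '"WEB-IIS asp-srch attempt"' nocase-ignored classtype:web-application-attack sid:998
      LogAs="SID1000" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/bdir.htr"' $Tail # '"WEB-IIS bdir.htr access"' nocase-ignored classtype:web-application-activity sid:1000
      LogAs="SID1661" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"cmd32.exe"' $Tail # '"WEB-IIS cmd32.exe access"' nocase-ignored classtype:web-application-attack sid:1661
      LogAs="SID1002" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"cmd.exe"' $Tail # '"WEB-IIS cmd.exe access"' nocase-ignored classtype:web-application-attack sid:1002
      LogAs="SID1003" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '".cmd?&"' $Tail # '"WEB-IIS cmd? access"' nocase-ignored classtype:web-application-attack sid:1003
      LogAs="SID1007" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/Form_JScript.asp"' $Tail # '"WEB-IIS cross-site scripting attempt"' nocase-ignored classtype:web-application-attack sid:1007
      LogAs="SID1380" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/Form_VBScript.asp"' $Tail # '"WEB-IIS cross-site scripting attempt"' nocase-ignored classtype:web-application-attack sid:1380
      LogAs="SID1008" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"&del+/s+c:\*.*"' $Tail # '"WEB-IIS del attempt"' nocase-ignored classtype:web-application-attack sid:1008
      LogAs="SID1009" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/ServerVariables_Jscript.asp"' $Tail # '"WEB-IIS directory listing"' nocase-ignored classtype:web-application-attack sid:1009
      LogAs="SID1010" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"%1u"' $Tail # '"WEB-IIS encoding access"' arachnids,200 classtype:web-application-activity sid:1010
      LogAs="SID1011" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"#filename=*.exe"' $Tail # '"WEB-IIS exec-src access"' nocase-ignored classtype:web-application-activity sid:1011
      LogAs="SID1012" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/fpcount.exe"' --string '"Digits="' $Tail # '"WEB-IIS fpcount attempt"' nocase-ignored bugtraq,2252 classtype:web-application-attack sid:1012
      LogAs="SID1013" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/fpcount.exe"' $Tail # '"WEB-IIS fpcount access"' nocase-ignored bugtraq,2252 classtype:web-application-activity sid:1013
      LogAs="SID1015" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/scripts/tools/getdrvs.exe"' $Tail # '"WEB-IIS getdrvs.exe access"' nocase-ignored classtype:web-application-activity sid:1015
      LogAs="SID1016" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/global.asa"' $Tail # '"WEB-IIS global.asa access"' nocase-ignored nessus,10491 cve,CVE-2000-0778 classtype:web-application-activity sid:1016
      LogAs="SID1017" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"#filename=*.idc"' $Tail # '"WEB-IIS idc-srch attempt"' nocase-ignored cve,CVE-1999-0874 classtype:web-application-attack sid:1017
      LogAs="SID1018" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/iisadmpwd/aexp"' $Tail # '"WEB-IIS iisadmpwd attempt"' nocase-ignored bugtraq,2110 cve,CVE-2000-0304 classtype:web-application-attack sid:1018
      LogAs="SID1019" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"?CiWebHitsFile=/"' --string '"&CiRestriction=none&CiHiliteType=Full"' $Tail # '"WEB-IIS index server file source code attempt"' classtype:web-application-attack sid:1019
      LogAs="SID1020" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '".idc|3a3a|$data"' $Tail # '"WEB-IIS isc$data attempt"' nocase-ignored bugtraq,307 cve,CVE-1999-0874 classtype:web-application-attack sid:1020
      LogAs="SID1021" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"%20%20%20%20%20.htr"' $Tail # '"WEB-IIS ism.dll attempt"' nocase-ignored cve,CAN-2000-0457 bugtraq,1193 classtype:web-application-attack sid:1021
      LogAs="SID1022" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/advworks/equipment/catalog_type.asp"' $Tail # '"WEB-IIS jet vba access"' nocase-ignored bugtraq,286 cve,CVE-1999-0874 classtype:web-application-activity sid:1022
      LogAs="SID1023" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/msadcs.dll"' $Tail # '"WEB-IIS msadcs.dll access"' nocase-ignored cve,CVE-1999-1011 bugtraq,529 classtype:web-application-activity sid:1023
      LogAs="SID1024" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/scripts/tools/newdsn.exe"' $Tail # '"WEB-IIS newdsn.exe access"' nocase-ignored bugtraq,1818 cve,CVE-1999-0191 classtype:web-application-activity sid:1024
      LogAs="SID1025" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/scripts/perl"' $Tail # '"WEB-IIS perl access"' nocase-ignored classtype:web-application-activity sid:1025
      LogAs="SID1026" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"%0a.pl"' $Tail # '"WEB-IIS perl-browse0a attempt"' nocase-ignored classtype:web-application-attack sid:1026
      LogAs="SID1027" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"%20.pl"' $Tail # '"WEB-IIS perl-browse20 attempt"' nocase-ignored classtype:web-application-attack sid:1027
      LogAs="SID1029" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/scripts/|20|"' $Tail # '"WEB-IIS scripts-browse access"' nocase-ignored classtype:web-application-attack sid:1029
      LogAs="SID1030" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/search97.vts"' $Tail # '"WEB-IIS search97.vts access"' bugtraq,162 classtype:web-application-activity sid:1030
      LogAs="SID1037" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/showcode.asp"' $Tail # '"WEB-IIS showcode.asp access"' nocase-ignored cve,CAN-1999-0736 bugtraq,167 nessus,10007 classtype:web-application-activity sid:1037
      LogAs="SID1038" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/adsamples/config/site.csc"' $Tail # '"WEB-IIS site server config access"' nocase-ignored bugtraq,256 classtype:web-application-activity sid:1038
      LogAs="SID1039" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/samples/isapi/srch.htm"' $Tail # '"WEB-IIS srch.htm access"' nocase-ignored classtype:web-application-activity sid:1039
      LogAs="SID1040" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/srchadm"' $Tail # '"WEB-IIS srchadm access"' nocase-ignored classtype:web-application-activity sid:1040
      LogAs="SID1041" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/scripts/uploadn.asp"' $Tail # '"WEB-IIS uploadn.asp access"' nocase-ignored classtype:web-application-activity sid:1041
      LogAs="SID1042" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"Translate: F"' $Tail # '"WEB-IIS view source via translate header"' nocase-ignored arachnids,305 bugtraq,1578 classtype:web-application-activity sid:1042
      LogAs="SID1043" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/viewcode.asp"' $Tail # '"WEB-IIS viewcode.asp access"' nocase-ignored nessus,10576 classtype:web-application-activity sid:1043
      LogAs="SID1044" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '".htw"' $Tail # '"WEB-IIS webhits access"' arachnids,237 classtype:web-application-activity sid:1044
      LogAs="SID1726" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"doctodep.btr"' $Tail # '"WEB-IIS doctodep.btr access"' classtype:web-application-activity sid:1726
      LogAs="SID1046" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/site/iisamples"' $Tail # '"WEB-IIS site/iisamples access"' nocase-ignored classtype:web-application-activity sid:1046
      LogAs="SID1256" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/root.exe"' $Tail # '"WEB-IIS CodeRed v2 root.exe access"' nocase-ignored classtype:web-application-attack url,www.cert.org/advisories/CA-2001-19.html sid:1256
      LogAs="SID1283" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/exchange/LogonFrm.asp?"' --string '"mailbox="' --string '"%%%"' $Tail # '"WEB-IIS outlook web dos"' nocase-ignored nocase-ignored classtype:web-application-attack bugtraq,3223 sid:1283
      LogAs="SID1400" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/scripts/samples/"' $Tail # '"WEB-IIS /scripts/samples/ access"' nocase-ignored classtype:web-application-attack sid:1400
      LogAs="SID1401" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/msadc/samples/"' $Tail # '"WEB-IIS /msadc/samples/ access"' nocase-ignored classtype:web-application-attack sid:1401
      LogAs="SID1402" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/iissamples/"' $Tail # '"WEB-IIS iissamples access"' nocase-ignored classtype:web-application-attack sid:1402
      LogAs="SID970" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"%5c"' --string '".."' $Tail # '"WEB-IIS multiple decode attempt"' cve,CAN-2001-0333 classtype:web-application-attack sid:970
      LogAs="SID993" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/iisadmin"' $Tail # '"WEB-IIS iisadmin access"' nocase-ignored classtype:web-application-attack sid:993
      LogAs="SID1285" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/msdac/"' $Tail # '"WEB-IIS msdac access"' nocase-ignored classtype:web-application-activity sid:1285
      LogAs="SID1286" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/_mem_bin/"' $Tail # '"WEB-IIS _mem_bin access"' nocase-ignored classtype:web-application-activity sid:1286
      LogAs="SID1595" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/htimage.exe"' $Tail # '"WEB-IIS htimage.exe access"' nocase-ignored classtype:web-application-activity nessus,10376 cve,CAN-2000-0256 cve,CAN-2000-0122 sid:1595
      LogAs="SID1817" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/SiteServer/Admin/knowledge/persmbr/"' --string '"Authorization: Basic TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE="' $Tail # '"WEB-IIS MS Site Server default login attempt"' nocase-ignored classtype:web-application-attack nessus,11018 sid:1817
      LogAs="SID1818" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/Site Server/Admin/knowledge/persmbr/"' $Tail # '"WEB-IIS MS Site Server admin attempt"' nocase-ignored nessus,11018 classtype:web-application-attack sid:1818
      LogAs="SID1075" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/scripts/postinfo.asp"' $Tail # '"WEB-IIS postinfo.asp access"' nocase-ignored classtype:web-application-activity sid:1075
      LogAs="SID1567" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/exchange/root.asp?acs=anon"' $Tail # '"WEB-IIS /exchange/root.asp attempt"' nocase-ignored classtype:web-application-attack sid:1567
      LogAs="SID1568" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/exchange/root.asp"' $Tail # '"WEB-IIS /exchange/root.asp access"' nocase-ignored classtype:web-application-activity sid:1568
      LogAs="SID2090" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"HTTP/1.1Content-type: text/xmlHOST:"' --string '"Accept: */*Translate: fContent-length:5276"' $Tail # '"WEB-IIS WEBDAV exploit attempt"' cve,CAN-2003-0109 bugtraq,7716 classtype:attempted-admin sid:2090
      LogAs="SID2091" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"SEARCH / HTTP/1.1 Host:"' --string '" "' $Tail # '"WEB-IIS WEBDAV nessus safe scan attempt"' cve,CAN-2003-0109 bugtraq,7116 nessus,11412 classtype:attempted-admin sid:2091
      LogAs="SID2117" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"myaccount/login.asp"' $Tail # '"WEB-IIS Battleaxe Forum login.asp access"' nocase-ignored cve,CAN-2003-0215 bugtraq,7416 classtype:web-application-activity sid:2117
      LogAs="SID2129" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/nsiislog.dll"' $Tail # '"WEB-IIS nsiislog.dll access"' nocase-ignored nessus,11664 url,www.microsoft.com/technet/security/bulletin/ms03-018.asp classtype:web-application-activity sid:2129
      LogAs="SID2130" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/iisprotect/admin/SiteAdmin.asp"' $Tail # '"WEB-IIS IISProtect siteadmin.asp access"' nocase-ignored nessus,11662 bugtraq,7675 classtype:web-application-activity sid:2130
      LogAs="SID2157" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/iisprotect/admin/GlobalAdmin.asp"' $Tail # '"WEB-IIS IISProtect globaladmin.asp access"' nocase-ignored nessus,11661 classtype:web-application-activity sid:2157
      LogAs="SID2131" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/iisprotect/admin/"' $Tail # '"WEB-IIS IISProtect access"' nocase-ignored nessus,11661 classtype:web-application-activity sid:2131
      LogAs="SID2132" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/en/admin/aggregate.asp"' $Tail # '"WEB-IIS Synchrologic Email Accelerator userid list access attempt"' nocase-ignored nessus,11657 classtype:web-application-activity sid:2132
      LogAs="SID2133" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/biztalkhttpreceive.dll"' $Tail # '"WEB-IIS MS BizTalk server access"' nessus,11638 bugtraq,7469 bugtraq,7470 cve,CAN-2003-0117 cve,CAN-2003-0118 classtype:web-application-activity sid:2133
      LogAs="SID2134" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/register.asp"' $Tail # '"WEB-IIS register.asp access"' nessus,11621 classtype:web-application-activity sid:2134
      LogAs="SID2247" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/UploadScript11.asp"' $Tail # '"WEB-IIS UploadScript11.asp access"' cve,CAN-2001-0938 classtype:web-application-activity sid:2247
      LogAs="SID2248" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/DirectoryListing.asp"' $Tail # '"WEB-IIS DirectoryListing.asp access"' cve,CAN-2001-0938 classtype:web-application-activity sid:2248
      LogAs="SID2249" $Ipt -A "$Me" -p tcp --dport 80 -m string --string '"/pcadmin/login.asp"' $Tail # '"WEB-IIS /pcadmin/login.asp access"' nessus,11785 bugtraq,8103 classtype:web-application-activity sid:2249
      ;;
    destroy)
      echo "Stopping $Me" >&2
      DestroyChain "$Me"
      ;;
    renamechain)
      # Park the live chain under a random name so a fresh one can be built
      # and swapped in by replacelinks without a window with no rules.
      TempChain="$Me-$RANDOM"
      echo "Replacing existing rules in $Me with new rules" >&2
      $IptablesBin -E "$Me" "$TempChain"
      ;;
    replacelinks)
      # Only swap when exactly one jump to the parked chain exists in each of
      # INPUT/FORWARD/OUTPUT; otherwise report and leave everything in place.
      if [ -z "$TempChain" ]; then
        echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
      elif ! $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
        echo "No $Me chain in $Me, replace operation incomplete." >&2
      elif ! $IptablesBin -L "$TempChain" -n >/dev/null 2>&1 ; then
        echo "No $TempChain chain in $Me, replace operation incomplete." >&2
      elif [ "$(fb_ref_count INPUT "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(fb_ref_count FORWARD "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(fb_ref_count OUTPUT "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
      else
        # ZZZZ Keep the match criteria here identical to link/unlink above;
        # ZZZZ criteria go just in front of "-j $Me".
        $IptablesBin -R INPUT "$(fb_ref_lineno INPUT "$TempChain")" -i \! lo -j "$Me"
        $IptablesBin -R FORWARD "$(fb_ref_lineno FORWARD "$TempChain")" -j "$Me"
        $IptablesBin -R OUTPUT "$(fb_ref_lineno OUTPUT "$TempChain")" -j "$Me"
        DestroyChain "$TempChain"
        unset TempChain
      fi
      ;;
    status)
      if $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
        echo "$Me created" >&2
      else
        echo "$Me destroyed" >&2
      fi
      ;;
    version)
      echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
      ;;
    help)
      DefaultHelp
      cat <<EOTEXT >&2
The $Me module adds iptables string-match rules on tcp port 80 for the
Snort WEB-IIS signature set (ruleset snapshot $MyVersion): requests for
known-vulnerable IIS sample files, ISAPI extensions, administrative
scripts and encoded directory traversal paths.  Where the Snort rule was
case-insensitive, this module matches case-sensitively, and each match is
made inside a single packet, so it detects less than Snort would.  Some
of the strings are short enough to appear in normal web traffic, so review
what \$Tail does to a matching packet before using this on a busy server.
EOTEXT
      ;;
    *)
      # Report the task actually being dispatched on (OneTask), not an unset name.
      echo "Unknown action $OneTask in $Me, no action taken." >&2
      ;;
  esac
done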