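#!/bin/bash
# snort-finger: a firebricks module that adds iptables string-match rules for
# TCP port 79 (finger) to its own chain, mirroring the Snort finger signatures
# (SIDs 320-333 and 1541).
#
# Everything this module relies on comes from the firebricks framework, sourced
# below: the task list in $Tasks, the iptables wrappers $IptablesBin / $Ipt,
# the insert mode $AppIn, the rule tail $Tail, and the helpers FlushOrNewChain,
# DestroyChain and DefaultHelp. LogAs is set per rule for the framework's
# logging (how it is consumed lives in firebrickslib, not here).
#
# Copyright 2003 William Stearns
# Released under the GPL.

#ZZZZ Check Me and MyVersion
Me='snort-finger'
MyVersion='20031125'
#DefaultActions=''

# Site-wide config, then the per-module config, then the shared library.
[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] && . "/etc/firebricks/$Me.conf"
FBLib="${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"
[ -r "$FBLib" ] && . "$FBLib"
if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi

#######################################
# Add one finger signature to the $Me chain.
# Arguments: $1 - Snort SID, used as the LogAs tag ("SID<n>")
#            $2 - pattern handed to -m string exactly as given
# NOTE(review): the patterns below keep the surrounding double quotes from the
# Snort rules. Unless $Ipt strips them, iptables will search for the quotes as
# part of the string — confirm against firebrickslib. Newer xt_string builds
# also require an --algo bm|kmp argument that these rules do not pass.
#######################################
finger_rule() {
  local sid=$1
  local pattern=$2
  LogAs="SID$sid" $Ipt -A $Me -p tcp --dport 79 -m string --string "$pattern" $Tail
}

#######################################
# Count the rules in builtin chain $1 that reference $TempChain.
# Outputs: the count on stdout
#######################################
temp_refs() {
  $IptablesBin -L "$1" -n --line-numbers | grep -c -- "$TempChain"
}

#######################################
# Print the rule number(s) in builtin chain $1 that reference $TempChain.
# Only meaningful after temp_refs has confirmed exactly one reference.
#######################################
temp_rulenum() {
  $IptablesBin -L "$1" -n --line-numbers | grep -- "$TempChain" | awk '{print $1}'
}

for OneTask in $Tasks; do
  case "$OneTask" in
    link)
      # The chain may already exist; a failing -N is deliberately ignored.
      $IptablesBin -N $Me >/dev/null 2>&1
      #ZZZZ try to restrict the following three to only send down what the chain needs to inspect.
      $IptablesBin $AppIn INPUT -i \! lo -j $Me
      $IptablesBin $AppIn FORWARD -j $Me
      $IptablesBin $AppIn OUTPUT -j $Me
      ;;
    unlink)
      #ZZZZ Make the same changes as above (such as "-p tcp"), but if you cut and paste, note "$AppIn" is now "-D"
      $IptablesBin -D INPUT -i \! lo -j $Me
      $IptablesBin -D FORWARD -j $Me
      $IptablesBin -D OUTPUT -j $Me
      $IptablesBin -X $Me >/dev/null 2>&1
      ;;
    create)
      echo "Starting $Me" >&2
      FlushOrNewChain $Me
      # Each line: SID, pattern, then the original Snort metadata as a comment.
      finger_rule 320 '"cmd_rootsh"'   # '"FINGER cmd_rootsh backdoor attempt"' classtype:attempted-admin nessus,10070 cve,CAN-1999-0660 url,www.sans.org/y2k/TFN_toolkit.htm url,www.sans.org/y2k/fingerd.htm sid:320
      finger_rule 321 '"a b c d e f"'  # '"FINGER account enumeration attempt"' nocase-ignored nessus,10788 classtype:attempted-recon sid:321
      finger_rule 322 '"search"'       # '"FINGER search query"' cve,CVE-1999-0259 arachnids,375 classtype:attempted-recon sid:322
      finger_rule 323 '"root"'         # '"FINGER root query"' arachnids,376 classtype:attempted-recon sid:323
      finger_rule 324 '""'             # '"FINGER null request"' arachnids,377 classtype:attempted-recon sid:324
      finger_rule 327 '"|"'            # '"FINGER remote command pipe execution attempt"' cve,CVE-1999-0152 bugtraq,2220 arachnids,380 classtype:attempted-user sid:327
      finger_rule 328 '"@@"'           # '"FINGER bomb attempt"' arachnids,381 cve,CAN-1999-0106 classtype:attempted-dos sid:328
      finger_rule 330 '"@"'            # '"FINGER redirection attempt"' nessus,10073 arachnids,251 cve,CAN-1999-0105 classtype:attempted-recon sid:330
      finger_rule 331 '" "'            # '"FINGER cybercop query"' arachnids,132 cve,CVE-1999-0612 classtype:attempted-recon sid:331
      finger_rule 332 '"0"'            # '"FINGER 0 query"' nessus,10069 arachnids,378 arachnids,131 cve,CAN-1999-0197 classtype:attempted-recon sid:332
      finger_rule 333 '"."'            # '"FINGER . query"' nessus,10072 arachnids,130 cve,CAN-1999-0198 classtype:attempted-recon sid:333
      finger_rule 1541 '"version"'     # '"FINGER version query"' classtype:attempted-recon sid:1541
      ;;
    destroy)
      echo "Stopping $Me" >&2
      DestroyChain $Me
      ;;
    renamechain)
      # Park the live chain under a temporary name so a fresh one can be built.
      TempChain="$Me-$RANDOM"
      echo "Replacing existing rules in $Me with new rules" >&2
      $IptablesBin -E $Me $TempChain
      ;;
    replacelinks)
      # Only swap the jumps when each builtin chain references the temporary
      # chain exactly once; otherwise -R would get zero or several rule numbers.
      if [ -z "$TempChain" ]; then
        echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
      elif ! $IptablesBin -L $Me -n >/dev/null 2>&1; then
        echo "No $Me chain in $Me, replace operation incomplete." >&2
      elif ! $IptablesBin -L $TempChain -n >/dev/null 2>&1; then
        echo "No $TempChain chain in $Me, replace operation incomplete." >&2
      elif [ "$(temp_refs INPUT)" -ne 1 ]; then
        echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(temp_refs FORWARD)" -ne 1 ]; then
        echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(temp_refs OUTPUT)" -ne 1 ]; then
        echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
      else
        #ZZZZ Place the same criteria you used in link/unlink above in the following three lines.
        #ZZZZ Criteria should go just in front of "-j $Me"
        $IptablesBin -R INPUT "$(temp_rulenum INPUT)" -i \! lo -j $Me
        $IptablesBin -R FORWARD "$(temp_rulenum FORWARD)" -j $Me
        $IptablesBin -R OUTPUT "$(temp_rulenum OUTPUT)" -j $Me
        DestroyChain $TempChain
        unset TempChain
      fi
      ;;
    status)
      if $IptablesBin -L $Me -n >/dev/null 2>&1; then
        echo "$Me created" >&2
      else
        echo "$Me destroyed" >&2
      fi
      ;;
    version)
      echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
      ;;
    help)
      DefaultHelp
      cat <<EOTEXT >&2
The $Me module adds string-match rules for TCP port 79 (finger) to the
$Me chain, mirroring Snort's finger signatures (SIDs 320-333 and 1541):
backdoor, account enumeration, search/root/version queries, redirection,
finger bomb and command-pipe attempts. What happens to a matching packet
is whatever the firebricks \$Tail setting specifies; LogAs is set to the
SID of the matching rule for logging.
Several of the patterns are a single character (" ", ".", "0", "@") and
will also match ordinary finger traffic, so expect false positives on a
network that actually serves finger. On networks with no finger service
these rules should be safe to use.
EOTEXT
      ;;
    *)
      # The selector is the task being iterated, so report that name.
      echo "Unknown action $OneTask in $Me, no action taken." >&2
      ;;
  esac
done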