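#!/bin/bash
# snort-p2p: firebricks module that loads a handful of Snort "P2P" signatures
# (Napster, Fastrack/Kazaa, BitTorrent) as iptables string-match rules.
#
# Copyright 2003 William Stearns
# Released under the GPL.
#
# Everything that drives this script comes from firebrickslib: $Tasks lists
# the actions to perform, $IptablesBin/$Ipt run iptables, $AppIn is the
# append/insert flag used when linking, $Tail is appended to every detection
# rule, and FlushOrNewChain/DestroyChain/DefaultHelp are library functions.
# None of those are defined here; consult firebrickslib before changing how
# they are used.
#
# Notes on the iptables "string" match used by the rules:
#   * one "-m string" takes exactly one "--string"; a rule that needs several
#     patterns repeats "-m string --string ..." for each of them.
#   * the pattern is the literal argument.  The generated rules this module
#     replaced searched for the Snort delimiting quotes as well (e.g. the
#     six characters ".mp3" with quotes), so they could never fire; the
#     quotes are gone now.
#   * the match is case-sensitive.  Snort rules marked "nocase" are only
#     approximated (".mp3" does not catch ".MP3").
#   * Snort contents given as hex with NUL bytes cannot be passed on a
#     command line; those rules are kept below, disabled, for reference.
#   * the rules were written for the 2003 patch-o-matic string match.  The
#     mainline xt_string match additionally requires "--algo bm|kmp".

Me='snort-p2p'
MyVersion='20031125'
#DefaultActions=''

# Configuration is sourced, i.e. executed with this script's privileges
# (normally root).  Only readability is checked here, so these files must be
# root-owned and not writable by anybody else.
[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] && . "/etc/firebricks/$Me.conf"
[ -r "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib" ] && . "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"
if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi

# Criteria placed in front of "-j $Me" on the jumps from the builtin chains.
# Every rule in the chain is "-p tcp", so only TCP is handed down to it.
# link, unlink and replacelinks all use these same variables so that the
# three stay in step; a chain linked by an older version of this module
# (no "-p tcp" on the jump) has to be unlinked by that version first.
InCrit='-p tcp -i ! lo'
FwdCrit='-p tcp'
OutCrit='-p tcp'

# Print the rule number of every rule in builtin chain $1 that references
# chain $2, one per line.  -w stops "$Me-12" from also matching "$Me-123".
RefLines() {
  $IptablesBin -L "$1" -n --line-numbers | grep -Fw -- "$2" | awk '{print $1}'
}

for OneTask in $Tasks ; do
  case "$OneTask" in
    link)
      $IptablesBin -N "$Me" >/dev/null 2>&1
      $IptablesBin $AppIn INPUT $InCrit -j "$Me"
      $IptablesBin $AppIn FORWARD $FwdCrit -j "$Me"
      $IptablesBin $AppIn OUTPUT $OutCrit -j "$Me"
      ;;
    unlink)
      $IptablesBin -D INPUT $InCrit -j "$Me"
      $IptablesBin -D FORWARD $FwdCrit -j "$Me"
      $IptablesBin -D OUTPUT $OutCrit -j "$Me"
      $IptablesBin -X "$Me" >/dev/null 2>&1
      ;;
    create)
      echo "Starting $Me" >&2
      FlushOrNewChain "$Me"

      # SID549 "P2P napster login", SID550 "P2P napster new user login" and
      # SID551 "P2P napster download attempt" (all tcp/8888) match binary
      # Snort contents containing NUL bytes.  The generated rules ended up
      # searching for the literal text "" and "Ë" (0xCB) -- not the
      # signature -- so they are left disabled rather than loaded as a
      # one-byte pattern that would fire on arbitrary binary traffic.
      #LogAs="SID549" $Ipt -A "$Me" -p tcp --dport 8888 -m string --string '' $Tail # '"P2P napster login"' classtype:policy-violation sid:549
      #LogAs="SID550" $Ipt -A "$Me" -p tcp --dport 8888 -m string --string '' $Tail # '"P2P napster new user login"' classtype:policy-violation sid:550
      #LogAs="SID551" $Ipt -A "$Me" -p tcp --dport 8888 -m string --string 'Ë' $Tail # '"P2P napster download attempt"' classtype:policy-violation sid:551

      # Napster client data: ".mp3" in either direction of an established
      # connection on the usual client ports.  Snort had nocase on these.
      LogAs="SID561" $Ipt -A "$Me" -p tcp --dport 6699 -m state --state ESTABLISHED -m string --string '.mp3' $Tail # '"P2P Napster Client Data"' nocase-ignored classtype:policy-violation sid:561
      LogAs="SID561" $Ipt -A "$Me" -p tcp --sport 6699 -m state --state ESTABLISHED -m string --string '.mp3' $Tail # '"P2P Napster Client Data"' nocase-ignored classtype:policy-violation sid:561
      LogAs="SID563" $Ipt -A "$Me" -p tcp --dport 6666 -m state --state ESTABLISHED -m string --string '.mp3' $Tail # '"P2P Napster Client Data"' nocase-ignored classtype:policy-violation sid:563
      LogAs="SID563" $Ipt -A "$Me" -p tcp --sport 6666 -m state --state ESTABLISHED -m string --string '.mp3' $Tail # '"P2P Napster Client Data"' nocase-ignored classtype:policy-violation sid:563
      LogAs="SID564" $Ipt -A "$Me" -p tcp --dport 5555 -m state --state ESTABLISHED -m string --string '.mp3' $Tail # '"P2P Napster Client Data"' nocase-ignored classtype:policy-violation sid:564
      LogAs="SID564" $Ipt -A "$Me" -p tcp --sport 5555 -m state --state ESTABLISHED -m string --string '.mp3' $Tail # '"P2P Napster Client Data"' nocase-ignored classtype:policy-violation sid:564

      # Napster server login.
      LogAs="SID565" $Ipt -A "$Me" -p tcp --dport 8875 -m state --state ESTABLISHED -m string --string 'anon@napster.com' $Tail # '"P2P Napster Server Login"' classtype:policy-violation sid:565
      LogAs="SID565" $Ipt -A "$Me" -p tcp --sport 8875 -m state --state ESTABLISHED -m string --string 'anon@napster.com' $Tail # '"P2P Napster Server Login"' classtype:policy-violation sid:565

      # Fastrack (Kazaa/Morpheus).  SID1383 is limited to tcp/1214; SID1699
      # has no port restriction, so every TCP packet is searched twice --
      # noticeable on busy links.
      LogAs="SID1383" $Ipt -A "$Me" -p tcp --dport 1214 -m string --string 'GET ' $Tail # '"P2P Fastrack (kazaa/morpheus) GET request"' url,www.musiccity.com/technology.htm url,www.kazaa.com classtype:policy-violation sid:1383
      LogAs="SID1699" $Ipt -A "$Me" -p tcp -m string --string 'GET' -m string --string 'UserAgent: KazaaClient' $Tail # '"P2P Fastrack (kazaa/morpheus) traffic"' url,www.kazaa.com classtype:policy-violation sid:1699

      # BitTorrent.  The tracker announce (SID2180) is four separate string
      # matches on every TCP packet; the transfer rule (SID2181) is limited
      # to the default peer port range.
      LogAs="SID2180" $Ipt -A "$Me" -p tcp -m string --string 'GET' -m string --string '/announce' -m string --string 'info_hash=' -m string --string 'event=started' $Tail # '"P2P BitTorrent announce request"' classtype:policy-violation sid:2180
      LogAs="SID2181" $Ipt -A "$Me" -p tcp --dport 6881:6889 -m string --string 'BitTorrent protocol' $Tail # '"P2P BitTorrent transfer"' classtype:policy-violation sid:2181
      ;;
    destroy)
      echo "Stopping $Me" >&2
      DestroyChain "$Me"
      ;;
    renamechain)
      # Park the live chain under a temporary name so "create" can build a
      # fresh one while the old rules keep matching; replacelinks swaps them.
      TempChain="$Me-$RANDOM"
      echo "Replacing existing rules in $Me with new rules" >&2
      $IptablesBin -E "$Me" "$TempChain"
      ;;
    replacelinks)
      # Point the three jumps at the rebuilt chain and drop the parked one.
      # Refuse to touch anything unless exactly one reference exists in each
      # builtin chain, otherwise -R would edit the wrong rule.
      if [ -z "$TempChain" ]; then
        echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
      elif ! $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
        echo "No $Me chain in $Me, replace operation incomplete." >&2
      elif ! $IptablesBin -L "$TempChain" -n >/dev/null 2>&1 ; then
        echo "No $TempChain chain in $Me, replace operation incomplete." >&2
      elif [ "$(RefLines INPUT "$TempChain" | wc -l)" -ne 1 ]; then
        echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(RefLines FORWARD "$TempChain" | wc -l)" -ne 1 ]; then
        echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(RefLines OUTPUT "$TempChain" | wc -l)" -ne 1 ]; then
        echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
      else
        $IptablesBin -R INPUT "$(RefLines INPUT "$TempChain")" $InCrit -j "$Me"
        $IptablesBin -R FORWARD "$(RefLines FORWARD "$TempChain")" $FwdCrit -j "$Me"
        $IptablesBin -R OUTPUT "$(RefLines OUTPUT "$TempChain")" $OutCrit -j "$Me"
        DestroyChain "$TempChain"
        unset TempChain
      fi
      ;;
    status)
      if $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
        echo "$Me created" >&2
      else
        echo "$Me destroyed" >&2
      fi
      ;;
    version)
      echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
      ;;
    help)
      DefaultHelp
      cat <<EOTEXT >&2
The $Me module inspects TCP payloads for the peer-to-peer signatures found
in Snort's p2p rule set: Napster client data and server logins (tcp ports
5555, 6666, 6699 and 8875), Fastrack/Kazaa requests (tcp/1214, plus the
"UserAgent: KazaaClient" header on any port), BitTorrent tracker announces
(any port) and BitTorrent transfers (tcp/6881-6889).  Matching packets are
handed to whatever action \$Tail carries (set by firebrickslib), so whether
they are only logged or also dropped depends on that setting.

It is safe to load on most networks, with these caveats: the Kazaa and
BitTorrent announce rules string-search every TCP packet, which costs CPU on
busy links; the string match is case-sensitive, so variants such as ".MP3"
are missed; and the Napster login/download signatures (sid 549, 550, 551)
use binary contents that cannot be loaded and are left disabled.
EOTEXT
      ;;
    *)
      # The loop variable is OneTask; the old text reported an undefined
      # $Action and so printed an empty name.
      echo "Unknown action $OneTask in $Me, no action taken." >&2
      ;;
  esac
done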