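#!/bin/bash
#Copyright 2003 William Stearns
#Released under the GPL.
#
# firebricks module "snort-snmp".
#
# Installs an iptables chain ($Me) holding rules that match SNMP traffic
# (udp/tcp 161 and 162, AgentX tcp 705, broadcast requests/traps, and a
# handful of payload patterns lifted from snort "content:" fields) and hands
# every match to the firebrickslib-supplied "$Tail" action, with LogAs set to
# the originating snort SID.  Which tasks run is decided by the $Tasks list
# that firebricks.conf / firebrickslib put in the environment: link, unlink,
# create, destroy, renamechain, replacelinks, status, version, help.
#
# Requires: /etc/firebricks/firebricks.conf, optional /etc/firebricks/$Me.conf,
#           and ${FBLibDir}/firebrickslib (provides $IptablesBin, $Ipt, $AppIn,
#           $Tail, FlushOrNewChain, DestroyChain, DefaultHelp, $FBLibVer).

#ZZZZ Check Me and MyVersion
Me='snort-snmp'
MyVersion='20031125'
#DefaultActions=''

[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] && . "/etc/firebricks/$Me.conf"
[ -r "${FBLibDir:-'/usr/lib/firebricks/'}/firebrickslib" ] && . "${FBLibDir:-'/usr/lib/firebricks/'}/firebrickslib"

if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi

#######################################
# Print the rule numbers (one per line, possibly none) of the entries in
# built-in chain $1 whose target is chain $2.
# -w keeps "$Me-123" from also matching "$Me-1234"; the original unanchored
# grep could miscount when two temp chains shared a prefix.
# $IptablesBin is left unquoted on purpose: it is whatever firebrickslib
# set and the rest of this file expands it the same way.
#######################################
chain_refs() {
  $IptablesBin -L "$1" -n --line-numbers | grep -w -- "$2" | awk '{print $1}'
}

#######################################
# Print how many rules in built-in chain $1 jump to chain $2.
#######################################
chain_ref_count() {
  $IptablesBin -L "$1" -n --line-numbers | grep -cw -- "$2"
}

for OneTask in $Tasks ; do
  case "$OneTask" in
    link)
      $IptablesBin -N $Me >/dev/null 2>&1
      #ZZZZ try to restrict the following three to only send down what the chain needs to inspect.
      $IptablesBin $AppIn INPUT -i \! lo -j $Me
      $IptablesBin $AppIn FORWARD -j $Me
      $IptablesBin $AppIn OUTPUT -j $Me
      ;;
    unlink)
      #ZZZZ Make the same changes as above (such as "-p tcp"), but if you cut and paste, note "$AppIn" is now "-D"
      $IptablesBin -D INPUT -i \! lo -j $Me
      $IptablesBin -D FORWARD -j $Me
      $IptablesBin -D OUTPUT -j $Me
      $IptablesBin -X $Me >/dev/null 2>&1
      ;;
    create)
      echo "Starting $Me" >&2
      FlushOrNewChain $Me
      # NOTE(review): the --string patterns below were carried over verbatim
      # from the snort "content:" fields and still carry the surrounding
      # double quotes, so iptables searches for the quote characters as well;
      # the '""' and non-ASCII patterns also look like they lost bytes in
      # transcription.  Verify each against the referenced snort SID before
      # relying on these rules to match.
      LogAs="SID1893" $Ipt -A $Me -p udp --dport 161 -m string --string '""' $Tail # '"SNMP missing community string attempt"' cve,CAN-1999-0517 classtype:misc-attack sid:1893
      LogAs="SID1892" $Ipt -A $Me -p udp --dport 161 -m string --string '""' $Tail # '"SNMP null community string attempt"' cve,CAN-1999-0517 classtype:misc-attack sid:1892
      LogAs="SID1409" $Ipt -A $Me -p udp --dport 161:162 -m string --string '"‚"' $Tail # '"SNMP community string buffer overflow attempt"' url,www.cert.org/advisories/CA-2002-03.html cve,CAN-2002-0012 cve,CAN-2002-0013 classtype:misc-attack sid:1409
      LogAs="SID1422" $Ipt -A $Me -p udp --dport 161:162 -m string --string '" ‚"' $Tail # '"SNMP community string buffer overflow attempt (with evasion)"' url,www.cert.org/advisories/CA-2002-03.html cve,CAN-2002-0012 cve,CAN-2002-0013 classtype:misc-attack sid:1422
      LogAs="SID1411" $Ipt -A $Me -p udp --dport 161 -m string --string '"public"' $Tail # '"SNMP public access udp"' cve,CAN-1999-0517 cve,CAN-2002-0012 cve,CAN-2002-0013 sid:1411 classtype:attempted-recon
      LogAs="SID1412" $Ipt -A $Me -p tcp --dport 161 -m string --string '"public"' $Tail # '"SNMP public access tcp"' cve,CAN-1999-0517 cve,CAN-2002-0012 cve,CAN-2002-0013 sid:1412 classtype:attempted-recon
      LogAs="SID1413" $Ipt -A $Me -p udp --dport 161 -m string --string '"private"' $Tail # '"SNMP private access udp"' cve,CAN-2002-0012 cve,CAN-2002-0013 sid:1413 classtype:attempted-recon
      LogAs="SID1414" $Ipt -A $Me -p tcp --dport 161 -m string --string '"private"' $Tail # '"SNMP private access tcp"' cve,CAN-2002-0012 cve,CAN-2002-0013 sid:1414 classtype:attempted-recon
      LogAs="SID1415" $Ipt -A $Me -p udp -d 255.255.255.255 --dport 161 $Tail # '"SNMP Broadcast request"' cve,CAN-2002-0012 cve,CAN-2002-0013 sid:1415 classtype:attempted-recon
      LogAs="SID1416" $Ipt -A $Me -p udp -d 255.255.255.255 --dport 162 $Tail # '"SNMP broadcast trap"' cve,CAN-2002-0012 cve,CAN-2002-0013 sid:1416 classtype:attempted-recon
      # The four rules below match every SNMP request/trap regardless of
      # payload, so on a network that legitimately uses SNMP they fire on
      # normal management traffic.
      LogAs="SID1417" $Ipt -A $Me -p udp --dport 161 $Tail # '"SNMP request udp"' cve,CAN-2002-0012 cve,CAN-2002-0013 sid:1417 classtype:attempted-recon
      LogAs="SID1418" $Ipt -A $Me -p tcp --dport 161 $Tail # '"SNMP request tcp"' cve,CAN-2002-0012 cve,CAN-2002-0013 sid:1418 classtype:attempted-recon
      LogAs="SID1419" $Ipt -A $Me -p udp --dport 162 $Tail # '"SNMP trap udp"' cve,CAN-2002-0012 cve,CAN-2002-0013 sid:1419 classtype:attempted-recon
      LogAs="SID1420" $Ipt -A $Me -p tcp --dport 162 $Tail # '"SNMP trap tcp"' cve,CAN-2002-0012 cve,CAN-2002-0013 sid:1420 classtype:attempted-recon
      LogAs="SID1421" $Ipt -A $Me -p tcp --dport 705 $Tail # '"SNMP AgentX/tcp request"' cve,CAN-2002-0012 cve,CAN-2002-0013 sid:1421 classtype:attempted-recon
      LogAs="SID1426" $Ipt -A $Me -p udp --dport 161 -m string --string '"0&public 00 +"' $Tail # '"SNMP PROTOS test-suite-req-app attempt"' url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html classtype:misc-attack sid:1426
      LogAs="SID1427" $Ipt -A $Me -p udp --dport 162 -m string --string '"08public¤+"' $Tail # '"SNMP PROTOS test-suite-trap-app attempt"' url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html classtype:misc-attack sid:1427
      ;;
    destroy)
      echo "Stopping $Me" >&2
      DestroyChain $Me
      ;;
    renamechain)
      # Park the live rules under a random name so "create" can build a fresh
      # $Me chain while the old one keeps filtering until "replacelinks".
      TempChain="$Me-$RANDOM"
      echo "Replacing existing rules in $Me with new rules" >&2
      $IptablesBin -E $Me $TempChain
      ;;
    replacelinks)
      # Every sanity check must pass before any -R is issued, otherwise the
      # built-in chains could be left pointing at a chain that is about to be
      # destroyed.
      if [ -z "$TempChain" ]; then
        echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
      elif ! $IptablesBin -L $Me -n >/dev/null 2>&1 ; then
        echo "No $Me chain in $Me, replace operation incomplete." >&2
      elif ! $IptablesBin -L $TempChain -n >/dev/null 2>&1 ; then
        echo "No $TempChain chain in $Me, replace operation incomplete." >&2
      elif [ "$(chain_ref_count INPUT "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(chain_ref_count FORWARD "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(chain_ref_count OUTPUT "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
      else
        #ZZZZ Place the same criteria you used in link/unlink above in the following three lines.
        #ZZZZ Criteria should go just in front of "-j $Me"
        $IptablesBin -R INPUT "$(chain_refs INPUT "$TempChain")" -i \! lo -j $Me
        $IptablesBin -R FORWARD "$(chain_refs FORWARD "$TempChain")" -j $Me
        $IptablesBin -R OUTPUT "$(chain_refs OUTPUT "$TempChain")" -j $Me
        DestroyChain $TempChain
        unset TempChain
      fi
      ;;
    status)
      if $IptablesBin -L $Me -n >/dev/null 2>&1 ; then
        echo "$Me created" >&2
      else
        echo "$Me destroyed" >&2
      fi
      ;;
    version)
      echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
      ;;
    help)
      DefaultHelp
      # Help text describes this module (the previous text was a leftover
      # from an icmp module and did not match the rules above).
      cat <<EOTEXT >&2
The $Me module adds rules that match SNMP traffic: requests and traps on
udp/tcp ports 161 and 162, AgentX requests on tcp 705, SNMP sent to the
broadcast address, and a few payload patterns taken from snort's SNMP
signatures (default community strings, PROTOS test-suite packets).  Each
match is handed to the standard firebricks tail action tagged with the snort
SID it came from; whether that action only logs or also drops depends on how
firebrickslib/your configuration define it.

Because several rules match any SNMP request or trap, they will fire on
legitimate management traffic on networks that use SNMP; use them where SNMP
is not expected, or restrict the link/unlink criteria to the interfaces that
matter.
EOTEXT
      ;;
    *)
      echo "Unknown action $OneTask in $Me, no action taken." >&2
      ;;
  esac
done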