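#!/bin/bash
# snort-sql - firebricks module that mirrors a set of Snort MS-SQL signatures
# as iptables string-match rules on a dedicated chain named after the module.
#
# Copyright 2003 William Stearns
# Released under the GPL.
#
# Usage: run by firebrickslib. $Tasks (set by the library) is a
# space-separated list of actions; each one is handled by an arm of the
# case statement below (link, unlink, create, destroy, renamechain,
# replacelinks, status, version, help).
#
# Names used here but defined elsewhere (firebricks.conf, "$Me.conf" or
# firebrickslib): IptablesBin, AppIn, Ipt, Tail, Tasks, FBLibVer,
# FlushOrNewChain, DestroyChain, DefaultHelp.  $Ipt, $Tail and $AppIn are
# expanded unquoted on purpose: they are expected to carry several words
# (the iptables invocation, the rule target/logging suffix, the -A/-I flag).

Me='snort-sql'
MyVersion='20031125'
#DefaultActions=''

# Site-wide config, then per-module config, then the shared library.
[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] && . "/etc/firebricks/$Me.conf"
[ -r "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib" ] && . "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"

# FBLibVer is set by firebrickslib; without it none of the helper functions
# or variables below exist, so stop here rather than run partial iptables
# commands.
if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi

#######################################
# Line numbers (from `iptables -L --line-numbers`) of the rules in chain $1
# whose *target column* is exactly $2.  Matching the target column instead of
# grepping the whole listing keeps a chain such as "$Me-12" from being counted
# as a reference to "$Me-123" and ignores matches in other columns.
# Arguments: $1 - built-in chain to list (INPUT, FORWARD, OUTPUT)
#            $2 - target chain name to look for
# Outputs:   one rule number per line to stdout (nothing if no reference)
#######################################
ref_lines() {
  "$IptablesBin" -L "$1" -n --line-numbers | awk -v want="$2" '$2 == want { print $1 }'
}

#######################################
# Number of rules in chain $1 that jump to chain $2 (see ref_lines).
# Outputs:   a single integer to stdout
#######################################
ref_count() {
  ref_lines "$1" "$2" | wc -l
}

# $Tasks is a space-separated list supplied by firebrickslib; word-splitting
# is the point here.
# shellcheck disable=SC2086
for OneTask in $Tasks ; do
  case "$OneTask" in
    link)
      # -N fails harmlessly if the chain already exists; that is expected.
      "$IptablesBin" -N "$Me" >/dev/null 2>&1
      # TODO: every rule in the create arm matches -p tcp or -p udp, so these
      # three jumps could be narrowed to send only that traffic down the
      # chain.  Any criteria added here must be mirrored in unlink and in
      # the -R lines of replacelinks.
      "$IptablesBin" $AppIn INPUT -i \! lo -j "$Me"
      "$IptablesBin" $AppIn FORWARD -j "$Me"
      "$IptablesBin" $AppIn OUTPUT -j "$Me"
      ;;
    unlink)
      # Must use exactly the same match criteria as link, with -D in place
      # of $AppIn, or the jumps will not be found and removed.
      "$IptablesBin" -D INPUT -i \! lo -j "$Me"
      "$IptablesBin" -D FORWARD -j "$Me"
      "$IptablesBin" -D OUTPUT -j "$Me"
      "$IptablesBin" -X "$Me" >/dev/null 2>&1
      ;;
    create)
      echo "Starting $Me" >&2
      FlushOrNewChain "$Me"
      # Each rule mirrors one Snort signature; the trailing comment is the
      # Snort msg/classtype/sid/references it was derived from.  LogAs is
      # set only for that single $Ipt invocation.
      #
      # NOTE(review): every --string argument is single-quoted around a
      # double-quoted token, so the bytes iptables is asked to find include
      # the two literal double-quote characters (e.g. the 14 bytes
      # "sp_start_job" rather than the 12-byte procedure name).  Confirm that
      # is intended before relying on these rules; the Snort rules cited
      # match the bare content, and "nocase-ignored" in the comments records
      # that the Snort nocase modifier was dropped, so matching here is
      # case-sensitive.  Rules with several --string options (sids 2003/2004)
      # depend on the string match honouring more than one pattern, and the
      # empty '""' tokens look like binary content lost in conversion -
      # verify against the original Snort rules.
      #
      # --- SMB transport, tcp/139 ---
      LogAs="SID676" $Ipt -A "$Me" -p tcp --dport 139 -m string --string '"sp_start_job"' $Tail # '"MS-SQL/SMB sp_start_job - program execution"' nocase-ignored classtype:attempted-user sid:676
      LogAs="SID677" $Ipt -A "$Me" -p tcp --dport 139 -m string --string '"sp_password"' $Tail # '"MS-SQL/SMB sp_password password change"' nocase-ignored classtype:attempted-user sid:677
      # "sp_delete_ale" is the content as given by the Snort rule (sid 678);
      # the tcp/1433 counterpart (sid 684) uses the full "sp_delete_alert".
      LogAs="SID678" $Ipt -A "$Me" -p tcp --dport 139 -m string --string '"sp_delete_ale"' $Tail # '"MS-SQL/SMB sp_delete_alert log file deletion"' nocase-ignored classtype:attempted-user sid:678
      LogAs="SID679" $Ipt -A "$Me" -p tcp --dport 139 -m string --string '"sp_adduser"' $Tail # '"MS-SQL/SMB sp_adduser database user creation"' nocase-ignored classtype:attempted-user sid:679
      LogAs="SID708" $Ipt -A "$Me" -p tcp --dport 139 -m string --string '"xp_enumresultset"' $Tail # '"MS-SQL/SMB xp_enumresultset possible buffer overflow"' nocase-ignored bugtraq,2031 cve,CAN-2000-1082 classtype:attempted-user sid:708
      LogAs="SID1386" $Ipt -A "$Me" -p tcp --dport 139 -m string --string '"raiserror"' $Tail # '"MS-SQL/SMB raiserror possible buffer overflow"' nocase-ignored bugtraq,3733 classtype:attempted-user sid:1386
      LogAs="SID702" $Ipt -A "$Me" -p tcp --dport 139 -m string --string '"xp_displayparamstmt"' $Tail # '"MS-SQL/SMB xp_displayparamstmt possible buffer overflow"' nocase-ignored bugtraq,2030 cve,CAN-2000-1081 classtype:attempted-user sid:702
      LogAs="SID703" $Ipt -A "$Me" -p tcp --dport 139 -m string --string '"xp_setsqlsecurity"' $Tail # '"MS-SQL/SMB xp_setsqlsecurity possible buffer overflow"' nocase-ignored classtype:attempted-user bugtraq,2043 sid:703
      LogAs="SID681" $Ipt -A "$Me" -p tcp --dport 139 -m string --string '"xp_cmdshell"' $Tail # '"MS-SQL/SMB xp_cmdshell program execution"' nocase-ignored classtype:attempted-user sid:681
      LogAs="SID689" $Ipt -A "$Me" -p tcp --dport 139 -m string --string '"xp_reg"' $Tail # '"MS-SQL/SMB xp_reg* registry access"' nocase-ignored classtype:attempted-user sid:689
      LogAs="SID690" $Ipt -A "$Me" -p tcp --dport 139 -m string --string '"xp_printstatements"' $Tail # '"MS-SQL/SMB xp_printstatements possible buffer overflow"' nocase-ignored bugtraq,2041 cve,CAN-2000-1086 classtype:attempted-user sid:690
      # The two shellcode patterns below contain non-ASCII bytes; they are
      # reproduced as found and may have been altered by text re-encoding -
      # compare against the Snort rule content before trusting them.
      LogAs="SID692" $Ipt -A "$Me" -p tcp --dport 139 -m string --string '"9 ВRU9 "' $Tail # '"MS-SQL/SMB shellcode attempt"' classtype:shellcode-detect sid:692
      LogAs="SID694" $Ipt -A "$Me" -p tcp --dport 139 -m string --string '"H%xw3Ph."' $Tail # '"MS-SQL/SMB shellcode attempt"' classtype:attempted-user sid:694
      LogAs="SID695" $Ipt -A "$Me" -p tcp --dport 139 -m string --string '"xp_sprintf"' $Tail # '"MS-SQL/SMB xp_sprintf possible buffer overflow"' nocase-ignored bugtraq,1204 classtype:attempted-user sid:695
      LogAs="SID696" $Ipt -A "$Me" -p tcp --dport 139 -m string --string '"xp_showcolv"' $Tail # '"MS-SQL/SMB xp_showcolv possible buffer overflow"' nocase-ignored bugtraq,2038 classtype:attempted-user sid:696
      LogAs="SID697" $Ipt -A "$Me" -p tcp --dport 139 -m string --string '"xp_peekqueue"' $Tail # '"MS-SQL/SMB xp_peekqueue possible buffer overflow"' nocase-ignored bugtraq,2040 cve,CAN-2000-1085 classtype:attempted-user sid:697
      LogAs="SID698" $Ipt -A "$Me" -p tcp --dport 139 -m string --string '"xp_proxiedmetadata"' $Tail # '"MS-SQL/SMB xp_proxiedmetadata possible buffer overflow"' nocase-ignored bugtraq,2042 cve,CAN-2000-1087 classtype:attempted-user sid:698
      LogAs="SID700" $Ipt -A "$Me" -p tcp --dport 139 -m string --string '"xp_updatecolvbm"' $Tail # '"MS-SQL/SMB xp_updatecolvbm possible buffer overflow"' nocase-ignored bugtraq,2039 cve,CAN-2000-1084 classtype:attempted-user sid:700
      # --- native TDS transport, tcp/1433 ---
      LogAs="SID673" $Ipt -A "$Me" -p tcp --dport 1433 -m string --string '"sp_start_job"' $Tail # '"MS-SQL sp_start_job - program execution"' nocase-ignored classtype:attempted-user sid:673
      LogAs="SID674" $Ipt -A "$Me" -p tcp --dport 1433 -m string --string '"xp_displayparamstmt"' $Tail # '"MS-SQL xp_displayparamstmt possible buffer overflow"' nocase-ignored bugtraq,2030 cve,CAN-2000-1081 classtype:attempted-user sid:674
      LogAs="SID675" $Ipt -A "$Me" -p tcp --dport 1433 -m string --string '"xp_setsqlsecurity"' $Tail # '"MS-SQL xp_setsqlsecurity possible buffer overflow"' nocase-ignored bugtraq,2043 classtype:attempted-user sid:675
      LogAs="SID682" $Ipt -A "$Me" -p tcp --dport 1433 -m string --string '"xp_enumresultset"' $Tail # '"MS-SQL xp_enumresultset possible buffer overflow"' nocase-ignored classtype:attempted-user sid:682
      LogAs="SID683" $Ipt -A "$Me" -p tcp --dport 1433 -m string --string '"sp_password"' $Tail # '"MS-SQL sp_password - password change"' nocase-ignored classtype:attempted-user sid:683
      LogAs="SID684" $Ipt -A "$Me" -p tcp --dport 1433 -m string --string '"sp_delete_alert"' $Tail # '"MS-SQL sp_delete_alert log file deletion"' nocase-ignored classtype:attempted-user sid:684
      LogAs="SID685" $Ipt -A "$Me" -p tcp --dport 1433 -m string --string '"sp_adduser"' $Tail # '"MS-SQL sp_adduser - database user creation"' nocase-ignored classtype:attempted-user sid:685
      LogAs="SID686" $Ipt -A "$Me" -p tcp --dport 1433 -m string --string '"xp_reg"' $Tail # '"MS-SQL xp_reg* - registry access"' nocase-ignored classtype:attempted-user sid:686
      LogAs="SID687" $Ipt -A "$Me" -p tcp --dport 1433 -m string --string '"xp_cmdshell"' $Tail # '"MS-SQL xp_cmdshell - program execution"' nocase-ignored classtype:attempted-user sid:687
      LogAs="SID691" $Ipt -A "$Me" -p tcp --dport 1433 -m string --string '"9 ВRU9 "' $Tail # '"MS-SQL shellcode attempt"' classtype:shellcode-detect sid:691
      LogAs="SID693" $Ipt -A "$Me" -p tcp --dport 1433 -m string --string '"H%xw3Ph."' $Tail # '"MS-SQL shellcode attempt"' classtype:shellcode-detect sid:693
      LogAs="SID699" $Ipt -A "$Me" -p tcp --dport 1433 -m string --string '"xp_printstatements"' $Tail # '"MS-SQL xp_printstatements possible buffer overflow"' nocase-ignored bugtraq,2041 cve,CAN-2000-1086 classtype:attempted-user sid:699
      LogAs="SID701" $Ipt -A "$Me" -p tcp --dport 1433 -m string --string '"xp_updatecolvbm"' $Tail # '"MS-SQL xp_updatecolvbm possible buffer overflow"' nocase-ignored bugtraq,2039 cve,CAN-2000-1084 classtype:attempted-user sid:701
      LogAs="SID704" $Ipt -A "$Me" -p tcp --dport 1433 -m string --string '"xp_sprintf"' $Tail # '"MS-SQL xp_sprintf possible buffer overflow"' nocase-ignored bugtraq,1204 classtype:attempted-user sid:704
      LogAs="SID705" $Ipt -A "$Me" -p tcp --dport 1433 -m string --string '"xp_showcolv"' $Tail # '"MS-SQL xp_showcolv possible buffer overflow"' nocase-ignored bugtraq,2038 cve,CAN-2000-1083 classtype:attempted-user sid:705
      LogAs="SID706" $Ipt -A "$Me" -p tcp --dport 1433 -m string --string '"xp_peekqueue"' $Tail # '"MS-SQL xp_peekqueue possible buffer overflow"' nocase-ignored bugtraq,2040 cve,CAN-2000-1085 classtype:attempted-user sid:706
      LogAs="SID707" $Ipt -A "$Me" -p tcp --dport 1433 -m string --string '"xp_proxiedmetadata"' $Tail # '"MS-SQL xp_proxiedmetadata possible buffer overflow"' nocase-ignored bugtraq,2024 cve,CAN-2000-1087 classtype:attempted-user sid:707
      LogAs="SID1387" $Ipt -A "$Me" -p tcp --dport 1433 -m string --string '"raiserror"' $Tail # '"MS-SQL raiserror possible buffer overflow"' nocase-ignored bugtraq,3733 classtype:attempted-user sid:1387
      # --- SMB over tcp/445 ---
      LogAs="SID1759" $Ipt -A "$Me" -p tcp --dport 445 -m string --string '"xp_cmdshell"' $Tail # '"MS-SQL xp_cmdshell program execution (445)"' nocase-ignored classtype:attempted-user sid:1759
      # --- server -> client, tcp sport 139 ---
      # NOTE(review): the inner single quotes around sa close and reopen the
      # shell string, so the argument iptables receives is
      # "Login failed for user sa" with no quotes around sa.  The Snort msg
      # suggests 'sa' was meant to be quoted in the content - verify.
      LogAs="SID680" $Ipt -A "$Me" -p tcp --sport 139 -m string --string '"Login failed for user 'sa'"' $Tail # '"MS-SQL/SMB sa login failed"' classtype:attempted-user sid:680
      # --- SQL monitor/resolution service, udp/1434 ---
      # Sids 2003 and 2004 are identical here (Snort distinguishes them by
      # direction); whether the second ever fires depends on what $Tail does.
      LogAs="SID2003" $Ipt -A "$Me" -p udp --dport 1434 -m string --string '""' --string '""' --string '"sock"' --string '"send"' $Tail # '"MS-SQL Worm propagation attempt"' bugtraq,5310 classtype:misc-attack bugtraq,5311 url,vil.nai.com/vil/content/v_99992.htm sid:2003
      LogAs="SID2004" $Ipt -A "$Me" -p udp --dport 1434 -m string --string '""' --string '""' --string '"sock"' --string '"send"' $Tail # '"MS-SQL Worm propagation attempt OUTBOUND"' bugtraq,5310 classtype:misc-attack bugtraq,5311 url,vil.nai.com/vil/content/v_99992.htm sid:2004
      # The pattern below is just the two double-quote characters; it will
      # match far more than the Snort ping signature it was derived from.
      LogAs="SID2049" $Ipt -A "$Me" -p udp --dport 1434 -m string --string '""' $Tail # '"MS-SQL ping attempt"' nessus,10674 classtype:misc-activity sid:2049
      ;;
    destroy)
      echo "Stopping $Me" >&2
      DestroyChain "$Me"
      ;;
    renamechain)
      # Park the live chain under a temporary name so a fresh one can be
      # built under $Me; replacelinks later swaps the jumps and drops it.
      TempChain="$Me-$RANDOM"
      echo "Replacing existing rules in $Me with new rules" >&2
      "$IptablesBin" -E "$Me" "$TempChain"
      ;;
    replacelinks)
      # Only proceed when both chains exist and each built-in chain holds
      # exactly one jump to the temporary chain; otherwise -R would hit the
      # wrong rule, so report and leave the table untouched.
      if [ -z "$TempChain" ]; then
        echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
      elif ! "$IptablesBin" -L "$Me" -n >/dev/null 2>&1 ; then
        echo "No $Me chain in $Me, replace operation incomplete." >&2
      elif ! "$IptablesBin" -L "$TempChain" -n >/dev/null 2>&1 ; then
        echo "No $TempChain chain in $Me, replace operation incomplete." >&2
      elif [ "$(ref_count INPUT "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(ref_count FORWARD "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(ref_count OUTPUT "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
      else
        # The match criteria must be the same as in link/unlink, placed just
        # in front of "-j $Me".
        "$IptablesBin" -R INPUT "$(ref_lines INPUT "$TempChain")" -i \! lo -j "$Me"
        "$IptablesBin" -R FORWARD "$(ref_lines FORWARD "$TempChain")" -j "$Me"
        "$IptablesBin" -R OUTPUT "$(ref_lines OUTPUT "$TempChain")" -j "$Me"
        DestroyChain "$TempChain"
        unset TempChain
      fi
      ;;
    status)
      if "$IptablesBin" -L "$Me" -n >/dev/null 2>&1 ; then
        echo "$Me created" >&2
      else
        echo "$Me destroyed" >&2
      fi
      ;;
    version)
      echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
      ;;
    help)
      DefaultHelp
      cat <<EOTEXT >&2
The $Me module adds iptables string-match rules derived from the Snort
MS-SQL rule set: stored-procedure names (sp_*/xp_*) on tcp ports 139, 445
and 1433, two shellcode patterns, a failed 'sa' login reply from tcp port
139, and worm-propagation and ping patterns on udp port 1434.  What happens
to a matching packet is decided by the \$Tail setting from firebrickslib.

These are plain, case-sensitive substring matches on packet content, so
they can fire on legitimate traffic that happens to carry the same text
(administrative tools, replication, backups of SQL scripts).  Review the
rule list and test on a network that carries MS-SQL traffic before using
\$Tail settings that drop packets.
EOTEXT
      ;;
    *)
      # $OneTask is the value that matched none of the arms above.
      echo "Unknown action $OneTask in $Me, no action taken." >&2
      ;;
  esac
done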