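#!/bin/bash
# Copyright 2003 William Stearns
# Released under the GPL.
#
# firebricks module "snort-telnet".
#
# Builds an iptables chain named "$Me" holding one string-match rule per Snort
# telnet signature on TCP port 23 (the Snort SID is carried in LogAs and in the
# trailing comment of each rule).  The rules only select matching packets;
# what is then done with them comes from $Ipt and $Tail, which are expected to
# be provided by firebrickslib / the config files sourced below, not by this
# file.  Likewise $IptablesBin, $AppIn, $Tasks, FlushOrNewChain, DestroyChain
# and DefaultHelp are not defined here.
#
# Each word of $Tasks selects one case arm of the loop at the bottom
# (link, unlink, create, destroy, renamechain, replacelinks, status, version,
# help).

#ZZZZ Check Me and MyVersion
Me='snort-telnet'
MyVersion='20031125'
#DefaultActions=''

# Site-wide config, then per-module config, then the shared library.  Each is
# optional here; the FBLibVer test below is what enforces that the library
# actually loaded.
[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] && . "/etc/firebricks/$Me.conf"
[ -r "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib" ] && . "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"
if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi

#######################################
# Print the rule numbers (one per line) of the rules in built-in chain $1 that
# reference $TempChain.  Used by replacelinks; expects $TempChain to be set.
# Arguments: $1 - chain to list (INPUT, FORWARD or OUTPUT)
# Outputs:   rule numbers to stdout
#######################################
tempchain_refs() {
  $IptablesBin -L "$1" -n --line-numbers | grep -- "$TempChain" | awk '{print $1}'
}

# $AppIn and $Tail are deliberately left unquoted below: they look like they
# may hold several iptables arguments (e.g. an insert/append flag, a target and
# its options) and must word-split.  Confirm against firebrickslib.
for OneTask in $Tasks ; do
  case "$OneTask" in
    link)
      $IptablesBin -N "$Me" >/dev/null 2>&1
      #ZZZZ try to restrict the following three to only send down what the chain needs to inspect.
      # Every rule inside the chain is "-p tcp" on port 23, so the same criteria
      # could be added here; if they are, unlink and replacelinks must use the
      # identical criteria or the -D / -R calls will not find these rules.
      # "-i \! lo" is the old negation spelling ("! -i lo" on newer iptables).
      $IptablesBin $AppIn INPUT -i \! lo -j "$Me"
      $IptablesBin $AppIn FORWARD -j "$Me"
      $IptablesBin $AppIn OUTPUT -j "$Me"
      ;;
    unlink)
      #ZZZZ Make the same changes as above (such as "-p tcp"), but if you cut and paste, note "$AppIn" is now "-D"
      $IptablesBin -D INPUT -i \! lo -j "$Me"
      $IptablesBin -D FORWARD -j "$Me"
      $IptablesBin -D OUTPUT -j "$Me"
      $IptablesBin -X "$Me" >/dev/null 2>&1
      ;;
    create)
      echo "Starting $Me" >&2
      FlushOrNewChain "$Me"
      # NOTE(review): every --string pattern below is written as '"..."', so the
      # double quotes are part of the bytes handed to $Ipt.  Unless $Ipt
      # (firebrickslib) strips them, iptables will look for the quotes on the
      # wire and none of these rules can match; verify before relying on them.
      # The string match is also per packet and by literal substring: a pattern
      # split across two TCP segments, or sent with different case, is not seen.
      # --dport 23 rules inspect client-to-server data, --sport 23 rules inspect
      # the server's replies.
      # NOTE(review): the Snort content for SID 1430 is binary; the non-ASCII
      # bytes below look corrupted and should be re-derived from the Snort rule.
      LogAs="SID1430" $Ipt -A "$Me" -p tcp --dport 23 -m string --string '"###֐%"' $Tail  # '"TELNET Solaris memory mismanagement exploit attempt"' classtype:shellcode-detect sid:1430
      # NOTE(review): two --string options on one rule; whether iptables ANDs them
      # or keeps only the last one depends on the string match version in use.
      LogAs="SID711" $Ipt -A "$Me" -p tcp --dport 23 -m string --string '"_RLD"' --string '"bin/sh"' $Tail  # '"TELNET SGI telnetd format bug"' arachnids,304 classtype:attempted-admin sid:711
      LogAs="SID712" $Ipt -A "$Me" -p tcp --dport 23 -m string --string '"ld_library_path"' $Tail  # '"TELNET ld_library_path"' cve,CVE-1999-0073 arachnids,367 classtype:attempted-admin sid:712
      # NOTE(review): empty pattern; the Snort content for SID 713 is binary and
      # appears to have been lost.  An empty --string matches nothing useful.
      LogAs="SID713" $Ipt -A "$Me" -p tcp --dport 23 -m string --string '""' $Tail  # '"TELNET livingston DOS"' arachnids,370 classtype:attempted-dos sid:713
      LogAs="SID714" $Ipt -A "$Me" -p tcp --dport 23 -m string --string '"resolv_host_conf"' $Tail  # '"TELNET resolv_host_conf"' arachnids,369 classtype:attempted-admin sid:714
      LogAs="SID715" $Ipt -A "$Me" -p tcp --sport 23 -m string --string '"to su root"' $Tail  # '"TELNET Attempted SU from wrong group"' nocase-ignored classtype:attempted-admin sid:715
      LogAs="SID717" $Ipt -A "$Me" -p tcp --sport 23 -m string --string '"not on system console"' $Tail  # '"TELNET not on console"' nocase-ignored arachnids,365 classtype:bad-unknown sid:717
      LogAs="SID718" $Ipt -A "$Me" -p tcp --sport 23 -m string --string '"Login incorrect"' $Tail  # '"TELNET login incorrect"' arachnids,127 classtype:bad-unknown sid:718
      LogAs="SID719" $Ipt -A "$Me" -p tcp --sport 23 -m string --string '"login: root"' $Tail  # '"TELNET root login"' classtype:suspicious-login sid:719
      LogAs="SID1252" $Ipt -A "$Me" -p tcp --sport 23 -m string --string '" [Yes] &"' $Tail  # '"TELNET bsd telnet exploit response"' classtype: attempted-admin bugtraq,3064 cve,CAN-2001-0554 sid:1252
      LogAs="SID709" $Ipt -A "$Me" -p tcp --dport 23 -m string --string '"4Dgifts"' $Tail  # '"TELNET 4Dgifts SGI account attempt"' cve,CAN-1999-0501 classtype:suspicious-login sid:709
      LogAs="SID710" $Ipt -A "$Me" -p tcp --dport 23 -m string --string '"OutOfBox"' $Tail  # '"TELNET EZsetup account attempt"' cve,CAN-1999-0501 classtype:suspicious-login sid:710
      # The pattern is the five bytes "#'$" (double quotes included, like the
      # other rules).  The single quote inside it is spliced in as '"'"' so the
      # shell quoting stays balanced; the earlier '"#'\$"' form left an open
      # double quote that swallowed the rest of the script.
      LogAs="SID716" $Ipt -A "$Me" -p tcp --sport 23 -m string --string '"#'"'"'$"' $Tail  # '"TELNET access"' arachnids,08 cve,CAN-1999-0619 classtype:not-suspicious sid:716
      ;;
    destroy)
      echo "Stopping $Me" >&2
      DestroyChain "$Me"
      ;;
    renamechain)
      # Move the live chain aside under a random name so "create" can build a
      # fresh one; "replacelinks" later points the built-in chains back at $Me.
      TempChain="$Me-$RANDOM"
      echo "Replacing existing rules in $Me with new rules" >&2
      $IptablesBin -E "$Me" "$TempChain"
      ;;
    replacelinks)
      # Refuse to touch the built-in chains unless exactly one reference to the
      # temporary chain exists in each; otherwise -R could hit the wrong rule.
      if [ -z "$TempChain" ]; then
        echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
      elif ! $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
        echo "No $Me chain in $Me, replace operation incomplete." >&2
      elif ! $IptablesBin -L "$TempChain" -n >/dev/null 2>&1 ; then
        echo "No $TempChain chain in $Me, replace operation incomplete." >&2
      elif [ "$(tempchain_refs INPUT | wc -l)" -ne 1 ]; then
        echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(tempchain_refs FORWARD | wc -l)" -ne 1 ]; then
        echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(tempchain_refs OUTPUT | wc -l)" -ne 1 ]; then
        echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
      else
        #ZZZZ Place the same criteria you used in link/unlink above in the following three lines.
        #ZZZZ Criteria should go just in front of "-j $Me"
        $IptablesBin -R INPUT "$(tempchain_refs INPUT)" -i \! lo -j "$Me"
        $IptablesBin -R FORWARD "$(tempchain_refs FORWARD)" -j "$Me"
        $IptablesBin -R OUTPUT "$(tempchain_refs OUTPUT)" -j "$Me"
        DestroyChain "$TempChain"
        unset TempChain
      fi
      ;;
    status)
      if $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
        echo "$Me created" >&2
      else
        echo "$Me destroyed" >&2
      fi
      ;;
    version)
      echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
      ;;
    help)
      DefaultHelp
      # Here-document to stderr; the earlier "cat <&2" form was missing the
      # heredoc operator, so the help text would have been executed as commands.
      cat <<EOTEXT >&2
The $Me module adds iptables string-match rules for TCP port 23 (telnet)
traffic, one per Snort telnet signature (SIDs 709-719, 1252 and 1430: telnetd
exploit attempts, default-account and root logins, failed logins).  The rules
only pick out matching packets; what is done with them comes from the
firebricks \$Tail setting.  Matching is per packet and by literal substring,
so treat hits as an indicator rather than a guarantee.  The rules should be
safe to use on any network and have nothing to match where telnet is not used.
EOTEXT
      ;;
    *)
      # The loop variable is $OneTask; the old message printed an unset $Action.
      echo "Unknown action $OneTask in $Me, no action taken." >&2
      ;;
  esac
done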