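#!/bin/bash
# snort-virus: firebricks module that turns a handful of Snort virus
# signatures into iptables "-m string" rules: a QAZ worm probe on tcp/139
# and outbound SMTP (tcp/25) attachments whose filename ends in an
# extension commonly carried by mail worms.
#
# Driven by firebricks: $Tasks (space separated) is supplied by the config
# and firebrickslib, and each task is run in order by the loop at the end.
# Supplied by firebrickslib / the config files:
#   IptablesBin      path to iptables (may carry options, so kept unquoted)
#   AppIn            how links are added to the builtin chains (-A/-I ...)
#   Ipt, Tail        rule-adding command and rule tail (target/log options)
#   FlushOrNewChain, DestroyChain, DefaultHelp   library functions
#   Action, Tasks    the requested action and the tasks it expands to
#
# No "set -e" on purpose: several iptables calls below are expected to
# fail harmlessly (creating a chain that exists, deleting one that does not).
#
#Copyright 2003 William Stearns
#Released under the GPL.

#ZZZZ Check Me and MyVersion
Me='snort-virus'
MyVersion='20031125'
#DefaultActions=''

# Config and library files are sourced, i.e. executed by the invoking
# (normally root) user: keep them root-owned and not writable by others.
[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] && . "/etc/firebricks/$Me.conf"
fb_lib="${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"
[ -r "$fb_lib" ] && . "$fb_lib"

if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi
# Without this, "$IptablesBin -N ..." would try to run "-N" as a command.
if [ -z "$IptablesBin" ]; then
  echo "IptablesBin is not set (check firebricks.conf), $Me exiting" >&2
  exit 1
fi

#######################################
# Print the rule numbers in a builtin chain whose target is exactly $2.
# Arguments: $1 - builtin chain (INPUT/FORWARD/OUTPUT), $2 - target chain
# Outputs:   one rule number per line on stdout (none if unreferenced)
#######################################
chain_refs() {
  local builtin=$1 target=$2
  # Exact match on the target column; a bare "grep $target" would also hit
  # any chain that merely contains the name as a substring.
  $IptablesBin -L "$builtin" -n --line-numbers \
    | awk -v t="$target" '$2 == t { print $1 }'
}

#######################################
# Re-point the single link to temp chain $2 in builtin chain $1 at $Me.
# Arguments: $1 - builtin chain, $2 - temp chain currently linked,
#            $3.. - match criteria to place just in front of "-j $Me"
# Globals:   IptablesBin, Me
# Returns:   iptables' exit status
#######################################
relink() {
  local builtin=$1 tmp=$2 num
  shift 2
  num=$(chain_refs "$builtin" "$tmp")
  $IptablesBin -R "$builtin" "$num" "$@" -j "$Me"
}

#######################################
# Add one "outbound attachment with suspicious extension" rule to $Me.
# Arguments: $1 - file extension without the dot, $2 - Snort SID (LogAs)
# Globals:   Me, Ipt, Tail
#######################################
add_attachment_rule() {
  local ext=$1 sid=$2
  # The Snort content strings are passed to the string match verbatim,
  # surrounding quotes and backslash escape included, exactly as the
  # original hand-written rules did.
  # NOTE(review): a stock iptables string match takes one --string per
  # "-m string"; confirm the iptables/kernel patch in use accepts three.
  # Snort: "VIRUS OUTBOUND .$ext file attachment" nocase-ignored
  #        classtype:suspicious-filename-detect sid:$sid
  LogAs="SID$sid" $Ipt -A "$Me" -p tcp --dport 25 -m string \
    --string '"Content-Disposition:"' \
    --string '"filename=\""' \
    --string '".'"$ext"'\""' $Tail
}

# Extension:SID pairs, in the original signature order.
attachment_sigs=(
  pif:721 shs:730 exe:2160 doc:2161 vbs:793 hta:2162 chm:2163 reg:2164
  ini:2165 bat:2166 diz:2167 cpp:2168 dll:2169 vxd:2170 sys:2171 com:2172
  scr:729 hsq:2173
)

# $Tasks is a space separated list; word splitting is intended here.
for OneTask in $Tasks ; do
  case "$OneTask" in
    link)
      $IptablesBin -N "$Me" >/dev/null 2>&1
      #ZZZZ try to restrict the following three to only send down what the chain needs to inspect.
      $IptablesBin $AppIn INPUT -i '!' lo -j "$Me"
      $IptablesBin $AppIn FORWARD -j "$Me"
      $IptablesBin $AppIn OUTPUT -j "$Me"
      ;;
    unlink)
      #ZZZZ Make the same changes as above (such as "-p tcp"), but if you cut and paste, note "$AppIn" is now "-D"
      $IptablesBin -D INPUT -i '!' lo -j "$Me"
      $IptablesBin -D FORWARD -j "$Me"
      $IptablesBin -D OUTPUT -j "$Me"
      $IptablesBin -X "$Me" >/dev/null 2>&1
      ;;
    create)
      echo "Starting $Me" >&2
      FlushOrNewChain "$Me"
      # Snort: "Virus - Possible QAZ Worm Infection" MCAFEE,98775 sid:732
      #        classtype:misc-activity
      LogAs="SID732" $Ipt -A "$Me" -p tcp --dport 139 --tcp-flags ALL ACK \
        -m string --string '"qazwsx.hsq"' $Tail
      for sig in "${attachment_sigs[@]}"; do
        add_attachment_rule "${sig%%:*}" "${sig##*:}"
      done
      ;;
    destroy)
      echo "Stopping $Me" >&2
      DestroyChain "$Me"
      ;;
    renamechain)
      TempChain="$Me-$RANDOM"
      echo "Replacing existing rules in $Me with new rules" >&2
      $IptablesBin -E "$Me" "$TempChain"
      ;;
    replacelinks)
      if [ -z "$TempChain" ]; then
        echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
      elif ! $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
        echo "No $Me chain in $Me, replace operation incomplete." >&2
      elif ! $IptablesBin -L "$TempChain" -n >/dev/null 2>&1 ; then
        echo "No $TempChain chain in $Me, replace operation incomplete." >&2
      elif [ "$(chain_refs INPUT "$TempChain" | wc -l)" -ne 1 ]; then
        echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(chain_refs FORWARD "$TempChain" | wc -l)" -ne 1 ]; then
        echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(chain_refs OUTPUT "$TempChain" | wc -l)" -ne 1 ]; then
        echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
      else
        #ZZZZ Place the same criteria you used in link/unlink above in the following three lines.
        #ZZZZ Criteria go after the temp chain name, i.e. just in front of "-j $Me".
        relink INPUT "$TempChain" -i '!' lo
        relink FORWARD "$TempChain"
        relink OUTPUT "$TempChain"
        DestroyChain "$TempChain"
        unset TempChain
      fi
      ;;
    status)
      if $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
        echo "$Me created" >&2
      else
        echo "$Me destroyed" >&2
      fi
      ;;
    version)
      echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
      ;;
    help)
      DefaultHelp
      cat <<EOTEXT >&2
The $Me module adds rules built from Snort virus signatures: a QAZ worm
probe on tcp/139 and outbound SMTP (tcp/25) mail whose attachment filename
ends in an extension commonly carried by mail worms (.pif, .scr, .exe, .vbs
and others).  Matching packets are handed to the configured firebricks rule
tail.  These are plain string matches, so legitimate mail carrying such
attachments matches too; check the logs before using a dropping tail.
EOTEXT
      ;;
    *)
      echo "Unknown task $OneTask (action $Action) in $Me, no action taken." >&2
      ;;
  esac
done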