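#!/bin/bash
#Copyright 2003 William Stearns
#Released under the GPL.
#
# firebricks module: snort-web-coldfusion
#
# Turns the snort WEB-COLDFUSION signatures (sids 903-936, 1540 and 1659)
# into iptables rules on a dedicated chain named "$Me".  Every rule matches
# TCP traffic to port 80 carrying one request string from the corresponding
# snort rule; what is done with a match comes from firebrickslib and the
# per-module configuration ($LogAs tag, whatever $Tail appends), not from
# this file.
#
# Expected to be set before this module runs (by firebricks / firebrickslib):
#   Tasks       - whitespace-separated list of actions to perform
#   IptablesBin - the iptables binary
#   Ipt         - presumably a logging wrapper around iptables; it is what
#                 the per-signature rules go through, with LogAs set
#   AppIn       - how the chain is attached to INPUT/FORWARD/OUTPUT
#   Tail        - trailing arguments appended to every signature rule
#   FBLibVer    - set by firebrickslib; unset means the library did not load

#ZZZZ Check Me and MyVersion
Me='snort-web-coldfusion'
MyVersion='20031125'
#DefaultActions=''

[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] && . "/etc/firebricks/$Me.conf"
[ -r "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib" ] && . "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"

if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi

#######################################
# Add one ColdFusion signature rule to the $Me chain.
# Arguments: $1 - snort sid (becomes LogAs="SID<sid>" for $Ipt)
#            $2 - byte string to look for in TCP/80 payloads
# Returns:   the exit status of $Ipt
#
# NOTE(review): the patterns passed in below keep the double quotes that
# delimit the snort content:"..." field.  Unless $Ipt strips them, the
# kernel string match looks for literal quote characters and these rules
# never fire - confirm against firebrickslib before touching the patterns.
# NOTE(review): the string match is case-sensitive, so snort's nocase is
# not honoured (each rule is marked "nocase-ignored"); newer xt_string
# also insists on an --algo argument - verify on the target kernel.
#######################################
AddColdFusionRule() {
  local sid="$1" pattern="$2"
  LogAs="SID$sid" $Ipt -A $Me -p tcp --dport 80 -m string --string "$pattern" $Tail
}

#######################################
# Print the rule numbers in built-in chain $1 whose target is chain $2,
# one per line (prints nothing when there are none).  Matches the target
# column exactly, so a chain whose name merely contains $2 is not counted.
# Arguments: $1 - built-in chain (INPUT, FORWARD, OUTPUT)
#            $2 - target chain name
#######################################
RuleNumbersFor() {
  $IptablesBin -L "$1" -n --line-numbers | awk -v chain="$2" '$2 == chain { print $1 }'
}

for OneTask in $Tasks ; do
  case "$OneTask" in
    link)
      $IptablesBin -N $Me >/dev/null 2>&1
      #ZZZZ try to restrict the following three to only send down what the chain needs to inspect.
      $IptablesBin $AppIn INPUT -i \! lo -j $Me
      $IptablesBin $AppIn FORWARD -j $Me
      $IptablesBin $AppIn OUTPUT -j $Me
      ;;
    unlink)
      #ZZZZ Make the same changes as above (such as "-p tcp"), but if you cut and paste, note "$AppIn" is now "-D"
      $IptablesBin -D INPUT -i \! lo -j $Me
      $IptablesBin -D FORWARD -j $Me
      $IptablesBin -D OUTPUT -j $Me
      $IptablesBin -X $Me >/dev/null 2>&1
      ;;
    create)
      echo "Starting $Me" >&2
      FlushOrNewChain $Me
      # Order is the order of the original snort rule file; keep it, since
      # iptables evaluates the chain top to bottom.
      AddColdFusionRule 903 '"/cfcache.map"'                                   # '"WEB-COLDFUSION cfcache.map access"' nocase-ignored bugtraq,917 cve,CVE-2000-0057 classtype:attempted-recon sid:903
      AddColdFusionRule 904 '"/cfdocs/exampleapp/email/application.cfm"'      # '"WEB-COLDFUSION exampleapp application.cfm"' nocase-ignored bugtraq,1021 classtype:attempted-recon sid:904
      AddColdFusionRule 905 '"/cfdocs/exampleapp/publish/admin/application.cfm"' # '"WEB-COLDFUSION application.cfm access"' nocase-ignored bugtraq,1021 classtype:attempted-recon sid:905
      AddColdFusionRule 906 '"/cfdocs/exampleapp/email/getfile.cfm"'          # '"WEB-COLDFUSION getfile.cfm access"' nocase-ignored bugtraq,229 classtype:attempted-recon sid:906
      AddColdFusionRule 907 '"/cfdocs/exampleapp/publish/admin/addcontent.cfm"' # '"WEB-COLDFUSION addcontent.cfm access"' nocase-ignored classtype:attempted-recon sid:907
      AddColdFusionRule 908 '"/cfide/administrator/index.cfm"'                # '"WEB-COLDFUSION administrator access"' nocase-ignored cve,CVE-2000-0538 classtype:attempted-recon sid:908
      AddColdFusionRule 909 '"CF_SETDATASOURCEUSERNAME()"'                    # '"WEB-COLDFUSION datasource username attempt"' nocase-ignored bugtraq,550 classtype:web-application-attack sid:909
      AddColdFusionRule 910 '"/cfdocs/snippets/fileexists.cfm"'               # '"WEB-COLDFUSION fileexists.cfm access"' nocase-ignored bugtraq,550 classtype:attempted-recon sid:910
      AddColdFusionRule 911 '"/cfdocs/expeval/exprcalc.cfm"'                  # '"WEB-COLDFUSION exprcalc access"' nocase-ignored cve,CVE-1999-0455 bugtraq,550 classtype:attempted-recon sid:911
      AddColdFusionRule 912 '"/cfdocs/examples/parks/detail.cfm"'             # '"WEB-COLDFUSION parks access"' nocase-ignored bugtraq,550 classtype:attempted-recon sid:912
      AddColdFusionRule 913 '"/cfappman/index.cfm"'                           # '"WEB-COLDFUSION cfappman access"' nocase-ignored bugtraq,550 classtype:attempted-recon sid:913
      AddColdFusionRule 914 '"/cfdocs/examples/cvbeans/beaninfo.cfm"'         # '"WEB-COLDFUSION beaninfo access"' nocase-ignored bugtraq,550 classtype:attempted-recon sid:914
      AddColdFusionRule 915 '"/cfdocs/snippets/evaluate.cfm"'                 # '"WEB-COLDFUSION evaluate.cfm access"' nocase-ignored bugtraq,550 classtype:attempted-recon sid:915
      AddColdFusionRule 916 '"CFUSION_GETODBCDSN()"'                          # '"WEB-COLDFUSION getodbcdsn access"' nocase-ignored bugtraq,550 classtype:web-application-attack sid:916
      AddColdFusionRule 917 '"CFUSION_DBCONNECTIONS_FLUSH()"'                 # '"WEB-COLDFUSION db connections flush attempt"' nocase-ignored bugtraq,550 classtype:web-application-attack sid:917
      AddColdFusionRule 918 '"/cfdocs/expeval/"'                              # '"WEB-COLDFUSION expeval access"' nocase-ignored bugtraq,550 cve,CAN-1999-0477 classtype:attempted-user sid:918
      AddColdFusionRule 919 '"CF_SETDATASOURCEPASSWORD()"'                    # '"WEB-COLDFUSION datasource passwordattempt"' nocase-ignored bugtraq,550 classtype:web-application-attack sid:919
      AddColdFusionRule 920 '"CF_ISCOLDFUSIONDATASOURCE()"'                   # '"WEB-COLDFUSION datasource attempt"' nocase-ignored bugtraq,550 classtype:web-application-attack sid:920
      AddColdFusionRule 921 '"CFUSION_ENCRYPT()"'                             # '"WEB-COLDFUSION admin encrypt attempt"' nocase-ignored bugtraq,550 classtype:web-application-attack sid:921
      AddColdFusionRule 922 '"/cfdocs/expeval/displayopenedfile.cfm"'         # '"WEB-COLDFUSION displayfile access"' nocase-ignored bugtraq,550 classtype:web-application-attack sid:922
      AddColdFusionRule 923 '"CFUSION_GETODBCINI()"'                          # '"WEB-COLDFUSION getodbcin attempt"' nocase-ignored bugtraq,550 classtype:web-application-attack sid:923
      AddColdFusionRule 924 '"CFUSION_DECRYPT()"'                             # '"WEB-COLDFUSION admin decrypt attempt"' nocase-ignored bugtraq,550 classtype:web-application-attack sid:924
      AddColdFusionRule 925 '"/cfdocs/examples/mainframeset.cfm"'             # '"WEB-COLDFUSION mainframeset access"' nocase-ignored bugtraq,550 classtype:attempted-recon sid:925
      AddColdFusionRule 926 '"CFUSION_SETODBCINI()"'                          # '"WEB-COLDFUSION set odbc ini attempt"' nocase-ignored bugtraq,550 classtype:web-application-attack sid:926
      AddColdFusionRule 927 '"CFUSION_SETTINGS_REFRESH()"'                    # '"WEB-COLDFUSION settings refresh attempt"' nocase-ignored bugtraq,550 classtype:web-application-attack sid:927
      AddColdFusionRule 928 '"/cfdocs/exampleapp/"'                           # '"WEB-COLDFUSION exampleapp access"' nocase-ignored classtype:attempted-recon sid:928
      AddColdFusionRule 929 '"CFUSION_VERIFYMAIL()"'                          # '"WEB-COLDFUSION CFUSION_VERIFYMAIL access"' nocase-ignored bugtraq,550 classtype:attempted-user sid:929
      AddColdFusionRule 930 '"/cfdocs/snippets/"'                             # '"WEB-COLDFUSION snippets attempt"' nocase-ignored bugtraq,550 classtype:attempted-recon sid:930
      AddColdFusionRule 931 '"/cfdocs/cfmlsyntaxcheck.cfm"'                   # '"WEB-COLDFUSION cfmlsyntaxcheck.cfm access"' nocase-ignored bugtraq,550 classtype:attempted-recon sid:931
      AddColdFusionRule 932 '"/application.cfm"'                              # '"WEB-COLDFUSION application.cfm access"' nocase-ignored bugtraq,550 arachnids,268 cve,CAN-2000-0189 classtype:attempted-recon sid:932
      AddColdFusionRule 933 '"/onrequestend.cfm"'                             # '"WEB-COLDFUSION onrequestend.cfm access"' nocase-ignored bugtraq,550 arachnids,269 cve,CAN-2000-0189 classtype:attempted-recon sid:933
      AddColdFusionRule 935 '"/cfide/administrator/startstop.html"'           # '"WEB-COLDFUSION startstop DOS access"' nocase-ignored bugtraq,247 classtype:web-application-attack sid:935
      AddColdFusionRule 936 '"/cfdocs/snippets/gettempdirectory.cfm"'         # '"WEB-COLDFUSION gettempdirectory.cfm access "' nocase-ignored bugtraq,550 classtype:attempted-recon sid:936
      AddColdFusionRule 1659 '"/sendmail.cfm"'                                # '"WEB-COLDFUSION sendmail.cfm access"' nocase-ignored classtype:attempted-recon sid:1659
      AddColdFusionRule 1540 '"Mode=debug"'                                   # '"WEB-COLDFUSION ?Mode=debug attempt"' nocase-ignored classtype:web-application-activity sid:1540
      ;;
    destroy)
      echo "Stopping $Me" >&2
      DestroyChain $Me
      ;;
    renamechain)
      # Park the live chain under a random name so a fresh $Me can be built
      # next to it; replacelinks then swaps the references back.
      TempChain="$Me-$RANDOM"
      echo "Replacing existing rules in $Me with new rules" >&2
      $IptablesBin -E $Me $TempChain
      ;;
    replacelinks)
      # Refuse to touch the built-in chains unless exactly one reference to
      # the temporary chain exists in each of them; -R needs a single rule
      # number and anything else means the state is not what renamechain left.
      if [ -z "$TempChain" ]; then
        echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
      elif ! $IptablesBin -L $Me -n >/dev/null 2>&1 ; then
        echo "No $Me chain in $Me, replace operation incomplete." >&2
      elif ! $IptablesBin -L $TempChain -n >/dev/null 2>&1 ; then
        echo "No $TempChain chain in $Me, replace operation incomplete." >&2
      elif [ "$(RuleNumbersFor INPUT "$TempChain" | wc -l)" -ne 1 ]; then
        echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(RuleNumbersFor FORWARD "$TempChain" | wc -l)" -ne 1 ]; then
        echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(RuleNumbersFor OUTPUT "$TempChain" | wc -l)" -ne 1 ]; then
        echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
      else
        #ZZZZ Place the same criteria you used in link/unlink above in the following three lines.
        #ZZZZ Criteria should go just in front of "-j $Me"
        $IptablesBin -R INPUT "$(RuleNumbersFor INPUT "$TempChain")" -i \! lo -j $Me
        $IptablesBin -R FORWARD "$(RuleNumbersFor FORWARD "$TempChain")" -j $Me
        $IptablesBin -R OUTPUT "$(RuleNumbersFor OUTPUT "$TempChain")" -j $Me
        DestroyChain $TempChain
        unset TempChain
      fi
      ;;
    status)
      if $IptablesBin -L $Me -n >/dev/null 2>&1 ; then
        echo "$Me created" >&2
      else
        echo "$Me destroyed" >&2
      fi
      ;;
    version)
      echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
      ;;
    help)
      DefaultHelp
      cat <<EOTEXT >&2
The $Me module adds rules that look for the request strings from the snort
WEB-COLDFUSION signatures (sids 903-936, 1540 and 1659) in TCP traffic to
port 80 on the INPUT, FORWARD and OUTPUT chains.  What happens to a matching
packet is decided by the firebricks configuration (\$Tail and the LogAs tag);
this module only supplies the matches.  It should be safe on any network, but
every port 80 packet is string-scanned, so it may add some load on busy web links.
EOTEXT
      ;;
    *)
      # Report the task that was actually unknown ($OneTask is the loop
      # variable; there is no $Action in this script).
      echo "Unknown action $OneTask in $Me, no action taken." >&2
      ;;
  esac
done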