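#!/bin/bash
#Copyright 2003 William Stearns <wstearns@pobox.com>
#Released under the GPL.
#
# firebricks module: iptables string-match rules derived from the Snort
# WEB-COLDFUSION signatures (sid 903-936, 1540, 1659).
#
# Usage: driven by firebricks. Each word of $Tasks (link, unlink, create,
# destroy, renamechain, replacelinks, status, version, help) is run in order.
# Requires: /etc/firebricks/firebricks.conf and firebrickslib, which supply
# $Tasks, $IptablesBin, $AppIn, $Ipt, $Tail, FlushOrNewChain, DestroyChain
# and DefaultHelp. Those are used as firebrickslib defines them; this module
# only checks that the library loaded ($FBLibVer set).
#
# $IptablesBin, $Ipt, $AppIn and $Tail are left unquoted on purpose, as in the
# original module: they may carry extra options, so word-splitting is intended.
# shellcheck disable=SC2086
#ZZZZ Check Me and MyVersion
Me='snort-web-coldfusion'
MyVersion='20031125'
#DefaultActions=''

[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] && . "/etc/firebricks/$Me.conf"
# Resolved after the conf files so they can override FBLibDir.
FBLibPath="${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"
[ -r "$FBLibPath" ] && . "$FBLibPath"
if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi

#######################################
# True when iptables chain $1 exists.
#######################################
chain_exists() {
  $IptablesBin -L "$1" -n >/dev/null 2>&1
}

#######################################
# Print the rule numbers in builtin chain $1 whose target is chain $2, one
# per line. Exact comparison on the target column: a plain grep for
# "$Me-12" would also hit "$Me-123".
#######################################
ref_rule_nums() {
  $IptablesBin -L "$1" -n --line-numbers | awk -v t="$2" '$2 == t { print $1 }'
}

#######################################
# Print how many rules in builtin chain $1 jump to chain $2 (0 when none).
#######################################
ref_count() {
  ref_rule_nums "$1" "$2" | awk 'END { print NR }'
}

#######################################
# Append one string-match rule to the module chain.
# Arguments: $1 - Snort sid, exported as LogAs=SIDnnn for firebrickslib
#            $2 - pattern exactly as written in the original rule
# NOTE(review): the patterns keep the double quotes from the Snort
# content: option inside the argument. Whether $Ipt strips them or iptables
# searches for the quotes literally depends on firebrickslib — confirm.
# The match is on TCP payload to port 80 only and is case-sensitive (Snort's
# nocase was not carried over), so mixed-case or non-80 requests are not
# caught; prefix patterns such as sid 918/928/930 also cover the more
# specific paths listed after them, so rule order matters for $Tail.
#######################################
cf_rule() {
  LogAs="SID$1" $Ipt -A "$Me" -p tcp --dport 80 -m string --string "$2" $Tail
}

for OneTask in $Tasks ; do   # $Tasks is a whitespace-separated list
  case "$OneTask" in
    link)
      $IptablesBin -N "$Me" >/dev/null 2>&1   # harmless if it already exists
      #ZZZZ try to restrict the following three to only send down what the chain needs to inspect.
      # "-i \! lo" is the older (intrapositioned) negation syntax this module
      # was written against; newer iptables warns and prefers "! -i lo".
      $IptablesBin $AppIn INPUT -i \! lo -j "$Me"
      $IptablesBin $AppIn FORWARD -j "$Me"
      $IptablesBin $AppIn OUTPUT -j "$Me"
      ;;
    unlink)
      #ZZZZ Make the same changes as above (such as "-p tcp"), but if you cut and paste, note "$AppIn" is now "-D"
      $IptablesBin -D INPUT -i \! lo -j "$Me"
      $IptablesBin -D FORWARD -j "$Me"
      $IptablesBin -D OUTPUT -j "$Me"
      $IptablesBin -X "$Me" >/dev/null 2>&1
      ;;
    create)
      echo "Starting $Me" >&2
      FlushOrNewChain "$Me"
      # One rule per Snort signature; comments keep the original message,
      # references and classtype.
      cf_rule 903 '"/cfcache.map"'   # cfcache.map access; bugtraq,917 cve,CVE-2000-0057; attempted-recon
      cf_rule 904 '"/cfdocs/exampleapp/email/application.cfm"'   # exampleapp application.cfm; bugtraq,1021; attempted-recon
      cf_rule 905 '"/cfdocs/exampleapp/publish/admin/application.cfm"'   # application.cfm access; bugtraq,1021; attempted-recon
      cf_rule 906 '"/cfdocs/exampleapp/email/getfile.cfm"'   # getfile.cfm access; bugtraq,229; attempted-recon
      cf_rule 907 '"/cfdocs/exampleapp/publish/admin/addcontent.cfm"'   # addcontent.cfm access; attempted-recon
      cf_rule 908 '"/cfide/administrator/index.cfm"'   # administrator access; cve,CVE-2000-0538; attempted-recon
      cf_rule 909 '"CF_SETDATASOURCEUSERNAME()"'   # datasource username attempt; bugtraq,550; web-application-attack
      cf_rule 910 '"/cfdocs/snippets/fileexists.cfm"'   # fileexists.cfm access; bugtraq,550; attempted-recon
      cf_rule 911 '"/cfdocs/expeval/exprcalc.cfm"'   # exprcalc access; cve,CVE-1999-0455 bugtraq,550; attempted-recon
      cf_rule 912 '"/cfdocs/examples/parks/detail.cfm"'   # parks access; bugtraq,550; attempted-recon
      cf_rule 913 '"/cfappman/index.cfm"'   # cfappman access; bugtraq,550; attempted-recon
      cf_rule 914 '"/cfdocs/examples/cvbeans/beaninfo.cfm"'   # beaninfo access; bugtraq,550; attempted-recon
      cf_rule 915 '"/cfdocs/snippets/evaluate.cfm"'   # evaluate.cfm access; bugtraq,550; attempted-recon
      cf_rule 916 '"CFUSION_GETODBCDSN()"'   # getodbcdsn access; bugtraq,550; web-application-attack
      cf_rule 917 '"CFUSION_DBCONNECTIONS_FLUSH()"'   # db connections flush attempt; bugtraq,550; web-application-attack
      cf_rule 918 '"/cfdocs/expeval/"'   # expeval access; bugtraq,550 cve,CAN-1999-0477; attempted-user
      cf_rule 919 '"CF_SETDATASOURCEPASSWORD()"'   # datasource password attempt; bugtraq,550; web-application-attack
      cf_rule 920 '"CF_ISCOLDFUSIONDATASOURCE()"'   # datasource attempt; bugtraq,550; web-application-attack
      cf_rule 921 '"CFUSION_ENCRYPT()"'   # admin encrypt attempt; bugtraq,550; web-application-attack
      cf_rule 922 '"/cfdocs/expeval/displayopenedfile.cfm"'   # displayfile access; bugtraq,550; web-application-attack
      cf_rule 923 '"CFUSION_GETODBCINI()"'   # getodbcin attempt; bugtraq,550; web-application-attack
      cf_rule 924 '"CFUSION_DECRYPT()"'   # admin decrypt attempt; bugtraq,550; web-application-attack
      cf_rule 925 '"/cfdocs/examples/mainframeset.cfm"'   # mainframeset access; bugtraq,550; attempted-recon
      cf_rule 926 '"CFUSION_SETODBCINI()"'   # set odbc ini attempt; bugtraq,550; web-application-attack
      cf_rule 927 '"CFUSION_SETTINGS_REFRESH()"'   # settings refresh attempt; bugtraq,550; web-application-attack
      cf_rule 928 '"/cfdocs/exampleapp/"'   # exampleapp access; attempted-recon
      cf_rule 929 '"CFUSION_VERIFYMAIL()"'   # CFUSION_VERIFYMAIL access; bugtraq,550; attempted-user
      cf_rule 930 '"/cfdocs/snippets/"'   # snippets attempt; bugtraq,550; attempted-recon
      cf_rule 931 '"/cfdocs/cfmlsyntaxcheck.cfm"'   # cfmlsyntaxcheck.cfm access; bugtraq,550; attempted-recon
      cf_rule 932 '"/application.cfm"'   # application.cfm access; bugtraq,550 arachnids,268 cve,CAN-2000-0189; attempted-recon
      cf_rule 933 '"/onrequestend.cfm"'   # onrequestend.cfm access; bugtraq,550 arachnids,269 cve,CAN-2000-0189; attempted-recon
      cf_rule 935 '"/cfide/administrator/startstop.html"'   # startstop DOS access; bugtraq,247; web-application-attack
      cf_rule 936 '"/cfdocs/snippets/gettempdirectory.cfm"'   # gettempdirectory.cfm access; bugtraq,550; attempted-recon
      cf_rule 1659 '"/sendmail.cfm"'   # sendmail.cfm access; attempted-recon
      cf_rule 1540 '"Mode=debug"'   # ?Mode=debug attempt; web-application-activity
      ;;
    destroy)
      echo "Stopping $Me" >&2
      DestroyChain "$Me"
      ;;
    renamechain)
      # First half of a live rule swap: park the current chain under a random
      # name so "create" can build the new one. TempChain only exists in this
      # process, so "replacelinks" must follow in the same $Tasks run.
      TempChain="$Me-$RANDOM"
      echo "Replacing existing rules in $Me with new rules" >&2
      $IptablesBin -E "$Me" "$TempChain"
      ;;
    replacelinks)
      # Second half: point INPUT/FORWARD/OUTPUT back at $Me in place of the
      # parked chain, then drop the parked chain. Each builtin chain must hold
      # exactly one reference, otherwise the swap is refused.
      if [ -z "$TempChain" ]; then
        echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
      elif ! chain_exists "$Me"; then
        echo "No $Me chain in $Me, replace operation incomplete." >&2
      elif ! chain_exists "$TempChain"; then
        echo "No $TempChain chain in $Me, replace operation incomplete." >&2
      elif [ "$(ref_count INPUT "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(ref_count FORWARD "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(ref_count OUTPUT "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
      else
        #ZZZZ Place the same criteria you used in link/unlink above in the following three lines.
        #ZZZZ Criteria should go just in front of "-j $Me"
        $IptablesBin -R INPUT "$(ref_rule_nums INPUT "$TempChain")" -i \! lo -j "$Me"
        $IptablesBin -R FORWARD "$(ref_rule_nums FORWARD "$TempChain")" -j "$Me"
        $IptablesBin -R OUTPUT "$(ref_rule_nums OUTPUT "$TempChain")" -j "$Me"
        DestroyChain "$TempChain"
        unset TempChain
      fi
      ;;
    status)
      if chain_exists "$Me"; then
        echo "$Me created" >&2
      else
        echo "$Me destroyed" >&2
      fi
      ;;
    version)
      echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
      ;;
    help)
      DefaultHelp
      # The text below describes this module; the previous version still
      # carried the template's fragmented-ICMP text.
      cat <<EOTEXT >&2
The $Me module creates the $Me chain and hooks it into INPUT (every
interface except lo), FORWARD and OUTPUT. It appends one rule per Snort
WEB-COLDFUSION signature (sid 903-936, 1540, 1659): TCP traffic to port
80 is checked with the iptables string match for ColdFusion sample
application paths, administrator pages and CFUSION_*/CF_* admin
functions, and matching packets get the action firebrickslib configures
in \$Tail, tagged with LogAs=SIDnnn. Matching is case-sensitive and only
port 80 is inspected, so this catches obvious probes and is no
substitute for patching the ColdFusion server. Legitimate use of the
ColdFusion administrator or the bundled sample applications over port
80 is matched too, so review the configured action before using this on
a host that serves ColdFusion.
EOTEXT
      ;;
    *)
      # Report the loop variable; the earlier "$Action" was never set here.
      echo "Unknown action $OneTask in $Me, no action taken." >&2
      ;;
  esac
done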