Appendix B: A Complete fwsnort Script

The fwsnort project creates a shell script that automates the execution of the iptables commands necessary to create an iptables policy that is capable of detecting application layer attacks. Appendix B contains a complete example of an fwsnort.sh script generated by fwsnort. You can download this script here, and it is reproduced below for reference as well:
#!/bin/sh
#
############################################################################
#
# File:  /etc/fwsnort/fwsnort.sh
#
# Purpose:  This script was auto-generated by fwsnort, and implements
#           an iptables ruleset based upon Snort rules.  For more
#           information see the fwsnort man page or the documentation
#           available at http://www.cipherdyne.org/fwsnort/
#
# Generated with:     fwsnort --snort-sid 1332,1336,1338,1339,1341,1342,1360
# Generated on host:  isengard
# Time stamp:         Tue Sep 18 19:46:56 2007
#
# Author:  Michael Rash <mbr@cipherdyne.org>
#
# Version: 1.0.2 (file revision: 400)
#
############################################################################
#

#==================== config ====================
ECHO=/bin/echo
IPTABLES=/sbin/iptables
#================== end config ==================


###
############ Create fwsnort iptables chains. ############
###
$IPTABLES -N FWSNORT_FORWARD 2> /dev/null
$IPTABLES -F FWSNORT_FORWARD

$IPTABLES -N FWSNORT_FORWARD_ESTAB 2> /dev/null
$IPTABLES -F FWSNORT_FORWARD_ESTAB

$IPTABLES -N FWSNORT_INPUT 2> /dev/null
$IPTABLES -F FWSNORT_INPUT

$IPTABLES -N FWSNORT_INPUT_ESTAB 2> /dev/null
$IPTABLES -F FWSNORT_INPUT_ESTAB

$IPTABLES -N FWSNORT_OUTPUT 2> /dev/null
$IPTABLES -F FWSNORT_OUTPUT

$IPTABLES -N FWSNORT_OUTPUT_ESTAB 2> /dev/null
$IPTABLES -F FWSNORT_OUTPUT_ESTAB


###
############ Inspect ESTABLISHED tcp connections. ############
###
$IPTABLES -A FWSNORT_FORWARD -p tcp -m state --state ESTABLISHED -j FWSNORT_FORWARD_ESTAB
$IPTABLES -A FWSNORT_INPUT -p tcp -m state --state ESTABLISHED -j FWSNORT_INPUT_ESTAB
$IPTABLES -A FWSNORT_OUTPUT -p tcp -m state --state ESTABLISHED -j FWSNORT_OUTPUT_ESTAB

###
############ web-attacks.rules ############
###
$ECHO "[+] Adding web-attacks rules."

### alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/id \
command attempt"; flow:to_server,established; content:"/usr/bin/id"; nocase; \
classtype:web-application-attack; sid:1332; rev:5;)
$IPTABLES -A FWSNORT_FORWARD_ESTAB -p tcp --dport 80 -m string --string "/usr/bin/id" \
--algo bm -m comment --comment "sid:1332; msg:WEB-ATTACKS /usr/bin/id command attempt; \
classtype:web-application-attack; rev:5; FWS:1.0.2;" -j LOG --log-ip-options \
--log-tcp-options --log-prefix "[1] SID1332 ESTAB "
$IPTABLES -A FWSNORT_INPUT_ESTAB -p tcp --dport 80 -m string --string "/usr/bin/id" \
--algo bm -m comment --comment "sid:1332; msg:WEB-ATTACKS /usr/bin/id command attempt; \
classtype:web-application-attack; rev:5; FWS:1.0.2;" -j LOG --log-ip-options \
--log-tcp-options --log-prefix "[1] SID1332 ESTAB "

### alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chmod \
command attempt"; flow:to_server,established; content:"/bin/chmod"; nocase; \
classtype:web-application-attack; sid:1336; rev:5;)
$IPTABLES -A FWSNORT_FORWARD_ESTAB -p tcp --dport 80 -m string --string "/bin/chmod" \
--algo bm -m comment --comment "sid:1336; msg:WEB-ATTACKS chmod command attempt; \
classtype:web-application-attack; rev:5; FWS:1.0.2;" -j LOG --log-ip-options \
--log-tcp-options --log-prefix "[2] SID1336 ESTAB "
$IPTABLES -A FWSNORT_INPUT_ESTAB -p tcp --dport 80 -m string --string "/bin/chmod" \
--algo bm -m comment --comment "sid:1336; msg:WEB-ATTACKS chmod command attempt; \
classtype:web-application-attack; rev:5; FWS:1.0.2;" -j LOG --log-ip-options \
--log-tcp-options --log-prefix "[2] SID1336 ESTAB "

### alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chown \
command attempt"; flow:to_server,established; content:"/chown"; nocase; \
classtype:web-application-attack; sid:1338; rev:6;)
$IPTABLES -A FWSNORT_FORWARD_ESTAB -p tcp --dport 80 -m string --string "/chown" \
--algo bm -m comment --comment "sid:1338; msg:WEB-ATTACKS chown command attempt; \
classtype:web-application-attack; rev:6; FWS:1.0.2;" -j LOG --log-ip-options \
--log-tcp-options --log-prefix "[3] SID1338 ESTAB "
$IPTABLES -A FWSNORT_INPUT_ESTAB -p tcp --dport 80 -m string --string "/chown" \
--algo bm -m comment --comment "sid:1338; msg:WEB-ATTACKS chown command attempt; \
classtype:web-application-attack; rev:6; FWS:1.0.2;" -j LOG --log-ip-options \
--log-tcp-options --log-prefix "[3] SID1338 ESTAB "

### alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chsh command \
attempt"; flow:to_server,established; content:"/usr/bin/chsh"; nocase; \
classtype:web-application-attack; sid:1339; rev:5;)
$IPTABLES -A FWSNORT_FORWARD_ESTAB -p tcp --dport 80 -m string --string "/usr/bin/chsh" \
--algo bm -m comment --comment "sid:1339; msg:WEB-ATTACKS chsh command attempt; \
classtype:web-application-attack; rev:5; FWS:1.0.2;" -j LOG --log-ip-options \
--log-tcp-options --log-prefix "[4] SID1339 ESTAB "
$IPTABLES -A FWSNORT_INPUT_ESTAB -p tcp --dport 80 -m string --string "/usr/bin/chsh" \
--algo bm -m comment --comment "sid:1339; msg:WEB-ATTACKS chsh command attempt; \
classtype:web-application-attack; rev:5; FWS:1.0.2;" -j LOG --log-ip-options \
--log-tcp-options --log-prefix "[4] SID1339 ESTAB "

### alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS \
/usr/bin/gcc command attempt"; flow:to_server,established; content:"/usr/bin/gcc"; \
nocase; classtype:web-application-attack; sid:1341; rev:5;)
$IPTABLES -A FWSNORT_FORWARD_ESTAB -p tcp --dport 80 -m string --string "/usr/bin/gcc" \
--algo bm -m comment --comment "sid:1341; msg:WEB-ATTACKS /usr/bin/gcc command attempt; \
classtype:web-application-attack; rev:5; FWS:1.0.2;" -j LOG --log-ip-options \
--log-tcp-options --log-prefix "[5] SID1341 ESTAB "
$IPTABLES -A FWSNORT_INPUT_ESTAB -p tcp --dport 80 -m string --string "/usr/bin/gcc" \
--algo bm -m comment --comment "sid:1341; msg:WEB-ATTACKS /usr/bin/gcc command attempt; \
classtype:web-application-attack; rev:5; FWS:1.0.2;" -j LOG --log-ip-options \
--log-tcp-options --log-prefix "[5] SID1341 ESTAB "

### alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS gcc \
command attempt"; flow:to_server,established; content:"gcc%20-o"; nocase; \
classtype:web-application-attack; sid:1342; rev:5;)
$IPTABLES -A FWSNORT_FORWARD_ESTAB -p tcp --dport 80 -m string --string "gcc%20-o" \
--algo bm -m comment --comment "sid:1342; msg:WEB-ATTACKS gcc command attempt; \
classtype:web-application-attack; rev:5; FWS:1.0.2;" -j LOG --log-ip-options \
--log-tcp-options --log-prefix "[6] SID1342 ESTAB "
$IPTABLES -A FWSNORT_INPUT_ESTAB -p tcp --dport 80 -m string --string "gcc%20-o" \
--algo bm -m comment --comment "sid:1342; msg:WEB-ATTACKS gcc command attempt; \
classtype:web-application-attack; rev:5; FWS:1.0.2;" -j LOG --log-ip-options \
--log-tcp-options --log-prefix "[6] SID1342 ESTAB "

### alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS netcat \
command attempt"; flow:to_server,established; content:"nc%20"; nocase; \
classtype:web-application-attack; sid:1360; rev:5;)
$IPTABLES -A FWSNORT_FORWARD_ESTAB -p tcp --dport 80 -m string --string "nc%20" \
--algo bm -m comment --comment "sid:1360; msg:WEB-ATTACKS netcat command attempt; \
classtype:web-application-attack; rev:5; FWS:1.0.2;" -j LOG --log-ip-options \
--log-tcp-options --log-prefix "[7] SID1360 ESTAB "
$IPTABLES -A FWSNORT_INPUT_ESTAB -p tcp --dport 80 -m string --string "nc%20" \
--algo bm -m comment --comment "sid:1360; msg:WEB-ATTACKS netcat command attempt; \
classtype:web-application-attack; rev:5; FWS:1.0.2;" -j LOG --log-ip-options \
--log-tcp-options --log-prefix "[7] SID1360 ESTAB "
$ECHO "    Rules added: 14"

###
############ Jump traffic to the fwsnort chains. ############
###
$IPTABLES -D FORWARD -i ! lo -j FWSNORT_FORWARD 2> /dev/null
$IPTABLES -I FORWARD 1 -i ! lo -j FWSNORT_FORWARD
$IPTABLES -D INPUT -i ! lo -j FWSNORT_INPUT 2> /dev/null
$IPTABLES -I INPUT 1 -i ! lo -j FWSNORT_INPUT
$IPTABLES -D OUTPUT -o ! lo -j FWSNORT_OUTPUT 2> /dev/null
$IPTABLES -I OUTPUT 1 -o ! lo -j FWSNORT_OUTPUT

$ECHO "[+] Finished."
### EOF ###
cipherdyne.org

Appendix B: A Complete fwsnort Script

Software

Linux Firewalls Book

Recent Blog Posts

Categories
