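#!/bin/bash
# Copyright 2003 William Stearns
# Released under the GPL.
#
# firebricks module: snort-attack-responses
#
# Installs iptables "-m string" rules generated from the Snort
# ATTACK-RESPONSES ruleset.  Every rule looks for a fixed payload string
# that typically shows up in the *output* of a successful attack (a DOS
# directory listing, the cmd.exe banner, the "*GOBBLE*" shell marker, ...).
# What happens on a match is whatever the firebricks configuration puts in
# $Tail (every rule below ends with it); each rule is run with
# LogAs="SIDnnnn" in its environment so a hit can be traced back to the
# originating Snort SID.
#
# Caveats for whoever deploys this:
#   * Everything sourced from /etc/firebricks runs with this script's
#     privileges (root, since it drives iptables).  Those files must be
#     root-owned and not writable by anyone else.
#   * "-m string" inspects one packet at a time.  A signature that straddles
#     two TCP segments, or travels inside an encrypted session, is never
#     seen; treat this module as a best-effort tripwire, not a control.
#   * The Snort originals marked "nocase-ignored" were case-insensitive;
#     the iptables versions here are case-sensitive.
#   * Some signatures are coarse ("HTTP/1.1 403", "uname", "Invalid URL").
#     If $Tail drops, they will interfere with legitimate traffic.
#   * NOTE(review): the --string values carry literal double quotes copied
#     from the Snort rule syntax.  Unless $Ipt strips them, the kernel is
#     asked to match the quotes as well -- confirm against firebrickslib.
#   * $IptablesBin, $Ipt, $AppIn, $Tail and $Tasks are deliberately left
#     unquoted: firebrickslib supplies them as space-separated argument
#     lists that must word-split.

#ZZZZ Check Me and MyVersion
Me='snort-attack-responses'
MyVersion='20031125'
#DefaultActions=''

# Site config, then per-module config, then the shared library.  The
# library is expected to define FBLibVer, Tasks, IptablesBin, Ipt, AppIn,
# Tail, FlushOrNewChain, DestroyChain and DefaultHelp, all used below.
[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] && . "/etc/firebricks/$Me.conf"
[ -r "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib" ] && . "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"
if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi

# Number of rules in built-in chain $1 that reference chain $2.
count_refs() {
  $IptablesBin -L "$1" -n --line-numbers | grep -c -- "$2"
}

# Rule number of the (single) rule in built-in chain $1 that references
# chain $2.  Only meaningful after count_refs reported exactly one hit.
ref_line() {
  $IptablesBin -L "$1" -n --line-numbers | grep -- "$2" | awk '{print $1}'
}

for OneTask in $Tasks ; do
  case "$OneTask" in
  link)
    $IptablesBin -N "$Me" >/dev/null 2>&1
    #ZZZZ try to restrict the following three to only send down what the
    #ZZZZ chain needs to inspect (every rule in "create" is -p tcp).  Any
    #ZZZZ criteria added here must also be added to unlink and replacelinks,
    #ZZZZ and an already-installed jump using the old criteria must be
    #ZZZZ removed by hand, since "-D" only deletes an exactly matching rule.
    $IptablesBin $AppIn INPUT -i \! lo -j "$Me"
    $IptablesBin $AppIn FORWARD -j "$Me"
    $IptablesBin $AppIn OUTPUT -j "$Me"
    ;;
  unlink)
    #ZZZZ Make the same changes as above (such as "-p tcp"), but if you cut
    #ZZZZ and paste, note "$AppIn" is now "-D"
    $IptablesBin -D INPUT -i \! lo -j "$Me"
    $IptablesBin -D FORWARD -j "$Me"
    $IptablesBin -D OUTPUT -j "$Me"
    $IptablesBin -X "$Me" >/dev/null 2>&1
    ;;
  create)
    echo "Starting $Me" >&2
    FlushOrNewChain "$Me"
    # One rule per Snort SID.  The trailing comment on each line is the
    # original Snort message, references and classtype.
    LogAs="SID1292" $Ipt -A "$Me" -p tcp -m string --string '"Volume Serial Number"' $Tail # '"ATTACK-RESPONSES directory listing"' classtype:bad-unknown sid:1292
    LogAs="SID494" $Ipt -A "$Me" -p tcp --sport 80 -m string --string '"Command completed"' $Tail # '"ATTACK-RESPONSES command completed"' nocase-ignored classtype:bad-unknown sid:494
    LogAs="SID495" $Ipt -A "$Me" -p tcp --sport 80 -m string --string '"Bad command or filename"' $Tail # '"ATTACK-RESPONSES command error"' nocase-ignored classtype:bad-unknown sid:495
    LogAs="SID497" $Ipt -A "$Me" -p tcp --sport 80 -m string --string '"1 file(s) copied"' $Tail # '"ATTACK-RESPONSES file copied ok"' nocase-ignored classtype:bad-unknown sid:497
    LogAs="SID1200" $Ipt -A "$Me" -p tcp --sport 80 -m string --string '"Invalid URL"' $Tail # '"ATTACK-RESPONSES Invalid URL"' nocase-ignored url,www.microsoft.com/technet/security/bulletin/MS00-063.asp classtype:attempted-recon sid:1200
    LogAs="SID1666" $Ipt -A "$Me" -p tcp --sport 80 -m string --string '"Index of /cgi-bin/"' $Tail # '"ATTACK-RESPONSES index of /cgi-bin/ response"' nocase-ignored nessus,10039 classtype:bad-unknown sid:1666
    # Matches every 403 a local web server emits; noisy, and harmful if $Tail drops.
    LogAs="SID1201" $Ipt -A "$Me" -p tcp --sport 80 -m string --string '"HTTP/1.1 403"' $Tail # '"ATTACK-RESPONSES 403 Forbidden"' classtype:attempted-recon sid:1201
    LogAs="SID1464" $Ipt -A "$Me" -p tcp --sport 8002 -m string --string '"Oracle Applications One-Hour Install"' $Tail # '"ATTACK-RESPONSES oracle one hour install"' classtype:bad-unknown sid:1464
    LogAs="SID1900" $Ipt -A "$Me" -p tcp --sport 749 -m string --string '"*GOBBLE*"' $Tail # '"ATTACK-RESPONSES successful kadmind buffer overflow attempt"' cve,CAN-2002-1235 url,www.kb.cert.org/vuls/id/875073 classtype:successful-admin sid:1900
    LogAs="SID1901" $Ipt -A "$Me" -p tcp --sport 751 -m string --string '"*GOBBLE*"' $Tail # '"ATTACK-RESPONSES successful kadmind buffer overflow attempt"' cve,CAN-2002-1235 url,www.kb.cert.org/vuls/id/875073 classtype:successful-admin sid:1901
    LogAs="SID1810" $Ipt -A "$Me" -p tcp --sport 22 -m string --string '"*GOBBLE*"' $Tail # '"ATTACK-RESPONSES successful gobbles ssh exploit (GOBBLE)"' bugtraq,5093 classtype:successful-admin sid:1810
    # "uname" is a very short pattern; expect false positives on anything cleartext that happens to use port 22.
    LogAs="SID1811" $Ipt -A "$Me" -p tcp --sport 22 -m string --string '"uname"' $Tail # '"ATTACK-RESPONSES successful gobbles ssh exploit (uname)"' bugtraq,5093 classtype:misc-attack sid:1811
    LogAs="SID2104" $Ipt -A "$Me" -p tcp --sport 512 -m string --string '"username too long"' $Tail # '"ATTACK-RESPONSES rexec username too long response"' classtype:unsuccessful-user sid:2104
    # NOTE(review): three --string options on one rule is inherited from the
    # Snort rule's three content: fields; whether the iptables string match
    # honours more than one is kernel/version dependent -- verify before relying on it.
    LogAs="SID2123" $Ipt -A "$Me" -p tcp --sport ! 21:23 -m string --string '"Microsoft Windows"' --string '"(C) Copyright 1985-"' --string '"Microsoft Corp."' $Tail # '"ATTACK-RESPONSES Microsoft cmd.exe banner"' nessus,11633 classtype:successful-admin sid:2123
    ;;
  destroy)
    echo "Stopping $Me" >&2
    DestroyChain "$Me"
    ;;
  renamechain)
    # Park the live chain under a temporary name so "create" can build the
    # replacement while the old rules keep running.  TempChain is picked up
    # by a later "replacelinks" task in the same invocation.
    TempChain="$Me-$RANDOM"
    echo "Replacing existing rules in $Me with new rules" >&2
    $IptablesBin -E "$Me" "$TempChain"
    ;;
  replacelinks)
    # Swap the jump into the temporary chain for a jump into the rebuilt
    # chain, then drop the temporary one.  Refuse to act unless exactly one
    # reference exists in each built-in chain, so a wrong rule is never replaced.
    if [ -z "$TempChain" ]; then
      echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
    elif ! $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
      echo "No $Me chain in $Me, replace operation incomplete." >&2
    elif ! $IptablesBin -L "$TempChain" -n >/dev/null 2>&1 ; then
      echo "No $TempChain chain in $Me, replace operation incomplete." >&2
    elif [ "$(count_refs INPUT "$TempChain")" -ne 1 ]; then
      echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
    elif [ "$(count_refs FORWARD "$TempChain")" -ne 1 ]; then
      echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
    elif [ "$(count_refs OUTPUT "$TempChain")" -ne 1 ]; then
      echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
    else
      #ZZZZ Place the same criteria you used in link/unlink above in the following three lines.
      #ZZZZ Criteria should go just in front of "-j $Me"
      $IptablesBin -R INPUT "$(ref_line INPUT "$TempChain")" -i \! lo -j "$Me"
      $IptablesBin -R FORWARD "$(ref_line FORWARD "$TempChain")" -j "$Me"
      $IptablesBin -R OUTPUT "$(ref_line OUTPUT "$TempChain")" -j "$Me"
      DestroyChain "$TempChain"
      unset TempChain
    fi
    ;;
  status)
    if $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
      echo "$Me created" >&2
    else
      echo "$Me destroyed" >&2
    fi
    ;;
  version)
    echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
    ;;
  help)
    DefaultHelp
    # Module-specific help.  The previous text described ICMP fragment
    # blocks and belonged to a different module.
    cat <<EOTEXT >&2
The $Me module adds iptables string-match rules derived from the Snort
ATTACK-RESPONSES ruleset.  It inspects TCP payloads for strings that
typically appear in the output of a successful attack (DOS directory
listings, the cmd.exe banner, shell-exploit markers) and hands a match to
whatever action the firebricks Tail setting specifies.
These rules look at single packets only; a string split across TCP
segments, or carried in an encrypted session, is not seen.  Several
signatures (HTTP/1.1 403, uname, Invalid URL) are prone to false
positives, so do not use this module with a dropping Tail action on
networks where that traffic is legitimate.
EOTEXT
    ;;
  *)
    # $OneTask is the loop variable; the old message printed the unset $Action.
    echo "Unknown action $OneTask in $Me, no action taken." >&2
    ;;
  esac
done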