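#!/bin/bash
# snort-chat: a firebricks module that translates a subset of the Snort
# "CHAT" rule set (ICQ, MSN Messenger, IRC, AIM) into iptables string-match
# rules living in a dedicated chain named after the module.
#
# Copyright 2003 William Stearns
# Released under the GPL.
#
# Driven by firebrickslib: every word in $Tasks selects one action below.
# Names expected from the firebricks config/library, not defined here:
#   IptablesBin, AppIn, Ipt, Tail, Tasks, FBLibVer, FlushOrNewChain,
#   DestroyChain, DefaultHelp.  AIM_SERVERS must come from the module config.
#
# Detection caveats a deployer should know:
#   - iptables string matching looks at one packet at a time, not at the
#     reassembled TCP stream, so content split across segments is not seen.
#   - Snort's "nocase" modifier has no equivalent here (marked
#     "nocase-ignored" on the affected rules); matching is case-sensitive.
#   - LogAs and $Tail are consumed by the $Ipt wrapper from firebrickslib;
#     what happens to a matching packet (log, drop, ...) is decided there.

#ZZZZ Check Me and MyVersion
Me='snort-chat'
MyVersion='20031125'
#DefaultActions=''

# Global config first, then the per-module config (so it can override), then
# the shared library, which must see both.
[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] && . "/etc/firebricks/$Me.conf"
[ -r "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib" ] && . "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"

if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi

for OneTask in $Tasks ; do
  case "$OneTask" in
    link)
      # Create the chain (ignore "already exists") and hook it into the three
      # built-in chains.  $AppIn is the append/insert flag supplied by
      # firebrickslib.  "-i \! lo" is the old intrapositioned negation form;
      # whatever criteria are used here MUST be repeated verbatim in unlink
      # and replacelinks below, or the hooks cannot be found again.
      #ZZZZ try to restrict the following three to only send down what the
      #ZZZZ chain needs to inspect (every rule in create is "-p tcp").
      $IptablesBin -N "$Me" >/dev/null 2>&1
      $IptablesBin $AppIn INPUT -i \! lo -j "$Me"
      $IptablesBin $AppIn FORWARD -j "$Me"
      $IptablesBin $AppIn OUTPUT -j "$Me"
      ;;
    unlink)
      # Mirror of link: same criteria, "-D" instead of $AppIn, then drop the
      # (now unreferenced) chain.
      $IptablesBin -D INPUT -i \! lo -j "$Me"
      $IptablesBin -D FORWARD -j "$Me"
      $IptablesBin -D OUTPUT -j "$Me"
      $IptablesBin -X "$Me" >/dev/null 2>&1
      ;;
    create)
      echo "Starting $Me" >&2
      FlushOrNewChain "$Me"
      # Each rule: LogAs carries the Snort SID for the $Ipt wrapper
      # (presumably used to label the log line), the trailing comment keeps
      # the original Snort message, references, classtype and sid.

      # ICQ: server-side response that injects a contact.
      LogAs="SID1832" $Ipt -A "$Me" -p tcp --sport 80 -m string --string '"Content-Type: application/x-icq"' --string '"[ICQ User]"' $Tail # '"CHAT ICQ forced user addition"' bugtraq,3226 cve,CAN-2001-1305 classtype:misc-activity sid:1832

      # MSN Messenger (tcp/1863): messages, file-transfer negotiation, search, login.
      LogAs="SID540" $Ipt -A "$Me" -p tcp --dport 1863 -m state --state ESTABLISHED -m string --string '"MSG "' --string '"Content-Type:"' --string '"text/plain"' $Tail # '"CHAT MSN message"' classtype:misc-activity sid:540
      LogAs="SID540" $Ipt -A "$Me" -p tcp --sport 1863 -m state --state ESTABLISHED -m string --string '"MSG "' --string '"Content-Type:"' --string '"text/plain"' $Tail # '"CHAT MSN message"' classtype:misc-activity sid:540
      LogAs="SID1986" $Ipt -A "$Me" -p tcp --dport 1863 -m state --state ESTABLISHED -m string --string '"MSG "' --string '"Content-Type:"' --string '"text/x-msmsgsinvite"' --string '"Application-Name:"' --string '"File Transfer"' $Tail # '"CHAT MSN file transfer request"' nocase-ignored nocase-ignored nocase-ignored classtype:policy-violation sid:1986
      LogAs="SID1986" $Ipt -A "$Me" -p tcp --sport 1863 -m state --state ESTABLISHED -m string --string '"MSG "' --string '"Content-Type:"' --string '"text/x-msmsgsinvite"' --string '"Application-Name:"' --string '"File Transfer"' $Tail # '"CHAT MSN file transfer request"' nocase-ignored nocase-ignored nocase-ignored classtype:policy-violation sid:1986
      LogAs="SID1988" $Ipt -A "$Me" -p tcp --dport 1863 -m state --state ESTABLISHED -m string --string '"MSG "' --string '"Content-Type:"' --string '"text/x-msmsgsinvite"' --string '"Invitation-Command:"' --string '"ACCEPT"' $Tail # '"CHAT MSN file transfer accept"' classtype:policy-violation sid:1988
      LogAs="SID1988" $Ipt -A "$Me" -p tcp --sport 1863 -m state --state ESTABLISHED -m string --string '"MSG "' --string '"Content-Type:"' --string '"text/x-msmsgsinvite"' --string '"Invitation-Command:"' --string '"ACCEPT"' $Tail # '"CHAT MSN file transfer accept"' classtype:policy-violation sid:1988
      LogAs="SID1989" $Ipt -A "$Me" -p tcp --dport 1863 -m state --state ESTABLISHED -m string --string '"MSG "' --string '"Content-Type:"' --string '"text/x-msmsgsinvite"' --string '"Invitation-Command:"' --string '"CANCEL"' --string '"Cancel-Code:"' --string '"REJECT"' $Tail # '"CHAT MSN file transfer reject"' nocase-ignored nocase-ignored classtype:policy-violation sid:1989
      LogAs="SID1989" $Ipt -A "$Me" -p tcp --sport 1863 -m state --state ESTABLISHED -m string --string '"MSG "' --string '"Content-Type:"' --string '"text/x-msmsgsinvite"' --string '"Invitation-Command:"' --string '"CANCEL"' --string '"Cancel-Code:"' --string '"REJECT"' $Tail # '"CHAT MSN file transfer reject"' nocase-ignored nocase-ignored classtype:policy-violation sid:1989
      LogAs="SID1990" $Ipt -A "$Me" -p tcp --dport 1863 -m string --string '"CAL "' $Tail # '"CHAT MSN user search"' nocase-ignored classtype:policy-violation sid:1990
      LogAs="SID1991" $Ipt -A "$Me" -p tcp --dport 1863 -m string --string '"USR "' --string '" TWN "' $Tail # '"CHAT MSN login attempt"' nocase-ignored nocase-ignored classtype:policy-violation sid:1991

      # IRC (tcp/6666-7000): nick changes, DCC offers, joins, messages, USERHOST.
      LogAs="SID542" $Ipt -A "$Me" -p tcp --dport 6666:7000 -m string --string '"NICK "' $Tail # '"CHAT IRC nick change"' classtype:misc-activity sid:542
      LogAs="SID1639" $Ipt -A "$Me" -p tcp --dport 6666:7000 -m string --string '"PRIVMSG "' --string '" :.DCC SEND"' $Tail # '"CHAT IRC DCC file transfer request"' nocase-ignored nocase-ignored classtype:misc-activity sid:1639
      LogAs="SID1640" $Ipt -A "$Me" -p tcp --dport 6666:7000 -m string --string '"PRIVMSG "' --string '" :.DCC CHAT chat"' $Tail # '"CHAT IRC DCC chat request"' nocase-ignored nocase-ignored classtype:misc-activity sid:1640
      LogAs="SID1729" $Ipt -A "$Me" -p tcp --dport 6666:7000 -m string --string '"JOIN : #"' $Tail # '"CHAT IRC channel join"' nocase-ignored classtype:misc-activity sid:1729
      LogAs="SID1463" $Ipt -A "$Me" -p tcp --dport 6666:7000 -m state --state ESTABLISHED -m string --string '"PRIVMSG "' $Tail # '"CHAT IRC message"' nocase-ignored classtype:misc-activity sid:1463
      LogAs="SID1463" $Ipt -A "$Me" -p tcp --sport 6666:7000 -m state --state ESTABLISHED -m string --string '"PRIVMSG "' $Tail # '"CHAT IRC message"' nocase-ignored classtype:misc-activity sid:1463
      LogAs="SID1789" $Ipt -A "$Me" -p tcp --dport 6666:7000 -m string --string '"USERHOST "' $Tail # '"CHAT IRC dns request"' nocase-ignored classtype:misc-activity sid:1789
      LogAs="SID1790" $Ipt -A "$Me" -p tcp --sport 6666:7000 -m string --string '":"' --string '" 302 "' --string '"=+"' $Tail # '"CHAT IRC dns response"' classtype:misc-activity sid:1790

      # AIM: keyed on the AIM_SERVERS address spec from the module config.
      # Without it "-d"/"-s" would swallow the following "-m" and all three
      # calls would fail, so skip them loudly instead.  AIM_SERVERS is passed
      # unquoted as before and must be a single host/network spec.
      # NOTE(review): the patterns are a lone "*" and an empty string, so
      # these rules will fire on most traffic to/from AIM_SERVERS; read them
      # as "AIM traffic seen", not as message detection.
      if [ -n "$AIM_SERVERS" ]; then
        LogAs="SID1631" $Ipt -A "$Me" -p tcp -d $AIM_SERVERS -m string --string '"*"' $Tail # '"CHAT AIM login"' classtype:policy-violation sid:1631
        LogAs="SID1632" $Ipt -A "$Me" -p tcp -d $AIM_SERVERS -m string --string '"*"' --string '""' $Tail # '"CHAT AIM send message"' classtype:policy-violation sid:1632
        LogAs="SID1633" $Ipt -A "$Me" -p tcp -s $AIM_SERVERS -m string --string '"*"' --string '""' $Tail # '"CHAT AIM receive message"' classtype:policy-violation sid:1633
      else
        echo "AIM_SERVERS is not set (see /etc/firebricks/$Me.conf); skipping the AIM rules in $Me" >&2
      fi
      ;;
    destroy)
      echo "Stopping $Me" >&2
      DestroyChain "$Me"
      ;;
    renamechain)
      # First half of an atomic-ish replace: move the live chain aside so
      # create can rebuild $Me while the old rules keep working.
      TempChain="$Me-$RANDOM"
      echo "Replacing existing rules in $Me with new rules" >&2
      $IptablesBin -E "$Me" "$TempChain"
      ;;
    replacelinks)
      # Second half: swap the hooks in INPUT/FORWARD/OUTPUT from the renamed
      # chain back to $Me, then destroy the old chain.  Refuse to touch
      # anything unless exactly one reference exists in each built-in chain.
      # grep -w -F keeps "$Me-12" from matching a "$Me-123" chain.
      if [ -z "$TempChain" ]; then
        echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
      elif ! $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
        echo "No $Me chain in $Me, replace operation incomplete." >&2
      elif ! $IptablesBin -L "$TempChain" -n >/dev/null 2>&1 ; then
        echo "No $TempChain chain in $Me, replace operation incomplete." >&2
      elif [ "$($IptablesBin -L INPUT -n --line-numbers | grep -c -w -F -- "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$($IptablesBin -L FORWARD -n --line-numbers | grep -c -w -F -- "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$($IptablesBin -L OUTPUT -n --line-numbers | grep -c -w -F -- "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
      else
        #ZZZZ Place the same criteria you used in link/unlink above in the
        #ZZZZ three -R lines, just in front of "-j $Me".
        InputRule=$($IptablesBin -L INPUT -n --line-numbers | grep -w -F -- "$TempChain" | awk '{print $1}')
        ForwardRule=$($IptablesBin -L FORWARD -n --line-numbers | grep -w -F -- "$TempChain" | awk '{print $1}')
        OutputRule=$($IptablesBin -L OUTPUT -n --line-numbers | grep -w -F -- "$TempChain" | awk '{print $1}')
        $IptablesBin -R INPUT "$InputRule" -i \! lo -j "$Me"
        $IptablesBin -R FORWARD "$ForwardRule" -j "$Me"
        $IptablesBin -R OUTPUT "$OutputRule" -j "$Me"
        DestroyChain "$TempChain"
        unset TempChain
      fi
      ;;
    status)
      if $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
        echo "$Me created" >&2
      else
        echo "$Me destroyed" >&2
      fi
      ;;
    version)
      echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
      ;;
    help)
      DefaultHelp
      # Help text describes this module; the earlier text was a leftover
      # from the ICMP template and did not match what create installs.
      cat <<EOTEXT >&2
The $Me module builds a chain of iptables string-match rules derived from
Snort "CHAT" signatures: ICQ forced user addition (sid 1832), MSN Messenger
messages, file transfers, user search and login (sids 540, 1986, 1988-1991),
IRC nick/join/message/DCC/USERHOST traffic on tcp 6666-7000 (sids 542, 1463,
1639, 1640, 1729, 1789, 1790) and AIM traffic to/from \$AIM_SERVERS
(sids 1631-1633).  What happens to a matching packet (logging, dropping, ...)
is decided by the \$Tail action configured for this module in firebricks.

Caveats: string matching is per packet and case-sensitive, so these rules can
be evaded and will miss some traffic; the AIM rules match on a single "*" and
an empty string and fire on most traffic to/from \$AIM_SERVERS.  Expect noise
on networks where these chat protocols are in normal use, and set AIM_SERVERS
in /etc/firebricks/$Me.conf or the AIM rules are skipped.  Do not use this
module where that match volume (or the action in \$Tail) would be a problem.
EOTEXT
      ;;
    *)
      # Was "$Action", which is never set here; the loop variable is $OneTask.
      echo "Unknown action $OneTask in $Me, no action taken." >&2
      ;;
  esac
done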