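#!/bin/bash
#Copyright 2003 William Stearns
#Released under the GPL.
#
# firebricks module: string-match rules for known NETBIOS/SMB attack
# signatures on tcp/139.  The rules are a mechanical port of Snort
# signatures (the original Snort SID and references are kept as a trailing
# comment on each rule).
#
# Usage: driven by firebrickslib, which sets $Tasks to the actions to run
# (link, unlink, create, destroy, renamechain, replacelinks, status,
# version, help) and provides $IptablesBin, $Ipt, $Tail, $AppIn,
# FlushOrNewChain, DestroyChain and DefaultHelp.
#
# NOTE(review): the --string values below carry literal double quotes and
# transcoded non-ASCII bytes (e.g. the "˙" characters, which look like raw
# 0xFF bytes rendered through the wrong code page).  iptables' string
# match compares the bytes exactly as given, so confirm against the rule
# generator that these are the intended patterns before relying on them.
# NOTE(review): several rules pass more than one --string to a single
# "-m string"; iptables' string match takes one --string per match
# instance, so those rules may be rejected at load time -- check the
# output of "create" and the "status" action.
#ZZZZ Check Me and MyVersion
Me='snort-netbios'
MyVersion='20031125'
#DefaultActions=''

# Site-wide config, then per-module config, then the library itself.
[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] && . "/etc/firebricks/$Me.conf"
[ -r "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib" ] && . "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"

# firebrickslib sets FBLibVer; without it none of the helpers above exist.
if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi

#######################################
# Count the rules in builtin chain $1 that reference chain $2.
# Whole-word match so that "$Me-12" is not also counted for "$Me-123"
# (the temporary chain name is "$Me-$RANDOM").
# Arguments: $1 - builtin chain (INPUT/FORWARD/OUTPUT), $2 - chain name
# Outputs:   the count on stdout
#######################################
chain_ref_count() {
  # $IptablesBin is deliberately unquoted: the config may set it to a
  # multi-word command (as the rest of the module assumes).
  $IptablesBin -L "$1" -n --line-numbers | grep -cw -- "$2"
}

#######################################
# Print the rule number(s) in builtin chain $1 that reference chain $2.
# Arguments: $1 - builtin chain (INPUT/FORWARD/OUTPUT), $2 - chain name
# Outputs:   rule number(s) on stdout, one per line
#######################################
chain_ref_rulenum() {
  $IptablesBin -L "$1" -n --line-numbers | grep -w -- "$2" | awk '{print $1}'
}

for OneTask in $Tasks ; do
  case "$OneTask" in
    link)
      $IptablesBin -N $Me >/dev/null 2>&1
      #ZZZZ try to restrict the following three to only send down what the chain needs to inspect.
      # "-i \! lo" is the old intrapositioned negation; newer iptables
      # prefers "! -i lo" but still accepts this form with a warning.
      $IptablesBin $AppIn INPUT -i \! lo -j $Me
      $IptablesBin $AppIn FORWARD -j $Me
      $IptablesBin $AppIn OUTPUT -j $Me
      ;;
    unlink)
      #ZZZZ Make the same changes as above (such as "-p tcp"), but if you cut and paste, note "$AppIn" is now "-D"
      $IptablesBin -D INPUT -i \! lo -j $Me
      $IptablesBin -D FORWARD -j $Me
      $IptablesBin -D OUTPUT -j $Me
      $IptablesBin -X $Me >/dev/null 2>&1
      ;;
    create)
      echo "Starting $Me" >&2
      FlushOrNewChain $Me
      # LogAs is exported per rule for $Ipt; presumably it becomes the log
      # prefix for that rule -- confirm in firebrickslib.
      LogAs="SID1293" $Ipt -A $Me -p tcp --dport 139 -m string --string '".EML"' $Tail # '"NETBIOS nimda .eml"' classtype:bad-unknown url,www.f-secure.com/v-descs/nimda.shtml sid:1293
      LogAs="SID1294" $Ipt -A $Me -p tcp --dport 139 -m string --string '".NWS"' $Tail # '"NETBIOS nimda .nws"' classtype:bad-unknown url,www.f-secure.com/v-descs/nimda.shtml sid:1294
      LogAs="SID1295" $Ipt -A $Me -p tcp --dport 139 -m string --string '"RICHED20"' $Tail # '"NETBIOS nimda RICHED20.DLL"' classtype:bad-unknown url,www.f-secure.com/v-descs/nimda.shtml sid:1295
      LogAs="SID529" $Ipt -A $Me -p tcp --dport 139 -m string --string '"\\\\*SMBSERVER˙˙˙˙"' $Tail # '"NETBIOS DOS RFPoison"' arachnids,454 classtype:attempted-dos sid:529
      LogAs="SID530" $Ipt -A $Me -p tcp --dport 139 -m string --string '"Windows NT 1381"' $Tail # '"NETBIOS NT NULL session"' bugtraq,1163 cve,CVE-2000-0347 arachnids,204 classtype:attempted-recon sid:530
      LogAs="SID1239" $Ipt -A $Me -p tcp --dport 139 -m string --string '"BEAVIS"' --string '"yep yep"' $Tail # '"NETBIOS RFParalyze Attempt"' classtype:attempted-recon sid:1239
      LogAs="SID532" $Ipt -A $Me -p tcp --dport 139 -m string --string '"\ADMIN$A:"' $Tail # '"NETBIOS SMB ADMIN$access"' arachnids,340 classtype:attempted-admin sid:532
      LogAs="SID533" $Ipt -A $Me -p tcp --dport 139 -m string --string '"\\C$A:"' $Tail # '"NETBIOS SMB C$ access"' arachnids,339 classtype:attempted-recon sid:533
      LogAs="SID534" $Ipt -A $Me -p tcp --dport 139 -m string --string '"\../"' $Tail # '"NETBIOS SMB CD.."' arachnids,338 classtype:attempted-recon sid:534
      LogAs="SID535" $Ipt -A $Me -p tcp --dport 139 -m string --string '"\..."' $Tail # '"NETBIOS SMB CD..."' arachnids,337 classtype:attempted-recon sid:535
      LogAs="SID536" $Ipt -A $Me -p tcp --dport 139 -m string --string '"\D$A:"' $Tail # '"NETBIOS SMB D$access"' arachnids,336 classtype:attempted-recon sid:536
      LogAs="SID537" $Ipt -A $Me -p tcp --dport 139 -m string --string '""' --string '"˙SMBu"' --string '"\IPC$"' $Tail # '"NETBIOS SMB IPC$ share access"' nocase-ignored classtype:attempted-recon sid:537
      LogAs="SID538" $Ipt -A $Me -p tcp --dport 139 -m string --string '""' --string '"˙SMBu"' --string '"\\IPC$"' $Tail # '"NETBIOS SMB IPC$ share access (unicode)"' nocase-ignored arachnids,334 classtype:attempted-recon sid:538
      LogAs="SID2101" $Ipt -A $Me -p tcp --dport 139 -m string --string '""' --string '"˙SMB%"' --string '""' $Tail # '"NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt"' cve,CAN-2002-0724 url,www.microsoft.com/technet/security/bulletin/MS02-045.asp url,www.corest.com/common/showdoc.php?idx=262 classtype:denial-of-service sid:2101
      LogAs="SID2174" $Ipt -A $Me -p tcp --dport 139 -m string --string '""' --string '"˙SMB˘"' --string '"\winreg"' $Tail # '"NETBIOS SMB winreg access"' nocase-ignored classtype:attempted-recon sid:2174
      LogAs="SID2176" $Ipt -A $Me -p tcp --dport 139 -m string --string '""' --string '"˙SMB2"' --string '"Documents and Settings\All Users\Start Menu\Programs\Startup"' $Tail # '"NETBIOS SMB Startup Folder access attempt"' classtype:attempted-recon sid:2176
      ;;
    destroy)
      echo "Stopping $Me" >&2
      DestroyChain $Me
      ;;
    renamechain)
      # Park the live chain under a temporary name so "create" can build a
      # fresh one; "replacelinks" later swaps the jumps over and drops it.
      TempChain="$Me-$RANDOM"
      echo "Replacing existing rules in $Me with new rules" >&2
      $IptablesBin -E $Me $TempChain
      ;;
    replacelinks)
      # Refuse to touch the builtin chains unless exactly one jump to the
      # temporary chain exists in each of them; otherwise -R would replace
      # the wrong rule.
      if [ -z "$TempChain" ]; then
        echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
      elif ! $IptablesBin -L $Me -n >/dev/null 2>&1 ; then
        echo "No $Me chain in $Me, replace operation incomplete." >&2
      elif ! $IptablesBin -L $TempChain -n >/dev/null 2>&1 ; then
        echo "No $TempChain chain in $Me, replace operation incomplete." >&2
      elif [ "$(chain_ref_count INPUT "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(chain_ref_count FORWARD "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(chain_ref_count OUTPUT "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
      else
        #ZZZZ Place the same criteria you used in link/unlink above in the following three lines.
        #ZZZZ Criteria should go just in front of "-j $Me"
        $IptablesBin -R INPUT "$(chain_ref_rulenum INPUT "$TempChain")" -i \! lo -j $Me
        $IptablesBin -R FORWARD "$(chain_ref_rulenum FORWARD "$TempChain")" -j $Me
        $IptablesBin -R OUTPUT "$(chain_ref_rulenum OUTPUT "$TempChain")" -j $Me
        DestroyChain $TempChain
        unset TempChain
      fi
      ;;
    status)
      if $IptablesBin -L $Me -n >/dev/null 2>&1 ; then
        echo "$Me created" >&2
      else
        echo "$Me destroyed" >&2
      fi
      ;;
    version)
      echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
      ;;
    help)
      DefaultHelp
      # The here-doc below replaces the template's generic (ICMP) help text
      # with a description of what this module actually installs.
      cat <<EOTEXT >&2
The $Me module adds string-match rules for tcp port 139 (NETBIOS session
service) covering a set of known NETBIOS/SMB attack signatures ported from
Snort: nimda file drops, RFPoison and RFParalyze, NT NULL session setup,
administrative share (ADMIN\$, C\$, D\$, IPC\$) access, the SMB_COM_TRANSACTION
denial of service, and winreg / Startup-folder access.  Matching packets are
handed to the action firebricks configures for this module.  The rules
inspect every packet to port 139 on INPUT, FORWARD and OUTPUT, so expect
some CPU cost on busy file servers; check the "status" action and the
kernel's string-match support to confirm the rules loaded before relying
on them.
EOTEXT
      ;;
    *)
      # The loop variable is OneTask; the template's "$Action" is not set
      # anywhere in this script, so the message printed an empty name.
      echo "Unknown action $OneTask in $Me, no action taken." >&2
      ;;
  esac
done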