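#!/bin/bash
# snort-rpc: firebricks module that loads iptables string-match rules derived
# from the Snort "rpc" signature set into a chain of its own.
# Copyright 2003 William Stearns
# Released under the GPL.
#
# Expected from the sourced config files and firebrickslib (not visible here):
#   $Tasks        whitespace-separated list of actions to run (link, create, ...)
#   $IptablesBin  path to iptables; $AppIn is the -A/-I used when linking
#   $Ipt, $Tail   rule wrapper and trailing action used for every rule
#   FlushOrNewChain, DestroyChain, DefaultHelp   helper functions
#   $FBLibVer     set by firebrickslib; checked below to confirm it loaded

Me='snort-rpc'
MyVersion='20031125'
#DefaultActions=''

# The config files and the library are sourced, i.e. executed with this
# script's privileges (normally root): they must be writable only by root.
[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] && . "/etc/firebricks/$Me.conf"
FBLib="${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"
[ -r "$FBLib" ] && . "$FBLib"
if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi

# Append one Snort-derived rule to the module chain.
#   $1  Snort SID label, passed to $Ipt as LogAs (presumably consumed by the
#       library when it builds the rule's log prefix -- not visible here)
#   $@  iptables match arguments
# $Ipt and $Tail are left unquoted on purpose so they word-split into their
# option lists.
snort_rule() {
  local sid="$1"
  shift
  LogAs="$sid" $Ipt -A "$Me" "$@" $Tail
}

# Print the rule numbers in builtin chain $1 whose target is exactly $2.
# Matching the target column avoids the substring hits a plain grep for
# "snort-rpc-123" would also get from "snort-rpc-1234".
rule_numbers() {
  $IptablesBin -L "$1" -n --line-numbers | awk -v t="$2" '$2 == t { print $1 }'
}

# $Tasks is a whitespace-separated action list; word-splitting is intended.
# shellcheck disable=SC2086
for OneTask in $Tasks ; do
  case "$OneTask" in
    link)
      $IptablesBin -N "$Me" >/dev/null 2>&1
      # Everything except loopback input is sent through the chain.  The
      # criteria used here, in unlink and in replacelinks must stay identical.
      # TODO: narrow these to the traffic the chain inspects (e.g. -p tcp/udp).
      $IptablesBin $AppIn INPUT -i \! lo -j "$Me"
      $IptablesBin $AppIn FORWARD -j "$Me"
      $IptablesBin $AppIn OUTPUT -j "$Me"
      ;;
    unlink)
      # Same criteria as link, with -D in place of $AppIn.
      $IptablesBin -D INPUT -i \! lo -j "$Me"
      $IptablesBin -D FORWARD -j "$Me"
      $IptablesBin -D OUTPUT -j "$Me"
      $IptablesBin -X "$Me" >/dev/null 2>&1
      ;;
    create)
      echo "Starting $Me" >&2
      FlushOrNewChain "$Me"
      # NOTE(review): the --string payloads in this copy are garbled.  The two
      # visible characters of each first pattern decode under Windows-1252 to
      # the low two bytes of a big-endian RPC program number (0x86 0xA0 ->
      # 100000 portmapper, 0x86 0xA5 -> 100005 mountd, 0x87 0x88 -> 100232
      # sadmind, ...); the surrounding 0x00/0x01 bytes and the second and
      # third patterns ('""', '" "') were lost, and the literal double quotes
      # look like a leftover of the Snort "content:" conversion.  They are kept
      # byte-for-byte so the rule set is not silently changed, but each rule
      # must be rebuilt from the Snort signature named in its trailing comment
      # before use -- e.g. --hex-string '|00 01 86 a0|' --algo bm on a kernel
      # with xt_string, which also accepts only one pattern per "-m string".
      snort_rule SID1922 -p tcp --dport 111 -m string --string '"† "' --string '""' --string '""'   # "RPC portmap proxy attempt TCP" classtype:rpc-portmap-decode sid:1922
      snort_rule SID1923 -p udp --dport 111 -m string --string '"† "' --string '""' --string '""'   # "RPC portmap proxy attempt UDP" classtype:rpc-portmap-decode sid:1923
      snort_rule SID1280 -p udp --dport 111 -m string --string '"† "' --string '""' --string '""'   # "RPC portmap listing UDP 111" arachnids,428 classtype:rpc-portmap-decode sid:1280
      snort_rule SID598 -p tcp --dport 111 -m string --string '"† "' --string '""' --string '""'    # "RPC portmap listing TCP 111" arachnids,428 classtype:rpc-portmap-decode sid:598
      snort_rule SID1949 -p tcp --dport 111 -m string --string '"† "' --string '""' --string '""'   # "RPC portmap SET attempt TCP 111" classtype:rpc-portmap-decode sid:1949
      snort_rule SID1950 -p udp --dport 111 -m string --string '"† "' --string '""' --string '""'   # "RPC portmap SET attempt UDP 111" classtype:rpc-portmap-decode sid:1950
      snort_rule SID2014 -p tcp --dport 111 -m string --string '"† "' --string '""' --string '""'   # "RPC portmap UNSET attempt TCP 111" bugtraq,1892 classtype:rpc-portmap-decode sid:2014
      snort_rule SID2015 -p udp --dport 111 -m string --string '"† "' --string '""' --string '""'   # "RPC portmap UNSET attempt UDP 111" bugtraq,1892 classtype:rpc-portmap-decode sid:2015
      snort_rule SID599 -p tcp --dport 32771 -m string --string '"† "' --string '""' --string '""'  # "RPC portmap listing TCP 32771" arachnids,429 classtype:rpc-portmap-decode sid:599
      snort_rule SID1281 -p udp --dport 32771 -m string --string '"† "' --string '""' --string '""' # "RPC portmap listing UDP 32771" arachnids,429 classtype:rpc-portmap-decode sid:1281
      snort_rule SID612 -p udp -m string --string '"†¢"' --string '""' --string '""'                # "RPC rusers query UDP" cve,CVE-1999-0626 classtype:attempted-recon sid:612
      snort_rule SID574 -p tcp -m string --string '"†¥"' --string '""' --string '""'                # "RPC mountd TCP export request" arachnids,26 classtype:attempted-recon sid:574
      snort_rule SID1924 -p udp -m string --string '"†¥"' --string '""' --string '""'               # "RPC mountd UDP export request" arachnids,26 classtype:attempted-recon sid:1924
      snort_rule SID1925 -p tcp -m string --string '"†¥"' --string '""' --string '""'               # "RPC mountd TCP exportall request" arachnids,26 classtype:attempted-recon sid:1925
      snort_rule SID1926 -p udp -m string --string '"†¥"' --string '""' --string '""'               # "RPC mountd UDP exportall request" arachnids,26 classtype:attempted-recon sid:1926
      snort_rule SID1951 -p tcp -m string --string '"†¥"' --string '""' --string '""'               # "RPC mountd TCP mount request" classtype:attempted-recon sid:1951
      snort_rule SID1952 -p udp -m string --string '"†¥"' --string '""' --string '""'               # "RPC mountd UDP mount request" classtype:attempted-recon sid:1952
      snort_rule SID2018 -p tcp -m string --string '"†¥"' --string '""' --string '""'               # "RPC mountd TCP dump request" classtype:attempted-recon sid:2018
      snort_rule SID2019 -p udp -m string --string '"†¥"' --string '""' --string '""'               # "RPC mountd UDP dump request" classtype:attempted-recon sid:2019
      snort_rule SID2020 -p tcp -m string --string '"†¥"' --string '""' --string '""'               # "RPC mountd TCP unmount request" classtype:attempted-recon sid:2020
      snort_rule SID2021 -p udp -m string --string '"†¥"' --string '""' --string '""'               # "RPC mountd UDP unmount request" classtype:attempted-recon sid:2021
      snort_rule SID2022 -p tcp -m string --string '"†¥"' --string '""' --string '""'               # "RPC mountd TCP unmountall request" classtype:attempted-recon sid:2022
      snort_rule SID2023 -p udp -m string --string '"†¥"' --string '""' --string '""'               # "RPC mountd UDP unmountall request" classtype:attempted-recon sid:2023
      snort_rule SID1953 -p tcp --dport 500: -m string --string '"“ó"' --string '" "' --string '""' # "RPC AMD TCP pid request" classtype:rpc-portmap-decode sid:1953
      snort_rule SID1954 -p udp --dport 500: -m string --string '"“ó"' --string '" "' --string '""' # "RPC AMD UDP pid request" classtype:rpc-portmap-decode sid:1954
      snort_rule SID1955 -p tcp --dport 500: -m string --string '"“ó"' --string '""' --string '""'  # "RPC AMD TCP version request" classtype:rpc-portmap-decode sid:1955
      snort_rule SID1956 -p udp --dport 500: -m string --string '"“ó"' --string '""' --string '""'  # "RPC AMD UDP version request" classtype:rpc-portmap-decode sid:1956
      snort_rule SID1957 -p udp -m string --string '"‡ˆ"' --string '""' --string '""'               # "RPC sadmind UDP PING" bugtraq,866 classtype:attempted-admin sid:1957
      snort_rule SID1958 -p tcp -m string --string '"‡ˆ"' --string '""' --string '""'               # "RPC sadmind TCP PING" bugtraq,866 classtype:attempted-admin sid:1958
      snort_rule SID2031 -p udp -m string --string '"†©"' --string '""' --string '""'               # "RPC yppasswd user update UDP" classtype:rpc-portmap-decode sid:2031
      snort_rule SID2032 -p tcp -m string --string '"†©"' --string '""' --string '""'               # "RPC yppasswd user update TCP" classtype:rpc-portmap-decode sid:2032
      snort_rule SID2033 -p udp -m string --string '"†¤"' --string '" "' --string '""'              # "RPC ypserv maplist request UDP" bugtraq,6016 bugtraq,5914 cve,CAN-2002-1232 classtype:rpc-portmap-decode sid:2033
      snort_rule SID2034 -p tcp -m string --string '"†¤"' --string '" "' --string '""'              # "RPC ypserv maplist request TCP" bugtraq,6016 bugtraq,5914 cve,CAN-2002-1232 classtype:rpc-portmap-decode sid:2034
      snort_rule SID2037 -p udp -m string --string '" p"' --string '""' --string '""'               # "RPC network-status-monitor mon-callback request UDP" classtype:rpc-portmap-decode sid:2037
      snort_rule SID2038 -p tcp -m string --string '" p"' --string '""' --string '""'               # "RPC network-status-monitor mon-callback request TCP" classtype:rpc-portmap-decode sid:2038
      snort_rule SID2083 -p udp -m string --string '"÷h"' --string '" "' --string '""'              # "RPC rpc.xfsmd xfs_export attempt UDP" cve,CAN-2002-0359 bugtraq,5075 classtype:rpc-portmap-decode sid:2083
      snort_rule SID2084 -p tcp -m string --string '"÷h"' --string '" "' --string '""'              # "RPC rpc.xfsmd xfs_export attempt TCP" cve,CAN-2002-0359 bugtraq,5075 classtype:rpc-portmap-decode sid:2084
      ;;
    destroy)
      echo "Stopping $Me" >&2
      DestroyChain "$Me"
      ;;
    renamechain)
      # Park the live rules under a temporary name so a fresh create can be
      # built beside them; replacelinks later swaps the jumps back to $Me.
      TempChain="$Me-$RANDOM"
      echo "Replacing existing rules in $Me with new rules" >&2
      $IptablesBin -E "$Me" "$TempChain"
      ;;
    replacelinks)
      if [ -z "$TempChain" ]; then
        echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
      elif ! $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
        echo "No $Me chain in $Me, replace operation incomplete." >&2
      elif ! $IptablesBin -L "$TempChain" -n >/dev/null 2>&1 ; then
        echo "No $TempChain chain in $Me, replace operation incomplete." >&2
      elif [ "$(rule_numbers INPUT "$TempChain" | wc -l)" -ne 1 ]; then
        echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(rule_numbers FORWARD "$TempChain" | wc -l)" -ne 1 ]; then
        echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(rule_numbers OUTPUT "$TempChain" | wc -l)" -ne 1 ]; then
        echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
      else
        # Replace each jump in place with the same criteria used in link;
        # anything placed in front of "-j $Me" there must be repeated here.
        $IptablesBin -R INPUT "$(rule_numbers INPUT "$TempChain")" -i \! lo -j "$Me"
        $IptablesBin -R FORWARD "$(rule_numbers FORWARD "$TempChain")" -j "$Me"
        $IptablesBin -R OUTPUT "$(rule_numbers OUTPUT "$TempChain")" -j "$Me"
        DestroyChain "$TempChain"
        unset TempChain
      fi
      ;;
    status)
      if $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
        echo "$Me created" >&2
      else
        echo "$Me destroyed" >&2
      fi
      ;;
    version)
      echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
      ;;
    help)
      DefaultHelp
      # The previous help text described an ICMP module, not this one.
      cat <<EOTEXT >&2
The $Me module creates a chain named $Me, sends INPUT (except loopback),
FORWARD and OUTPUT traffic through it, and fills it with iptables string-match
rules derived from the Snort "rpc" signatures: portmapper listing, SET, UNSET
and proxy attempts, mountd export, mount, dump and unmount requests, rusers
queries, sadmind pings, yppasswd and ypserv requests, AMD automounter requests
and rpc.xfsmd export attempts.  Each rule ends with the action in \$Tail, so
whether a match is logged or blocked depends on the firebricks configuration.

The rules look only for RPC program numbers and procedure bytes in the payload,
so they match legitimate NFS, NIS and automounter traffic as readily as scans.
They are safe wherever \$Tail only logs.  If \$Tail drops, do not enable this
module on hosts that serve or mount NFS or NIS.  The kernel and iptables must
provide the string match.
EOTEXT
      ;;
    *)
      # Was "$Action", which is never set here; report the task actually seen.
      echo "Unknown action $OneTask in $Me, no action taken." >&2
      ;;
  esac
done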