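#!/bin/bash
# Copyright 2003 William Stearns
# Released under the GPL.
#
# firebricks module: snort-web-attacks
#
# Builds an iptables chain named after the module and fills it with
# "-m string" rules on tcp/80 derived from the Snort WEB-ATTACKS signatures
# (sid 1328 through 1374, with gaps). What happens on a match is decided by
# $Ipt, $Tail and the LogAs tag, all of which come from firebrickslib or the
# firebricks configuration files sourced below, not from this file.
#
# Detection caveats: the string match works per packet, so a pattern split
# across two TCP segments is not seen; the Snort "nocase" option is not
# carried over (the rules below mark it "nocase-ignored"); and alternate
# encodings of the same request are not normalised before matching.
#
# Usage: driven by $Tasks (link|unlink|create|destroy|renamechain|
# replacelinks|status|version|help), set by the firebricks framework.

#ZZZZ Check Me and MyVersion
Me='snort-web-attacks'
MyVersion='20031125'
#DefaultActions=''

# Site-wide config, then module config, then the shared library.
[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] && . "/etc/firebricks/$Me.conf"
fblib="${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"
[ -r "$fblib" ] && . "$fblib"

if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi

#######################################
# Append one Snort-derived string-match rule to the module chain.
# Globals:   Me (read); Ipt, Tail (read, provided by firebrickslib/config)
# Arguments: $1 - Snort sid, used to build the LogAs tag ("SID<sid>")
#            $2 - payload substring handed to "-m string --string"
# NOTE(review): the patterns passed in below keep the literal double quotes
# of the Snort content:"..." fields. Confirm the quotes are meant to be part
# of the match; a payload that carries the bare command string without the
# surrounding quotes would not match these rules.
#######################################
web_rule() {
  # $Ipt and $Tail are intentionally unquoted: they may carry several words.
  # shellcheck disable=SC2086
  LogAs="SID$1" $Ipt -A "$Me" -p tcp --dport 80 -m string --string "$2" $Tail
}

#######################################
# Print the rule number(s) in built-in chain $1 that jump to chain $2.
# Globals:   IptablesBin (read)
# Arguments: $1 - built-in chain (INPUT, FORWARD, OUTPUT)
#            $2 - chain name to look for
# Outputs:   one rule number per matching line on stdout
#######################################
chain_refs() {
  # shellcheck disable=SC2086
  $IptablesBin -L "$1" -n --line-numbers | grep -F -- "$2" | awk '{print $1}'
}

#######################################
# Count the references to chain $2 in built-in chain $1.
# Arguments: $1 - built-in chain, $2 - chain name to look for
# Outputs:   the count on stdout
#######################################
chain_ref_count() {
  # shellcheck disable=SC2086
  $IptablesBin -L "$1" -n --line-numbers | grep -F -c -- "$2"
}

for OneTask in $Tasks; do
  case "$OneTask" in
    link)
      # -N fails harmlessly when the chain already exists.
      # shellcheck disable=SC2086
      $IptablesBin -N "$Me" >/dev/null 2>&1
      #ZZZZ try to restrict the following three to only send down what the chain needs to inspect.
      # shellcheck disable=SC2086
      $IptablesBin $AppIn INPUT -i '!' lo -j "$Me"
      # shellcheck disable=SC2086
      $IptablesBin $AppIn FORWARD -j "$Me"
      # shellcheck disable=SC2086
      $IptablesBin $AppIn OUTPUT -j "$Me"
      ;;
    unlink)
      #ZZZZ Make the same changes as above (such as "-p tcp"), but if you cut and paste, note "$AppIn" is now "-D"
      # shellcheck disable=SC2086
      $IptablesBin -D INPUT -i '!' lo -j "$Me"
      # shellcheck disable=SC2086
      $IptablesBin -D FORWARD -j "$Me"
      # shellcheck disable=SC2086
      $IptablesBin -D OUTPUT -j "$Me"
      # shellcheck disable=SC2086
      $IptablesBin -X "$Me" >/dev/null 2>&1
      ;;
    create)
      echo "Starting $Me" >&2
      FlushOrNewChain "$Me"
      # Rule order is first-match and is kept as in the Snort rule set.
      # Unless noted, classtype is web-application-attack.
      web_rule 1328 '"/bin/ps"'              # WEB-ATTACKS ps command attempt
      web_rule 1329 '"ps%20"'                # WEB-ATTACKS /bin/ps command attempt
      web_rule 1330 '"wget%20"'              # WEB-ATTACKS wget command attempt
      web_rule 1331 '"uname%20-a"'           # WEB-ATTACKS uname -a command attempt
      web_rule 1332 '"/usr/bin/id"'          # WEB-ATTACKS /usr/bin/id command attempt
      web_rule 1334 '"/bin/echo"'            # WEB-ATTACKS echo command attempt
      web_rule 1335 '"/bin/kill"'            # WEB-ATTACKS kill command attempt
      web_rule 1336 '"/bin/chmod"'           # WEB-ATTACKS chmod command attempt
      web_rule 1337 '"/chgrp"'               # WEB-ATTACKS chgrp command attempt
      web_rule 1338 '"/chown"'               # WEB-ATTACKS chown command attempt
      web_rule 1339 '"/usr/bin/chsh"'        # WEB-ATTACKS chsh command attempt
      web_rule 1340 '"tftp%20"'              # WEB-ATTACKS tftp command attempt
      web_rule 1341 '"/usr/bin/gcc"'         # WEB-ATTACKS /usr/bin/gcc command attempt
      web_rule 1342 '"gcc%20-o"'             # WEB-ATTACKS gcc command attempt
      web_rule 1343 '"/usr/bin/cc"'          # WEB-ATTACKS /usr/bin/cc command attempt
      web_rule 1344 '"cc%20"'                # WEB-ATTACKS cc command attempt
      web_rule 1345 '"/usr/bin/cpp"'         # WEB-ATTACKS /usr/bin/cpp command attempt
      web_rule 1346 '"cpp%20"'               # WEB-ATTACKS cpp command attempt
      web_rule 1347 '"/usr/bin/g++"'         # WEB-ATTACKS /usr/bin/g++ command attempt
      web_rule 1348 '"g++%20"'               # WEB-ATTACKS g++ command attempt
      web_rule 1349 '"bin/python"'           # WEB-ATTACKS bin/python access attempt
      web_rule 1350 '"python%20"'            # WEB-ATTACKS python access attempt
      web_rule 1351 '"bin/tclsh"'            # WEB-ATTACKS bin/tclsh execution attempt
      web_rule 1352 '"tclsh8%20"'            # WEB-ATTACKS tclsh execution attempt
      web_rule 1353 '"bin/nasm"'             # WEB-ATTACKS bin/nasm command attempt
      web_rule 1354 '"nasm%20"'              # WEB-ATTACKS nasm command attempt
      web_rule 1355 '"/usr/bin/perl"'        # WEB-ATTACKS /usr/bin/perl execution attempt
      web_rule 1356 '"perl%20"'              # WEB-ATTACKS perl execution attempt
      web_rule 1357 '"net localgroup administrators /add"' # WEB-ATTACKS nt admin addition attempt
      web_rule 1358 '"traceroute%20"'        # WEB-ATTACKS traceroute command attempt
      web_rule 1359 '"/bin/ping"'            # WEB-ATTACKS ping command attempt
      web_rule 1360 '"nc%20"'                # WEB-ATTACKS netcat command attempt
      web_rule 1361 '"nmap%20"'              # WEB-ATTACKS nmap command attempt
      web_rule 1362 '"/usr/X11R6/bin/xterm"' # WEB-ATTACKS xterm command attempt
      web_rule 1363 '"%20-display%20"'       # WEB-ATTACKS X application to remote host attempt
      web_rule 1364 '"lsof%20"'              # WEB-ATTACKS lsof command attempt
      web_rule 1365 '"rm%20"'                # WEB-ATTACKS rm command attempt
      web_rule 1366 '"/bin/mail"'            # WEB-ATTACKS mail command attempt
      web_rule 1367 '"mail%20"'              # WEB-ATTACKS mail command attempt
      web_rule 1369 '"/bin/ls"'              # WEB-ATTACKS /bin/ls command attempt
      # The remaining rules are classtype web-application-activity.
      web_rule 1370 '"/etc/inetd.conf"'      # WEB-ATTACKS /etc/inetd.conf access
      web_rule 1371 '"/etc/motd"'            # WEB-ATTACKS /etc/motd access
      web_rule 1372 '"/etc/shadow"'          # WEB-ATTACKS /etc/shadow access
      web_rule 1373 '"conf/httpd.conf"'      # WEB-ATTACKS conf/httpd.conf attempt
      web_rule 1374 '".htgroup"'             # WEB-ATTACKS .htgroup access
      ;;
    destroy)
      echo "Stopping $Me" >&2
      DestroyChain "$Me"
      ;;
    renamechain)
      # Park the current rules under a temporary name so "create" can build
      # the new chain while the old one is still linked in.
      TempChain="$Me-$RANDOM"
      echo "Replacing existing rules in $Me with new rules" >&2
      # shellcheck disable=SC2086
      $IptablesBin -E "$Me" "$TempChain"
      ;;
    replacelinks)
      # Every check must pass before any built-in chain is touched; each
      # failure leaves the temporary chain in place for manual cleanup.
      if [ -z "$TempChain" ]; then
        echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
      elif ! $IptablesBin -L "$Me" -n >/dev/null 2>&1; then
        echo "No $Me chain in $Me, replace operation incomplete." >&2
      elif ! $IptablesBin -L "$TempChain" -n >/dev/null 2>&1; then
        echo "No $TempChain chain in $Me, replace operation incomplete." >&2
      elif [ "$(chain_ref_count INPUT "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(chain_ref_count FORWARD "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(chain_ref_count OUTPUT "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
      else
        #ZZZZ Place the same criteria you used in link/unlink above in the following three lines.
        #ZZZZ Criteria should go just in front of "-j $Me"
        # shellcheck disable=SC2086
        $IptablesBin -R INPUT "$(chain_refs INPUT "$TempChain")" -i '!' lo -j "$Me"
        # shellcheck disable=SC2086
        $IptablesBin -R FORWARD "$(chain_refs FORWARD "$TempChain")" -j "$Me"
        # shellcheck disable=SC2086
        $IptablesBin -R OUTPUT "$(chain_refs OUTPUT "$TempChain")" -j "$Me"
        DestroyChain "$TempChain"
        unset TempChain
      fi
      ;;
    status)
      if $IptablesBin -L "$Me" -n >/dev/null 2>&1; then
        echo "$Me created" >&2
      else
        echo "$Me destroyed" >&2
      fi
      ;;
    version)
      echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
      ;;
    help)
      DefaultHelp
      # Help text describes this module; the earlier text was left over
      # from the module template (it described ICMP rules).
      cat <<EOTEXT >&2
The $Me module creates a chain of tcp/80 string-match rules derived from
the Snort WEB-ATTACKS signatures (sid 1328 through 1374): requests whose
payload contains command or sensitive-file strings such as /bin/ps,
/etc/shadow or wget%20. The action taken on a match is determined by the
Ipt and Tail settings supplied by firebricks, not by this module.

Matching is per packet and case-sensitive, so it can miss some traffic and
can also hit legitimate requests that happen to contain short strings such
as rm%20 or cc%20. Review the logs before pointing these rules at a
blocking target on a busy web server.
EOTEXT
      ;;
    *)
      # The loop variable is OneTask; the template referred to an unset $Action.
      echo "Unknown action $OneTask in $Me, no action taken." >&2
      ;;
  esac
done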