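#!/bin/bash
# Copyright 2003 William Stearns
# Released under the GPL.
#
# firebricks module: snort-backdoor
#
# Builds an iptables chain ($Me) holding rules converted from Snort's
# "BACKDOOR" signature set.  Each rule keeps its Snort SID in $LogAs and
# the original Snort message/references in a trailing comment.  Most
# rules pair a fixed port with a short payload string (-m string); a few
# match only a fixed destination address.
#
# Driven by firebricks: $Tasks lists the actions to run, in order
# (link, unlink, create, destroy, renamechain, replacelinks, status,
# version, help).  $IptablesBin, $Ipt, $AppIn, $Tail, FlushOrNewChain,
# DestroyChain and DefaultHelp are supplied by firebrickslib and the
# config files sourced below.  $IptablesBin, $Ipt, $AppIn and $Tail are
# deliberately left unquoted: they may carry options and are meant to
# word-split.
#
# NOTE(review): the rules below pass the Snort content strings with their
# surrounding double quotes inside the single-quoted argument
# (e.g. --string '"NetBus"'), so the string match sees the quote
# characters too.  Confirm this is what the installed string match
# expects; if it matches the bytes literally, these patterns never fire.
# NOTE(review): the rules use the old "intrapositioned" negation
# (-i \! lo, --sport ! 80); current iptables expects "! -i lo" and
# "! --sport 80" and warns or rejects the old form.

#ZZZZ Check Me and MyVersion
Me='snort-backdoor'
MyVersion='20031125'
#DefaultActions=''

[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] && . "/etc/firebricks/$Me.conf"
[ -r "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib" ] && . "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"

if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi

#######################################
# Count the rules in built-in chain $1 whose listing line mentions $2.
# Arguments: $1 - built-in chain (INPUT/FORWARD/OUTPUT), $2 - chain name
# Outputs:   the count on stdout (0 when there is no reference)
#######################################
chain_ref_count() {
  # grep -c prints 0 (and exits 1) on no match; the caller only reads stdout.
  $IptablesBin -L "$1" -n --line-numbers | grep -c -- "$2"
}

#######################################
# Print the rule number(s) in built-in chain $1 whose listing line mentions $2.
# Arguments: $1 - built-in chain, $2 - chain name
# Outputs:   one rule number per matching line on stdout
#######################################
chain_ref_line() {
  $IptablesBin -L "$1" -n --line-numbers | grep -- "$2" | awk '{print $1}'
}

# $Tasks is a whitespace-separated list; word-splitting is intended.
# shellcheck disable=SC2086
for OneTask in $Tasks ; do
  case "$OneTask" in
    link)
      # Chain may already exist; that is not an error here.
      $IptablesBin -N "$Me" >/dev/null 2>&1
      #ZZZZ try to restrict the following three to only send down what the chain needs to inspect.
      $IptablesBin $AppIn INPUT -i \! lo -j "$Me"
      $IptablesBin $AppIn FORWARD -j "$Me"
      $IptablesBin $AppIn OUTPUT -j "$Me"
      ;;
    unlink)
      #ZZZZ Make the same changes as above (such as "-p tcp"), but if you cut and paste, note "$AppIn" is now "-D"
      $IptablesBin -D INPUT -i \! lo -j "$Me"
      $IptablesBin -D FORWARD -j "$Me"
      $IptablesBin -D OUTPUT -j "$Me"
      $IptablesBin -X "$Me" >/dev/null 2>&1
      ;;
    create)
      echo "Starting $Me" >&2
      FlushOrNewChain "$Me"
      # Every rule: LogAs carries the Snort SID for the log prefix, $Ipt is
      # the firebricks iptables wrapper, $Tail supplies the action.
      # The trailing comment is the original Snort msg and references.
      # shellcheck disable=SC2086
      {
      LogAs="SID103"  $Ipt -A "$Me" -p tcp --sport 27374 -m string --string '" [RPL]002 "' $Tail # '"BACKDOOR subseven 22"' arachnids,485 url,www.hackfix.org/subseven/ classtype:misc-activity sid:103
      LogAs="SID107"  $Ipt -A "$Me" -p tcp --sport 16959 -m string --string '"PWD"' $Tail # '"BACKDOOR subseven DEFCON8 2.1 access"' classtype:trojan-activity sid:107
      LogAs="SID109"  $Ipt -A "$Me" -p tcp --sport 12345:12346 -m string --string '"NetBus"' $Tail # '"BACKDOOR netbus active"' arachnids,401 classtype:misc-activity sid:109
      LogAs="SID110"  $Ipt -A "$Me" -p tcp --dport 12345:12346 -m string --string '"GetInfo "' $Tail # '"BACKDOOR netbus getinfo"' arachnids,403 classtype:misc-activity sid:110
      LogAs="SID115"  $Ipt -A "$Me" -p tcp --sport 20034 -m string --string '"NetBus"' $Tail # '"BACKDOOR netbus active"' arachnids,401 classtype:misc-activity sid:115
      LogAs="SID1980" $Ipt -A "$Me" -p udp --dport 2140 -m string --string '"00"' $Tail # '"BACKDOOR DeepThroat 3.1 Connection attempt"' classtype:misc-activity sid:1980
      LogAs="SID195"  $Ipt -A "$Me" -p udp --sport 2140 -m string --string '"Ahhhh My Mouth Is Open"' $Tail # '"BACKDOOR DeepThroat 3.1 Server Response"' arachnids,106 sid:195 classtype:misc-activity
      LogAs="SID1981" $Ipt -A "$Me" -p udp --dport 3150 -m string --string '"00"' $Tail # '"BACKDOOR DeepThroat 3.1 Connection attempt [3150]"' classtype:misc-activity sid:1981
      LogAs="SID1982" $Ipt -A "$Me" -p udp --sport 3150 -m string --string '"Ahhhh My Mouth Is Open"' $Tail # '"BACKDOOR DeepThroat 3.1 Server Response [3150]"' arachnids,106 classtype:misc-activity sid:1982
      LogAs="SID1983" $Ipt -A "$Me" -p udp --dport 4120 -m string --string '"00"' $Tail # '"BACKDOOR DeepThroat 3.1 Connection attempt [4120]"' classtype:misc-activity sid:1983
      LogAs="SID1984" $Ipt -A "$Me" -p udp --sport 4120 -m string --string '"Ahhhh My Mouth Is Open"' $Tail # '"BACKDOOR DeepThroat 3.1 Server Response [4120]"' arachnids,106 classtype:misc-activity sid:1984
      LogAs="SID119"  $Ipt -A "$Me" -p tcp --sport 6789 -m string --string '"Wtzup Use"' $Tail # '"BACKDOOR Doly 2.0 access"' arachnids,312 sid:119 classtype:misc-activity
      LogAs="SID1985" $Ipt -A "$Me" -p tcp --dport 1094 -m string --string '"Connected."' $Tail # '"BACKDOOR Doly 1.5 server response"' classtype:trojan-activity sid:1985
      LogAs="SID104"  $Ipt -A "$Me" -p tcp --sport 1024: --dport 2589 -m string --string '" Connect"' $Tail # '"BACKDOOR - Dagger_1.4.0_client_connect"' url,www.tlsecurity.net/backdoor/Dagger.1.4.html arachnids,483 sid:104 classtype:misc-activity
      LogAs="SID105"  $Ipt -A "$Me" -p tcp --sport 2589 --dport 1024: -m string --string '"2Drives\$"' $Tail # '"BACKDOOR - Dagger_1.4.0"' arachnids,484 url,www.tlsecurity.net/backdoor/Dagger.1.4.html sid:105 classtype:misc-activity
      LogAs="SID106"  $Ipt -A "$Me" -p tcp --sport 80 --dport 1054 -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@4=101058054"' -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@8=101058054"' --tcp-flags ALL ACK -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@10&0xC0=0xC0"' $Tail # '"BACKDOOR ACKcmdC trojan scan"' arachnids,445 sid:106 classtype:misc-activity
      LogAs="SID108"  $Ipt -A "$Me" -p tcp --dport 7597 -m string --string '"qazwsx.hsq"' $Tail # '"BACKDOOR QAZ Worm Client Login access"' MCAFEE,98775 sid:108 classtype:misc-activity
      LogAs="SID117"  $Ipt -A "$Me" -p tcp --sport 146 --dport 1024: -m string --string '"WHATISIT"' $Tail # '"BACKDOOR Infector.1.x"' arachnids,315 sid:117 classtype:misc-activity
      LogAs="SID118"  $Ipt -A "$Me" -p tcp --sport 666 --dport 1024: -m string --string '"Remote: You are connected to me."' $Tail # '"BACKDOOR SatansBackdoor.2.0.Beta"' arachnids,316 sid:118 classtype:misc-activity
      LogAs="SID120"  $Ipt -A "$Me" -p tcp --sport 146 --dport 1000:1300 -m string --string '"WHATISIT"' $Tail # '"BACKDOOR Infector 1.6 Server to Client"' sid:120 classtype:misc-activity
      LogAs="SID121"  $Ipt -A "$Me" -p tcp --sport 1000:1300 --dport 146 -m string --string '"FC "' $Tail # '"BACKDOOR Infector 1.6 Client to Server Connection Request"' sid:121 classtype:misc-activity
      LogAs="SID141"  $Ipt -A "$Me" -p tcp --sport 31785 -m string --string '"host"' $Tail # '"BACKDOOR HackAttack 1.20 Connect"' sid:141 classtype:misc-activity
      LogAs="SID145"  $Ipt -A "$Me" -p tcp --sport ! 80 --dport 21554 -m string --string '"Girl"' $Tail # '"BACKDOOR GirlFriendaccess"' arachnids,98 sid:145 classtype:misc-activity
      LogAs="SID146"  $Ipt -A "$Me" -p tcp --sport 30100 -m string --string '"NetSphere"' $Tail # '"BACKDOOR NetSphere access"' arachnids,76 sid:146 classtype:misc-activity
      LogAs="SID147"  $Ipt -A "$Me" -p tcp --sport 6969 -m string --string '"GateCrasher"' $Tail # '"BACKDOOR GateCrasher"' arachnids,99 sid:147 classtype:misc-activity
      LogAs="SID153"  $Ipt -A "$Me" -p tcp --sport 23476 -m string --string '"pINg"' $Tail # '"BACKDOOR DonaldDick 1.53 Traffic"' sid:153 classtype:misc-activity
      LogAs="SID155"  $Ipt -A "$Me" -p tcp --sport 30100:30102 -m string --string '"NetSphere"' $Tail # '"BACKDOOR NetSphere 1.31.337 access"' arachnids,76 sid:155 classtype:misc-activity
      LogAs="SID157"  $Ipt -A "$Me" -p tcp --dport 666 -m string --string '"FTPON"' $Tail # '"BACKDOOR BackConstruction 2.1 Client FTP Open Request"' sid:157 classtype:misc-activity
      LogAs="SID158"  $Ipt -A "$Me" -p tcp --sport 666 -m string --string '"FTP Port open"' $Tail # '"BACKDOOR BackConstruction 2.1 Server FTP Open Reply"' sid:158 classtype:misc-activity
      LogAs="SID159"  $Ipt -A "$Me" -p tcp --dport 5032 -m string --string '"--"' $Tail # '"BACKDOOR NetMetro File List"' arachnids,79 sid:159 classtype:misc-activity
      LogAs="SID161"  $Ipt -A "$Me" -p udp --sport 3344 --dport 3345 -m string --string '"activate"' $Tail # '"BACKDOOR Matrix 2.0 Client connect"' arachnids,83 sid:161 classtype:misc-activity
      LogAs="SID162"  $Ipt -A "$Me" -p udp --sport 3345 --dport 3344 -m string --string '"logged in"' $Tail # '"BACKDOOR Matrix 2.0 Server access"' arachnids,83 sid:162 classtype:misc-activity
      LogAs="SID163"  $Ipt -A "$Me" -p tcp --sport 5714 --tcp-flags ALL ACK,SYN -m u32 --u32 '"4&0x1FFF=0 && 0>>22&0x3C@10&0xC0=0xC0"' -m string --string '"´´"' $Tail # '"BACKDOOR WinCrash 1.0 Server Active"' arachnids,36 sid:163 classtype:misc-activity
      LogAs="SID185"  $Ipt -A "$Me" -p tcp --dport 79 -m string --string '"ypi0ca"' $Tail # '"BACKDOOR CDK"' nocase-ignored arachnids,263 classtype:misc-activity sid:185
      LogAs="SID208"  $Ipt -A "$Me" -p tcp --sport 555 -m string --string '"phAse"' $Tail # '"BACKDOOR PhaseZero Server Active on Network"' sid:208 classtype:misc-activity
      # The port-23 rules below match short words anywhere in a telnet
      # session's payload; they are case-sensitive (Snort's nocase was not
      # carried over) and can fire on legitimate cleartext sessions.
      LogAs="SID209"  $Ipt -A "$Me" -p tcp --dport 23 -m string --string '"w00w00"' $Tail # '"BACKDOOR w00w00 attempt"' arachnids,510 classtype:attempted-admin sid:209
      LogAs="SID210"  $Ipt -A "$Me" -p tcp --dport 23 -m string --string '"backdoor"' $Tail # '"BACKDOOR attempt"' nocase-ignored classtype:attempted-admin sid:210
      LogAs="SID211"  $Ipt -A "$Me" -p tcp --dport 23 -m string --string '"r00t"' $Tail # '"BACKDOOR MISC r00t attempt"' classtype:attempted-admin sid:211
      LogAs="SID212"  $Ipt -A "$Me" -p tcp --dport 23 -m string --string '"rewt"' $Tail # '"BACKDOOR MISC rewt attempt"' classtype:attempted-admin sid:212
      LogAs="SID213"  $Ipt -A "$Me" -p tcp --dport 23 -m string --string '"wh00t!"' $Tail # '"BACKDOOR MISC Linux rootkit attempt"' classtype:attempted-admin sid:213
      LogAs="SID214"  $Ipt -A "$Me" -p tcp --dport 23 -m string --string '"lrkr0x"' $Tail # '"BACKDOOR MISC Linux rootkit attempt lrkr0x"' classtype:attempted-admin sid:214
      LogAs="SID215"  $Ipt -A "$Me" -p tcp --dport 23 -m string --string '"d13hh["' $Tail # '"BACKDOOR MISC Linux rootkit attempt"' nocase-ignored classtype:attempted-admin sid:215
      LogAs="SID216"  $Ipt -A "$Me" -p tcp --dport 23 -m string --string '"satori"' $Tail # '"BACKDOOR MISC Linux rootkit satori attempt"' arachnids,516 classtype:attempted-admin sid:216
      LogAs="SID217"  $Ipt -A "$Me" -p tcp --dport 23 -m string --string '"hax0r"' $Tail # '"BACKDOOR MISC sm4ck attempt"' classtype:attempted-admin sid:217
      LogAs="SID218"  $Ipt -A "$Me" -p tcp --dport 23 -m string --string '"friday"' $Tail # '"BACKDOOR MISC Solaris 2.5 attempt"' classtype:attempted-user sid:218
      LogAs="SID219"  $Ipt -A "$Me" -p tcp --dport 23 -m string --string '"StoogR"' $Tail # '"BACKDOOR HidePak backdoor attempt"' sid:219 classtype:misc-activity
      LogAs="SID220"  $Ipt -A "$Me" -p tcp --dport 23 -m string --string '"wank"' $Tail # '"BACKDOOR HideSource backdoor attempt"' sid:220 classtype:misc-activity
      LogAs="SID614"  $Ipt -A "$Me" -p tcp --sport 31790 --dport 31789 -m string --string '"A"' --tcp-flags ACK ACK $Tail # '"BACKDOOR hack-a-tack attempt"' arachnids,314 classtype:attempted-recon sid:614
      # SID1791 and SID1929 match fixed addresses taken from the 2003 Snort
      # ruleset; address ownership changes, so review them before relying on them.
      LogAs="SID1791" $Ipt -A "$Me" -d 216.80.99.202 $Tail # '"BACKDOOR fragroute trojan connection attempt"' bugtraq,4898 classtype:trojan-activity sid:1791
      LogAs="SID1853" $Ipt -A "$Me" -p udp --dport 35555 -m string --string '"png []..Ks l44"' $Tail # '"BACKDOOR win-trin00 connection attempt"' cve,CAN-2000-0138 nessus,10307 classtype:attempted-admin sid:1853
      LogAs="SID1843" $Ipt -A "$Me" -p tcp --dport 33270 -m string --string '"@#"' $Tail # '"BACKDOOR trinity connection attempt"' nessus,10501 cve,CAN-2000-0138 classtype:attempted-admin sid:1843
      LogAs="SID1929" $Ipt -A "$Me" -p tcp -d 212.146.0.34 --dport 1963 $Tail # '"BACKDOOR TCPDUMP/PCAP trojan traffic"' url,hlug.fscker.com classtype:trojan-activity sid:1929
      # NOTE(review): SID2100 gives one -m string two --string patterns;
      # confirm the installed string match accepts that rather than
      # rejecting the rule or keeping only one pattern.
      LogAs="SID2100" $Ipt -A "$Me" -p tcp -m string --string '"connected. time/date: "' --string '"version: GOLD 2.1"' $Tail # '"BACKDOOR SubSeven 2.1 Gold server connection response"' classtype:misc-activity sid:2100
      LogAs="SID2124" $Ipt -A "$Me" -p tcp --dport 34012 -m string --string '"("' $Tail # '"BACKDOOR Remote PC Access connection attempt"' nessus,11673 classtype:trojan-activity sid:2124
      }
      ;;
    destroy)
      echo "Stopping $Me" >&2
      DestroyChain "$Me"
      ;;
    renamechain)
      # Park the live chain under a temporary name so a fresh one can be
      # built and linked in its place by replacelinks.
      TempChain="$Me-$RANDOM"
      echo "Replacing existing rules in $Me with new rules" >&2
      $IptablesBin -E "$Me" "$TempChain"
      ;;
    replacelinks)
      # Every precondition is checked before any built-in chain is touched,
      # so a half-done replace cannot leave two references behind.
      if [ -z "$TempChain" ]; then
        echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
      elif ! $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
        echo "No $Me chain in $Me, replace operation incomplete." >&2
      elif ! $IptablesBin -L "$TempChain" -n >/dev/null 2>&1 ; then
        echo "No $TempChain chain in $Me, replace operation incomplete." >&2
      elif [ "$(chain_ref_count INPUT "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(chain_ref_count FORWARD "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(chain_ref_count OUTPUT "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
      else
        #ZZZZ Place the same criteria you used in link/unlink above in the following three lines.
        #ZZZZ Criteria should go just in front of "-j $Me"
        $IptablesBin -R INPUT "$(chain_ref_line INPUT "$TempChain")" -i \! lo -j "$Me"
        $IptablesBin -R FORWARD "$(chain_ref_line FORWARD "$TempChain")" -j "$Me"
        $IptablesBin -R OUTPUT "$(chain_ref_line OUTPUT "$TempChain")" -j "$Me"
        DestroyChain "$TempChain"
        unset TempChain
      fi
      ;;
    status)
      if $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
        echo "$Me created" >&2
      else
        echo "$Me destroyed" >&2
      fi
      ;;
    version)
      echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
      ;;
    help)
      DefaultHelp
      cat <<EOTEXT >&2
The $Me module adds rules converted from Snort's "BACKDOOR" signature
set (the Snort SID of each rule is kept beside it in this script).  Most
rules pair a fixed TCP or UDP port with a short payload string; two match
fixed destination addresses from the 2003 Snort ruleset.

The rules are narrow and should not disturb ordinary traffic on most
networks, but the telnet (port 23) rules match short words such as
"r00t" or "backdoor" anywhere in a session, and the fixed-address rules
age badly.  Review the rules before use on networks that carry cleartext
logins or where the matched ports are in legitimate use.
EOTEXT
      ;;
    *)
      # $OneTask is the loop variable; the earlier $Action was never set.
      echo "Unknown action $OneTask in $Me, no action taken." >&2
      ;;
  esac
done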