#!/bin/bash
#Copyright 2003 William Stearns <wstearns@pobox.com>
#Released under the GPL.

#ZZZZ Check Me and MyVersion
Me='snort-exploit'
MyVersion='20031125'
#DefaultActions=''

[ -r /etc/firebricks/firebricks.conf ] &&			. /etc/firebricks/firebricks.conf
[ -r /etc/firebricks/$Me.conf ] &&				. /etc/firebricks/$Me.conf
[ -r ${FBLibDir:-'/usr/lib/firebricks/'}/firebrickslib ] &&	. ${FBLibDir:-'/usr/lib/firebricks/'}/firebrickslib
if [ -z "$FBLibVer" ]; then
	echo 'It looks like firebrickslib was not loaded, why?  Exiting' >&2
	exit 1
fi

for OneTask in $Tasks ; do
	case "$OneTask" in
	link)
		$IptablesBin -N $Me >/dev/null 2>&1
#ZZZZ try to restrict the following three to only send down what the chain needs to inspect.
		$IptablesBin $AppIn INPUT -i \! lo						-j $Me
		$IptablesBin $AppIn FORWARD							-j $Me
		$IptablesBin $AppIn OUTPUT							-j $Me
		;;
	unlink)
#ZZZZ Make the same changes as above (such as "-p tcp"), but if you cut and paste, note "$AppIn" is now "-D"
		$IptablesBin -D INPUT -i \! lo							-j $Me
		$IptablesBin -D FORWARD								-j $Me
		$IptablesBin -D OUTPUT								-j $Me
		$IptablesBin -X $Me >/dev/null 2>&1
		;;
	create)
		echo "Starting $Me" >&2
		FlushOrNewChain $Me


		LogAs="SID1324"		$Ipt -A $Me -p tcp --dport 22 -m string --string '"/bin/sh"'	$Tail	# '"EXPLOIT ssh CRC32 overflow /bin/sh"' bugtraq,2347 cve,CVE-2001-0144 classtype:shellcode-detect sid:1324
		LogAs="SID1326"		$Ipt -A $Me -p tcp --dport 22 -m string --string '""'	$Tail	# '"EXPLOIT ssh CRC32 overflow NOOP"' bugtraq,2347 cve,CVE-2001-0144 classtype:shellcode-detect sid:1326
		LogAs="SID1327"		$Ipt -A $Me -p tcp --dport 22 -m string --string '"W"' --string '"ÿÿÿÿ"'	$Tail	# '"EXPLOIT ssh CRC32 overflow"' bugtraq,2347 cve,CVE-2001-0144 classtype:shellcode-detect sid:1327
		LogAs="SID283"		$Ipt -A $Me -p tcp --sport 80 -m string --string '"3É±?éQ<úG3ÀP÷ÐP"'	$Tail	# '"EXPLOIT Netscape 4.7 client overflow"' cve,CVE-2000-1187 bugtraq,822 arachnids,215 classtype:attempted-user sid:283
		LogAs="SID300"		$Ipt -A $Me -p tcp --dport 2766 -m string --string '"ë#^3ÀˆFú‰Fõ‰6"'	$Tail	# '"EXPLOIT nlps x86 Solaris overflow"' classtype:attempted-admin sid:300 bugtraq,2319
		LogAs="SID301"		$Ipt -A $Me -p tcp --dport 515 -m string --string '"C‰[K‰C°Í€1ÀþÀÍ€è”ÿÿÿ/bin/sh"'	$Tail	# '"EXPLOIT LPRng overflow"' cve,CVE-2000-0917 bugtraq,1712 classtype:attempted-admin sid:301
		LogAs="SID302"		$Ipt -A $Me -p tcp --dport 515 -m string --string '"XXXX%.172u%300\$n"'	$Tail	# '"EXPLOIT Redhat 7.0 lprd overflow"' classtype:attempted-admin sid:302
		LogAs="SID304"		$Ipt -A $Me -p tcp --dport 6373 -m string --string '"ë]UþM˜þM›"'	$Tail	# '"EXPLOIT SCO calserver overflow"' cve,CVE-2000-0306 bugtraq,2353 classtype:attempted-admin sid:304
		LogAs="SID306"		$Ipt -A $Me -p tcp --dport 9090 -m string --string '"GET / HTTP/1.1"'	$Tail	# '"EXPLOIT VQServer admin"' nocase-ignored bugtraq,1610 url,www.vqsoft.com/vq/server/docs/other/control.html cve,CAN-2000-0766 classtype:attempted-admin sid:306
		LogAs="SID308"		$Ipt -A $Me -p tcp --sport 21 -m string --string '"´ ´‹Ìƒé‹3Éf¹"'	$Tail	# '"EXPLOIT NextFTP client overflow"' bugtraq,572 cve,CVE-1999-0671 classtype:attempted-user sid:308
		LogAs="SID310"		$Ipt -A $Me -p tcp --dport 25 -m string --string '"ëEë [ü3É±‚‹ó€+"'	$Tail	# '"EXPLOIT x86 windows MailMax overflow"' bugtraq,2312 cve,CVE-1999-0404 classtype:attempted-admin sid:310
		LogAs="SID311"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"3É±?éQ<úG3ÀP÷ÐP"'	$Tail	# '"EXPLOIT Netscape 4.7 unsucessful overflow"' cve,CVE-2000-1187 bugtraq,822 arachnids,214 classtype:unsuccessful-user sid:311
		LogAs="SID313"		$Ipt -A $Me -p udp --dport 518 -m string --string '"è"'	$Tail	# '"EXPLOIT ntalkd x86 Linux overflow"' bugtraq,210 classtype:attempted-admin sid:313
		LogAs="SID315"		$Ipt -A $Me -p udp --dport 635 -m string --string '"^°‰þÈ‰F°‰F"'	$Tail	# '"EXPLOIT x86 Linux mountd overflow"' cve,CVE-1999-0002 bugtraq,121 classtype:attempted-admin sid:315
		LogAs="SID316"		$Ipt -A $Me -p udp --dport 635 -m string --string '"ëV^VVV1ÒˆVˆV"'	$Tail	# '"EXPLOIT x86 Linux mountd overflow"' cve,CVE-1999-0002 bugtraq,121 classtype:attempted-admin sid:316
		LogAs="SID317"		$Ipt -A $Me -p udp --dport 635 -m string --string '"ë@^1À@‰F‰Ã@‰"'	$Tail	# '"EXPLOIT x86 Linux mountd overflow"' cve,CVE-1999-0002 bugtraq,121 classtype:attempted-admin sid:317
		LogAs="SID1240"		$Ipt -A $Me -p tcp --dport 2224 -m string --string '"1ÛÍ€è[ÿÿÿ"'	$Tail	# '"EXPLOIT MDBMS overflow"' bugtraq,1252 cve,CVE-2000-0446 classtype:attempted-admin sid:1240
		LogAs="SID1323"		$Ipt -A $Me -p tcp --dport 4321 -m string --string '"-soa %p"'	$Tail	# '"EXPLOIT rwhoisd format string attempt"' cve,CAN-2001-0838 bugtraq,3474 classtype:misc-attack sid:1323
		LogAs="SID1398"		$Ipt -A $Me -p tcp --dport 6112 -m string --string '"1"' --string !'"000"'	$Tail	# '"EXPLOIT CDE dtspcd exploit attempt"' cve,CAN-2001-0803 url,www.cert.org/advisories/CA-2002-01.html classtype:misc-attack sid:1398
		LogAs="SID1894"		$Ipt -A $Me -p tcp --dport 749 -m string --string '"ÀÀÀÀ"'	$Tail	# '"EXPLOIT kadmind buffer overflow attempt"' cve,CAN-2002-1235 url,www.kb.cert.org/vuls/id/875073 classtype:shellcode-detect sid:1894
		LogAs="SID1895"		$Ipt -A $Me -p tcp --dport 751 -m string --string '"ÀÀÀÀ"'	$Tail	# '"EXPLOIT kadmind buffer overflow attempt"' cve,CAN-2002-1235 url,www.kb.cert.org/vuls/id/875073 classtype:shellcode-detect sid:1895
		LogAs="SID1896"		$Ipt -A $Me -p tcp --dport 749 -m string --string '"ÿÿKADM0.0Aû"'	$Tail	# '"EXPLOIT kadmind buffer overflow attempt"' cve,CAN-2002-1235 url,www.kb.cert.org/vuls/id/875073 classtype:shellcode-detect sid:1896
		LogAs="SID1897"		$Ipt -A $Me -p tcp --dport 751 -m string --string '"ÿÿKADM0.0Aû"'	$Tail	# '"EXPLOIT kadmind buffer overflow attempt"' cve,CAN-2002-1235 url,www.kb.cert.org/vuls/id/875073 classtype:shellcode-detect sid:1897
		LogAs="SID1898"		$Ipt -A $Me -p tcp --dport 749 -m string --string '"/shh//bi"'	$Tail	# '"EXPLOIT kadmind buffer overflow attempt"' cve,CAN-2002-1235 url,www.kb.cert.org/vuls/id/875073 classtype:shellcode-detect sid:1898
		LogAs="SID1899"		$Ipt -A $Me -p tcp --dport 751 -m string --string '"/shh//bi"'	$Tail	# '"EXPLOIT kadmind buffer overflow attempt"' cve,CAN-2002-1235 url,www.kb.cert.org/vuls/id/875073 classtype:shellcode-detect sid:1899
		LogAs="SID1812"		$Ipt -A $Me -p tcp --dport 22 -m string --string '"GOBBLES"'	$Tail	# '"EXPLOIT gobbles SSH exploit attempt"' bugtraq,5093 classtype:misc-attack sid:1812
		LogAs="SID1821"		$Ipt -A $Me -p tcp --dport 515 -m string --string '"psfile=\"\`"'	$Tail	# '"EXPLOIT LPD dvips remote command execution attempt"' cve,CVE-2001-1002 nessus,11023 classtype:system-call-detect sid:1821
		LogAs="SID307"		$Ipt -A $Me -p tcp --dport 6666:7000 -m string --string '"ëK[S2äƒÃKˆ#¸Pw"'	$Tail	# '"EXPLOIT CHAT IRC topic overflow"' cve,CVE-1999-0672 bugtraq,573 classtype:attempted-user sid:307
		LogAs="SID292"		$Ipt -A $Me -p tcp --dport 139 -m string --string '"ë/_ëJ^‰û‰>‰ò"'	$Tail	# '"EXPLOIT x86 Linux samba overflow"' bugtraq,1816 cve,CVE-1999-0811 cve,CVE-1999-0182 classtype:attempted-admin sid:292


		;;
	destroy)
		echo "Stopping $Me" >&2
		DestroyChain $Me
		;;
	renamechain)
		TempChain="$Me-$RANDOM"
		echo "Replacing existing rules in $Me with new rules" >&2
		$IptablesBin -E $Me $TempChain
		;;
	replacelinks)
		if [ -z "$TempChain" ]; then
			echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
		elif ! $IptablesBin -L $Me -n >/dev/null 2>&1 ; then
			echo "No $Me chain in $Me, replace operation incomplete." >&2
		elif ! $IptablesBin -L $TempChain -n >/dev/null 2>&1 ; then
			echo "No $TempChain chain in $Me, replace operation incomplete." >&2
		elif [ "`$IptablesBin -L INPUT -n --line-numbers | grep $TempChain | wc -l`" -ne 1 ]; then
			echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
		elif [ "`$IptablesBin -L FORWARD -n --line-numbers | grep $TempChain | wc -l`" -ne 1 ]; then
			echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
		elif [ "`$IptablesBin -L OUTPUT -n --line-numbers | grep $TempChain | wc -l`" -ne 1 ]; then
			echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
		else
#ZZZZ Place the same criteria you used in link/unlink above in the following three lines.
#ZZZZ Criteria should go just in front of "-j $Me"
			$IptablesBin -R INPUT `$IptablesBin -L INPUT -n --line-numbers | grep $TempChain | awk '{print $1}'` -i \! lo		-j $Me
			$IptablesBin -R FORWARD `$IptablesBin -L FORWARD -n --line-numbers | grep $TempChain | awk '{print $1}'`		-j $Me
			$IptablesBin -R OUTPUT `$IptablesBin -L OUTPUT -n --line-numbers | grep $TempChain | awk '{print $1}'`			-j $Me
			DestroyChain $TempChain
			unset TempChain
		fi
		;;
	status)
		if $IptablesBin -L $Me -n >/dev/null 2>&1 ; then
			echo "$Me created" >&2
		else
			echo "$Me destroyed" >&2
		fi
		;;
	version)
		echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
		;;
	help)
		DefaultHelp
#ZZZZ Please change the text to appropriate help text for this module.  You should
#ZZZZ cover what the module does, if it's generally safe to use, and under what
#ZZZZ conditions it should not be used.  Please replace the lines between the two
#ZZZZ EOTEXT lines with your own.
		cat <<EOTEXT >&2
	The $Me module puts in some blocks for fragmented icmp packets
(illegal) and address mask and timestamp requests and replies.  At best,
these are uncommon and are used in network mapping.  These rules should
be safe to use on any network.
EOTEXT
		;;
	*)
		echo "Unknown action $Action in $Me, no action taken." >&2
		;;
	esac
done