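#!/bin/bash
# Copyright 2003 William Stearns
# Released under the GPL.
#
# firebricks module "snort-ftp".
#
# Builds one iptables chain ($Me) of string-match rules for the FTP control
# port (tcp/21).  Each rule is a translation of a Snort ftp.rules signature;
# the Snort message, references, classtype and sid are kept in the comment
# beside it.  The chain is linked into INPUT, FORWARD and OUTPUT.
#
# Everything iptables-specific comes from firebrickslib and the config files
# sourced below, none of which is visible here: $IptablesBin (the binary),
# $Ipt (a wrapper that reads $LogAs), $AppIn (-A/-I for linking), $Tail (the
# target appended to every rule), $Tasks (the actions to run), and the helper
# functions FlushOrNewChain, DestroyChain and DefaultHelp.
#
# Detection caveats, all visible in the rules themselves:
#   - Snort's "nocase" has no string-match equivalent (each such rule is
#     tagged "nocase-ignored"), so matching here is case-sensitive even
#     though FTP commands are not.
#   - A string match looks at one packet at a time; nothing here reassembles
#     the TCP stream, so a command split across segments is not seen.
#   - Some patterns are a single character ("%", "*", "?", "~"), so benign
#     sessions may hit them; know what $Tail does before relying on a match.
#   - Every --string argument is written as '"TEXT"', so the double quotes
#     are part of the argument handed to $Ipt.  Whether they are stripped
#     before reaching iptables depends on the firebrickslib wrapper (not shown
#     here); confirm that the installed rules match the bare token, otherwise
#     none of them will ever fire on real FTP traffic.
#   - Several rules pass --string more than once.  Whether the installed
#     string match ANDs the terms or keeps only the last one depends on the
#     match module version; confirm before trusting the multi-term rules.

#ZZZZ Check Me and MyVersion
Me='snort-ftp'
MyVersion='20031125'
#DefaultActions=''

# Site-wide config, then this module's config, then the shared library.
# Quoted because $Me and $FBLibDir may be redefined by the config files.
[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] && . "/etc/firebricks/$Me.conf"
[ -r "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib" ] && . "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"

if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi

# $IptablesBin, $Ipt, $AppIn, $Tail and $Tasks are deliberately left unquoted
# throughout: they are set by firebrickslib/config and may carry more than one
# word (e.g. a target plus its options).
# shellcheck disable=SC2086

#######################################
# Append one FTP signature rule to the module chain.
# Arguments: $1  - LogAs tag (the Snort sid), passed to $Ipt as a
#                  prefix assignment exactly as the original rules did
#            $2+ - the -m string arguments (one or more --string PATTERN)
# Globals:   Me, Ipt, Tail (read)
#######################################
ftp_rule() {
  local log_as=$1
  shift
  LogAs="$log_as" $Ipt -A "$Me" -p tcp --dport 21 -m string "$@" $Tail
}

#######################################
# Print the numbered rules of a built-in chain that reference a chain name.
# Arguments: $1 - built-in chain (INPUT/FORWARD/OUTPUT)
#            $2 - chain name to look for
# Outputs:   matching "iptables -L --line-numbers" lines on stdout
#######################################
chain_refs() {
  $IptablesBin -L "$1" -n --line-numbers | grep -- "$2"
}

#######################################
# Count the rules of a built-in chain that reference a chain name.
# Arguments: $1 - built-in chain, $2 - chain name
# Outputs:   the count on stdout
#######################################
count_refs() {
  chain_refs "$1" "$2" | wc -l
}

#######################################
# Rule number of the (single) rule in a built-in chain that references a
# chain name.  Only meaningful after count_refs returned exactly 1.
# Arguments: $1 - built-in chain, $2 - chain name
# Outputs:   the rule number on stdout
#######################################
ref_rulenum() {
  chain_refs "$1" "$2" | awk '{print $1}'
}

# $Tasks is a whitespace-separated action list; word-splitting is intended.
for OneTask in $Tasks; do
  case "$OneTask" in
    link)
      $IptablesBin -N "$Me" >/dev/null 2>&1
      #ZZZZ try to restrict the following three to only send down what the chain needs to inspect.
      $IptablesBin $AppIn INPUT -i \! lo -j "$Me"
      $IptablesBin $AppIn FORWARD -j "$Me"
      $IptablesBin $AppIn OUTPUT -j "$Me"
      ;;
    unlink)
      #ZZZZ Make the same changes as above (such as "-p tcp"), but if you cut and paste, note "$AppIn" is now "-D"
      $IptablesBin -D INPUT -i \! lo -j "$Me"
      $IptablesBin -D FORWARD -j "$Me"
      $IptablesBin -D OUTPUT -j "$Me"
      $IptablesBin -X "$Me" >/dev/null 2>&1
      ;;
    create)
      echo "Starting $Me" >&2
      FlushOrNewChain "$Me"
      # Snort ftp.rules translations.  Trailing comment per rule: Snort msg,
      # dropped modifiers, references, classtype, sid.
      ftp_rule SID1971 --string '"SITE"' --string '"EXEC"' --string '"%"' --string '"%"'   # '"FTP SITE EXEC format string attempt"' nocase-ignored nocase-ignored classtype:bad-unknown sid:1971
      ftp_rule SID2125 --string '"CWD"' --string '"C:\"'                                   # '"FTP CWD Root directory transversal attempt"' nocase-ignored nessus,11677 bugtraq,7674 classtype:protocol-command-decode sid:2125
      ftp_rule SID1777 --string '"STAT"' --string '"*"'                                    # '"FTP EXPLOIT STAT * dos attempt"' nocase-ignored bugtraq,4482 classtype:attempted-dos sid:1777
      ftp_rule SID1778 --string '"STAT"' --string '"?"'                                    # '"FTP EXPLOIT STAT ? dos attempt"' nocase-ignored bugtraq,4482 classtype:attempted-dos sid:1778
      ftp_rule SID362  --string '" --use-compress-program"'                                # '"FTP tar parameters"' nocase-ignored bugtraq,2240 arachnids,134 cve,CVE-1999-0202 classtype:bad-unknown sid:362
      ftp_rule SID1229 --string '"CWD"' --string '"..."'                                   # '"FTP CWD ..."' nocase-ignored classtype:bad-unknown sid:1229
      ftp_rule SID360  --string '".%20."'                                                  # '"FTP serv-u directory transversal"' nocase-ignored bugtraq,2052 cve,CVE-2001-0054 classtype:bad-unknown sid:360
      ftp_rule SID1377 --string '"~"' --string '"["'                                       # '"FTP wu-ftp bad file completion attempt ["' cve,CVE-2001-0550 cve,CAN-2001-0886 bugtraq,3581 classtype:misc-attack sid:1377
      ftp_rule SID1378 --string '"~"' --string '"{"'                                       # '"FTP wu-ftp bad file completion attempt {"' cve,CVE-2001-0550 cve,CAN-2001-0886 bugtraq,3581 classtype:misc-attack sid:1378
      ftp_rule SID1530 --string '"%p"'                                                     # '"FTP format string attempt"' nocase-ignored classtype:attempted-admin sid:1530
      ftp_rule SID1622 --string '"RNFR "' --string '" ././"'                               # '"FTP RNFR ././ attempt"' nocase-ignored nocase-ignored classtype:misc-attack sid:1622
      ftp_rule SID1992 --string '"LIST"' --string '".."' --string '".."'                   # '"FTP LIST directory traversal attempt"' cve,CVE-2001-0680 bugtraq,2618 nessus,11112 classtype:protocol-command-decode sid:1992
      ftp_rule SID334  --string '".forward"'                                               # '"FTP .forward"' arachnids,319 classtype:suspicious-filename-detect sid:334
      ftp_rule SID335  --string '".rhosts"'                                                # '"FTP .rhosts"' arachnids,328 classtype:suspicious-filename-detect sid:335
      ftp_rule SID1927 --string '"authorized_keys"'                                        # '"FTP authorized_keys"' classtype:suspicious-filename-detect sid:1927
      ftp_rule SID356  --string '"RETR"' --string '"passwd"'                               # '"FTP passwd retrieval attempt"' nocase-ignored arachnids,213 classtype:suspicious-filename-detect sid:356
      ftp_rule SID1928 --string '"RETR"' --string '"shadow"'                               # '"FTP shadow retrieval attempt"' nocase-ignored classtype:suspicious-filename-detect sid:1928
      ftp_rule SID353  --string '"PASS ddd@"'                                              # '"FTP adm scan"' arachnids,332 classtype:suspicious-login sid:353
      ftp_rule SID354  --string '"pass -iss@iss"'                                          # '"FTP iss scan"' arachnids,331 classtype:suspicious-login sid:354
      ftp_rule SID355  --string '"pass wh00t"'                                             # '"FTP pass wh00t"' nocase-ignored arachnids,324 classtype:suspicious-login sid:355
      ftp_rule SID357  --string '"pass -cklaus"'                                           # '"FTP piss scan"' classtype:suspicious-login sid:357
      ftp_rule SID358  --string '"pass -saint"'                                            # '"FTP saint scan"' arachnids,330 classtype:suspicious-login sid:358
      ftp_rule SID359  --string '"pass -satan"'                                            # '"FTP satan scan"' arachnids,329 classtype:suspicious-login sid:359
      ftp_rule SID2178 --string '"USER"' --string '"%"' --string '"%"'                     # '"FTP USER format string attempt"' nocase-ignored bugtraq,7474 classtype:misc-attack sid:2178
      ftp_rule SID2179 --string '"PASS"' --string '"%"' --string '"%"'                     # '"FTP PASS format string attempt"' nocase-ignored bugtraq,7474 classtype:misc-attack sid:2179
      ;;
    destroy)
      echo "Stopping $Me" >&2
      DestroyChain "$Me"
      ;;
    renamechain)
      # Park the current rules under a temporary name so "create" can build
      # a fresh $Me while the old rules keep filtering; "replacelinks" swaps
      # the built-in chains over afterwards.
      TempChain="$Me-$RANDOM"
      echo "Replacing existing rules in $Me with new rules" >&2
      $IptablesBin -E "$Me" "$TempChain"
      ;;
    replacelinks)
      # Every precondition is checked first so a half-finished replace leaves
      # the old links in place rather than none at all.
      if [ -z "$TempChain" ]; then
        echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
      elif ! $IptablesBin -L "$Me" -n >/dev/null 2>&1; then
        echo "No $Me chain in $Me, replace operation incomplete." >&2
      elif ! $IptablesBin -L "$TempChain" -n >/dev/null 2>&1; then
        echo "No $TempChain chain in $Me, replace operation incomplete." >&2
      elif [ "$(count_refs INPUT "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(count_refs FORWARD "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(count_refs OUTPUT "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
      else
        #ZZZZ Place the same criteria you used in link/unlink above in the following three lines.
        #ZZZZ Criteria should go just in front of "-j $Me"
        $IptablesBin -R INPUT "$(ref_rulenum INPUT "$TempChain")" -i \! lo -j "$Me"
        $IptablesBin -R FORWARD "$(ref_rulenum FORWARD "$TempChain")" -j "$Me"
        $IptablesBin -R OUTPUT "$(ref_rulenum OUTPUT "$TempChain")" -j "$Me"
        DestroyChain "$TempChain"
        unset TempChain
      fi
      ;;
    status)
      if $IptablesBin -L "$Me" -n >/dev/null 2>&1; then
        echo "$Me created" >&2
      else
        echo "$Me destroyed" >&2
      fi
      ;;
    version)
      echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
      ;;
    help)
      DefaultHelp
      # Module-specific help; the heredoc goes to stderr like the rest of the
      # module's output.
      cat <<EOTEXT >&2
The $Me module adds string-match rules for the FTP control port (tcp/21)
that are translated from the Snort ftp.rules signatures; the Snort sid for
each rule is noted beside it in this script.  What happens on a match is
whatever the firebricks configuration appends to each rule.

Matching is case-sensitive and looks at one packet at a time, so treat
these rules as best-effort detection rather than a complete filter.  Some
patterns are a single character and may also match ordinary FTP sessions,
so check what the configured action does before using this module on a
network that carries legitimate FTP traffic.
EOTEXT
      ;;
    *)
      # The loop variable is $OneTask; the original message referenced an
      # undefined $Action and printed an empty name.
      echo "Unknown action $OneTask in $Me, no action taken." >&2
      ;;
  esac
done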