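#!/bin/bash
# snort-oracle: firebricks module that turns the Snort oracle signatures
# (SIDs 1673-1697) into iptables string-match rules on tcp traffic to the
# ports in $ORACLE_PORTS.  What is done with a matching packet is decided by
# the firebricks framework ($Ipt, $Tail and $LogAs come from firebrickslib).
#
# Usage:  run by the firebricks framework; $Tasks holds the actions to perform
#         (link unlink create destroy renamechain replacelinks status version help).
# Config: /etc/firebricks/firebricks.conf, /etc/firebricks/snort-oracle.conf
#         ORACLE_PORTS must be set (iptables --dport syntax: a port or a:b range).
#
# Detection caveat: the iptables string match is a plain, case-sensitive
# substring test.  Snort's "nocase" modifier on these rules cannot be honored
# (marked "nocase-ignored" below), so mixed-case variants of the keywords are
# not caught, and the SQL keyword rules (select/union, describe, grant, create/
# alter/drop table ...) will also fire on ordinary application traffic.
#
# Copyright 2003 William Stearns
# Released under the GPL.
Me='snort-oracle'
MyVersion='20031125'
#DefaultActions=''

[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] && . "/etc/firebricks/$Me.conf"
[ -r "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib" ] && . "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"
if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi

#######################################
# Append one Snort-derived string-match rule to the $Me chain.
# Globals:   Me, ORACLE_PORTS, Ipt, Tail (read); LogAs (set for $Ipt only)
# Arguments: $1 - Snort SID, used as the LogAs tag ("SID<n>")
#            $@ - remaining string-match arguments ("--string PATTERN" pairs)
# Outputs:   whatever $Ipt prints
# Returns:   the status of $Ipt
#
# The patterns keep the Snort content quoting ('"..."'); presumably $Ipt
# re-evaluates its arguments and strips the inner double quotes - confirm
# against firebrickslib before changing any pattern.
#######################################
snort_oracle_rule() {
  local sid=$1
  shift
  # $Ipt and $Tail are deliberately unquoted: firebrickslib fills them with
  # several words.
  # shellcheck disable=SC2086
  LogAs="SID$sid" $Ipt -A "$Me" -p tcp --dport "$ORACLE_PORTS" -m string "$@" $Tail
}

#######################################
# Count the rules in builtin chain $1 that jump to $TempChain.
# -w keeps "$Me-12" from also matching "$Me-123"; -c replaces "grep | wc -l".
# Globals:   IptablesBin, TempChain (read)
# Arguments: $1 - builtin chain name (INPUT, FORWARD, OUTPUT)
# Outputs:   the count on stdout
#######################################
temp_chain_refs() {
  $IptablesBin -L "$1" -n --line-numbers | grep -c -w -- "$TempChain"
}

#######################################
# Print the rule number of the (single) $TempChain reference in chain $1.
# Globals:   IptablesBin, TempChain (read)
# Arguments: $1 - builtin chain name (INPUT, FORWARD, OUTPUT)
# Outputs:   the rule number on stdout
#######################################
temp_chain_rulenum() {
  $IptablesBin -L "$1" -n --line-numbers | grep -w -- "$TempChain" | awk '{print $1}'
}

# $Tasks is a space-separated action list supplied by firebrickslib.
# shellcheck disable=SC2086
for OneTask in $Tasks; do
  case "$OneTask" in
    link)
      $IptablesBin -N "$Me" >/dev/null 2>&1
      # TODO: restrict these three jumps to "-p tcp" - the chain only holds
      # tcp rules, so everything else is string-matched for nothing.  Mirror
      # any change in unlink and replacelinks below.
      $IptablesBin $AppIn INPUT -i \! lo -j "$Me"
      $IptablesBin $AppIn FORWARD -j "$Me"
      $IptablesBin $AppIn OUTPUT -j "$Me"
      ;;
    unlink)
      # Must use exactly the same criteria as link above, with "$AppIn"
      # replaced by "-D".
      $IptablesBin -D INPUT -i \! lo -j "$Me"
      $IptablesBin -D FORWARD -j "$Me"
      $IptablesBin -D OUTPUT -j "$Me"
      $IptablesBin -X "$Me" >/dev/null 2>&1
      ;;
    create)
      echo "Starting $Me" >&2
      # Without ORACLE_PORTS every "--dport" below is malformed and the chain
      # would end up empty; fail before flushing the existing rules instead.
      if [ -z "$ORACLE_PORTS" ]; then
        echo "ORACLE_PORTS is not set, $Me cannot build its rules (set it in /etc/firebricks/$Me.conf). Exiting" >&2
        exit 1
      fi
      FlushOrNewChain "$Me"
      # Each line: SID, then the Snort content strings; the trailing comment is
      # the original Snort msg / classtype.
      snort_oracle_rule 1673 --string '"EXECUTE_SYSTEM"'                                                          # "ORACLE EXECUTE_SYSTEM attempt" nocase-ignored classtype:system-call-detect
      snort_oracle_rule 1674 --string '"connect_data(command=version)"'                                           # "ORACLE connect_data remote version detection attempt" nocase-ignored classtype:protocol-command-decode
      snort_oracle_rule 1675 --string '"description=("' --string !'"connect_data=(sid="' --string !'"address=(protocol=tcp"' # "ORACLE misparsed login response" nocase-ignored x3 classtype:suspicious-login
      snort_oracle_rule 1676 --string '"select "' --string '" union "'                                             # "ORACLE select union attempt" nocase-ignored x2 classtype:protocol-command-decode
      snort_oracle_rule 1677 --string '" where "' --string '" like '%'"'                                           # "ORACLE select like '%' attempt" nocase-ignored x2 classtype:protocol-command-decode
      snort_oracle_rule 1678 --string '" where "' --string '" like "'%""                                           # "ORACLE select like '%' attempt backslash escaped" nocase-ignored x2 classtype:protocol-command-decode
      snort_oracle_rule 1679 --string '"describe "'                                                                # "ORACLE describe attempt" nocase-ignored classtype:protocol-command-decode
      snort_oracle_rule 1680 --string '"all_constraints"'                                                          # "ORACLE all_constraints access" nocase-ignored classtype:protocol-command-decode
      snort_oracle_rule 1681 --string '"all_views"'                                                                # "ORACLE all_views access" nocase-ignored classtype:protocol-command-decode
      snort_oracle_rule 1682 --string '"all_source"'                                                               # "ORACLE all_source access" nocase-ignored classtype:protocol-command-decode
      snort_oracle_rule 1683 --string '"all_tables"'                                                               # "ORACLE all_tables access" nocase-ignored classtype:protocol-command-decode
      snort_oracle_rule 1684 --string '"all_tab_columns"'                                                          # "ORACLE all_tab_columns access" nocase-ignored classtype:protocol-command-decode
      # SID 1685 previously repeated the all_tab_columns pattern, leaving the
      # all_tab_privs signature uncovered; the pattern now matches its msg.
      snort_oracle_rule 1685 --string '"all_tab_privs"'                                                            # "ORACLE all_tab_privs access" nocase-ignored classtype:protocol-command-decode
      snort_oracle_rule 1686 --string '"dba_tablespace"'                                                           # "ORACLE dba_tablespace access" nocase-ignored classtype:protocol-command-decode
      snort_oracle_rule 1687 --string '"dba_tables"'                                                               # "ORACLE dba_tables access" nocase-ignored classtype:protocol-command-decode
      snort_oracle_rule 1688 --string '"user_tablespace"'                                                          # "ORACLE user_tablespace access" nocase-ignored classtype:protocol-command-decode
      snort_oracle_rule 1689 --string '"sys.all_users"'                                                            # "ORACLE sys.all_users access" nocase-ignored classtype:protocol-command-decode
      snort_oracle_rule 1690 --string '"grant "' --string '" to "'                                                 # "ORACLE grant attempt" nocase-ignored x2 classtype:protocol-command-decode
      snort_oracle_rule 1691 --string '"alter user"' --string '" identified by "'                                  # "ORACLE ALTER USER attempt" nocase-ignored x2 classtype:protocol-command-decode
      snort_oracle_rule 1692 --string '"drop table"'                                                               # "ORACLE drop table attempt" nocase-ignored classtype:protocol-command-decode
      snort_oracle_rule 1693 --string '"create table"'                                                             # "ORACLE create table attempt" nocase-ignored classtype:protocol-command-decode
      snort_oracle_rule 1694 --string '"alter table"'                                                              # "ORACLE alter table attempt" nocase-ignored classtype:protocol-command-decode
      snort_oracle_rule 1695 --string '"truncate table"'                                                           # "ORACLE truncate table attempt" nocase-ignored classtype:protocol-command-decode
      snort_oracle_rule 1696 --string '"create database"'                                                          # "ORACLE create database attempt" nocase-ignored classtype:protocol-command-decode
      snort_oracle_rule 1697 --string '"alter database"'                                                           # "ORACLE alter database attempt" nocase-ignored classtype:protocol-command-decode
      ;;
    destroy)
      echo "Stopping $Me" >&2
      DestroyChain "$Me"
      ;;
    renamechain)
      # Park the live chain under a temporary name so "create" can build the
      # new one while the old rules keep working; replacelinks swaps them.
      TempChain="$Me-$RANDOM"
      echo "Replacing existing rules in $Me with new rules" >&2
      $IptablesBin -E "$Me" "$TempChain"
      ;;
    replacelinks)
      if [ -z "$TempChain" ]; then
        echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
      elif ! $IptablesBin -L "$Me" -n >/dev/null 2>&1; then
        echo "No $Me chain in $Me, replace operation incomplete." >&2
      elif ! $IptablesBin -L "$TempChain" -n >/dev/null 2>&1; then
        echo "No $TempChain chain in $Me, replace operation incomplete." >&2
      elif [ "$(temp_chain_refs INPUT)" -ne 1 ]; then
        echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(temp_chain_refs FORWARD)" -ne 1 ]; then
        echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(temp_chain_refs OUTPUT)" -ne 1 ]; then
        echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
      else
        # Same match criteria as link/unlink above, placed just before "-j $Me".
        $IptablesBin -R INPUT "$(temp_chain_rulenum INPUT)" -i \! lo -j "$Me"
        $IptablesBin -R FORWARD "$(temp_chain_rulenum FORWARD)" -j "$Me"
        $IptablesBin -R OUTPUT "$(temp_chain_rulenum OUTPUT)" -j "$Me"
        DestroyChain "$TempChain"
        unset TempChain
      fi
      ;;
    status)
      if $IptablesBin -L "$Me" -n >/dev/null 2>&1; then
        echo "$Me created" >&2
      else
        echo "$Me destroyed" >&2
      fi
      ;;
    version)
      echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
      ;;
    help)
      DefaultHelp
      cat <<EOTEXT >&2
The $Me module adds iptables string-match rules derived from the Snort
Oracle signatures (SIDs 1673-1697) for tcp traffic to the ports in
ORACLE_PORTS.  The matches are case-sensitive substrings: they miss
mixed-case variants of the keywords, and the SQL keyword rules (select/
union, describe, grant, create/alter/drop table, ...) also match ordinary
application traffic to those ports.  Use it only in front of Oracle servers
where such traffic is expected to be rare, and check what firebricks does
with matching packets before enabling it on a production network.
EOTEXT
      ;;
    *)
      echo "Unknown action $OneTask in $Me, no action taken." >&2
      ;;
  esac
done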