#!/bin/bash
#Copyright 2003 William Stearns <wstearns@pobox.com>
#Released under the GPL.

#ZZZZ Check Me and MyVersion
Me='snort-tftp'
MyVersion='20031125'
#DefaultActions=''

[ -r /etc/firebricks/firebricks.conf ] &&			. /etc/firebricks/firebricks.conf
[ -r /etc/firebricks/$Me.conf ] &&				. /etc/firebricks/$Me.conf
[ -r ${FBLibDir:-'/usr/lib/firebricks/'}/firebrickslib ] &&	. ${FBLibDir:-'/usr/lib/firebricks/'}/firebrickslib
if [ -z "$FBLibVer" ]; then
	echo 'It looks like firebrickslib was not loaded, why?  Exiting' >&2
	exit 1
fi

for OneTask in $Tasks ; do
	case "$OneTask" in
	link)
		$IptablesBin -N $Me >/dev/null 2>&1
#ZZZZ try to restrict the following three to only send down what the chain needs to inspect.
		$IptablesBin $AppIn INPUT -i \! lo						-j $Me
		$IptablesBin $AppIn FORWARD							-j $Me
		$IptablesBin $AppIn OUTPUT							-j $Me
		;;
	unlink)
#ZZZZ Make the same changes as above (such as "-p tcp"), but if you cut and paste, note "$AppIn" is now "-D"
		$IptablesBin -D INPUT -i \! lo							-j $Me
		$IptablesBin -D FORWARD								-j $Me
		$IptablesBin -D OUTPUT								-j $Me
		$IptablesBin -X $Me >/dev/null 2>&1
		;;
	create)
		echo "Starting $Me" >&2
		FlushOrNewChain $Me


		LogAs="SID1941"		$Ipt -A $Me -p udp --dport 69 -m string --string '""' --string !'""'	$Tail	# '"TFTP filename overflow attempt"' cve,CAN-2002-0813 bugtraq,5328 classtype:bad-unknown sid:1941
		LogAs="SID1289"		$Ipt -A $Me -p udp --dport 69 -m string --string '""' --string '"admin.dll"'	$Tail	# '"TFTP GET Admin.dll"' nocase-ignored classtype:successful-admin url,www.cert.org/advisories/CA-2001-26.html sid:1289
		LogAs="SID1441"		$Ipt -A $Me -p udp --dport 69 -m string --string '""' --string '"nc.exe"'	$Tail	# '"TFTP GET nc.exe"' nocase-ignored classtype:successful-admin sid:1441
		LogAs="SID1442"		$Ipt -A $Me -p udp --dport 69 -m string --string '""' --string '"shadow"'	$Tail	# '"TFTP GET shadow"' nocase-ignored classtype:successful-admin sid:1442
		LogAs="SID1443"		$Ipt -A $Me -p udp --dport 69 -m string --string '""' --string '"passwd"'	$Tail	# '"TFTP GET passwd"' nocase-ignored classtype:successful-admin sid:1443
		LogAs="SID519"		$Ipt -A $Me -p udp --dport 69 -m string --string '".."'	$Tail	# '"TFTP parent directory"' cve,CAN-2002-1209 arachnids,137 cve,CVE-1999-0183 classtype:bad-unknown sid:519
		LogAs="SID520"		$Ipt -A $Me -p udp --dport 69 -m string --string '"/"'	$Tail	# '"TFTP root directory"' arachnids,138 cve,CVE-1999-0183 classtype:bad-unknown sid:520
		LogAs="SID518"		$Ipt -A $Me -p udp --dport 69 -m string --string '""'	$Tail	# '"TFTP Put"' cve,CVE-1999-0183 arachnids,148 classtype:bad-unknown sid:518
		LogAs="SID1444"		$Ipt -A $Me -p udp --dport 69 -m string --string '""'	$Tail	# '"TFTP Get"' classtype:bad-unknown sid:1444


		;;
	destroy)
		echo "Stopping $Me" >&2
		DestroyChain $Me
		;;
	renamechain)
		TempChain="$Me-$RANDOM"
		echo "Replacing existing rules in $Me with new rules" >&2
		$IptablesBin -E $Me $TempChain
		;;
	replacelinks)
		if [ -z "$TempChain" ]; then
			echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
		elif ! $IptablesBin -L $Me -n >/dev/null 2>&1 ; then
			echo "No $Me chain in $Me, replace operation incomplete." >&2
		elif ! $IptablesBin -L $TempChain -n >/dev/null 2>&1 ; then
			echo "No $TempChain chain in $Me, replace operation incomplete." >&2
		elif [ "`$IptablesBin -L INPUT -n --line-numbers | grep $TempChain | wc -l`" -ne 1 ]; then
			echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
		elif [ "`$IptablesBin -L FORWARD -n --line-numbers | grep $TempChain | wc -l`" -ne 1 ]; then
			echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
		elif [ "`$IptablesBin -L OUTPUT -n --line-numbers | grep $TempChain | wc -l`" -ne 1 ]; then
			echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
		else
#ZZZZ Place the same criteria you used in link/unlink above in the following three lines.
#ZZZZ Criteria should go just in front of "-j $Me"
			$IptablesBin -R INPUT `$IptablesBin -L INPUT -n --line-numbers | grep $TempChain | awk '{print $1}'` -i \! lo		-j $Me
			$IptablesBin -R FORWARD `$IptablesBin -L FORWARD -n --line-numbers | grep $TempChain | awk '{print $1}'`		-j $Me
			$IptablesBin -R OUTPUT `$IptablesBin -L OUTPUT -n --line-numbers | grep $TempChain | awk '{print $1}'`			-j $Me
			DestroyChain $TempChain
			unset TempChain
		fi
		;;
	status)
		if $IptablesBin -L $Me -n >/dev/null 2>&1 ; then
			echo "$Me created" >&2
		else
			echo "$Me destroyed" >&2
		fi
		;;
	version)
		echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
		;;
	help)
		DefaultHelp
#ZZZZ Please change the text to appropriate help text for this module.  You should
#ZZZZ cover what the module does, if it's generally safe to use, and under what
#ZZZZ conditions it should not be used.  Please replace the lines between the two
#ZZZZ EOTEXT lines with your own.
		cat <<EOTEXT >&2
	The $Me module puts in some blocks for fragmented icmp packets
(illegal) and address mask and timestamp requests and replies.  At best,
these are uncommon and are used in network mapping.  These rules should
be safe to use on any network.
EOTEXT
		;;
	*)
		echo "Unknown action $Action in $Me, no action taken." >&2
		;;
	esac
done