#!/bin/bash
#Copyright 2003 William Stearns <wstearns@pobox.com>
#Released under the GPL.

#ZZZZ Check Me and MyVersion
Me='snort-web-php'
MyVersion='20031125'
#DefaultActions=''

[ -r /etc/firebricks/firebricks.conf ] &&			. /etc/firebricks/firebricks.conf
[ -r /etc/firebricks/$Me.conf ] &&				. /etc/firebricks/$Me.conf
[ -r ${FBLibDir:-'/usr/lib/firebricks/'}/firebrickslib ] &&	. ${FBLibDir:-'/usr/lib/firebricks/'}/firebrickslib
if [ -z "$FBLibVer" ]; then
	echo 'It looks like firebrickslib was not loaded, why?  Exiting' >&2
	exit 1
fi

for OneTask in $Tasks ; do
	case "$OneTask" in
	link)
		$IptablesBin -N $Me >/dev/null 2>&1
#ZZZZ try to restrict the following three to only send down what the chain needs to inspect.
		$IptablesBin $AppIn INPUT -i \! lo						-j $Me
		$IptablesBin $AppIn FORWARD							-j $Me
		$IptablesBin $AppIn OUTPUT							-j $Me
		;;
	unlink)
#ZZZZ Make the same changes as above (such as "-p tcp"), but if you cut and paste, note "$AppIn" is now "-D"
		$IptablesBin -D INPUT -i \! lo							-j $Me
		$IptablesBin -D FORWARD								-j $Me
		$IptablesBin -D OUTPUT								-j $Me
		$IptablesBin -X $Me >/dev/null 2>&1
		;;
	create)
		echo "Starting $Me" >&2
		FlushOrNewChain $Me


		LogAs="SID1774"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/bb_smilies.php"'	$Tail	# '"WEB-PHP bb_smilies.php access"' nocase-ignored url,www.securiteam.com/securitynews/Serious_security_hole_in_PHP-Nuke__bb_smilies_.html classtype:web-application-activity sid:1774
		LogAs="SID1736"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/squirrelspell/modules/check_me.mod.php"' --string '"SQSPELL_APP["'	$Tail	# '"WEB-PHP squirrel mail spell-check arbitrary command attempt"' nocase-ignored nocase-ignored bugtraq,3952 classtype:web-application-attack sid:1736
		LogAs="SID1737"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/left_main.php"' --string '"cmdd="'	$Tail	# '"WEB-PHP squirrel mail theme arbitrary command attempt"' nocase-ignored bugtraq,4385 classtype:web-application-attack sid:1737
		LogAs="SID1739"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/dnstools.php"' --string '"user_logged_in=true"' --string '"user_dnstools_administrator=true"'	$Tail	# '"WEB-PHP DNSTools administrator authentication bypass attempt"' nocase-ignored nocase-ignored nocase-ignored bugtraq,4617 classtype:web-application-attack sid:1739
		LogAs="SID1740"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/dnstools.php"' --string '"user_logged_in=true"'	$Tail	# '"WEB-PHP DNSTools authentication bypass attempt"' nocase-ignored bugtraq,4617 classtype:web-application-attack sid:1740
		LogAs="SID1741"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/dnstools.php"'	$Tail	# '"WEB-PHP DNSTools access"' nocase-ignored bugtraq,4617 classtype:web-application-activity sid:1741
		LogAs="SID1742"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/dostuff.php?action=modify_user"'	$Tail	# '"WEB-PHP Blahz-DNS dostuff.php modify user attempt"' nocase-ignored bugtraq,4618 classtype:web-application-attack sid:1742
		LogAs="SID1743"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/dostuff.php"'	$Tail	# '"WEB-PHP Blahz-DNS dostuff.php access"' nocase-ignored bugtraq,4618 classtype:web-application-activity sid:1743
		LogAs="SID1745"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/supp_membre.php"'	$Tail	# '"WEB-PHP Messagerie supp_membre.php access"' nocase-ignored bugtraq,4635 classtype:web-application-activity sid:1745
		LogAs="SID1773"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/php.exe"'	$Tail	# '"WEB-PHP php.exe access"' nocase-ignored url,www.securitytracker.com/alerts/2002/Jan/1003104.html classtype:web-application-activity sid:1773
		LogAs="SID1816"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/directory.php"'	$Tail	# '"WEB-PHP directory.php access"' bugtraq,4278 cve,CAN-2002-0434 classtype:misc-attack sid:1816
		LogAs="SID1834"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/modules.php?"' --string '"name=Wiki"' --string '"<script"'	$Tail	# '"WEB-PHP PHP-Wiki cross site scripting attempt"' nocase-ignored nocase-ignored bugtraq,5254 classtype:web-application-attack sid:1834
		LogAs="SID1967"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/quick-reply.php"' --string '"phpbb_root_path="'	$Tail	# '"WEB-PHP phpbb quick-reply.php arbitrary command attempt"' bugtraq,6173 classtype:web-application-attack sid:1967
		LogAs="SID1968"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/quick-reply.php"'	$Tail	# '"WEB-PHP phpbb quick-reply.php access"' bugtraq,6173 classtype:web-application-activity sid:1968
		LogAs="SID1997"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/read_body.php"'	$Tail	# '"WEB-PHP read_body.php access attempt"' bugtraq,6302 classtype:web-application-activity sid:1997
		LogAs="SID1998"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/calendar.php"'	$Tail	# '"WEB-PHP calendar.php access"' nessus,11179 bugtraq,5820 classtype:web-application-activity sid:1998
		LogAs="SID1999"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/edit_image.php"'	$Tail	# '"WEB-PHP edit_image.php access"' nessus,11104 cve,CVE-2001-1020 classtype:web-application-activity sid:1999
		LogAs="SID2000"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/readmsg.php"'	$Tail	# '"WEB-PHP readmsg.php access"' nessus,11073 classtype:web-application-activity sid:2000
		LogAs="SID2002"		$Ipt -A $Me -p tcp --dport 80 -m string --string '".php"' --string '"path=http://"'	$Tail	# '"WEB-PHP external include path"' classtype:web-application-attack sid:2002
		LogAs="SID1134"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/admin.php3"'	$Tail	# '"WEB-PHP Phorum admin access"' nocase-ignored bugtraq,2271 arachnids,205 classtype:attempted-recon sid:1134
		LogAs="SID1161"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/passwd.php3"'	$Tail	# '"WEB-PHP piranha passwd.php3 access"' bugtraq,1149 cve,CVE-2000-0322 arachnids,272 classtype:attempted-recon sid:1161
		LogAs="SID1178"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/read.php3"'	$Tail	# '"WEB-PHP Phorum read access"' nocase-ignored arachnids,208 classtype:attempted-recon sid:1178
		LogAs="SID1179"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/violation.php3"'	$Tail	# '"WEB-PHP Phorum violation access"' nocase-ignored bugtraq,2272 arachnids,209 classtype:attempted-recon sid:1179
		LogAs="SID1197"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/code.php3"'	$Tail	# '"WEB-PHP Phorum code access"' nocase-ignored arachnids,207 classtype:attempted-recon sid:1197
		LogAs="SID1300"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/admin.php"' --string '"file_name="'	$Tail	# '"WEB-PHP admin.php file upload attempt"' nocase-ignored bugtraq,3361 classtype:attempted-admin sid:1300
		LogAs="SID1301"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/admin.php"'	$Tail	# '"WEB-PHP admin.php access"' nocase-ignored bugtraq,7532 bugtraq,3361 classtype:attempted-recon sid:1301
		LogAs="SID1407"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/smssend.php"'	$Tail	# '"WEB-PHP smssend.php access"' classtype:web-application-activity bugtraq,3982 sid:1407
		LogAs="SID1399"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"index.php"' --string '"file=http://"'	$Tail	# '"WEB-PHP PHP-Nuke remote file include attempt"' nocase-ignored nocase-ignored bugtraq,3889 classtype:web-application-attack sid:1399
		LogAs="SID1490"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/support/common.php"' --string '"ForumLang=../"'	$Tail	# '"WEB-PHP Phorum /support/common.php attempt"' classtype:web-application-attack sid:1490
		LogAs="SID1491"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/support/common.php"'	$Tail	# '"WEB-PHP Phorum /support/common.php access"' classtype:web-application-attack sid:1491
		LogAs="SID1137"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"PHP_AUTH_USER=boogieman"'	$Tail	# '"WEB-PHP Phorum authentication access"' nocase-ignored bugtraq,2274 arachnids,206 classtype:attempted-recon sid:1137
		LogAs="SID1085"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"ºIþÿÿ÷Ò¹¿ÿÿÿ÷Ñ"'	$Tail	# '"WEB-PHP strings overflow"' bugtraq,802 arachnids,431 classtype:web-application-attack sid:1085
		LogAs="SID1086"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"?STRENGUR"'	$Tail	# '"WEB-PHP strings overflow"' arachnids,430 bugtraq,1786 classtype:web-application-attack sid:1086
		LogAs="SID1254"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"_PHPLIB[libdir]"'	$Tail	# '"WEB-PHP PHPLIB remote command attempt"' bugtraq,3079 classtype:attempted-user sid:1254
		LogAs="SID1255"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/db_mysql.inc"'	$Tail	# '"WEB-PHP PHPLIB remote command attempt"' bugtraq,3079 classtype:attempted-user sid:1255
		LogAs="SID2074"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/uploadimage.php"' --string '"userfile_name="' --string '".php"'	$Tail	# '"WEB-PHP Mambo uploadimage.php upload php file attempt"' bugtraq,6572 classtype:web-application-attack sid:2074
		LogAs="SID2075"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/upload.php"' --string '"userfile_name="' --string '".php"'	$Tail	# '"WEB-PHP Mambo upload.php upload php file attempt"' bugtraq,6572 classtype:web-application-attack sid:2075
		LogAs="SID2076"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/uploadimage.php"'	$Tail	# '"WEB-PHP Mambo uploadimage.php access"' bugtraq,6572 classtype:web-application-activity sid:2076
		LogAs="SID2077"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/upload.php"'	$Tail	# '"WEB-PHP Mambo upload.php access"' bugtraq,6572 classtype:web-application-activity sid:2077
		LogAs="SID2078"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/privmsg.php"'	$Tail	# '"WEB-PHP phpBB privmsg.php access"' bugtraq,6634 classtype:web-application-activity sid:2078
		LogAs="SID2140"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/p-news.php"'	$Tail	# '"WEB-PHP p-news.php access"' nessus,11669 classtype:web-application-activity sid:2140
		LogAs="SID2141"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/shoutbox.php"' --string '"conf="' --string '"../"'	$Tail	# '"WEB-PHP shoutbox.php directory traversal attempt"' nessus,11668 classtype:web-application-attack sid:2141
		LogAs="SID2142"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/shoutbox.php"'	$Tail	# '"WEB-PHP shoutbox.php access"' nessus,11668 classtype:web-application-activity sid:2142
		LogAs="SID2143"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/gm-2-b2.php"' --string '"b2inc=http"'	$Tail	# '"WEB-PHP b2 cafelog gm-2-b2.php remote command execution attempt"' nessus,11667 classtype:web-application-attack sid:2143
		LogAs="SID2144"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/gm-2-b2.php"'	$Tail	# '"WEB-PHP b2 cafelog gm-2-b2.php access"' nessus,11667 classtype:web-application-activity sid:2144
		LogAs="SID2145"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/admin.php"' --string '"op=admin_enter"' --string '"password=admin"'	$Tail	# '"WEB-PHP TextPortal admin.php default password (admin) attempt"' nessus,11660 bugtraq,7673 classtype:web-application-activity sid:2145
		LogAs="SID2146"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/admin.php"' --string '"op=admin_enter"' --string '"password=12345"'	$Tail	# '"WEB-PHP TextPortal admin.php default password (12345) attempt"' nessus,11660 bugtraq,7673 classtype:web-application-activity sid:2146
		LogAs="SID2147"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/objects.inc.php4"' --string '"Server[path]=http"'	$Tail	# '"WEB-PHP BLNews objects.inc.php4 remote command execution attempt"' nessus,11647 bugtraq,7677 classtype:web-application-attack sid:2147
		LogAs="SID2148"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/objects.inc.php4"'	$Tail	# '"WEB-PHP BLNews objects.inc.php4 access"' nessus,11647 bugtraq,7677 classtype:web-application-activity sid:2148
		LogAs="SID2149"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/turba/status.php"'	$Tail	# '"WEB-PHP Turba status.php access"' nessus,11646 classtype:web-application-activity sid:2149
		LogAs="SID2150"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/admin/templates/header.php"' --string '"admin_root=http"'	$Tail	# '"WEB-PHP ttCMS header.php remote command execution attempt"' nessus,11636 bugtraq,7542 bugtraq,7543 classtype:web-application-attack sid:2150
		LogAs="SID2151"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/admin/templates/header.php"'	$Tail	# '"WEB-PHP ttCMS header.php access"' nessus,11636 bugtraq,7542 bugtraq,7543 classtype:web-application-activity sid:2151
		LogAs="SID2152"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/test.php"'	$Tail	# '"WEB-PHP test.php access"' nessus,11617 classtype:web-application-activity sid:2152
		LogAs="SID2153"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/autohtml.php"' --string '"name="' --string '"../../"'	$Tail	# '"WEB-PHP autohtml.php directory traversal attempt"' nessus,11630 classtype:web-application-attack sid:2153
		LogAs="SID2154"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"/autohtml.php"'	$Tail	# '"WEB-PHP autohtml.php access"' nessus,11630 classtype:web-application-activity sid:2154
		LogAs="SID2155"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"forum/index.php"' --string '"template=http"'	$Tail	# '"WEB-PHP ttforum remote command execution attempt"' nessus,11615 bugtraq,7543 bugtraq,7542 classtype:web-application-attack sid:2155
		LogAs="SID2226"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"lib.inc.php"' --string '"pm_path=http"'	$Tail	# '"WEB-PHP pmachine remote command execution attempt"' nessus,11739 bugtraq,7919 classtype:web-application-attack sid:2226
		LogAs="SID2227"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"forum_details.php"'	$Tail	# '"WEB-PHP forum_details.php access"' nessus,11760 bugtraq,7933 classtype:web-application-attack sid:2227
		LogAs="SID2228"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"db_details_importdocsql.php"'	$Tail	# '"WEB-PHP phpMyAdmin db_details_importdocsql.php access"' nessus,11761 bugtraq,7965 classtype:web-application-attack sid:2228
		LogAs="SID2229"		$Ipt -A $Me -p tcp --dport 80 -m string --string '"viewtopic.php"'	$Tail	# '"WEB-PHP viewtopic.php access"' nessus,11767 bugtraq,7979 classtype:web-application-attack sid:2229


		;;
	destroy)
		echo "Stopping $Me" >&2
		DestroyChain $Me
		;;
	renamechain)
		TempChain="$Me-$RANDOM"
		echo "Replacing existing rules in $Me with new rules" >&2
		$IptablesBin -E $Me $TempChain
		;;
	replacelinks)
		if [ -z "$TempChain" ]; then
			echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
		elif ! $IptablesBin -L $Me -n >/dev/null 2>&1 ; then
			echo "No $Me chain in $Me, replace operation incomplete." >&2
		elif ! $IptablesBin -L $TempChain -n >/dev/null 2>&1 ; then
			echo "No $TempChain chain in $Me, replace operation incomplete." >&2
		elif [ "`$IptablesBin -L INPUT -n --line-numbers | grep $TempChain | wc -l`" -ne 1 ]; then
			echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
		elif [ "`$IptablesBin -L FORWARD -n --line-numbers | grep $TempChain | wc -l`" -ne 1 ]; then
			echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
		elif [ "`$IptablesBin -L OUTPUT -n --line-numbers | grep $TempChain | wc -l`" -ne 1 ]; then
			echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
		else
#ZZZZ Place the same criteria you used in link/unlink above in the following three lines.
#ZZZZ Criteria should go just in front of "-j $Me"
			$IptablesBin -R INPUT `$IptablesBin -L INPUT -n --line-numbers | grep $TempChain | awk '{print $1}'` -i \! lo		-j $Me
			$IptablesBin -R FORWARD `$IptablesBin -L FORWARD -n --line-numbers | grep $TempChain | awk '{print $1}'`		-j $Me
			$IptablesBin -R OUTPUT `$IptablesBin -L OUTPUT -n --line-numbers | grep $TempChain | awk '{print $1}'`			-j $Me
			DestroyChain $TempChain
			unset TempChain
		fi
		;;
	status)
		if $IptablesBin -L $Me -n >/dev/null 2>&1 ; then
			echo "$Me created" >&2
		else
			echo "$Me destroyed" >&2
		fi
		;;
	version)
		echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
		;;
	help)
		DefaultHelp
#ZZZZ Please change the text to appropriate help text for this module.  You should
#ZZZZ cover what the module does, if it's generally safe to use, and under what
#ZZZZ conditions it should not be used.  Please replace the lines between the two
#ZZZZ EOTEXT lines with your own.
		cat <<EOTEXT >&2
	The $Me module puts in some blocks for fragmented icmp packets
(illegal) and address mask and timestamp requests and replies.  At best,
these are uncommon and are used in network mapping.  These rules should
be safe to use on any network.
EOTEXT
		;;
	*)
		echo "Unknown action $Action in $Me, no action taken." >&2
		;;
	esac
done