#!/bin/bash
#Copyright 2003 William Stearns <wstearns@pobox.com>
#Released under the GPL.

#ZZZZ Check Me and MyVersion
# Module identity: $Me is the iptables chain name this module owns (and the
# name of its per-module conf file); $MyVersion is the date stamp reported by
# the "version" task.
Me="snort-policy"
MyVersion="20031125"
#DefaultActions=''

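# Load the site-wide conf, the per-module conf, then firebrickslib itself.
# All three are sourced (executed in this shell), and the iptables calls
# further down need root, so anything able to write /etc/firebricks/*.conf
# or $FBLibDir/firebrickslib runs code at that privilege -- keep those files
# root-owned and not group/world writable.  $FBLibDir may be set by either
# conf file, which is why it is only read after both have been sourced.
[ -r /etc/firebricks/firebricks.conf ] &&	. /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] &&		. "/etc/firebricks/$Me.conf"
[ -r "${FBLibDir:-/usr/lib/firebricks}/firebrickslib" ] &&	. "${FBLibDir:-/usr/lib/firebricks}/firebrickslib"
# firebrickslib sets FBLibVer; without it none of the helpers used below
# (FlushOrNewChain, DestroyChain, DefaultHelp, $Ipt, $Tail, ...) exist.
if [ -z "$FBLibVer" ]; then
	echo 'It looks like firebrickslib was not loaded, why?  Exiting' >&2
	exit 1
fi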

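# Task loop.  $Tasks is a whitespace-separated list of actions (link, unlink,
# create, destroy, renamechain, replacelinks, status, version, help) handed
# to this module by the firebricks driver; each is handled in turn.  The
# helpers and variables used here (FlushOrNewChain, DestroyChain, DefaultHelp,
# $Ipt, $Tail, $AppIn, $IptablesBin) come from firebrickslib.
#
# NOTE(review): the rules under "create" were mechanically converted from
# Snort POLICY signatures (the Snort SID is kept in LogAs and in the trailing
# comment).  iptables "-m string" looks at one packet's payload with no
# stream reassembly, so each rule is both noisier and weaker than its Snort
# original.  The patterns are written as '"..."', so the argument reaches the
# command with literal double quotes unless $Ipt strips them -- confirm
# against firebrickslib before relying on any of these matches.  SID2040,
# SID2042 and SID1771 carry raw bytes that look mis-encoded in this copy;
# regenerate them from the Snort content:|hex| fields rather than editing the
# text here.  If the running iptables uses xt_string instead of the 2003
# ipt_string patch, every "-m string" rule also needs "--algo bm".
for OneTask in $Tasks ; do
	case "$OneTask" in
	link)
		# Hook the module chain into the three built-in filter chains.
		# $AppIn is the append/insert verb chosen by firebrickslib; the -N
		# error is hidden because the chain may already exist.
		$IptablesBin -N "$Me" >/dev/null 2>&1
#ZZZZ try to restrict the following three to only send down what the chain needs to inspect.
		# Whatever criteria are added here must be mirrored exactly in the
		# unlink and replacelinks arms, or the -D / -R calls will not match.
		$IptablesBin $AppIn INPUT -i \! lo						-j "$Me"
		$IptablesBin $AppIn FORWARD							-j "$Me"
		$IptablesBin $AppIn OUTPUT							-j "$Me"
		;;
	unlink)
#ZZZZ Make the same changes as above (such as "-p tcp"), but if you cut and paste, note "$AppIn" is now "-D"
		# -D needs the identical match to the rule added in link.
		$IptablesBin -D INPUT -i \! lo							-j "$Me"
		$IptablesBin -D FORWARD								-j "$Me"
		$IptablesBin -D OUTPUT								-j "$Me"
		$IptablesBin -X "$Me" >/dev/null 2>&1
		;;
	create)
		echo "Starting $Me" >&2
		# Empty the chain if it exists, create it otherwise (firebrickslib).
		FlushOrNewChain "$Me"

		# Each rule: LogAs carries the Snort SID used as the log prefix,
		# $Ipt is the firebrickslib iptables wrapper and $Tail supplies the
		# action (what happens on a match is decided there, not here).
		LogAs="SID555"		$Ipt -A "$Me" -p tcp --sport 23 -m string --string '"WinGate>"'	$Tail	# '"POLICY WinGate telnet server response"' arachnids,366 cve,CAN-1999-0657 classtype:misc-activity sid:555
		# Only this rule is limited to ESTABLISHED connections.
		LogAs="SID560"		$Ipt -A "$Me" -p tcp -m state --state ESTABLISHED -m string --string '"RFB 0"' --string '".0"'	$Tail	# '"POLICY VNC server response"' classtype:misc-activity sid:560
		# "ST" is a two-byte pattern; expect hits on unrelated UDP/5632 payloads.
		LogAs="SID566"		$Ipt -A "$Me" -p udp --dport 5632 -m string --string '"ST"'	$Tail	# '"POLICY PCAnywhere server response"' arachnids,239 classtype:misc-activity sid:566
		LogAs="SID567"		$Ipt -A "$Me" -p tcp --sport 25 -m string --string '"550 5.7.1"'	$Tail	# '"POLICY SMTP relaying denied"' url,mail-abuse.org/tsi/ar-fix.html arachnids,249 classtype:misc-activity sid:567
		LogAs="SID568"		$Ipt -A "$Me" -p tcp --dport 9100 -m string --string '"@PJL RDYMSG DISPLAY ="'	$Tail	# '"POLICY HP JetDirect LCD modification attempt"' classtype:misc-activity bugtraq,2245 arachnids,302 sid:568
		LogAs="SID510"		$Ipt -A "$Me" -p tcp --dport 9000:9002 -m string --string '"@PJL RDYMSG DISPLAY ="'	$Tail	# '"POLICY HP JetDirect LCD modification attempt"' classtype:misc-activity bugtraq,2245 arachnids,302 sid:510
		# poll.gotomypc.com is matched by an address hard-coded in 2003 and
		# almost certainly stale.  $HOME_NET (expected: one address or CIDR)
		# comes from the firebricks configuration; with it empty the rule
		# would be built without a -d argument, so it is skipped instead.
		if [ -n "$HOME_NET" ]; then
			LogAs="SID1429"		$Ipt -A "$Me" -s 63.251.224.177 -d $HOME_NET	$Tail	# '"POLICY poll.gotomypc.com access"' url,www.gotomypc.com/help2.tmpl classtype:misc-activity sid:1429
		else
			echo "$Me: HOME_NET is not set, skipping the SID1429 (poll.gotomypc.com) rule" >&2
		fi
		LogAs="SID1846"		$Ipt -A "$Me" -p tcp --dport 5800:5802 -m string --string '"/vncviewer.jar"'	$Tail	# '"POLICY vncviewer Java applet download attempt"' nessus,10758 classtype:misc-activity sid:1846
		# Snort's "nocase" has no iptables equivalent, so these FTP rules are
		# case-sensitive; several patterns ("CWD ", "MKD ") are ordinary FTP.
		LogAs="SID1445"		$Ipt -A "$Me" -p tcp --dport 21 -m string --string '"RETR"' --string '"file_id.diz"'	$Tail	# '"POLICY FTP file_id.diz access possible warez site"' nocase-ignored nocase-ignored classtype:suspicious-filename-detect sid:1445
		LogAs="SID543"		$Ipt -A "$Me" -p tcp --dport 21 -m string --string '"STOR"' --string '"1MB"'	$Tail	# '"POLICY FTP 'STOR 1MB' possible warez site"' nocase-ignored nocase-ignored classtype:misc-activity sid:543
		LogAs="SID544"		$Ipt -A "$Me" -p tcp --dport 21 -m string --string '"RETR"' --string '"1MB"'	$Tail	# '"POLICY FTP 'RETR 1MB' possible warez site"' nocase-ignored nocase-ignored classtype:misc-activity sid:544
		LogAs="SID546"		$Ipt -A "$Me" -p tcp --dport 21 -m string --string '"CWD "'	$Tail	# '"POLICY FTP 'CWD ' possible warez site"' nocase-ignored classtype:misc-activity sid:546
		LogAs="SID547"		$Ipt -A "$Me" -p tcp --dport 21 -m string --string '"MKD "'	$Tail	# '"POLICY FTP 'MKD ' possible warez site"' nocase-ignored classtype:misc-activity sid:547
		LogAs="SID548"		$Ipt -A "$Me" -p tcp --dport 21 -m string --string '"MKD ."'	$Tail	# '"POLICY FTP 'MKD .' possible warez site"' nocase-ignored classtype:misc-activity sid:548
		LogAs="SID545"		$Ipt -A "$Me" -p tcp --dport 21 -m string --string '"CWD"' --string '"/ "'	$Tail	# '"POLICY FTP 'CWD / ' possible warez site"' nocase-ignored classtype: misc-activity sid:545
		LogAs="SID554"		$Ipt -A "$Me" -p tcp --dport 21 -m string --string '"MKD"' --string '"/ "'	$Tail	# '"POLICY FTP 'MKD / ' possible warez site"' nocase-ignored classtype:misc-activity sid:554
		# NOTE(review): the three rules below contain raw (non-printable) bytes
		# converted from Snort content:|hex| fields; they appear mis-encoded in
		# this copy and should be regenerated from the Snort rules, not retyped.
		LogAs="SID2040"		$Ipt -A "$Me" -p udp --dport 49 -m string --string '"�"' --string '""'	$Tail	# '"POLICY xtacacs login attempt"' classtype:misc-activity sid:2040
		LogAs="SID2042"		$Ipt -A "$Me" -p udp --sport 49 -m string --string '"�"' --string '""'	$Tail	# '"POLICY xtacacs accepted login response"' classtype:misc-activity sid:2042
		LogAs="SID1771"		$Ipt -A "$Me" -p udp --dport 500 -m string --string '"�
\\P\$�����Q�\$�����Q�"'	$Tail	# '"POLICY IPSec PGPNet connection attempt"' classtype:protocol-command-decode sid:1771
		;;
	destroy)
		echo "Stopping $Me" >&2
		DestroyChain "$Me"
		;;
	renamechain)
		# Move the live rules aside under a random name so "create" can build
		# the new set while the old one keeps filtering; replacelinks (later
		# in this same invocation, since TempChain is a shell variable) swaps
		# the built-in chains' jumps over and drops the old chain.
		TempChain="$Me-$RANDOM"
		echo "Replacing existing rules in $Me with new rules" >&2
		$IptablesBin -E "$Me" "$TempChain"
		;;
	replacelinks)
		# Every precondition is checked before the first -R so that a failed
		# check never leaves the built-in chains half re-pointed.  Exactly one
		# reference to the temporary chain is expected per built-in chain.
		if [ -z "$TempChain" ]; then
			echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
		elif ! $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
			echo "No $Me chain in $Me, replace operation incomplete." >&2
		elif ! $IptablesBin -L "$TempChain" -n >/dev/null 2>&1 ; then
			echo "No $TempChain chain in $Me, replace operation incomplete." >&2
		elif [ "$($IptablesBin -L INPUT -n --line-numbers | grep -c -F -- "$TempChain")" -ne 1 ]; then
			echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
		elif [ "$($IptablesBin -L FORWARD -n --line-numbers | grep -c -F -- "$TempChain")" -ne 1 ]; then
			echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
		elif [ "$($IptablesBin -L OUTPUT -n --line-numbers | grep -c -F -- "$TempChain")" -ne 1 ]; then
			echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
		else
#ZZZZ Place the same criteria you used in link/unlink above in the following three lines.
#ZZZZ Criteria should go just in front of "-j $Me"
			# -R replaces the rule at the number found on the line that names
			# the temporary chain (first column of --line-numbers output).
			$IptablesBin -R INPUT "$($IptablesBin -L INPUT -n --line-numbers | grep -F -- "$TempChain" | awk '{print $1}')" -i \! lo		-j "$Me"
			$IptablesBin -R FORWARD "$($IptablesBin -L FORWARD -n --line-numbers | grep -F -- "$TempChain" | awk '{print $1}')"		-j "$Me"
			$IptablesBin -R OUTPUT "$($IptablesBin -L OUTPUT -n --line-numbers | grep -F -- "$TempChain" | awk '{print $1}')"			-j "$Me"
			DestroyChain "$TempChain"
			unset TempChain
		fi
		;;
	status)
		# "created" simply means the chain exists; it says nothing about
		# whether it is linked into the built-in chains.
		if $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
			echo "$Me created" >&2
		else
			echo "$Me destroyed" >&2
		fi
		;;
	version)
		echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
		;;
	help)
		DefaultHelp
		cat <<EOTEXT >&2
	The $Me module loads string-match rules converted from Snort
"POLICY" signatures (the Snort SID is the log prefix and is named in
the comment on each rule): WinGate telnet, VNC and PCAnywhere server
responses, SMTP relay denials, HP JetDirect LCD changes, vncviewer
applet downloads, FTP "warez" directory patterns, xtacacs logins,
PGPNet IPSec and poll.gotomypc.com access.  The chain is attached to
INPUT, FORWARD and OUTPUT.  Each rule inspects a single packet payload
with "-m string", with no stream reassembly and no case folding, and
several patterns are very short ("ST", "CWD ", "MKD "), so expect false
positives on busy FTP, VNC or PCAnywhere links.  The rules are only as
safe as the action firebrickslib attaches to a match: they are fine for
visibility, but should not be used to block on networks where these
services are legitimately in use.
EOTEXT
		;;
	*)
		# The loop variable is $OneTask; the message used to print the
		# unrelated (and usually unset) $Action.
		echo "Unknown action $OneTask in $Me, no action taken." >&2
		;;
	esac
done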