#!/sbin/sh
#
# /etc/init.d/tocsin - Start/Stop the tocsin daemon
#
# Aug 20 2000 Doug Hughes,  Auburn University Engineering
# Copyright 2000
 
#
# this script should probably be run at run level 2
#
PATH=/usr/bin:/bin:/usr/sbin
# Snoop-format capture file that the start branch hands to "tocsin -o".
# NOTE(review): /var/tmp is world-writable and this name is predictable, so a
# daemon started from init (normally as root) that writes here is exposed to
# pre-created files or symlinks at that path -- a root-owned directory such as
# /var/adm or /var/log would be safer; confirm how tocsin opens the file
# before relying on it.
LOGFILE=/var/tmp/tocsin.snoop
# BASEDIR is presumably a packaging placeholder substituted with the install
# prefix when the package is added (it is not a shell variable here) --
# verify against the package prototype/postinstall before editing this line.
PROG=BASEDIR/sbin/tocsin

# Here are the ports that are monitored for now.
# Add or remove from this list as you wish.
#
# 3133[78] - back orifice
# 12345/12346 - netbus
# 143/943 - IMAP
# 1524 - ingreslock - also used by some trojans
# 109 - pop2
# 137/139 - samba/nbt stuff
# 3306 - mysql
# 98 - linuxconf
# 6667/7000 - ircd
# 24 - unregistered
# 2001 - trojan cow
# 2023 - ripper
# 1243 - Sub7 trojan

# Some other ports you might consider monitoring
#
# 67/68 - bootp/dhcp probes
# 161/162 (snmp) - could be triggered by automatic network discovery tools
# 177 - xdmcp - could be triggered by XDM broadcasts (for anybody using this)
# 194/994 - irc
# 389 - ldap (more and more legitimate stuff)
# 80/443 - web server 
# 110 - pop3
# 512 biff/comsat 
# 514 - rsh 
# 515 - lpd/lpr 
# 2049 - NFS
# 6000-6010 - X windows
# 25 - VERY risky - do not enable if you want to send or receive email

 
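#######################################
# Start the daemon if the binary is installed.  The active command line at
# the bottom of the function is the "DMZ" profile; the commented lines above
# it are the alternative profiles the original author shipped -- pick one and
# edit the port list to taste.  As the shipped comments describe it: a port
# entry may carry a :t (TCP only) or :u (UDP only) suffix, -o writes hits in
# snoop format to LOGFILE, -D restricts reports to scans whose destination is
# this network, and -T means TCP only.
# Globals:   PROG, LOGFILE (read)
# Returns:   status of the daemon command, or 0 if PROG is not installed
#######################################
start_tocsin() {
        if [ -f "$PROG" ]; then
                # Simple example:
                # $PROG rje courier link tcpmux

                # Monitor lots of ports, but only TCP, and only this network
                # as a destination for scans
                # $PROG -T -D tcpmux telnet login exec 31337 31338 12345 12346 24 143 943 1524 109 137 139 3306 98 6667 7000 2001 2023 1243

                # Monitor lots of ports and log in snoop format for later analysis
                # $PROG -o "$LOGFILE" -D tcpmux telnet login exec 31337 31338 12345 12346 24 143 943 1524 109 137 139 3306 98 6667 7000 2001 2023 1243

                # Include directives to choose UDP or TCP in order to eliminate
                # possible false positives
                # $PROG -o "$LOGFILE" -D tcpmux telnet login exec 31337:t 31338:t 12345:t 12346:t 24 67:u 143:t 943:t 1524:t 109:t 515:t 3306:t 98:t 6667:t 7000:t 2001:t 2023:t 2049:u

                # DMZ example - monitor fewer ports above 1024, particularly
                # where NAT may be in use -- to avoid false positives.
                # To see all traffic passing through, drop the -D flag.
                "$PROG" -o "$LOGFILE" tcpmux telnet login exec 31337:t 31338:t 12345:t 12346:t 24 143 943:t 109 67:u 68:u 515:t 98:t 6667:t 7000:t
        fi
}

#######################################
# Stop every running instance of the daemon.  "ps -e" ends each line with the
# command name, so the whole name is matched rather than a substring: a bare
# "grep tocsin" would also select any unrelated process whose name merely
# contains "tocsin" and kill it.  The leading-space run is optional so that
# wide PIDs with no left padding are still found.  $pid is deliberately left
# unquoted so that several PIDs become separate kill arguments.
# Globals:   pid (written; this is Bourne sh, so no 'local')
# Returns:   kill's status, or 0 if nothing is running
#######################################
stop_tocsin() {
        pid=`/usr/bin/ps -e | /usr/bin/sed -n 's/^ *\([0-9][0-9]*\) .* tocsin *$/\1/p'`
        if test "$pid"; then
                kill $pid
        fi
}

#######################################
# Print the usage line on stderr, where diagnostics belong.
#######################################
usage() {
        echo "usage: $0 { start | stop }" >&2
}

# Dispatch on the single init argument; the script's exit status is that of
# the branch taken.
case "$1" in
'start')
        start_tocsin
        ;;
'stop')
        stop_tocsin
        ;;
*)
        usage
        ;;
esac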
