active-response/ip-customblock.sh

   1 #!/bin/sh
   2 # Custom OSSEC block / Easily modifiable for custom responses (touch a file, insert to db, etc).
   3 # Expect: srcip
   4 # Author: Daniel B. Cid
   5 # Last modified: Feb 16, 2013
   6
   7 ACTION=$1
   8 USER=$2
   9 IP=$3
  10
  11 LOCAL=`dirname $0`;
  12 cd $LOCAL
  13 cd ../
  14 PWD=`pwd`
  15
  16
  17 # Logging the call
  18 echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
  19
  20
  21 # IP Address must be provided
  22 if [ "x${IP}" = "x" ]; then
  23    echo "$0: Missing argument <action> <user> (ip)"
  24    exit 1;
  25 fi
  26
  27
  28 # Custom block (touching a file inside /ipblock/IP)
  29 if [ "x${ACTION}" = "xadd" ]; then
  30     if [ ! -d /ipblock ]; then
  31        mkdir /ipblock
  32     fi
  33     touch "/ipblock/${IP}"
  34 elif [ "x${ACTION}" = "xdelete" ]; then
  35     rm -f "/ipblock/${IP}"
  36
  37 # Invalid action
  38 else
  39    echo "$0: invalid action: ${ACTION}"
  40 fi
  41
  42 exit 1;