Imported Upstream version 2.5.1

[ossec-hids.git] / active-response / win / netsh.cmd

:: Simple script to block an ip using netsh. Commands from http://windowsnerd.com/\r
@ECHO OFF\r
ECHO.\r
\r
\r
:: Logging it all\r
FOR /F "TOKENS=1* DELIMS= " %%A IN ('DATE/T') DO SET DATE=%%B\r
FOR /F "TOKENS=1* DELIMS= " %%A IN ('TIME/T') DO SET TIME=%%A\r
ECHO %DATE% %TIME% %0 %1 %2 %3 %4 %5 %6 %7 %8 %9 >> active-response/active-responses.log\r
\r
\r
IF "%1"=="add" GOTO ADD\r
IF "%1"=="delete" GOTO DEL\r
:ERROR\r
\r
ECHO "Invalid argument. %1"\r
GOTO Exit;\r
\r
\r
:: Adding to the blocked.\r
\r
:ADD\r
:: Extracts last ip address from ipconfig.\r
netsh ipsec static add policy description="ossec block list"\r
netsh ipsec static add filter filterlist="ossecfilter" srcaddr=%3 dstaddr=me protocol=tcp mirrored=yes\r
netsh ipsec static add rule policy="ossec" filterlist="ossecfilter" filteraction="block" desc="list of blocked ips"\r
netsh ipsec static set policy assign=y\r
GOTO Exit;\r
\r
:DEL\r
netsh ipsec static delete filter filterlist="ossecfilter" srcaddr=%3 dstaddr=me protocol=tcp mirrored=yes\r
\r
:Exit\r