new upstream release (3.3.0); modify package compatibility for Stretch
[ossec-hids.git] / debian / ossec-hids / var / ossec / active-response / bin / npf.sh
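#!/bin/sh
# Author: Gianni D'Aprile
#
# OSSEC active response for NPF: adds an address to, or removes it from,
# the NPF table "ossec_blacklist".
#
# Usage: npf.sh <action> <username> <ip>
#   action   - "add" blocks the address, "delete" unblocks it
#   username - accepted for the active-response argument order; not used here
#   ip       - address handed to "npfctl table ossec_blacklist add|del"
#
# Exit status:
#   0 - NPF absent, inactive or not configured (nothing to do), and after
#       an add/delete attempt (a failed attempt is logged, not returned)
#   1 - missing or malformed address, unknown action, or the script could
#       not change into its own directory

# Resolve grep once; fall back to a PATH lookup at call time if that fails.
GREP=$(command -v grep) || GREP=grep

ACTION=$1
# Second argument is not used by this script. It is stored under a private
# name so the shell's own USER variable is not overwritten.
AR_USER=$2
IP=$3

# Finding path: all log locations below are relative to the parent of the
# directory that holds this script.
LOCAL=$(dirname "$0")
if ! cd "${LOCAL}" || ! cd ../; then
        echo "$0: cannot change to the active-response directory." >&2
        exit 1
fi
BASE_DIR=$(pwd)

# Record the invocation. printf '%s' keeps backslashes in the arguments
# literal instead of letting echo interpret them.
printf '%s\n' "$(date) $0 $1 $2 $3 $4 $5" >> "${BASE_DIR}/../logs/active-responses.log"

NPFCTL=/sbin/npfctl

if [ ! -x "${NPFCTL}" ]; then
        echo "$0: NPF not present."
        echo "$0: NPF not present." >> "${BASE_DIR}/ossec-hids-responses.log"
        exit 0
fi

# A plain match on "active" would also count a line that says "inactive",
# so lines containing "inactive" are dropped before counting.
NPF_ACTIVE=$("${NPFCTL}" show | "${GREP}" "filtering:" | "${GREP}" -v inactive | "${GREP}" -c active)

if [ "x1" != "x${NPF_ACTIVE}" ]; then
        echo "$0: NPF not active."
        echo "$0: NPF not active." >> "${BASE_DIR}/ossec-hids-responses.log"
        exit 0
fi

# The loaded configuration must declare the ossec_blacklist table exactly once.
NPF_OSSEC_READY=$("${NPFCTL}" show | "${GREP}" -c "table <ossec_blacklist>")

if [ "x1" != "x${NPF_OSSEC_READY}" ]; then
        echo "$0: NPF not configured."
        echo "$0: NPF not configured." >> "${BASE_DIR}/ossec-hids-responses.log"
        exit 0
fi

# Checking for an IP
if [ "x${IP}" = "x" ]; then
        echo "$0: <action> <username> <ip>"
        exit 1
fi

# The address originates from alert data, i.e. from whatever was parsed out
# of a log line, and this script changes firewall state with it. Accept only
# the characters an IPv4/IPv6 address or CIDR prefix can contain; this also
# rejects whitespace and a leading "-", so the value cannot be read by
# npfctl as an option or as several arguments.
case "${IP}" in
        *[!0-9A-Fa-f.:/]*)
                echo "$0: invalid address."
                printf '%s\n' "$0: invalid address: ${IP}" >> "${BASE_DIR}/ossec-hids-responses.log"
                exit 1
                ;;
esac

case "x${ACTION}" in

        # Blocking IP
        xadd)
                if ! "${NPFCTL}" table ossec_blacklist add "${IP}" >/dev/null 2>&1; then
                        # Exit status stays 0 as before, but leave a trace so a
                        # block that did not take effect is visible in the log.
                        echo "$0: npfctl failed to add ${IP}." >> "${BASE_DIR}/ossec-hids-responses.log"
                fi
                exit 0
                ;;

        # Unblocking IP
        xdelete)
                if ! "${NPFCTL}" table ossec_blacklist del "${IP}" >/dev/null 2>&1; then
                        echo "$0: npfctl failed to delete ${IP}." >> "${BASE_DIR}/ossec-hids-responses.log"
                fi
                exit 0
                ;;

        # No matching action
        *)
                printf '%s\n' "$0: invalid action: ${ACTION}"
                printf '%s\n' "$0: invalid action: ${ACTION}" >> "${BASE_DIR}/ossec-hids-responses.log"
                exit 1
                ;;

esac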