new upstream release (3.3.0); modify package compatibility for Stretch
[ossec-hids.git] / debian / ossec-hids / var / ossec / active-response / bin / pf.sh
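#!/bin/sh
# Author: Rafael M. Capovilla
# Last modified: Daniel B. Cid
#
# Active-response script: adds an IP address to, or deletes it from, the pf
# table named in PFCTL_TABLE.
#
# Usage:   pf.sh <action> <username> <ip>
#   action    "add" or "delete"
#   username  accepted to keep the argument order; not used by this script
#   ip        address to put into / take out of the table
#
# Exit status: 1 when the rules file or the table reference is missing, when
# the arguments are invalid, or when the script directory cannot be entered;
# 0 otherwise, including on systems without pf and when pfctl itself fails
# (those failures are recorded in ossec-hids-responses.log).

UNAME=$(uname)
GREP="/usr/bin/grep"
PFCTL="/sbin/pfctl"
PFCTL_RULES="/etc/pf.conf"
PFCTL_TABLE="ossec_fwtable"
ACTION=$1
# $2 (username) is intentionally not copied into USER: that would overwrite
# the USER environment variable seen by the child processes.
IP=$3

# Getting pf rules file.
if [ ! -f "${PFCTL_RULES}" ]; then
        echo "The pf rules file ${PFCTL_RULES} does not exist"
        exit 1
fi

# Checking if ossec table is configured.
# NOTE(review): this is a plain substring match, so a commented-out table
# line in the rules file also satisfies it.
if [ -z "${PFCTL_TABLE}" ] ||
   ! "${GREP}" -F -- "${PFCTL_TABLE}" "${PFCTL_RULES}" > /dev/null 2>&1; then
        echo "Table ${PFCTL_TABLE} does not exist"
        exit 1
fi

# Finding path: the log files are addressed relative to the parent of the
# directory this script lives in.
LOCAL=$(dirname -- "$0")
cd -- "${LOCAL}" || exit 1
cd ../ || exit 1
AR_DIR=$(pwd)
RESPONSE_LOG="${AR_DIR}/ossec-hids-responses.log"
echo "$(date) $0 $1 $2 $3 $4 $5" >> "${AR_DIR}/../logs/active-responses.log"

# Checking for an IP
if [ -z "${IP}" ]; then
   echo "$0: <action> <username> <ip>"
   exit 1
fi

# The address is presumably taken from alert data, i.e. from log content a
# remote party can influence. Accept only the characters of a literal
# IPv4/IPv6 address so the value can never be read by pfctl as an option or
# as several arguments. CIDR suffixes and host names are rejected on purpose.
case "${IP}" in
   *[!0-9A-Fa-f.:]*)
      echo "$0: invalid IP address"
      echo "$0: invalid IP address" >> "${RESPONSE_LOG}"
      exit 1
      ;;
esac

# Checking the action
case "${ACTION}" in
   add|delete)
      ;;
   *)
      echo "$0: invalid action: ${ACTION}"
      echo "$0: invalid action: ${ACTION}" >> "${RESPONSE_LOG}"
      exit 1
      ;;
esac

# OpenBSD, FreeBSD and Darwin pf; every other system is a silent no-op.
case "${UNAME}" in
   OpenBSD|FreeBSD|Darwin)
      ;;
   *)
      exit 0
      ;;
esac

# Checking if pfctl is present
if [ ! -x "${PFCTL}" ]; then
   echo "$0: PF not configured."
   echo "$0: PF not configured." >> "${RESPONSE_LOG}"
   exit 0
fi

# Executing it. Every argument is passed as its own quoted word instead of
# being packed into a string and re-split by the shell. The exit status stays
# 0 as before, but a failed pfctl call is logged so that a block that did not
# take effect can be noticed.
if [ "${ACTION}" = "add" ]; then
   "${PFCTL}" -t "${PFCTL_TABLE}" -T add "${IP}" > /dev/null 2>&1 ||
      echo "$0: pfctl could not add ${IP} to ${PFCTL_TABLE}" >> "${RESPONSE_LOG}"
   # Also kill the existing states of that host, so connections that are
   # already established are cut as well. Only done when adding.
   "${PFCTL}" -k "${IP}" > /dev/null 2>&1 ||
      echo "$0: pfctl could not kill the states of ${IP}" >> "${RESPONSE_LOG}"
else
   "${PFCTL}" -t "${PFCTL_TABLE}" -T delete "${IP}" > /dev/null 2>&1 ||
      echo "$0: pfctl could not delete ${IP} from ${PFCTL_TABLE}" >> "${RESPONSE_LOG}"
fi
exit 0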