new upstream release (3.3.0); modify package compatibility for Stretch
diff --git a/active-response/firewalls/npf.sh b/active-response/firewalls/npf.sh
new file mode 100755 (executable)
index 0000000..4eabb22
--- /dev/null
@@ -0,0 +1,74 @@
+#!/bin/sh
+# Author: Gianni D'Aprile
+
+GREP=`which grep`
+
+ACTION=$1
+USER=$2
+IP=$3
+
+# Finding path
+LOCAL=`dirname $0`;
+cd $LOCAL
+cd ../
+PWD=`pwd`
+echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
+
+NPFCTL=/sbin/npfctl
+
+if [ ! -x ${NPFCTL} ]; then
+       echo "$0: NPF not present."
+       echo "$0: NPF not present." >> ${PWD}/ossec-hids-responses.log
+       exit 0;
+fi
+
+NPF_ACTIVE=`${NPFCTL} show | grep "filtering:" | ${GREP} -c active`
+
+if [ "x1" != "x${NPF_ACTIVE}" ]; then
+       echo "$0: NPF not active."
+       echo "$0: NPF not active." >> ${PWD}/ossec-hids-responses.log
+       exit 0;
+fi
+
+NPF_OSSEC_READY=`${NPFCTL} show | ${GREP} -c "table <ossec_blacklist>"`
+
+if [ "x1" != "x${NPF_OSSEC_READY}" ]; then
+       echo "$0: NPF not configured."
+       echo "$0: NPF not configured." >> ${PWD}/ossec-hids-responses.log
+       exit 0;
+fi
+
+# Checking for an IP
+if [ "x${IP}" = "x" ]; then
+   echo "$0: <action> <username> <ip>" 
+   exit 1;
+fi
+
+case "x${ACTION}" in
+
+       # Blocking IP
+       xadd)
+
+       ${NPFCTL} table ossec_blacklist add ${IP} >/dev/null 2>&1
+       exit 0
+
+       ;;
+
+       # Unblocking IP
+       xdelete)
+
+       ${NPFCTL} table ossec_blacklist del ${IP} >/dev/null 2>&1
+       exit 0
+
+       ;;
+
+       # No matching action
+       *)
+
+       echo "$0: invalid action: ${ACTION}"
+       echo "$0: invalid action: ${ACTION}" >> ${PWD}/ossec-hids-responses.log
+       exit 1
+
+       ;;
+
+esac
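Review bot: The `add`/`delete` arms pass `${IP}` to npfctl after checking only that it is non-empty, and the value arrives on the command line from the alert that triggered the response, so anything that is not an address should be rejected before it is handed to `${NPFCTL} table ossec_blacklist add ${IP}`. Both arms also send npfctl's stderr to /dev/null and unconditionally `exit 0`, so a failed block or unblock leaves no trace in `ossec-hids-responses.log`, unlike the other failure paths in this script which log before exiting. A character-class check in the same `case` style the script already uses, plus a logged status check around the npfctl call, covers both points; the new-file hunk shows the whole script, so no further context is hidden. Note also that `PWD=`pwd`` on the line after `cd ../` overwrites a shell-maintained variable; a private name such as `OSSEC_HOME` would avoid that.
```shell
# Refuse anything that is not a plain IPv4/IPv6 literal before it reaches npfctl
case "${IP}" in
  ""|*[!0-9a-fA-F.:]*)
    echo "$0: invalid ip: ${IP}"
    echo "$0: invalid ip: ${IP}" >> ${PWD}/ossec-hids-responses.log
    exit 1
    ;;
esac

# … unchanged: NPF present/active/configured checks …

case "x${ACTION}" in
  xadd)
    if ! ${NPFCTL} table ossec_blacklist add "${IP}" >/dev/null 2>&1; then
      echo "$0: npfctl add ${IP} failed" >> ${PWD}/ossec-hids-responses.log
      exit 1
    fi
    exit 0
    ;;
  # … unchanged: xdelete arm mirrors the add arm with 'del'; default arm …
```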