new upstream release (3.3.0); modify package compatibility for Stretch

[ossec-hids.git] / active-response / win / firewall-drop.cmd

diff --git a/active-response/win/firewall-drop.cmd b/active-response/win/firewall-drop.cmd
new file mode 100644 (file)
index 0000000..dbde4e3
--- /dev/null
+++ b/active-response/win/firewall-drop.cmd
@@ -0,0 +1,42 @@
+@ECHO OFF
+ECHO.
+
+:: Set some variables
+FOR /F "TOKENS=1* DELIMS= " %%A IN ('DATE/T') DO SET DAT=%%A %%B
+FOR /F "TOKENS=1-3 DELIMS=:" %%A IN ("%TIME%") DO SET TIM=%%A:%%B:%%C
+
+:: Block IP Address
+SET ACTION=%~1
+SET SRCIP=%~3
+
+:: Check for required arguments
+IF /I "%ACTION%"=="" GOTO ERROR
+IF /I "%2"=="" GOTO ERROR
+IF /I "%SRCIP%"=="" GOTO ERROR
+
+
+IF /I "%ACTION%"=="add" GOTO ADD
+IF /I "%ACTION%"=="delete" GOTO DEL
+
+:ERROR
+ECHO Invalid argument(s).
+ECHO Usage: firewall-drop.cmd ^(add^|delete^) user IP_Address
+ECHO Example: firewall-drop.cmd ADD - 1.2.3.4
+ECHO %DAT%%TIM% "%~f0" %1 %2 %3 (error) >> "%OSSECPATH%active-response\active-responses.log"
+EXIT /B 1
+
+:: Adding IP to be blocked
+
+:ADD
+ECHO Adding
+netsh advfirewall firewall add rule name="OSSEC-%SRCIP%" dir=in interface=any action=block remoteip=%SRCIP%  
+ECHO %DAT%%TIM% "%~f0" %1 %2 %3 >> "%OSSECPATH%active-response\active-responses.log"
+GOTO EXIT
+
+:DEL
+ECHO Removing
+netsh advfirewall firewall delete rule name="OSSEC-%SRCIP%" dir=in
+ECHO %DAT%%TIM% "%~f0" %1 %2 %3 >> "%OSSECPATH%active-response\active-responses.log"
+
+
+:EXIT /B 0:
\ No newline at end of file