X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=debian%2Fossec-hids%2Fvar%2Fossec%2Factive-response%2Fbin%2Fipfw_mac.sh;fp=debian%2Fossec-hids%2Fvar%2Fossec%2Factive-response%2Fbin%2Fipfw_mac.sh;h=8ef06821ac47dd1bb132da84cfc92f2fc295cd14;hp=0000000000000000000000000000000000000000;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b
diff --git a/debian/ossec-hids/var/ossec/active-response/bin/ipfw_mac.sh b/debian/ossec-hids/var/ossec/active-response/bin/ipfw_mac.sh
new file mode 100755
index 0000000..8ef0682
--- /dev/null
+++ b/debian/ossec-hids/var/ossec/active-response/bin/ipfw_mac.sh
@@ -0,0 +1,78 @@
+#!/bin/sh
+# Adds an IP to the IPFW drop list.
+# Only works with IPFW.
+# Expect: srcip
+# Author: Rafael Capovilla - under @ ( at ) underlinux.com.br
+# Author: Daniel B. Cid - dcid @ ( at ) ossec.net
+# Author: Charles W. Kefauver ckefauver @ ( at ) ibacom.es
+# changed for Mac OS X compatibility
+# Last modified: August 14, 2006
+
+UNAME=`uname`
+IPFW="/sbin/ipfw"
+ARG1=""
+ARG2=""
+ACTION=$1
+USER=$2
+IP=$3
+
+# warning do NOT add leading 0 in SET_ID
+SET_ID=2
+
+LOCAL=`dirname $0`;
+cd $LOCAL
+cd ../
+PWD=`pwd`
+echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
+
+
+# Checking for an IP
+if [ "x${IP}" = "x" ]; then
+ echo "$0: "
+ exit 1;
+fi
+
+# Blocking IP
+if [ "x${ACTION}" != "xadd" -a "x${ACTION}" != "xdelete" ]; then
+ echo "$0: Invalid action: ${ACTION}"
+ exit 1;
+fi
+
+
+# We should run on Darwin
+if [ "X${UNAME}" = "XDarwin" ]; then
+ ls ${IPFW} >> /dev/null 2>&1
+ if [ $? != 0 ]; then
+ exit 0;
+ fi
+
+
+ # Executing and exiting
+ if [ "x${ACTION}" = "xadd" ]; then
+ #${IPFW} set disable ${SET_ID}
+ ${IPFW} -q add set ${SET_ID} deny ip from ${IP} to any
+ ${IPFW} -q add set ${SET_ID} deny ip from any to ${IP}
+ ${IPFW} -q set enable ${SET_ID}
+ exit 0;
+ fi
+
+ if [ "x${ACTION}" = "xdelete" ]; then
+ #${IPFW} -S show | grep "set ${SET_ID}" | grep "${IP}" >/dev/null 2>&1
+ #get list of ipfw rules ID to delete
+ RULES_TO_DELETE=`${IPFW} -S show | grep "set ${SET_ID}" | grep "${IP}" | awk '{print $1}'`
+
+ for RULE_ID in ${RULES_TO_DELETE}
+ do
+ ${IPFW} -q delete ${RULE_ID}
+ done
+
+ exit 0;
+ fi
+
+ exit 0;
+fi
+
+
+# Not Darwin
+exit 1;
+
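Review bot: `IP` is only checked for being non-empty before it is spliced unquoted into the root-run `${IPFW} -q add set ${SET_ID} deny ip from ${IP} to any` lines, and since this script receives `srcip` from alert data rather than from an operator, the value should be validated as an address before it reaches that command line; add a format guard right after the empty check, e.g. `case "${IP}" in *[!0-9.]*|'') echo "$0: invalid IP: ${IP}" >&2; exit 1 ;; esac`, and quote `"${IP}"` where it is used. In the delete branch `grep "${IP}"` treats the address as an unanchored regex, so `10.0.0.1` also selects rules for `10.0.0.10` or `10.0.0.100` and the loop deletes them; `grep -F -w -- "${IP}"` restricts it to the exact address. `ls ${IPFW} >> /dev/null 2>&1` followed by a `$?` test is simpler and safer as `[ -x "${IPFW}" ] || exit 0`. The `echo "$0: "` on the empty-IP path prints no message at all; say what was missing, e.g. `echo "$0: missing IP argument" >&2`.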