X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=debian%2Fossec-hids%2Fvar%2Fossec%2Factive-response%2Fbin%2Fnpf.sh;fp=debian%2Fossec-hids%2Fvar%2Fossec%2Factive-response%2Fbin%2Fnpf.sh;h=4eabb2221f56348408911639640e9217f586f76c;hp=0000000000000000000000000000000000000000;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b
diff --git a/debian/ossec-hids/var/ossec/active-response/bin/npf.sh b/debian/ossec-hids/var/ossec/active-response/bin/npf.sh
new file mode 100755
index 0000000..4eabb22
--- /dev/null
+++ b/debian/ossec-hids/var/ossec/active-response/bin/npf.sh
@@ -0,0 +1,74 @@
+#!/bin/sh
+# Author: Gianni D'Aprile
+
+GREP=`which grep`
+
+ACTION=$1
+USER=$2
+IP=$3
+
+# Finding path
+LOCAL=`dirname $0`;
+cd $LOCAL
+cd ../
+PWD=`pwd`
+echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
+
+NPFCTL=/sbin/npfctl
+
+if [ ! -x ${NPFCTL} ]; then
+ echo "$0: NPF not present."
+ echo "$0: NPF not present." >> ${PWD}/ossec-hids-responses.log
+ exit 0;
+fi
+
+NPF_ACTIVE=`${NPFCTL} show | grep "filtering:" | ${GREP} -c active`
+
+if [ "x1" != "x${NPF_ACTIVE}" ]; then
+ echo "$0: NPF not active."
+ echo "$0: NPF not active." >> ${PWD}/ossec-hids-responses.log
+ exit 0;
+fi
+
+NPF_OSSEC_READY=`${NPFCTL} show | ${GREP} -c "table "`
+
+if [ "x1" != "x${NPF_OSSEC_READY}" ]; then
+ echo "$0: NPF not configured."
+ echo "$0: NPF not configured." >> ${PWD}/ossec-hids-responses.log
+ exit 0;
+fi
+
+# Checking for an IP
+if [ "x${IP}" = "x" ]; then
+ echo "$0: "
+ exit 1;
+fi
+
+case "x${ACTION}" in
+
+ # Blocking IP
+ xadd)
+
+ ${NPFCTL} table ossec_blacklist add ${IP} >/dev/null 2>&1
+ exit 0
+
+ ;;
+
+ # Unblocking IP
+ xdelete)
+
+ ${NPFCTL} table ossec_blacklist del ${IP} >/dev/null 2>&1
+ exit 0
+
+ ;;
+
+ # No matching action
+ *)
+
+ echo "$0: invalid action: ${ACTION}"
+ echo "$0: invalid action: ${ACTION}" >> ${PWD}/ossec-hids-responses.log
+ exit 1
+
+ ;;
+
+esac
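Review bot: The only check on `${IP}` before it reaches `${NPFCTL} table ossec_blacklist add ${IP}` is that it is non-empty, and the expansion is unquoted, so a value that is not a plain address (whitespace, glob characters or extra tokens carried over from the alert that triggered the response) is handed to npfctl as additional arguments instead of being rejected. Restrict it to IPv4/IPv6 address characters with a POSIX `case` pattern in the "Checking for an IP" block and quote the expansion in both the add and del arms. Both npfctl calls also discard stderr and then `exit 0` unconditionally, so a block that failed to apply leaves no trace in ossec-hids-responses.log; capture the status and log it before exiting. Whether `${GREP} -c "table "` equalling exactly 1 reliably identifies the ossec_blacklist table depends on npfctl's show output format, which I cannot confirm from here; matching on the table name would be less brittle than counting lines.
```shell
# … unchanged: path discovery, NPF present/active/configured checks …

# Checking for an IP: accept only IPv4/IPv6 address characters
case "${IP}" in
  ""|*[!0-9a-fA-F.:]*)
    echo "$0: invalid or missing IP: ${IP}" >> ${PWD}/ossec-hids-responses.log
    exit 1
    ;;
esac

case "x${ACTION}" in

  # Blocking IP
  xadd)
    if ! ${NPFCTL} table ossec_blacklist add "${IP}" >/dev/null 2>&1; then
      echo "$0: npfctl add failed for ${IP}" >> ${PWD}/ossec-hids-responses.log
      exit 1
    fi
    exit 0
    ;;

  # … unchanged: xdelete arm (same status check, with del and a quoted "${IP}"), default arm …
```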