2 # Author: Rafael M. Capovilla
3 # Last modified: Daniel B. Cid
# Listing note: the number at the start of each line is the listing's own
# gutter, and the gaps in that numbering are lines that are not shown here.
#
# PFCTL_RULES: pf ruleset file that the sanity checks further down inspect.
# PFCTL_TABLE: pf table that addresses are added to or deleted from
#              (used as "-t $PFCTL_TABLE -T add|delete" below).
8 PFCTL_RULES="/etc/pf.conf"
9 PFCTL_TABLE="ossec_fwtable"
17 # Getting pf rules file.
# Reports a missing ruleset file. Whatever follows the message (and the
# closing fi) is not shown in this listing.
# NOTE(review): $PFCTL_RULES is unquoted inside [ ]; that is harmless for the
# fixed path assigned above, but it should be quoted if the path ever becomes
# configurable.
18 if [ ! -f $PFCTL_RULES ]; then
19 echo "The pf rules file $PFCTL_RULES does not exist"
23 # Checking if ossec table is configured
# CHECKTABLE receives every ruleset line that matches the table name; an
# empty result is reported as "table does not exist".
# NOTE(review): GREP is assigned outside the visible lines; assuming it is
# grep, this is a plain pattern match on the file text. A commented-out line
# or a longer name containing "ossec_fwtable" satisfies it too, so a pass
# here does not prove that the table is defined or that a block rule
# referencing it is loaded. Both expansions are also unquoted.
24 CHECKTABLE=`cat ${PFCTL_RULES} | $GREP $PFCTL_TABLE`
25 if [ -z "$CHECKTABLE" ]; then
26 echo "Table $PFCTL_TABLE does not exist"
# Invocation record: appends the date, the script path and the first five
# positional arguments to the active-response log.
# NOTE(review): the log path is built from ${PWD}, so it depends on the
# directory the script is started from - confirm the caller sets it. The
# arguments are written as received, before any validation visible here.
35 echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
# Usage message when IP is empty. IP is assigned on a line that is not shown;
# the usage string suggests it is the third argument - TODO confirm.
# NOTE(review): emptiness is the only check on IP visible in this excerpt.
# Its format is not validated here before it is placed into the pfctl
# argument string further down.
38 if [ "x${IP}" = "x" ]; then
39 echo "$0: <action> <username> <ip>"
# Only "add" and "delete" are accepted; anything else is reported on stdout
# and appended to ossec-hids-responses.log. The "x" prefix keeps the test
# well-formed when ACTION is empty or begins with "-".
# NOTE(review): "-a" inside [ ] is marked obsolescent by POSIX; two [ ] tests
# joined with && are the unambiguous form. This error log lives directly in
# ${PWD}, a different file from the invocation log above.
44 if [ "x${ACTION}" != "xadd" -a "x${ACTION}" != "xdelete" ]; then
45 echo "$0: invalid action: ${ACTION}"
46 echo "$0: invalid action: ${ACTION}" >> ${PWD}/ossec-hids-responses.log
50 # OpenBSD and FreeBSD pf
# Platform gate: the pf branch is taken when UNAME is OpenBSD, FreeBSD or
# Darwin (the comment above omits Darwin). UNAME is assigned outside the
# visible lines. "-o" inside [ ] is obsolescent in POSIX, like "-a".
51 if [ "X${UNAME}" = "XOpenBSD" -o "X${UNAME}" = "XFreeBSD" -o "X${UNAME}" = "XDarwin" ]; then
53 # Checking if pfctl is present
# Existence probe for the pfctl binary with all output discarded. The test of
# its exit status is not shown in this listing; the two messages below are
# what gets reported. PFCTL is assigned outside the visible lines.
54 ls ${PFCTL} > /dev/null 2>&1
56 echo "$0: PF not configured."
57 echo "$0: PF not configured." >> ${PWD}/ossec-hids-responses.log
61 # Checking if we have pf config file
62 if [ -e ${PFCTL_RULES} ]; then
64 #Checking if we got the table to add the bad guys
# PFCTL_TABLE is a non-empty literal at the top of the file, so this guard
# only fires if that assignment is edited or overridden on a line not shown.
65 if [ "x${PFCTL_TABLE}" = "x" ]; then
66 echo "$0: PF not configured."
67 echo "$0: PF not configured." >> ${PWD}/ossec-hids-responses.log
# Build the pfctl table operation as one string: "-T add" for ACTION=add,
# "-T delete" in the other branch (the else line itself is not shown).
# NOTE(review): ARG1 is expanded unquoted when pfctl is run, so the shell
# word-splits it into arguments. Whitespace or glob characters inside IP
# would therefore become extra pfctl arguments. Checking that IP is a single
# IPv4/IPv6 literal before this point, and passing the values as separately
# quoted words ("-t" "$PFCTL_TABLE" "-T" "add" "$IP"), removes that
# dependence on the caller.
70 if [ "x${ACTION}" = "xadd" ]; then
71 ARG1="-t $PFCTL_TABLE -T add ${IP}"
74 ARG1="-t $PFCTL_TABLE -T delete ${IP}"
# Run pfctl twice, once per argument string. ARG2 is assigned on a line that
# is not shown.
# NOTE(review): stdout and stderr go to /dev/null and no exit-status check is
# visible, so a failed table update leaves no trace from these lines; the
# only record is the invocation line written at the start of the script.
# "pfctl -t ossec_fwtable -T show" lists the table and can be used to confirm
# that an add or delete actually took effect.
82 ${PFCTL} ${ARG1} > /dev/null 2>&1
83 ${PFCTL} ${ARG2} > /dev/null 2>&1