X-Git-Url: http://ftp.carnet.hr/pub/carnet-debian/scm?a=blobdiff_plain;f=debian%2Fossec-hids%2Fusr%2Fshare%2Fdoc%2Fossec-hids%2Fcontrib%2Factive-list.pl;fp=debian%2Fossec-hids%2Fusr%2Fshare%2Fdoc%2Fossec-hids%2Fcontrib%2Factive-list.pl;h=01f2c657e59a8d5020cf87cd7c1d19c385015fb0;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hp=0000000000000000000000000000000000000000;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b;p=ossec-hids.git diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/active-list.pl b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/active-list.pl new file mode 100644 index 0000000..01f2c65 --- /dev/null +++ b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/active-list.pl @@ -0,0 +1,103 @@ +#!/usr/bin/perl +# +# OSSEC active-response script to store a suspicious IP address in a MySQL table. +# +# Available actions are: +# 'add' - Create a new record in the MySQL DB +# 'delete' - Remove a existing record +# +# History +# ------- +# 2010/10/24 xavir@rootshell.be Created +# + +use strict; +use warnings; +use DBI; +use Regexp::IPv6 qw($IPv6_re); + +# ----------------------- +# DB access configuration +# ----------------------- +my $db_name = 'ossec_active_lists'; +my $db_user = 'suspicious'; +my $db_pass = 'xxxxxxxxxx'; + +my ($second, $minute, $hour, $dayOfMonth, $month, $yearOffset, $dayOfWeek, $dayOfYear, $daylightSavings) = localtime(); +my $theTime = sprintf("%d-%02d-%02d %02d:%02d:%02d", + $yearOffset+1900, $month+1, $dayOfMonth, $hour, $minute, $second); + +my $nArgs = $#ARGV + 1; +if ($nArgs != 5) { + print STDERR "Usage: active-list.pl \n"; + exit 1; +} + +my $action = $ARGV[0]; +my $ipAddr = $ARGV[2]; +my $alertId = $ARGV[3]; +my $ruleId = $ARGV[4]; + +if ($action ne "add" && $action ne "delete") { + WriteLog("Invalid action: $action\n"); + exit 1; +} + +if ($ipAddr =~ m/^(\d\d?\d?)\.(\d\d?\d?)\.(\d\d?\d?)\.(\d\d?\d?)/) { + if ($1 > 255 || $2 > 255 || $3 > 255 || $4 > 255) { + WriteLog("Invalid IP address: $ipAddr\n"); + exit 1; + } +} +else if ($ipAddr =~ m/^$IPv6_re/) { +} +else { + WriteLog("Invalid IP address: $ipAddr\n"); +} + +WriteLog("active-list.pl $action $ipAddr $alertId $ruleId\n"); + +my $dbh = DBI->connect('DBI:mysql:' . $db_name, $db_user, $db_pass) || \ + die "Could not connect to database: $DBI::errstr"; + +if ( $action eq "add" ) { + my $sth = $dbh->prepare('SELECT ip FROM ip_addresses WHERE ip = "' . $ipAddr . '"'); + $sth->execute(); + my $result = $sth->fetchrow_hashref(); + if (!$result->{ip}) { + $sth = $dbh->prepare('INSERT INTO ip_addresses VALUES ("' . $ipAddr . '","'. $theTime . '",' . $alertId . ',' . $ruleId . ',"Added by suspicious-ip Perl Script")'); + if (!$sth->execute) { + WriteLog("Cannot insert new IP address: $DBI::errstr\n"); + } + } + else { + $sth = $dbh->prepare('UPDATE ip_addresses SET timestamp = "' . $theTime . '", alertid = ' . $alertId . ', ruleid = ' . $ruleId . ' WHERE ip = "' . $ipAddr . '"'); + if (!$sth->execute) { + WriteLog("Cannot update IP address: $DBI::errstr\n"); + } + } +} +else { + my $sth = $dbh->prepare('DELETE FROM ip_addresses WHERE ip = "' . $ipAddr . '"'); + if (!$sth->execute) { + WriteLog("Cannot remove IP address: $DBI::errstr\n"); + } +} + +$dbh->disconnect; +exit 0; + +sub WriteLog +{ + if ( $_[0] eq "" ) { return; } + + my $pwd = `pwd`; + chomp($pwd); + my $date = `date`; + chomp($date); + + open(LOGH, ">>" . $pwd . "/../active-responses.log") || die "Cannot open log file."; + print LOGH $date . " " . $_[0]; + close(LOGH); + return; +}