add OSSEC active response script

2015-01-07 10:29:52 +00:00 · 2015-01-07 10:29:52 +00:00 · f672ccfc60
commit f672ccfc60
parent 1d865b2111
1 changed files with 40 additions and 0 deletions
--- a/ipset-drop.sh
+++ b/ipset-drop.sh
@ -0,0 +1,40 @@
+#!/bin/sh
+
+# Block an IP using Linux ipset - utility script for OSSEC active response
+# Expect: srcip
+# Author: Pawel Krawczyk
+# Last modified: 31 Dec 2014
+
+ACTION=$1
+USER=$2
+IP=$3
+
+LOCAL=$(dirname $0);
+cd $LOCAL
+cd ../
+PWD=$(pwd)
+IPSET=$(which ipset)
+BLACKLIST=manual-blacklist
+
+# Logging the call
+echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
+
+
+# IP Address must be provided
+if [ "x${IP}" = "x" ]; then
+   echo "$0: Missing argument <action> <user> (ip)"
+   exit 1;
+fi
+
+# Use ipset to handle the IP 
+if [ "x${ACTION}" = "xadd" ]; then
+    ${IPSET} -! add ${BLACKLIST} ${IP}
+elif [ "x${ACTION}" = "xdelete" ]; then
+    ${IPSET} -! del ${BLACKLIST} ${IP}
+
+# Invalid action
+else
+   echo "$0: invalid action: ${ACTION}"
+fi
+
+exit 1;