From f672ccfc60bdd5c4124adc8aeb40c6f440113110 Mon Sep 17 00:00:00 2001
From: Pawel Krawczyk
Date: Wed, 7 Jan 2015 10:29:52 +0000
Subject: [PATCH] add OSSEC active response script
---
 ipset-drop.sh | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100755 ipset-drop.sh
diff --git a/ipset-drop.sh b/ipset-drop.sh
new file mode 100755
index 0000000..43acbc1
--- /dev/null
+++ b/ipset-drop.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+# Block an IP using Linux ipset - utility script for OSSEC active response
+# Expect: srcip
+# Author: Pawel Krawczyk
+# Last modified: 31 Dec 2014
+
+ACTION=$1
+USER=$2
+IP=$3
+
+LOCAL=$(dirname $0);
+cd $LOCAL
+cd ../
+PWD=$(pwd)
+IPSET=$(which ipset)
+BLACKLIST=manual-blacklist
+
+# Logging the call
+echo "`date` $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
+
+
+# IP Address must be provided
+if [ "x${IP}" = "x" ]; then
+ echo "$0: Missing argument (ip)"
+ exit 1;
+fi
+
+# Use ipset to handle the IP
+if [ "x${ACTION}" = "xadd" ]; then
+ ${IPSET} -! add ${BLACKLIST} ${IP}
+elif [ "x${ACTION}" = "xdelete" ]; then
+ ${IPSET} -! del ${BLACKLIST} ${IP}
+
+# Invalid action
+else
+ echo "$0: invalid action: ${ACTION}"
+fi
+
+exit 1;
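Review bot: `IP=$3` is only checked for being non-empty before it reaches `${IPSET} -! add ${BLACKLIST} ${IP}`, and it is expanded unquoted; since this value originates from the alert's srcip, which is parsed out of log data, a malformed value could be word-split into extra ipset arguments or carry a CIDR suffix that blocks far more than one host. A syntactic check before the action dispatch, such as `case "${IP}" in ""|*[!0-9A-Fa-f.:]*) echo "$0: invalid ip: ${IP}" >&2; exit 1 ;; esac`, plus quoting `"${BLACKLIST}" "${IP}"` in both ipset calls, limits the response to a single address. `IPSET=$(which ipset)` is never checked, so a missing binary turns the add into `-! add …` and fails with a confusing "command not found"; `[ -x "${IPSET}" ] || exit 1` after the assignment would make that explicit. The ipset exit status is also not checked and the script ends with `exit 1` on every path, so a successful block is indistinguishable from a failure to the caller; ending with `exit $?` after the ipset call or `exit 0` on success would fix that. Diagnostics in the `Missing argument` and `invalid action` branches go to stdout rather than stderr.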