forked from wazuh/wazuh
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathactive-list.pl
100 lines (86 loc) · 2.59 KB
/
active-list.pl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
#!/usr/bin/perl
#
# OSSEC active-response script to store a suspicious IP address in a MySQL table.
#
# Available actions are:
# 'add' - Create a new record in the MySQL DB
# 'delete' - Remove a existing record
#
# History
# -------
# 2010/10/24 [email protected] Created
#
use strict;
use warnings;
use DBI;
# -----------------------
# DB access configuration
# -----------------------
my $db_name = 'ossec_active_lists';
my $db_user = 'suspicious';
my $db_pass = 'xxxxxxxxxx';
my ($second, $minute, $hour, $dayOfMonth, $month, $yearOffset, $dayOfWeek, $dayOfYear, $daylightSavings) = localtime();
my $theTime = sprintf("%d-%02d-%02d %02d:%02d:%02d",
$yearOffset+1900, $month+1, $dayOfMonth, $hour, $minute, $second);
my $nArgs = $#ARGV + 1;
if ($nArgs != 5) {
print STDERR "Usage: active-list.pl <action> <username> <ip>\n";
exit 1;
}
my $action = $ARGV[0];
my $ipAddr = $ARGV[2];
my $alertId = $ARGV[3];
my $ruleId = $ARGV[4];
if ($action ne "add" && $action ne "delete") {
WriteLog("Invalid action: $action\n");
exit 1;
}
if ($ipAddr =~ m/^(\d\d?\d?)\.(\d\d?\d?)\.(\d\d?\d?)\.(\d\d?\d?)/) {
if ($1 > 255 || $2 > 255 || $3 > 255 || $4 > 255) {
WriteLog("Invalid IP address: $ipAddr\n");
exit 1;
}
}
else {
WriteLog("Invalid IP address: $ipAddr\n");
}
WriteLog("active-list.pl $action $ipAddr $alertId $ruleId\n");
my $dbh = DBI->connect('DBI:mysql:' . $db_name, $db_user, $db_pass) || \
die "Could not connect to database: $DBI::errstr";
if ( $action eq "add" ) {
my $sth = $dbh->prepare('SELECT ip FROM ip_addresses WHERE ip = "' . $ipAddr . '"');
$sth->execute();
my $result = $sth->fetchrow_hashref();
if (!$result->{ip}) {
$sth = $dbh->prepare('INSERT INTO ip_addresses VALUES ("' . $ipAddr . '","'. $theTime . '",' . $alertId . ',' . $ruleId . ',"Added by suspicious-ip Perl Script")');
if (!$sth->execute) {
WriteLog("Cannot insert new IP address: $DBI::errstr\n");
}
}
else {
$sth = $dbh->prepare('UPDATE ip_addresses SET timestamp = "' . $theTime . '", alertid = ' . $alertId . ', ruleid = ' . $ruleId . ' WHERE ip = "' . $ipAddr . '"');
if (!$sth->execute) {
WriteLog("Cannot update IP address: $DBI::errstr\n");
}
}
}
else {
my $sth = $dbh->prepare('DELETE FROM ip_addresses WHERE ip = "' . $ipAddr . '"');
if (!$sth->execute) {
WriteLog("Cannot remove IP address: $DBI::errstr\n");
}
}
$dbh->disconnect;
exit 0;
sub WriteLog
{
if ( $_[0] eq "" ) { return; }
my $pwd = `pwd`;
chomp($pwd);
my $date = `date`;
chomp($date);
open(LOGH, ">>" . $pwd . "/../active-responses.log") || die "Cannot open log file.";
print LOGH $date . " " . $_[0];
close(LOGH);
return;
}