Hi Josh
Sure - no problem. It goes like this:
ipfw_mac.sh
###########################
#!/bin/sh
# Adds an IP to the IPFW drop list.
# Only works with IPFW.
# Expect: srcip
# Author: Rafael Capovilla - under @ ( at ) underlinux.com.br
# Author: Daniel B. Cid - dcid @ ( at ) ossec.net
# Author: Charles W. Kefauver ckefauver @ ( at ) ibacom.es
# changed for Mac OS X compatibility
# Last modified: August 14, 2006

UNAME=`uname`
IPFW="/sbin/ipfw"
ARG1=""
ARG2=""
ACTION=$1
USER=$2
IP=$3
# warning: do NOT add a leading 0 in SET_ID
SET_ID=2

LOCAL=`dirname $0`;
cd $LOCAL
cd ../
PWD=`pwd`
echo "`date` $0 $1 $2 $3" >> ${PWD}/ossec-hids-responses.log

# Checking for an IP
if [ "x${IP}" = "x" ]; then
    echo "$0: <action> <username> <ip>"
    exit 1;
fi

# Blocking IP
if [ "x${ACTION}" != "xadd" -a "x${ACTION}" != "xdelete" ]; then
    echo "$0: invalid action: ${ACTION}"
    exit 1;
fi

# We should run on Darwin
if [ "X${UNAME}" = "XDarwin" ]; then
    ls ${IPFW} >> /dev/null 2>&1
    if [ $? != 0 ]; then
        exit 0;
    fi

    # Executing and exiting
    if [ "x${ACTION}" = "xadd" ]; then
        #${IPFW} set disable ${SET_ID}
        ${IPFW} -q add set ${SET_ID} deny ip from ${IP} to any
        ${IPFW} -q add set ${SET_ID} deny ip from any to ${IP}
        ${IPFW} -q set enable ${SET_ID}
        exit 0;
    fi

    if [ "x${ACTION}" = "xdelete" ]; then
        #${IPFW} -S show | grep "set ${SET_ID}" | grep "${IP}" >/dev/null 2>&1
        # get the list of ipfw rule IDs to delete
        RULES_TO_DELETE=`${IPFW} -S show | grep "set ${SET_ID}" | grep "${IP}" | awk '{print $1}'`
        for RULE_ID in ${RULES_TO_DELETE}
        do
            ${IPFW} -q delete ${RULE_ID}
        done
        exit 0;
    fi

    exit 0;
fi

# Not Darwin
exit 1;
#############################
The script was included in the ossec-source, but I might have
overwritten it at a later point with the original version posted in a
thread on the mailing-list.
Thanks,
/ Lars
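A hardened variant of the same logic, added here as an example and not code from the thread or from OSSEC: it validates the srcip argument that active response hands over before building the identical deny rule pair in set 2, and selects rules for deletion by exact IP so that removing 10.0.0.1 cannot also drop 10.0.0.10. The ipfw path, the set number and the DRY_RUN variable are assumptions.

```shell
#!/bin/sh
# Added example (not the ipfw_mac.sh from the thread): check the arguments an
# OSSEC active-response call passes (action, user, srcip) before anything
# reaches ipfw, so a malformed srcip taken from an alert cannot become a bad rule.
IPFW=/sbin/ipfw   # assumption: same binary as the posted script
SET_ID=2          # assumption: same set number as the posted script

# valid_ipv4 ADDR: returns 0 only for a dotted quad whose octets are 0-255
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;            # digits and dots only
    esac
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs  # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ipfw_rules ACTION IP: prints the ipfw command lines for the action, one per line
ipfw_rules() {
    case "$1" in
        add)
            echo "$IPFW -q add set $SET_ID deny ip from $2 to any"
            echo "$IPFW -q add set $SET_ID deny ip from any to $2"
            echo "$IPFW -q set enable $SET_ID" ;;
        delete)
            # rule numbers are only known at run time: select them from the
            # listing by set and by whole-word IP (grep -w, so 10.0.0.1 does
            # not also match 10.0.0.10)
            $IPFW -S show 2>/dev/null | grep "set $SET_ID" | grep -Fw "$2" |
                awk -v ipfw="$IPFW" '{print ipfw " -q delete " $1}' ;;
        *) return 1 ;;
    esac
}

# respond ACTION USER IP: validate, then run the rules (or only print them
# when DRY_RUN=1, which is handy on a box without ipfw); USER is unused here
respond() {
    case "$1" in add|delete) ;; *) echo "invalid action: $1" >&2; return 1 ;; esac
    valid_ipv4 "$3" || { echo "refusing non-IPv4 srcip: $3" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = 1 ]; then ipfw_rules "$1" "$3"; else ipfw_rules "$1" "$3" | sh; fi
}
```

Run as `DRY_RUN=1 sh -c '. ./this.sh; respond add ossec 10.0.0.5'` to see the three ipfw lines without touching the firewall.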
On 13/02/2007 at 16.51, Joshua Gimer wrote:
Lars
Could you please attach the contents of ipfw_mac.sh? I do not know
how it is supposed to work in MacOS, and would be curious as to what
it is doing.
Thanks
Josh
On 2/13/07, Lars Skovgaard <[EMAIL PROTECTED]> wrote:
Hi guys,
I'm running ossec on my MacOS X (10.4.8) based box, and have tried to
enable active response by way of the supplied script ipfw_mac.sh, but
so far without any luck.
The script is placed in /var/ossec/active-response/bin/ and has the
following permissions:
-rwxr-xr-x 1 root ossec 1604 Feb 7 10:06 ipfw_mac.sh
I might add that the rest of ossec seems to run just fine, and I
receive alerts by email when something's wrong – the only thing not
working is active response.
If anyone has succeeded in setting up ossec with active response on a
Mac, I would be extremely grateful for your help. Any suggestions are
welcome.
/Lars
--
Thx
Joshua Gimer