Hi,

I did some modifications on the pf.sh script for active-response.

1. On OpenBSD you never edit rc.conf; the old script does not work
with the new config style on OpenBSD with rc.conf.local.

2. If OSSEC adds an IP for blocking, it also runs a pfctl -k ip
to kill possibly existing states.

For the rest, see the diff.

Holger

sysanga:/var/ossec/active-response/bin# diff pf.sh pf.sh_new
4c4
<
---
> # last edit 27.12.2011 by holger glaess
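Review bot: a "last edit" date/author line in the script header goes stale with the next change and duplicates what the change log (or this mailing-list posting) already records; I would drop this hunk and keep attribution out of the file.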
14a15,23
> # Getting pf rules file from rc.conf.local .
> if [ -f /etc/rc.conf.local ] ; then
> PFCTL_RULES=`${GREP} pf_rules /etc/rc.conf.local | awk -F"=" '{print $2}' | awk '{print $1}' | awk -F"\"" '{print $1 $2}'`
>   if [ "X${PFCTL_RULES}" = "X" ]; then
>     PFCTL_RULES="/etc/pf.conf"
>   fi
> fi
>
>
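Review bot: the pattern in `${GREP} pf_rules /etc/rc.conf.local` is unanchored, so a commented-out `#pf_rules=...` line or any other line containing that string is matched as well, and with two matches PFCTL_RULES ends up as two paths run together; anchoring the pattern and taking only the first hit, e.g. `${GREP} '^pf_rules=' /etc/rc.conf.local | head -1 | awk -F"=" ...`, avoids that. Assuming the existing rc.conf lookup stays above this block, a value from rc.conf.local overrides it, which is the precedence OpenBSD documents for rc.conf.local; a one-line comment saying so would help the next reader. Minor: grep is called through `${GREP}` while `awk` is called by bare name; use one convention.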
38d46
<
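Review bot: this hunk and the ones that follow it (52a61, 61d69, 72a81, 73a83,84) only add or remove blank lines; whitespace-only changes make a small functional patch harder to review and should be left out or sent separately.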
52a61
>
61d69
<
72a81
>
73a83,84
>
>
79a91,95
>   # if an active state exist with given ip , delete state
>   if [ "x${ACTION}" = "xadd" ]; then
>        ${PFCTL} "-k ${IP}"
>   fi
>
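Review bot: the quoting in `${PFCTL} "-k ${IP}"` hands pfctl the option and the address as a single argument (`-k 1.2.3.4`, space included) instead of two, so the state kill will not behave as the comment says; it should be `${PFCTL} -k ${IP}`. Note also that per pfctl(8) a single `-k host` only kills states originating from that host; to also drop states where the blocked IP is the destination, run a second invocation with `${PFCTL} -k 0.0.0.0/0 -k ${IP}`, so that an already established connection in either direction is cut when the address is added to the table.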
