48 lines
1.5 KiB
Bash
48 lines
1.5 KiB
Bash
|
#!/bin/bash
|
||
|
|
|
||
|
|
# Path to Snort's alert log (snort.alert.fast)
|
||
|
|
SNORT_LOG="/var/log/snort/snort.alert.fast"
|
||
|
|
|
||
|
|
# Path to store blocked IPs (to avoid duplicates)
|
||
|
|
BLOCKED_IPS="/tmp/blocked_ips.txt"
|
||
|
|
|
||
|
|
# Function to block an IP using iptables
|
||
|
|
block_ip() {
|
||
|
|
local ip=$1
|
||
|
|
|
||
|
|
# Check if IP is already blocked
|
||
|
|
if ! grep -q "$ip" "$BLOCKED_IPS"; then
|
||
|
|
# Add IP to iptables block list
|
||
|
|
sudo iptables -I INPUT -s "$ip" -j DROP
|
||
|
|
|
||
|
|
# Log the blocked IP in the blocked_ips file
|
||
|
|
echo "$ip" >> "$BLOCKED_IPS"
|
||
|
|
echo "Blocked IP: $ip"
|
||
|
|
fi
|
||
|
|
}
|
||
|
|
|
||
|
|
# Ensure the blocked_ips.txt file exists and is writable
|
||
|
|
if [ ! -f "$BLOCKED_IPS" ]; then
|
||
|
|
sudo touch "$BLOCKED_IPS"
|
||
|
|
sudo chmod 666 "$BLOCKED_IPS"
|
||
|
|
fi
|
||
|
|
|
||
|
|
# Monitor the snort.alert.fast file for new malicious IPs
|
||
|
|
tail -F "$SNORT_LOG" | while read line; do
|
||
|
|
# Debug: Output the full line from Snort log
|
||
|
|
echo "Processing: $line"
|
||
|
|
|
||
|
|
# Extract source and destination IP addresses from Snort logs
|
||
|
|
if echo "$line" | grep -q "ICMP PING NMAP"; then
|
||
|
|
# Extract source IP (before "->")
|
||
|
|
ip=$(echo "$line" | awk -F' -> ' '{print $1}' | awk '{print $NF}')
|
||
|
|
echo "Found Source IP: $ip" # Debug: Show the IP being extracted
|
||
|
|
block_ip "$ip"
|
||
|
|
elif echo "$line" | grep -q "EXPLOIT"; then
|
||
|
|
# Extract source IP (before "->")
|
||
|
|
ip=$(echo "$line" | awk -F' -> ' '{print $1}' | awk '{print $NF}')
|
||
|
|
echo "Found Source IP: $ip" # Debug: Show the IP being extracted
|
||
|
|
block_ip "$ip"
|
||
|
|
fi
|
||
|
|
done
|