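#!/bin/bash
#
# Follow Snort's fast-alert log and DROP the source address of selected alerts.
#
# Usage: run as a user that can invoke `sudo iptables` non-interactively.
# Env:   SNORT_LOG   - Snort fast-alert log to follow
#        BLOCKED_IPS - state file of addresses already blocked
#
# Risk to keep in mind: the source address of an ICMP/scan alert can be
# spoofed, so unconditional auto-blocking lets a remote party get arbitrary
# hosts blocked. Keep the trigger list narrow and add an allow-list for
# infrastructure addresses before depending on this in production.

set -u -o pipefail

# Path to Snort's alert log (snort.alert.fast); overridable via environment.
SNORT_LOG="${SNORT_LOG:-/var/log/snort/snort.alert.fast}"
# State file of already-blocked addresses (avoids duplicate rules).
# /tmp is shared and cleared on reboot; the file is created 0600 below so
# other local users cannot seed or edit it.
BLOCKED_IPS="${BLOCKED_IPS:-/tmp/blocked_ips.txt}"

# Alert-message substrings that trigger a block (matched literally).
TRIGGERS=("ICMP PING NMAP" "EXPLOIT")

#######################################
# Extract the IPv4 source address from one Snort fast-alert line.
# The address is the last word before " -> ", with any trailing :port removed.
# Arguments: $1 - one log line
# Outputs:   the address on stdout when found
# Returns:   0 if an address was printed, 1 otherwise
#######################################
extract_src_ip() {
  local line=$1
  local left src
  local -r ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
  # Text before the first " -> " ends with the source endpoint.
  left=${line%% -> *}
  [[ "$left" != "$line" ]] || return 1
  src=${left##* }
  # TCP/UDP alerts carry "addr:port"; ICMP alerts carry a bare address.
  src=${src%%:*}
  # Only a dotted quad is accepted; anything else is refused rather than
  # being handed to iptables unchecked.
  [[ "$src" =~ $ipv4_re ]] || return 1
  printf '%s\n' "$src"
}

#######################################
# Block an address with iptables unless it is already recorded.
# Globals:   BLOCKED_IPS (read, appended)
# Arguments: $1 - IPv4 address
# Outputs:   progress on stdout, errors on stderr
# Returns:   0 if blocked or already blocked, 1 if iptables failed
#######################################
block_ip() {
  local ip=$1
  # Whole-line, fixed-string match: an unanchored regex grep treats '.' as a
  # wildcard and lets 10.0.0.1 match an existing 10.0.0.10 entry.
  if grep -qxF -- "$ip" "$BLOCKED_IPS"; then
    return 0
  fi
  # Record the address only after the rule is in place, so a failed insert
  # is retried on the next matching alert.
  if ! sudo iptables -I INPUT -s "$ip" -j DROP; then
    printf 'iptables failed for %s\n' "$ip" >&2
    return 1
  fi
  printf '%s\n' "$ip" >> "$BLOCKED_IPS"
  echo "Blocked IP: $ip"
}

# Create the state file if missing. It is created by this process (no sudo)
# so the identity that appends to it also owns it; umask 077 yields 0600
# instead of the world-writable 0666 a shared /tmp path should never have.
if [ ! -f "$BLOCKED_IPS" ]; then
  (umask 077 && : >> "$BLOCKED_IPS") || {
    printf 'cannot create %s\n' "$BLOCKED_IPS" >&2
    exit 1
  }
fi

# Follow the log (-F survives rotation). The loop body runs in the pipeline's
# subshell, so variables set inside it are not visible after the loop.
tail -F -- "$SNORT_LOG" | while IFS= read -r line; do
  # Debug: show the full line being processed
  echo "Processing: $line"
  hit=0
  for trigger in "${TRIGGERS[@]}"; do
    if [[ "$line" == *"$trigger"* ]]; then
      hit=1
      break
    fi
  done
  (( hit )) || continue
  if ip=$(extract_src_ip "$line"); then
    echo "Found Source IP: $ip"  # Debug: show the extracted address
    block_ip "$ip"
  else
    printf 'no usable IPv4 source address in: %s\n' "$line" >&2
  fi
done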