From 0f903ed3490fe868d28ece768f87475cae57d53a Mon Sep 17 00:00:00 2001
From: Midi12
Date: Tue, 25 Feb 2020 18:22:55 +0100
Subject: [PATCH 1/6] Added AWS WAF active response script
---
 active-response/ossec-aws-waf.sh | 79 ++++++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)
 create mode 100644 active-response/ossec-aws-waf.sh
diff --git a/active-response/ossec-aws-waf.sh b/active-response/ossec-aws-waf.sh
new file mode 100644
index 000000000..b763f035f
--- /dev/null
+++ b/active-response/ossec-aws-waf.sh
@@ -0,0 +1,79 @@
+#!/bin/sh
+# Adds an IP to an existing IPSet in AWS Web Application Firewall
+# Requirements: Linux with aws installed and configured
+# Expect: srcip
+# Author: Midi12
+# Last modified: Feb 25, 2020
+
+# Change this values
+IPSETID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" # target ip set identifier
+REGION="xx-xxxx-x" # target waf region
+IS_REGIONAL=1 # put 0 to use waf or 1 to use waf-regional
+
+# Setup
+if ! [ -x "$(command -v aws)" ]; then
+ echo "aws cli is not installed" >&2
+ exit 1;
+fi
+
+AWS=$(command -v aws)
+PWD=`pwd`
+LOCAL=`dirname $0`
+ACTION=$1
+IP=$2
+P_REGION=""
+P_IPTYPE=""
+P_ACTION=""
+P_CHGTKN=""
+P_RESP=""
+
+cd $LOCAL
+cd ../
+
+FILENAME=$(basename "$0")
+LOGFILE="${PWD}/../logs/active-responses.log"
+
+echo "`date` $0 $1 $2 $3 $4 $5" >> ${LOGFILE}
+
+# Check for an action
+if [ "x${ACTION}" = "x" ]; then
+ echo "$0: " >&2
+ exit 1;
+fi
+
+# Check for an IP
+if [ "x${IP}" = "x" ]; then
+ echo "$0: " >&2
+ exit 1;
+fi
+
+# Determining regional
+case "${IS_REGIONAL}" in
+ 0 ) P_REGION="waf";;
+ 1 ) P_REGION="waf-regional";;
+ * ) echo "`date` Unable to run active response (ill-formed parameter: IS_REGIONAL '${IS_REGIONAL}'" >> ${LOGFILE} && exit 1;;
+esac
+
+# Determining action
+case "${ACTION}" in
+ ADD|add ) P_ACTION="INSERT";;
+ DEL|del ) P_ACTION="DELETE";;
+ * ) echo "`date` Unable to run active response (ill-formed argument Action: '${ACTION}'" >> ${LOGFILE} && exit 1;;
+esac
+
+# Determining IP type
+case "${IP}" in
+ *:* ) P_IPTYPE="IPV6";;
+ *.* ) P_IPTYPE="IPV4";;
+ * ) echo "`date` Unable to run active response (ill-formed argument IP: '${IP}')" >> ${LOGFILE} && exit 1;;esac
+
+P_CHGTKN="$(${AWS} ${P_REGION} get-change-token --region ${REGION} --output text)"
+
+P_RESP="$(${AWS} ${P_REGION} update-ip-set --ip-set-id ${IPSETID} --change-token ${P_CHGTKN} --updates Action=\"${P_ACTION}\",IPSetDescriptor=\{Type="${P_IPTYPE}",Value="${IP}/32"\} --region $REGION --output text)"
+
+if [ "${P_RESP}" != "${P_CHGTKN}" ]; 
then
+ echo "`date` Failed to update waf ipset: '${P_ACTION} ${IP} ${P_RESP}'" >> ${LOGFILE}
+ exit 1;
+fi
+
+echo "Action ${ACTION} on IP ${IP} succeed"
\ No newline at end of file
From 1b83688fa127f44961716a5e5a57fa34984ae17f Mon Sep 17 00:00:00 2001
From: Midi12
Date: Tue, 25 Feb 2020 18:25:01 +0100
Subject: [PATCH 2/6] Added newline at end of ossec-aws-waf.sh
---
 active-response/ossec-aws-waf.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/active-response/ossec-aws-waf.sh b/active-response/ossec-aws-waf.sh
index b763f035f..a83785327 100644
--- a/active-response/ossec-aws-waf.sh
+++ b/active-response/ossec-aws-waf.sh
@@ -76,4 +76,5 @@ if [ "${P_RESP}" != "${P_CHGTKN}" ]; then
 exit 1;
 fi
-echo "Action ${ACTION} on IP ${IP} succeed"
\ No newline at end of file
+echo "Action ${ACTION} on IP ${IP} succeed"
+
From 77a849414e5c644572753071d748af0cccbc8685 Mon Sep 17 00:00:00 2001
From: Midi12
Date: Thu, 27 Feb 2020 09:45:35 +0100
Subject: [PATCH 3/6] Fixed prefix use for IPV6 type in ossec-aws-waf.sh active response
---
 active-response/ossec-aws-waf.sh | 27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)
diff --git a/active-response/ossec-aws-waf.sh b/active-response/ossec-aws-waf.sh
index a83785327..2495c2085 100644
--- a/active-response/ossec-aws-waf.sh
+++ b/active-response/ossec-aws-waf.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # Adds an IP to an existing IPSet in AWS Web Application Firewall
-# Requirements: Linux with aws installed and configured
+# Requirements: Linux with aws cli installed and configured (aws cli needs python)
 # Expect: srcip
 # Author: Midi12
 # Last modified: Feb 25, 2020 
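Review bot: A failed `get-change-token` call goes unnoticed: `P_CHGTKN` is taken from stdout without checking the exit status, so with missing credentials, a wrong region or a placeholder `IPSETID` both `P_CHGTKN` and `P_RESP` come back empty, the test `[ "${P_RESP}" != "${P_CHGTKN}" ]` is false, and the script logs and prints "succeed" although nothing was written to the IP set. Guard the token before it is used, e.g. `P_CHGTKN="$(${AWS} ${P_REGION} get-change-token --region ${REGION} --output text)" || exit 1` followed by `[ -n "${P_CHGTKN}" ] || exit 1`, and check the exit status of `update-ip-set` the same way. Only stdout is captured, so the CLI's own error text is lost; appending `2>> ${LOGFILE}` to both calls would make a denied or throttled request visible in active-responses.log. The same unchecked `P_RESP` line is rewritten in the third patch's hunk `@@ -51,25 +52,27 @@` on line 5, where the point applies unchanged.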
@@ -8,7 +8,7 @@
 # Change this values
 IPSETID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" # target ip set identifier
 REGION="xx-xxxx-x" # target waf region
-IS_REGIONAL=1 # put 0 to use waf or 1 to use waf-regional
+IS_REGIONAL=0 # put 0 to use waf (Cloudfront) or 1 to use waf-regional (eg. API Gateway regional endpoint)
 # Setup
 if ! [ -x "$(command -v aws)" ]; then
@@ -20,7 +20,8 @@ AWS=$(command -v aws)
 PWD=`pwd`
 LOCAL=`dirname $0`
 ACTION=$1
-IP=$2
+USER=$2
+IP=$3
 P_REGION=""
 P_IPTYPE=""
 P_ACTION="" 
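Review bot: `USER=$2` in the second hunk reuses the name of the environment variable that login sessions export; on the common sh implementations a variable inherited from the environment keeps its export attribute when reassigned, so the alert's user field would be handed to the `aws` child process as `USER`, and nothing visible in the patch series reads the variable. A script-local name with a comment, `AR_USER=$2 # user field of the active-response call, unused here`, avoids both the clobbering and the unexplained dead assignment. The assignment block continues outside the hunk.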
@@ -51,25 +52,27 @@ fi
 case "${IS_REGIONAL}" in
 0 ) P_REGION="waf";;
 1 ) P_REGION="waf-regional";;
- * ) echo "`date` Unable to run active response (ill-formed parameter: IS_REGIONAL '${IS_REGIONAL}'" >> ${LOGFILE} && exit 1;;
+ * ) echo "`date` Unable to run active response (invalid configuration parameter: IS_REGIONAL '${IS_REGIONAL}'" >> ${LOGFILE} && exit 1;;
 esac
 # Determining action
 case "${ACTION}" in
- ADD|add ) P_ACTION="INSERT";;
- DEL|del ) P_ACTION="DELETE";;
- * ) echo "`date` Unable to run active response (ill-formed argument Action: '${ACTION}'" >> ${LOGFILE} && exit 1;;
+ add ) P_ACTION="INSERT";;
+ delete ) P_ACTION="DELETE";;
+ * ) echo "`date` Unable to run active response (invalid argument Action: '${ACTION}'" >> ${LOGFILE} && exit 1;;
 esac
 # Determining IP type
 case "${IP}" in
- *:* ) P_IPTYPE="IPV6";;
- *.* ) P_IPTYPE="IPV4";;
- * ) echo "`date` Unable to run active response (ill-formed argument IP: '${IP}')" >> ${LOGFILE} && exit 1;;esac
+ *:* ) IP="${IP}/128" && P_IPTYPE="IPV6";;
+ *.* ) IP="${IP}/32" && P_IPTYPE="IPV4";;
+ * ) echo "`date` Unable to run active response (invalid argument IP: '${IP}')" >> ${LOGFILE} && exit 1;;
+esac
 P_CHGTKN="$(${AWS} ${P_REGION} get-change-token --region ${REGION} --output text)"
-P_RESP="$(${AWS} ${P_REGION} update-ip-set --ip-set-id ${IPSETID} --change-token ${P_CHGTKN} --updates Action=\"${P_ACTION}\",IPSetDescriptor=\{Type="${P_IPTYPE}",Value="${IP}/32"\} --region $REGION --output text)"
+P_RESP="$(${AWS} ${P_REGION} update-ip-set --ip-set-id ${IPSETID} --change-token ${P_CHGTKN} --updates Action=\"${P_ACTION}\",IPSetDescriptor=\{Type="${P_IPTYPE}",Value="${IP}"\} --region $REGION --output text)"
+
 if [ "${P_RESP}" != "${P_CHGTKN}" ]; then
 echo "`date` Failed to update waf ipset: '${P_ACTION} ${IP} ${P_RESP}'" >> ${LOGFILE} 
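Review bot: The new `*:*` and `*.*` arms only check that a colon or a dot is present before appending `/128` or `/32` and handing the value to `update-ip-set`; `srcip` is taken from the triggering alert, so a field that is not an address (a hostname, or a value containing commas or braces that might confuse the `--updates` shorthand syntax) reaches the AWS call and is only rejected there, if at all. A shape check inside each arm before the prefix is added keeps the script's own log authoritative, e.g. for the IPv4 arm `echo "${IP}" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || exit 1` and an equivalent hex-and-colon pattern for the IPv6 arm. As a point of style, `IP="${IP}/128" && P_IPTYPE="IPV6"` chains two plain assignments with `&&`, which reads as conditional; `IP="${IP}/128"; P_IPTYPE="IPV6"` says what is meant.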
@@ -77,4 +80,4 @@ if [ "${P_RESP}" != "${P_CHGTKN}" ]; then
 fi
 echo "Action ${ACTION} on IP ${IP} succeed"
-
+echo "`date` Action ${ACTION} on IP ${IP} succeed" >> ${LOGFILE}
\ No newline at end of file
From 323ce3216c5168aeda6411c324757b38fcaa47e1 Mon Sep 17 00:00:00 2001
From: Midi12
Date: Thu, 27 Feb 2020 09:47:41 +0100
Subject: [PATCH 4/6] Added newline ending in ossec-aws-waf.sh active response
---
 active-response/ossec-aws-waf.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/active-response/ossec-aws-waf.sh b/active-response/ossec-aws-waf.sh
index 2495c2085..0727f4104 100644
--- a/active-response/ossec-aws-waf.sh
+++ b/active-response/ossec-aws-waf.sh
@@ -80,4 +80,4 @@ if [ "${P_RESP}" != "${P_CHGTKN}" ]; then
 fi
 echo "Action ${ACTION} on IP ${IP} succeed"
-echo "`date` Action ${ACTION} on IP ${IP} succeed" >> ${LOGFILE}
\ No newline at end of file
+echo "`date` Action ${ACTION} on IP ${IP} succeed" >> ${LOGFILE}
From 3cd77a838f4e8f05fce4d9527b33881d00f82c96 Mon Sep 17 00:00:00 2001
From: Midi12
Date: Thu, 27 Feb 2020 09:51:01 +0100
Subject: [PATCH 5/6] Fixed command help on arguments error
---
 active-response/ossec-aws-waf.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/active-response/ossec-aws-waf.sh b/active-response/ossec-aws-waf.sh
index 0727f4104..f27193dfc 100644
--- a/active-response/ossec-aws-waf.sh
+++ b/active-response/ossec-aws-waf.sh
@@ -38,13 +38,13 @@ echo "`date` $0 $1 $2 $3 $4 $5" >> ${LOGFILE}
 # Check for an action
 if [ "x${ACTION}" = "x" ]; then
- echo "$0: " >&2
+ echo "$0: " >&2
 exit 1;
 fi
 # Check for an IP
 if [ "x${IP}" = "x" ]; then
- echo "$0: " >&2
+ echo "$0: " >&2
 exit 1;
 fi
@@ -79,5 +79,5 @@ if [ "${P_RESP}" != "${P_CHGTKN}" ]; then
 exit 1;
 fi
-echo "Action ${ACTION} on IP ${IP} succeed"
+echo "Action ${ACTION} on IP ${IP} succeed" >&2
 echo "`date` Action ${ACTION} on IP ${IP} succeed" >> ${LOGFILE}
From 3e6ffe3709bf58e3631e9ff7dc381fa2c4861f80 Mon Sep 17 00:00:00 2001 
From: Midi12
Date: Thu, 27 Feb 2020 17:24:19 +0100
Subject: [PATCH 6/6] Fix output log
---
 active-response/ossec-aws-waf.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/active-response/ossec-aws-waf.sh b/active-response/ossec-aws-waf.sh
index f27193dfc..f940dfd7a 100644
--- a/active-response/ossec-aws-waf.sh
+++ b/active-response/ossec-aws-waf.sh
@@ -79,5 +79,5 @@ if [ "${P_RESP}" != "${P_CHGTKN}" ]; then
 exit 1;
 fi
-echo "Action ${ACTION} on IP ${IP} succeed" >&2
+echo "Action ${ACTION} on IP ${IP} succeed" >&1
 echo "`date` Action ${ACTION} on IP ${IP} succeed" >> ${LOGFILE}
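Review bot: `>&1` on the success `echo` is a no-op, since the command's stdout is already file descriptor 1, so the added line differs from the form that the fifth patch replaced only by noise; `echo "Action ${ACTION} on IP ${IP} succeed"` says the same thing. If the intent was to decide deliberately between stdout and stderr for what the agent captures, a short comment stating that choice would spare the next reader from retracing the last two commits.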