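#!/usr/bin/perl
#
# OSSEC Perl script to populate suspicious IP addresses in a
# temporary MySQL table
#
# History
# -------
# 2011/02/01  xavier at rooshell dot be  Created
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
#
use strict;
use warnings;
use DBI;
use LWP::UserAgent;
use Crypt::SSLeay;

# URLs publishing lists of suspicious IP addresses.
# This list was grabbed from http://code.google.com/p/arcosi/
# Feel free to add yours!
my @URLS = (
    "http://www.mtc.sri.com/live_data/attackers/",
    "http://isc.sans.edu/reports.html",
    "http://www.projecthoneypot.org/list_of_ips.php",
    "https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist",
    "https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist",
);

# Fix for your MySQL environment
my $dbName = "ossec";
my $dbUser = "ossecuser";
my $dbPass = "xxxxxxxx";

# One dotted-quad octet, 0-255. The original pattern required at least two
# digits per octet and therefore silently skipped addresses such as 1.2.3.4.
my $octet_re = qr/(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/;

# A complete IPv4 address. The \b anchors stop a longer digit run
# (e.g. "1234.5.6.7") from being truncated into a bogus "234.5.6.7" match.
my $ipv4_re = qr/\b($octet_re(?:\.$octet_re){3})\b/;

my $dbh = DBI->connect("DBI:mysql:$dbName", $dbUser, $dbPass)
    or die "Could not connect to database: $DBI::errstr";
print STDERR "Connection to MySQL DB...\n";

# Statements are prepared once with bind placeholders instead of being
# rebuilt per address by string concatenation. The regex already limits an
# address to digits and dots, but the feed URL is written to the table too,
# and placeholders keep any future change to the URL list or the pattern from
# turning into SQL injection.
my $select_sth = $dbh->prepare('SELECT ip FROM suspicious_ip WHERE ip = ?')
    or die "Cannot prepare SELECT: $DBI::errstr";
my $insert_sth = $dbh->prepare(
    'INSERT INTO suspicious_ip VALUES (?, NOW(), NOW() + INTERVAL 5 DAY, ?)')
    or die "Cannot prepare INSERT: $DBI::errstr";

# NOTE(review): the two HTTPS feeds are fetched with whatever certificate
# verification this LWP / Crypt::SSLeay combination performs by default —
# confirm it for the installed versions, since a tampered feed would place
# attacker-chosen addresses into a table OSSEC acts on.
my $userAgent = LWP::UserAgent->new;
$userAgent->timeout(30);

# Main loop: fetch every feed, extract IPv4 addresses, store the new ones.
URL:
for my $url (@URLS) {
    print STDERR "Fetching IPs from $url ...\n";
    my $response = $userAgent->get($url);
    if (!$response->is_success) {
        print STDERR "Cannot fetch URL $url. Error: "
            . $response->status_line . "\n";
        next URL;
    }

    my $htmlData = $response->decoded_content;
    if (!defined $htmlData) {
        print STDERR "Cannot decode content of URL $url.\n";
        next URL;
    }

    # Feeds frequently repeat an address; querying it once per page is enough.
    my %seen;
    while ($htmlData =~ /$ipv4_re/g) {
        my $ipAddr = $1;
        next if $seen{$ipAddr}++;

        if (!$select_sth->execute($ipAddr)) {
            print STDERR "Cannot look up IP address $ipAddr: $DBI::errstr\n";
            next;
        }
        my $row = $select_sth->fetchrow_hashref();
        $select_sth->finish();
        next if $row && $row->{ip};

        if (!$insert_sth->execute($ipAddr, $url)) {
            print STDERR "Cannot insert new IP address $ipAddr: $DBI::errstr\n";
        }
    }
}

# Performing cleanup (expired IP addresses)
$dbh->do('DELETE FROM suspicious_ip WHERE date_expire < NOW()')
    or print STDERR "Cannot delete expired IP addresses: $DBI::errstr\n";

# Display some statistics. selectrow_array returns an empty list on failure,
# where the original dereferenced an undef fetch result and died.
my ($count) = $dbh->selectrow_array('SELECT COUNT(ip) FROM suspicious_ip');
$count = 0 unless defined $count;
print STDERR "$count IP addresses in the database.\n";

$dbh->disconnect();
# Eof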