/scripts/alcasar-bl-autoupdate.sh |
---|
20,8 → 20,8 |
DIR_IP_WL="$DIR_SHARE/iptables-wl" # IP ossi disabled WL |
CNC_BL_NAME="ossi-bl-candc" |
CNC_URL="https://osint.bambenekconsulting.com/feeds/" |
CNC_DNS_BL_URL=${CNC_URL}c2-dommasterlist-high.txt |
CNC_IP_BL_URL=${CNC_URL}c2-ipmasterlist-high.txt |
CNC_DNS=${CNC_URL}c2-dommasterlist-high.txt |
CNC_IP=${CNC_URL}c2-ipmasterlist-high.txt |
SED="/bin/sed -i" |
CURL="/usr/bin/curl" |
94,18 → 94,18 |
-update_ossi-bl-candc | --update_ossi-bl-candc) |
# check availability of the lists |
echo "Downloading blacklists from ${CNC_URL}..." |
STATUS_URL_BL=$(${CURL} --connect-timeout 5 --write-out %{http_code} --silent --output /dev/null ${CNC_DNS_BL_URL}) |
STATUS_IP_BL=$(${CURL} --connect-timeout 5 --write-out %{http_code} --silent --output /dev/null ${CNC_IP_BL_URL}) |
STATUS_DNS_BL=$(${CURL} --connect-timeout 5 --write-out %{http_code} --silent --output /dev/null ${CNC_DNS}) |
STATUS_IP_BL=$(${CURL} --connect-timeout 5 --write-out %{http_code} --silent --output /dev/null ${CNC_IP}) |
# if downloaded successfully |
if [ $STATUS_URL_BL = 200 ] && [ $STATUS_IP_BL = 200 ]; then |
if [ $STATUS_DNS_BL = 200 ] && [ $STATUS_IP_BL = 200 ]; then |
## parse domain names and ips from feed (cut first 19 lines (comments) and extract first column) |
CNC_URLS=$($CURL $CNC_DNS_BL_URL | tail -n +19 | awk -F, '{print $1}') |
CNC_IPS=$($CURL $CNC_IP_BL_URL | tail -n +19 | awk -F, '{print $1}') |
CNC_DOMAINS=$($CURL $CNC_DNS | tail -n +19 | awk -F, '{print $1}') |
CNC_IPS=$($CURL $CNC_IP | tail -n +19 | awk -F, '{print $1}') |
## create files and adapt downloaded data to alcasar structure (add newlines after each ip/domain) |
BL_DIR=${DIR_DG_BL}/${CNC_BL_NAME} |
rm -rf ${BL_DIR} |
mkdir $BL_DIR |
echo $CNC_URLS | tr " " "\n" > ${BL_DIR}/urls |
echo $CNC_DOMAINS | tr " " "\n" > ${BL_DIR}/urls |
echo $CNC_IPS | tr " " "\n" > ${BL_DIR}/domains |
## reload ossi-blacklists to add the created blacklist to ALCASAR |
echo "Download successfull." |
114,13 → 114,13 |
# if server responded with a code different than 200 |
else |
## 000 means that curl failed |
if [ $STATUS_URL_BL = 000 ] || [ $STATUS_IP_BL = 000 ]; then |
if [ $STATUS_DNS_BL = 000 ] || [ $STATUS_IP_BL = 000 ]; then |
echo "ERROR: curl could not access the internet to download blacklists." |
echo "This appears to be an error on your side: please check the connection to the internet." |
else |
echo "ERROR: could not donwload blacklists: Server returned non-200 codes:" |
echo "${CNC_DNS_BL_URL} returned ${STATUS_URL_BL}" |
echo "${CNC_IP_BL_URL} returned ${STATUS_IP_BL}" |
echo "${CNC_DNS} returned ${STATUS_DNS_BL}" |
echo "${CNC_IP} returned ${STATUS_IP_BL}" |
echo "Check the availability of the sites. Maybe the server removed its content or changed its address." |
fi |
exit 1 |
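Review bot: The feed lines parsed at the `CNC_DOMAINS=` and `CNC_IPS=` lines are written straight into `${BL_DIR}/urls` and `${BL_DIR}/domains` with no syntactic check, so a change in the feed's header length (the `tail -n +19` assumption) or a stray non-domain row would land in a blacklist that the rest of ALCASAR then loads. Filtering each list to its expected shape before writing keeps header text and malformed rows out, e.g. `CNC_DOMAINS=$($CURL $CNC_DNS | tail -n +19 | awk -F, '{print $1}' | grep -E '^[A-Za-z0-9.-]+$')` and `CNC_IPS=$($CURL $CNC_IP | tail -n +19 | awk -F, '{print $1}' | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$')`. The status tests such as `[ $STATUS_DNS_BL = 200 ]` (and the `= 000` tests in the 114,13 hunk) should quote the expansions, `[ "$STATUS_DNS_BL" = 200 ]`, so an empty value cannot turn into a syntax error. The IP list going into a file named `domains` is presumably what the blacklist loader expects, but a one-line comment saying so would help the next reader. The case arm continues outside the hunk.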
/scripts/alcasar-bl.sh |
---|
33,7 → 33,6 |
DIR_IP_BL_ENABLED="$DIR_SHARE/iptables-bl-enabled" # ' ' ip BL (only enabled categories) |
DIR_IP_WL_ENABLED="$DIR_SHARE/iptables-wl-enabled" # ' ' ip WL (ossi and ossi-* imported from ACC) |
REHABILITATED_DNS_FILE="/etc/unbound/conf.d/blacklist/rehabilitated.conf" |
CNC_BL_NAME="ossi-bl-candc" |
BL_SERVER="dsi.ut-capitole.fr" |
SED="/bin/sed -i" |
110,7 → 109,7 |
# search for correction egrep "([a-zA-Z0-9_-.]+\.){1,2}[a-zA-Z]{2,$MAX_TLD}" $ossi_custom_dir/domains > $FILE_tmp |
} |
usage="Usage: alcasar-bl.sh { -cat_choice or --cat_choice } | { -download or --download } | { -adapt or --adapt } | { -reload or --reload } | { -install_ossi_candc or --install_ossi_candc }" |
usage="Usage: alcasar-bl.sh { -cat_choice or --cat_choice } | { -download or --download } | { -adapt or --adapt } | { -reload or --reload }" |
nb_args=$# |
args=$1 |
if [ $nb_args -eq 0 ] |
282,22 → 281,6 |
rm -f $FILE_tmp $FILE_ip_tmp |
rm -rf $DIR_tmp |
;; |
# install C&C-Server Blacklist. |
-install_ossi_candc | --install_ossi_candc) |
## download |
/usr/local/bin/alcasar-bl-autoupdate.sh --update_ossi-bl-candc |
## enable blacklist by default by creating symlinks |
if [ -e ${DIR_DNS_BL_ENABLED}/${CNC_BL_NAME} ]; then |
rm ${DIR_DNS_BL_ENABLED}/${CNC_BL_NAME} |
fi |
if [ -e ${DIR_IP_BL_ENABLED}/${CNC_BL_NAME} ]; then |
rm ${DIR_IP_BL_ENABLED}/${CNC_BL_NAME} |
fi |
echo "Creating symlinks to enable blacklist" |
ln -s ${DIR_DNS_BL}/${CNC_BL_NAME}.conf ${DIR_DNS_BL_ENABLED}/${CNC_BL_NAME} |
ln -s ${DIR_IP_BL}/${CNC_BL_NAME} ${DIR_IP_BL_ENABLED}/${CNC_BL_NAME} |
exit 0 |
;; |
# reload when selected categories are changed or when ossi change his custom files |
-reload | --reload) |
# for E2Gardian |
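--- a/scripts/alcasar-iot_capture.sh
+++ b/scripts/alcasar-iot_capture.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+# alcasar-iot_capture.sh
+# by Guillaume Gellusseau, Dorian Lemoine & REXY
+# This script is distributed under the Gnu General Public License (GPL)
+# Ce script lance une capture de flux réseau en fonction d'une adresse IP source ($1)
+# This script performs a network flow capture based on source ip address ($1)
+CONF_FILE="/usr/local/etc/alcasar.conf"
+INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2` # INTernal InterFace
+function info
+{
+_PID=$(ps -ef | grep tcpdump | grep $1 | awk {'print $2'})
+if [[ -n $_PID ]]
+then
+echo "CaptureON"
+else
+echo "CaptureOFF"
+fi
+}
+function kill
+{
+_PID=$(ps -ef | grep tcpdump | grep $1 | awk {'print $2'})
+sudo kill -2 $_PID
+}
+function launch
+{
+tcpdump ether host $1 -i $INTIF -n -w /tmp/capture_$1.pcap
+}
+function flush
+{
+sudo rm /tmp/capture_$1.pcap -f
+}
+while getopts "l k i f" option; do
+case "${option}" in
+l)
+launch $2
+;;
+k)
+kill $2
+;;
+i)
+info $2
+;;
+f)
+flush $2
+;;
+esac
+done
+#End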
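Review bot: The host argument reaches `ether host $1`, the pcap path `/tmp/capture_$1.pcap`, `grep $1` and the `sudo rm`/`sudo kill` calls without validation or quoting, so the `kill` and `flush` helpers run privileged commands on whatever the caller passes, and any unrelated process whose command line merely contains that string can receive SIGINT through `sudo kill -2`. Validating `$2` as a MAC address once at the top and matching the exact tcpdump command line with `pgrep -f` confines both. The `getopts "l k i f"` string declares no option arguments (the spaces are even parsed as option characters) and the arms read `$2` instead of `$OPTARG`, which only works for a single-flag invocation; `getopts "l:k:i:f:"` with `$OPTARG` is the conventional form. `function kill` also shadows the builtin, which is why the body has to reach for `sudo kill`; a distinct name removes that confusion. Writing captures under world-writable `/tmp` with a caller-chosen, predictable name is something a dedicated root-owned capture directory would avoid.
```bash
# … unchanged: header, CONF_FILE / INTIF …

# The argument feeds a tcpdump filter, a pcap path and sudo kill/rm:
# accept only a MAC address.
mac="${2:-}"
if [[ ! "$mac" =~ ^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$ ]]; then
	echo "Usage: ${0##*/} -l|-k|-i|-f <mac-address>" >&2
	exit 2
fi

function info
{
	# match the exact capture command line, not any process containing $1
	_PID=$(pgrep -f "tcpdump ether host $1 ")
	# … unchanged: CaptureON / CaptureOFF …
}
function stop_capture   # was 'kill', which shadows the builtin
{
	_PID=$(pgrep -f "tcpdump ether host $1 ")
	[[ -n "$_PID" ]] && sudo kill -2 $_PID
}
function launch
{
	tcpdump ether host "$1" -i "$INTIF" -n -w "/tmp/capture_$1.pcap"
}
function flush
{
	sudo rm -f -- "/tmp/capture_$1.pcap"
}
while getopts "l:k:i:f:" option; do
	case "${option}" in
		l) launch "$OPTARG" ;;
		k) stop_capture "$OPTARG" ;;
		i) info "$OPTARG" ;;
		f) flush "$OPTARG" ;;
	esac
done
```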
Property changes: |
Added: svn:eol-style |
+native |
\ No newline at end of property |
Added: svn:executable |
+* |
\ No newline at end of property |
/scripts/alcasar-urpmi.sh |
---|
15,7 → 15,7 |
KERNEL="kernel-server-5.3.7-4.mga7-1-1.mga7" |
# ****** Alcasar needed RPMS - paquetages nécessaires au fonctionnement d'Alcasar ****** |
# perl-Socket6 : needed by nfsen |
PACKAGES="vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm php-gd php-ldap php-mysqli php-mbstring php-sockets php-curl php-pdo_sqlite unbound e2guardian postfix mariadb ntp bind-utils openssh-server rng-utils rsync clamav perl-rrdtool perl-MailTools fail2ban gnupg2 ulogd pm-fallback-policy ipset usb_modeswitch tinyproxy vnstat dos2unix p7zip msec kernel-userspace-headers kernel-firmware-nonfree dnsmasq dhcp-server gammu wkhtmltopdf perl-Socket6" |
PACKAGES="vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm php-gd php-ldap php-mysqli php-mbstring php-sockets php-curl php-pdo_sqlite unbound e2guardian postfix mariadb ntp bind-utils openssh-server rng-utils rsync clamav perl-rrdtool perl-MailTools fail2ban gnupg2 ulogd pm-fallback-policy ipset usb_modeswitch tinyproxy vnstat dos2unix p7zip msec kernel-userspace-headers kernel-firmware-nonfree dnsmasq dhcp-server wkhtmltopdf perl-Socket6 tcpdump" |
rpm_repository_sync () |
{ |