From d19c429add5bb51d0e97d985138914f41161d6bb Mon Sep 17 00:00:00 2001
From: Ankush Grover
Date: Tue, 14 Jun 2011 14:08:41 +0200
Subject: [PATCH] Initial version
---
 plugins/other/ossec-active-response | 79 +++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)
 create mode 100755 plugins/other/ossec-active-response
diff --git a/plugins/other/ossec-active-response b/plugins/other/ossec-active-response
new file mode 100755
index 00000000..7dfd9ffd
--- /dev/null
+++ b/plugins/other/ossec-active-response
@@ -0,0 +1,79 @@
+
+# /bin/ sh
+#
+if [ "$1" = "autoconf" ] ; then
+
+ echo "yes"
+#
+exit 0
+#
+fi
+#
+#
+logdir="/var/ossec/logs/"
+if [ "$1" = "config" ] ; then
+#
+echo "graph_title Active Response"
+#
+echo "graph_args --base 1000 -l 0 "
+#
+echo "graph_vlabel Number of active response"
+#
+echo "graph_category Ossec"
+#
+echo "graph_scale no"
+#
+echo "c_add_actions.label Number of Rules added"
+#
+echo "c_add_actions.draw LINE2"
+#
+echo 'c_add_actions.min 0'
+#
+echo "c_del_actions.label Number of Rules deleted"
+#
+echo "c_del_actions.draw LINE2"
+#
+echo 'c_del_actions.min 0'
+#
+exit 0
+#
+fi
+#
+#
+
+
+####Deleting the temporary logs files ##########
+rm -fr /tmp/ossecactive*
+
+
+###For Loop for grepping the last 5 mins logs and moving it to the /tmp
+
+month="$(date "+%b")"; time="$(date "+%d")";year="$(date "+%Y")";
+if [ "$time" -le "9" ]; then
+search1="$month $time"
+else
+search1="$month $time"
+fi
+
+#search1="$month $time"
+#echo "$search1"
+for (( i = 5; i>=0; i-- )) ; do grep $(date "+%R" -d "-$i min") /var/ossec/logs/active-responses.log | grep "$search1" | grep "$year" >> /tmp/ossecactive.log;done
+
+
+#############Fore Loop Ends##########
+
+####Grepping the Hosts Blocked in last 5 mins###########
+NB_ADD=`cat /tmp/ossecactive.log| grep add | wc -l`
+
+###########Grepping the Hosts Removed from the blocked list in last 5 mins############
+
+NB_DEL=`cat /tmp/ossecactive.log | grep del | wc -l`
+#
+#
+
+############Displaying the VALUES#############
+echo "c_add_actions.value ${NB_ADD}"
+#
+echo "c_del_actions.value ${NB_DEL}" #
+#
+exit 0
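Review bot: The loop appends matched log lines to the fixed path `/tmp/ossecactive.log` (cleared beforehand with `rm -fr /tmp/ossecactive*`), a predictable name in a world-writable directory that any local user can pre-create or replace with a symlink before the plugin runs, so both the file the `>>` writes through and the `NB_ADD`/`NB_DEL` counts reported to Munin become attacker-influenced; create the file with `mktemp` and remove it from an `EXIT` trap instead. In the same loop `$(date "+%R" -d "-$i min")` is passed to grep unquoted, and the two counts use `cat | grep | wc -l` where `grep -c` on the file suffices. The first line reads `# /bin/ sh`, which is not a shebang, yet the script relies on the bash-only `for (( … ))` form, so it should begin with `#!/bin/bash`. Both branches of `if [ "$time" -le "9" ]` assign the identical `search1="$month $time"`, so either the condition is dead or the intended spacing (presumably a double space for single-digit days) was lost; `logdir` is assigned but never used.
```shell
# … unchanged: autoconf/config sections and search1 setup …
tmpfile=$(mktemp /tmp/ossecactive.XXXXXX) || exit 1
trap 'rm -f -- "$tmpfile"' EXIT
for (( i = 5; i>=0; i-- )) ; do
  grep "$(date "+%R" -d "-$i min")" /var/ossec/logs/active-responses.log | grep "$search1" | grep "$year" >> "$tmpfile"
done
NB_ADD=$(grep -c add "$tmpfile")
NB_DEL=$(grep -c del "$tmpfile")
# … unchanged: value output …
```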