
Resolved
0 votes
I've been using ET Block rules with snort for a while now, but snort is supposed to be inefficient for directly blocking IPs, so I've started looking at the Emerging Threats Firewall rules. The RBN rules recently went missing, but are 4-5 times the size of the ALL rules, which makes them quite slow to use. It has been suggested to me on the ET mailing lists to use ipset to handle large lists of IP addresses and subnets, as it is much more efficient. I've installed ipset, but when I use it I get the error "ipset v6.11: Cannot open session to kernel." Looking at the docs, for kernels < 2.6.39 a netfilter patch may be needed in the kernel (in the ipset sources).

Does anyone know if the kernel has been patched with this (ipset is available from the clearos-core repo)? If it has been patched, does anyone know what the issue is?
Monday, February 10 2014, 09:37 PM
Responses (29)
  • Accepted Answer

    Tuesday, August 05 2014, 07:41 PM - #Permalink
    Resolved
    0 votes
    Mihai

    Sorry for the late reply, I have been off the grid for the past few weeks. Thanks to Tony for finding the problem. I must have edited the configuration files in the Win environment, but cannot remember why I would do such a thing. My bad.

    I now have to start working on Tony's assignment:
    Whoever created these files for a Unix/Linux system like this should write 100 lines ...
  • Accepted Answer

    mihai
    Tuesday, July 22 2014, 06:09 AM - #Permalink
    Resolved
    0 votes
    mihai wrote:
    script works fine...but my root password not anymore :(
    :P damn..


    Wrong post... my bad. Deleting /var/log/* was the issue.
    Solved already.
  • Accepted Answer

    mihai
    Monday, July 21 2014, 08:38 PM - #Permalink
    Resolved
    0 votes
    script works fine...but my root password not anymore :(
    :P damn..
  • Accepted Answer

    mihai
    Monday, July 21 2014, 12:50 PM - #Permalink
    Resolved
    0 votes
    Tony...I owe you some beer man :)

    hexdump -C /etc/tie.d/tie-ti1-plugin.conf
    00000000 23 20 54 49 45 3a 20 54 68 72 65 61 74 20 49 6e |# TIE: Threat In|
    00000010 74 72 75 73 69 6f 6e 20 45 6e 61 62 6c 65 72 20 |trusion Enabler |
    00000020 70 6c 75 67 2d 69 6e 20 63 6f 6e 66 69 67 75 72 |plug-in configur|
    00000030 61 74 69 6f 6e 20 66 69 6c 65 0d 0a 23 0d 0a 50 |ation file..#..P|
    00000040 4c 55 47 49 4e 5f 56 45 52 53 49 4f 4e 3d 31 2e |LUGIN_VERSION=1.|
    00000050 30 20 23 20 53 63 72 69 70 74 20 76 65 72 73 69 |0 # Script versi|
    00000060 6f 6e 0d 0a 0d 0a 5b 5b 20 2d 66 20 2f 65 74 63 |on....[[ -f /etc|
    00000070 2f 74 69 65 2e 64 2f 74 69 65 2d 74 69 31 2d 66 |/tie.d/tie-ti1-f|
    00000080 69 72 65 77 61 6c 6c 20 5d 5d 20 26 26 20 73 6f |irewall ]] && so|
    00000090 75 72 63 65 20 2f 65 74 63 2f 74 69 65 2e 64 2f |urce /etc/tie.d/|
    000000a0 74 69 65 2d 74 69 31 2d 66 69 72 65 77 61 6c 6c |tie-ti1-firewall|
    000000b0 0d 0a 5b 5b 20 2d 66 20 2f 65 74 63 2f 74 69 65 |..[[ -f /etc/tie|
    000000c0 2e 64 2f 74 69 65 2d 74 69 31 2d 6d 61 69 6c 20 |.d/tie-ti1-mail |
    000000d0 5d 5d 20 26 26 20 73 6f 75 72 63 65 20 2f 65 74 |]] && source /et|
    000000e0 63 2f 74 69 65 2e 64 2f 74 69 65 2d 74 69 31 2d |c/tie.d/tie-ti1-|
    000000f0 6d 61 69 6c 0d 0a 5b 5b 20 2d 66 20 2f 65 74 63 |mail..[[ -f /etc|
    00000100 2f 74 69 65 2e 64 2f 74 69 65 2d 74 69 31 2d 73 |/tie.d/tie-ti1-s|
    00000110 6e 6f 72 74 2d 6e 65 74 77 6f 72 6b 2d 61 64 64 |nort-network-add|
    00000120 72 65 73 73 65 73 20 5d 5d 20 26 26 20 73 6f 75 |resses ]] && sou|
    00000130 72 63 65 20 2f 65 74 63 2f 74 69 65 2e 64 2f 74 |rce /etc/tie.d/t|
    00000140 69 65 2d 74 69 31 2d 73 6e 6f 72 74 2d 6e 65 74 |ie-ti1-snort-net|
    00000150 77 6f 72 6b 2d 61 64 64 72 65 73 73 65 73 0d 0a |work-addresses..|
    00000160 5b 5b 20 2d 66 20 2f 65 74 63 2f 74 69 65 2e 64 |[[ -f /etc/tie.d|
    00000170 2f 74 69 65 2d 74 69 31 2d 73 6e 6f 72 74 2d 6c |/tie-ti1-snort-l|
    00000180 69 73 74 2d 61 76 61 69 6c 61 62 6c 65 2d 72 75 |ist-available-ru|
    00000190 6c 65 73 20 5d 5d 20 26 26 20 73 6f 75 72 63 65 |les ]] && source|
    000001a0 20 2f 65 74 63 2f 74 69 65 2e 64 2f 74 69 65 2d | /etc/tie.d/tie-|
    000001b0 74 69 31 2d 73 6e 6f 72 74 2d 6c 69 73 74 2d 61 |ti1-snort-list-a|
    000001c0 76 61 69 6c 61 62 6c 65 2d 72 75 6c 65 73 |vailable-rules|
    000001ce
    [root@Bumblebee /]# dos2unix /etc/tie.d/tie-ti1-plugin.conf
    dos2unix: converting file /etc/tie.d/tie-ti1-plugin.conf to UNIX format ...
    [root@Bumblebee /]# tie
    : command not foundfirewall: line 8:
    'etc/tie.d/tie-ti1-firewall: line 11: syntax error near unexpected token `{
    'etc/tie.d/tie-ti1-firewall: line 11: `doBlocksFirewallPlugin() {
    : command not foundmail: line 8:
    'etc/tie.d/tie-ti1-mail: line 12: syntax error near unexpected token `{
    'etc/tie.d/tie-ti1-mail: line 12: `doMailPlugin() {
    : command not foundsnort-network-addresses: line 8:
    'etc/tie.d/tie-ti1-snort-network-addresses: line 12: syntax error near unexpected token `{
    'etc/tie.d/tie-ti1-snort-network-addresses: line 12: `doSnortNetworkAddressesPlugin() {
    : command not foundsnort-list-available-rules: line 13:
    'etc/tie.d/tie-ti1-snort-list-available-rules: line 18: syntax error near unexpected token `{
    'etc/tie.d/tie-ti1-snort-list-available-rules: line 18: `doSnortListAvailableRulesPlugin() {
    : No such file or directory6: /bin/false
    [root@Bumblebee /]# dos2unix /etc/tie.d/tie-ti1-*
    dos2unix: converting file /etc/tie.d/tie-ti1-firewall to UNIX format ...
    dos2unix: converting file /etc/tie.d/tie-ti1-mail to UNIX format ...
    dos2unix: converting file /etc/tie.d/tie-ti1-plugin.conf to UNIX format ...
    dos2unix: converting file /etc/tie.d/tie-ti1-snort-list-available-rules to UNIX format ...
    dos2unix: converting file /etc/tie.d/tie-ti1-snort-network-addresses to UNIX format ...
    [root@Bumblebee /]# tie

    Done... works now :)
    I have never thought of this... even though it's quite common.
  • Accepted Answer

    Monday, July 21 2014, 12:36 PM - #Permalink
    Resolved
    0 votes
    mihai - I have seen this problem before where something seems to exist - yet the system seemingly ignores it.

    To confirm my suspicion I downloaded the .zip file in the link above and looked at one or two of the files with hexdump.
    Here is one of them

    [root@alex tie]# hexdump -C tie-ti1-plugin.conf
    00000000 23 20 54 49 45 3a 20 54 68 72 65 61 74 20 49 6e |# TIE: Threat In|
    00000010 74 72 75 73 69 6f 6e 20 45 6e 61 62 6c 65 72 20 |trusion Enabler |
    00000020 70 6c 75 67 2d 69 6e 20 63 6f 6e 66 69 67 75 72 |plug-in configur|
    00000030 61 74 69 6f 6e 20 66 69 6c 65 0d 0a 23 0d 0a 50 |ation file..#..P|
    00000040 4c 55 47 49 4e 5f 56 45 52 53 49 4f 4e 3d 31 2e |LUGIN_VERSION=1.|
    00000050 30 20 23 20 53 63 72 69 70 74 20 76 65 72 73 69 |0 # Script versi|
    00000060 6f 6e 0d 0a 0d 0a 5b 5b 20 2d 66 20 2f 65 74 63 |on....[[ -f /etc|
    00000070 2f 74 69 65 2e 64 2f 74 69 65 2d 74 69 31 2d 66 |/tie.d/tie-ti1-f|
    00000080 69 72 65 77 61 6c 6c 20 5d 5d 20 26 26 20 73 6f |irewall ]] && so|
    00000090 75 72 63 65 20 2f 65 74 63 2f 74 69 65 2e 64 2f |urce /etc/tie.d/|
    000000a0 74 69 65 2d 74 69 31 2d 66 69 72 65 77 61 6c 6c |tie-ti1-firewall|
    000000b0 0d 0a 5b 5b 20 2d 66 20 2f 65 74 63 2f 74 69 65 |..[[ -f /etc/tie|
    000000c0 2e 64 2f 74 69 65 2d 74 69 31 2d 6d 61 69 6c 20 |.d/tie-ti1-mail |
    000000d0 5d 5d 20 26 26 20 73 6f 75 72 63 65 20 2f 65 74 |]] && source /et|
    000000e0 63 2f 74 69 65 2e 64 2f 74 69 65 2d 74 69 31 2d |c/tie.d/tie-ti1-|
    000000f0 6d 61 69 6c 0d 0a 5b 5b 20 2d 66 20 2f 65 74 63 |mail..[[ -f /etc|
    00000100 2f 74 69 65 2e 64 2f 74 69 65 2d 74 69 31 2d 73 |/tie.d/tie-ti1-s|
    00000110 6e 6f 72 74 2d 6e 65 74 77 6f 72 6b 2d 61 64 64 |nort-network-add|
    00000120 72 65 73 73 65 73 20 5d 5d 20 26 26 20 73 6f 75 |resses ]] && sou|
    00000130 72 63 65 20 2f 65 74 63 2f 74 69 65 2e 64 2f 74 |rce /etc/tie.d/t|
    00000140 69 65 2d 74 69 31 2d 73 6e 6f 72 74 2d 6e 65 74 |ie-ti1-snort-net|
    00000150 77 6f 72 6b 2d 61 64 64 72 65 73 73 65 73 0d 0a |work-addresses..|
    00000160 5b 5b 20 2d 66 20 2f 65 74 63 2f 74 69 65 2e 64 |[[ -f /etc/tie.d|
    00000170 2f 74 69 65 2d 74 69 31 2d 73 6e 6f 72 74 2d 6c |/tie-ti1-snort-l|
    00000180 69 73 74 2d 61 76 61 69 6c 61 62 6c 65 2d 72 75 |ist-available-ru|
    00000190 6c 65 73 20 5d 5d 20 26 26 20 73 6f 75 72 63 65 |les ]] && source|
    000001a0 20 2f 65 74 63 2f 74 69 65 2e 64 2f 74 69 65 2d | /etc/tie.d/tie-|
    000001b0 74 69 31 2d 73 6e 6f 72 74 2d 6c 69 73 74 2d 61 |ti1-snort-list-a|
    000001c0 76 61 69 6c 61 62 6c 65 2d 72 75 6c 65 73 |vailable-rules|
    000001ce
    [root@alex tie]# ls

    You will see on line 00000060 the sequence "0d 0a 0d 0a", and some later lines with "0d 0a" such as the end of line 00000150. This indicates these files were created in DOS/Windows format - not unix - a real no-no :-( Unix/Linux files should only end with a newline i.e. 0a. Whoever created these files for a Unix/Linux system like this should write 100 lines like this :-) "Unix/Linux files must be created with just a newline character for the end-of-the-line indicator. I must not use Dos/Windows programs to create files intended for use on Unix/Linux in DOS/Windows format".

    A little utility called dos2unix can convert the files - see the "man" pages for use... if not installed use
    # yum --enablerepo=clearos-core list dos2unix
    assuming you have ClearOS Ver 6.x - for Ver 5.x you should drop --enablerepo=clearos-core

    Now I know nothing about this software, and cannot confirm this will fix your problem - but files on ClearOS clearly and decidedly should not be in this windows text format...
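    A check for exactly this failure mode, written for this thread and not part of the tie scripts or of dos2unix: a CR before the newline becomes part of whatever token ends the line, so "source /etc/tie.d/tie-ti1-mail<CR>" looks for a file name ending in a carriage return (hence "No such file or directory"), and the CR then drags the cursor back to column 0 when bash prints the error, which is why the messages in this thread look scrambled. The sample files, their directory and the function names are constructed for the example.

```shell
#!/bin/bash
# Added example: find files with DOS (CR LF) line endings before bash sources
# them, and strip the CRs where dos2unix is not installed.

# has_crlf FILE: exit 0 when FILE contains at least one carriage return, 1 otherwise.
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# crlf_files DIR: print every regular file directly under DIR that has CRs.
crlf_files() {
    local f
    for f in "$1"/*; do
        if [ -f "$f" ] && has_crlf "$f"; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# strip_cr FILE: dos2unix replacement; writes back through the original
# inode so ownership and mode (the plug-ins are mode 755) are preserved.
strip_cr() {
    local tmp
    tmp=$(mktemp) || return 1
    tr -d '\r' < "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# make_samples DIR: constructed stand-ins for the plug-in files; dos.conf is
# what a Windows editor produces, unix.conf what the scripts expect.
make_samples() {
    printf 'PLUGIN_VERSION=1.0\r\n[[ -f %s/unix.conf ]] && source %s/unix.conf\r\n' "$1" "$1" > "$1/dos.conf"
    printf 'PLUGIN_ENABLED="$TRUE"\n' > "$1/unix.conf"
}

# On a real system: crlf_files /etc/tie.d
# Self-contained run over the constructed samples:
DEMO_DIR=$(mktemp -d)
make_samples "$DEMO_DIR"
crlf_files "$DEMO_DIR"          # lists dos.conf only
strip_cr "$DEMO_DIR/dos.conf"
crlf_files "$DEMO_DIR"          # prints nothing now
rm -rf "$DEMO_DIR"
```

    Running crlf_files over /etc/tie.d before invoking tie turns the scrambled "command not found" output into a plain list of offending files; the same check is worth running on anything dropped into /etc/cron.daily or /etc/clearos/firewall.d, since those are sourced or executed by bash too.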
  • Accepted Answer

    mihai
    Monday, July 21 2014, 10:56 AM - #Permalink
    Resolved
    0 votes
    I'm still not able to determine from where it shows me this first error line:
    command not foundplugin.conf: line 4:
    and then those:
    : No such file or directoryonf: line 5: /etc/tie.d/tie-ti1-firewall
    : No such file or directoryonf: line 6: /etc/tie.d/tie-ti1-mail
    : No such file or directoryonf: line 7: /etc/tie.d/tie-ti1-snort-network-addresses

    All files are in place:
    ls -la /etc/tie.d/
    total 40
    drwxr-xr-x 2 root root 4096 2014-07-16 16:05 .
    drwxr-xr-x. 107 root root 12288 2014-07-19 11:40 ..
    -rwxr-xr-x 1 root root 2934 2014-07-16 16:05 tie-ti1-firewall
    -rwxr-xr-x 1 root root 847 2014-07-14 15:37 tie-ti1-mail
    -rwxr-xr-x 1 root root 462 2014-07-14 15:37 tie-ti1-plugin.conf
    -rwxr-xr-x 1 root root 3580 2014-07-14 15:38 tie-ti1-snort-list-available-rules
    -rwxr-xr-x 1 root root 4163 2014-07-14 15:38 tie-ti1-snort-network-addresses

    Again it seems I have a syntax error on line 18 of tie-ti1-snort-list-available-rules:

    17 DO_SNORT_LIST_AVAILABLE_RULES_PLUGIN_ENABLED="$FALSE"
    18 doSnortListAvailableRulesPlugin() {
    19 doDebug "Enter function doSnortListAvailableRulesPlugin() ..."
    20
    21 for webPageURL in "${SNORT_LIST_AVAIL_RULES_URLS[@]}"; do
    22 # Create a unique name from the url location
    23 local webPageList=$(sed 's/[http:]*//g;s/[\/]*//g' <<<"$webPageURL").list
    24 # Remove if file already exist
    25 if [[ -f "$webPageList" ]]; then
    26 rm -f $webPageList
    27 fi


    Can you please compare it with yours?

    thanks
  • Accepted Answer

    Friday, July 18 2014, 05:45 PM - #Permalink
    Resolved
    0 votes
    Mihai

    This is a strange situation. I can't seem to make any sense out of your errors. All seems to work when you are reading the main script; as soon as the script attempts to open any external configuration files it fails?
  • Accepted Answer

    mihai
    Wednesday, July 16 2014, 01:10 PM - #Permalink
    Resolved
    0 votes
    [root@Bumblebee tie.d]# cat /var/log/tie.d/ti1
    [Wed Jul 16 16:09:32] [info]
    [Wed Jul 16 16:09:32] [info] Threats Intrusion Detection Enabler Script started..
    [Wed Jul 16 16:09:32] [debug] --logger-verbosity=debug
    [Wed Jul 16 16:09:32] [debug] SysLogger: "false", Logger Verbosity: 1
    [Wed Jul 16 16:09:32] [debug] Enter function doParseScriptConf() ...
    [Wed Jul 16 16:09:32] [debug] function doParseScriptConf() Parameter --logger=logfile ignored. Handled at the Script Execution Start.
    [Wed Jul 16 16:09:32] [debug] function doParseScriptConf() Parameter --logger-verbosity=debug ignored. Handled at the Script Execution Start.
    [Wed Jul 16 16:09:32] [info] Execute script: tie with the following list of Source Types enabled: c,r,b
    [Wed Jul 16 16:09:32] [info] Execute script: tie with default configuration file: /etc/tie-ti1-source.conf
    [Wed Jul 16 16:09:32] [debug] Success doParseConfCommands(); confsUpdateEnabled: "true", rulesUpdateEnabled: "true", blocksUpdateEnabled: "true", firewallUpdateEnabled: "false", setsConf: "/etc/tie-ti1-source.conf"
    [Wed Jul 16 16:09:32] [debug] Exit function doParseConfCommands() with exit code: 0
    [Wed Jul 16 16:09:32] [warning] doUpdateFirewallRules() IPSET firewall rules and chain missing. Will proceed to update the block sets but IPSET will
    not be active until the firewall is updated.
    [Wed Jul 16 16:09:32] [debug] Enter function doCreateIpSetList() ...
    [Wed Jul 16 16:09:32] [info] doCreateIpSetList() Will not attempt to create /usr/sbin/ipset tie-list-ti1 it already exist.
    [Wed Jul 16 16:09:32] [debug] Exit function doCreateIpSetList() with exit code: 0
    [Wed Jul 16 16:09:32] [debug] Enter function doReadConfCommands() ...
    [Wed Jul 16 16:09:32] [debug] Enter function doParseConfCommands() ...
    is not a valid parameter entry.tp://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/reference.config --source snort:config
    [Wed Jul 16 16:09:32] [debug] Exit function doParseConfCommands() with exit code: 1
    [Wed Jul 16 16:09:32] [fatal error] You may want to check your configuraton file: /etc/tie-ti1-source.conf for the correct syntax.
    [Wed Jul 16 16:09:32] [fatal error] Threats Intrusion Detection Enabler Script Finished ..
  • Accepted Answer

    mihai
    Wednesday, July 16 2014, 07:34 AM - #Permalink
    Resolved
    0 votes
    Philippe Eveleigh wrote:
    Followed your instructions.

    I can see that ... Well, I have the same configuration. Could we be running into a permission issue? I have folder /etc/tie.d and all files in that folder are executable by root.


    Already checked that. All seems well configured.
  • Accepted Answer

    Tuesday, July 15 2014, 07:43 PM - #Permalink
    Resolved
    0 votes
    Followed your instructions.

    I can see that ... Well, I have the same configuration. Could we be running into a permission issue? I have folder /etc/tie.d and all files in that folder are executable by root.
  • Accepted Answer

    mihai
    Tuesday, July 15 2014, 05:47 PM - #Permalink
    Resolved
    0 votes
    Philippe Eveleigh wrote:
    mihai, I was not successful at reproducing your problem. Can you let me know the location of all your files, and, if the log file exists, the content of the log file?

    Note: log file can be found in /var/log/tie.d if the script was able to create it.


    Hey Philippe :)

    Here it is:

    tie: Main bash script, suggested location: /usr/local/bin
    tie.cron: Daily cron batch, suggested location: /etc/cron.daily
    tie-ti1-source.conf: Configuration file, suggested location: /etc
    tie-ti1-plugin.conf: plug-in include for the plug-in source files below, suggested location: /etc/tie.d
    tie-ti1-firewall: Allows to modify the default firewall configuration (INPUT chain only) to also block FORWARD and OUTPUT chains, suggested location: /etc/tie.d
    tie-ti1-mail: Enables mail message on error, requires configuration, suggested location: /etc/tie.d
    tie-ti1-snort-list-available-rules: Provides list of available rules, suggested location: /etc/tie.d
    tie-ti1-snort-network-addresses: Temporary fix for problem identified by Nick, suggested location: /etc/tie.d


    Followed your instructions.
  • Accepted Answer

    Tuesday, July 15 2014, 05:37 PM - #Permalink
    Resolved
    0 votes
    mihai, I was not successful at reproducing your problem. Can you let me know the location of all your files, and, if the log file exists, the content of the log file?

    Note: log file can be found in /var/log/tie.d if the script was able to create it.
  • Accepted Answer

    mihai
    Monday, July 14 2014, 12:40 PM - #Permalink
    Resolved
    0 votes
    Philippe Eveleigh wrote:
    mihai my apologies I missed the email notification

    command not foundplugin.conf: line 4:
    : No such file or directoryonf: line 5: /etc/tie.d/tie-ti1-firewall
    : No such file or directoryonf: line 6: /etc/tie.d/tie-ti1-mail
    : No such file or directoryonf: line 7: /etc/tie.d/tie-ti1-snort-network-addresses
    : command not foundsnort-list-available-rules: line 13:
    'etc/tie.d/tie-ti1-snort-list-available-rules: line 18: syntax error near unexpected token `{
    'etc/tie.d/tie-ti1-snort-list-available-rules: line 18: `doSnortListAvailableRulesPlugin() {


    I am assuming that these are console messages, not log messages?

    Can you also let me know what you want the script to do? Snort rules, snort config, ipset blocks? Or what is in your /etc/tie.d folder?

    If you wish you can also run the following:
    ./tie  --logger=logfile --logger-verbosity=debug


    Pending where the script is failing we might be able to get some logging information in: /var/log/tie.d


    Hi Philippe
    Sorry for my very late answer this time :(

    here you have the output:

    [root@Bumblebee tie]# ./tie --logger=logfile --logger-verbosity=debug
    : command not foundplugin.conf: line 4:
    : No such file or directoryonf: line 5: /etc/tie.d/tie-ti1-firewall
    : No such file or directoryonf: line 6: /etc/tie.d/tie-ti1-mail
    : No such file or directoryonf: line 7: /etc/tie.d/tie-ti1-snort-network-addresses
    : command not foundsnort-list-available-rules: line 13:
    'etc/tie.d/tie-ti1-snort-list-available-rules: line 18: syntax error near unexpected token `{
    'etc/tie.d/tie-ti1-snort-list-available-rules: line 18: `doSnortListAvailableRulesPlugin() {
  • Accepted Answer

    Sunday, July 13 2014, 04:47 PM - #Permalink
    Resolved
    0 votes
    mihai my apologies I missed the email notification

    command not foundplugin.conf: line 4:
    : No such file or directoryonf: line 5: /etc/tie.d/tie-ti1-firewall
    : No such file or directoryonf: line 6: /etc/tie.d/tie-ti1-mail
    : No such file or directoryonf: line 7: /etc/tie.d/tie-ti1-snort-network-addresses
    : command not foundsnort-list-available-rules: line 13:
    'etc/tie.d/tie-ti1-snort-list-available-rules: line 18: syntax error near unexpected token `{
    'etc/tie.d/tie-ti1-snort-list-available-rules: line 18: `doSnortListAvailableRulesPlugin() {


    I am assuming that these are console messages, not log messages?

    Can you also let me know what you want the script to do? Snort rules, snort config, ipset blocks? Or what is in your /etc/tie.d folder?

    If you wish you can also run the following:
    ./tie  --logger=logfile --logger-verbosity=debug


    Pending where the script is failing we might be able to get some logging information in: /var/log/tie.d
  • Accepted Answer

    mihai
    Saturday, July 12 2014, 08:19 PM - #Permalink
    Resolved
    0 votes
    thx for the reply Nick
    waiting for the share ;)
  • Accepted Answer

    Saturday, July 12 2014, 08:15 PM - #Permalink
    Resolved
    0 votes
    That script is huge but I assume corrects a minor issue that he spotted in mine when mirrors were out of sync. I use a variant of the one I posted earlier in the thread, but I am thinking of simplifying what I've done a bit using the loop you posted in the other thread to avoid creating the intermediate files. It is not high on my list of priorities as what I currently do works.
  • Accepted Answer

    mihai
    Saturday, July 12 2014, 07:43 PM - #Permalink
    Resolved
    0 votes
    So?
    Did anyone make it work?
  • Accepted Answer

    mihai
    Monday, April 28 2014, 08:29 AM - #Permalink
    Resolved
    0 votes
    @Philippe Eveleigh: Just tried your uploaded set of scripts/cfg files without changing anything and it seems not to work.
    When executing /usr/local/bin/tie:
    tie
    : command not foundplugin.conf: line 4:
    : No such file or directoryonf: line 5: /etc/tie.d/tie-ti1-firewall
    : No such file or directoryonf: line 6: /etc/tie.d/tie-ti1-mail
    : No such file or directoryonf: line 7: /etc/tie.d/tie-ti1-snort-network-addresses
    : command not foundsnort-list-available-rules: line 13:
    'etc/tie.d/tie-ti1-snort-list-available-rules: line 18: syntax error near unexpected token `{
    'etc/tie.d/tie-ti1-snort-list-available-rules: line 18: `doSnortListAvailableRulesPlugin() {

    All files in place :
    : No such file or directoryonf: line 5: /etc/tie.d/tie-ti1-firewall
    : No such file or directoryonf: line 6: /etc/tie.d/tie-ti1-mail
    : No such file or directoryonf: line 7: /etc/tie.d/tie-ti1-snort-network-addresses
  • Accepted Answer

    Saturday, April 19 2014, 08:23 PM - #Permalink
    Resolved
    0 votes
    That makes my brain ache. One for slow time!
  • Accepted Answer

    Saturday, April 19 2014, 06:52 PM - #Permalink
    Resolved
    0 votes
    Nick, interesting information. Your modification has allowed me to find weaknesses in the script that I have created, and I have applied a few modifications.

    You mentioned that you would be interested in the fix that allows the retrieval of files that were modified. wget is not very well suited to do this, so it had to be resolved by using time comparison. The solution sits in the vicinity of the $WGET code; it might be a little hard to follow because the script is built to fetch configuration, rules & blocks files in multiple conditions. I do time comparison to confirm the fetching of files.

    If you wish you or anyone else is welcome to use this script.

    tie: Main bash script, suggested location: /usr/local/bin
    tie.cron: Daily cron batch, suggested location: /etc/cron.daily
    tie-ti1-source.conf: Configuration file, suggested location: /etc
    tie-ti1-plugin.conf: plug-in include for the plug-in source files below, suggested location: /etc/tie.d
    tie-ti1-firewall: Allows to modify the default firewall configuration (INPUT chain only) to also block FORWARD and OUTPUT chains, suggested location: /etc/tie.d
    tie-ti1-mail: Enables mail message on error, requires configuration, suggested location: /etc/tie.d
    tie-ti1-snort-list-available-rules: Provides list of available rules, suggested location: /etc/tie.d
    tie-ti1-snort-network-addresses: Temporary fix for problem identified by Nick, suggested location: /etc/tie.d

    Here is an overview of the script and its capabilities: This script adds additional rules to the current ClearOS SNORT configuration. This script will also configure IPSET and the firewall to block lists of IPs. All is done via configuration once the bash script is enabled.

    instance capabilities parameter: The script was designed with the principle that it can be instantiated multiple times; it allows the script instances to run independently from each other. Default: ti1

    source enabled parameter: Enable snort config, snort rules, ipset blocking and ipset firewall rules (INPUT chain only)

    source config parameter: Script configuration filename for the IDS/IPS activities. Default name: /etc/tie-ti1-source.conf

    plugin config parameter: filename for the code insertion of the plug-ins code. Default name: /etc/tie.d/tie-ti1-plugin.conf

    logger parameter: supported logger choices. Default to syslog

    logger verbosity parameter: supported logger verbosity choices. Level notices is the default

    Here is a configuration example: The main bash script 'tie' can be stored in folder: /usr/local/bin (the script must obviously be made executable); the configuration file tie-ti1-source.conf can be located in folder: /etc. Note: ti1 is the default instance name. tie.cron can be added to folder: /etc/cron.daily to run daily. If you wish to use the ipset blocks capabilities you must run the script at least once with the --source-enabled=b,f parameter to initiate the ipset blocks firewall capabilities.

    I have included a few plug-ins for use; none of the plug-ins are required to run the main script. Suggested location as noted above, in folder: /etc/tie.d
    To use one, you will be required to enable it by editing the plug-in and changing its constant to … PLUGIN_ENABLED="$TRUE"

    Files, folders and entries of interest created or modified by script are:
    /etc/logrotate.d/tie-ti1
    /etc/snort.d/reference.config
    /etc/snort.d/rules/tie.d/ti1
    /etc/snort.conf
    /etc/clearos/firewall.d/90-tie-ti1
    /var/log/tie.d/ti1
    /var/tmp/tie.d/ti1/blocks/…
    /var/tmp/tie.d/ti1/rules/…
    /var/tmp/tie.d/ti1/available-snort-rules.txt
    /var/tmp/tie.d/ti1/saved-ipset
    /var/tmp/tie.d/ti1/saved-iptables
    ipset and iptables entries

    One last thing, if you decide to override the instantiation name all above references to ti1 will be replaced by your new instance name in the script. I suggest you keep the instance name as short as possible due to IPSET referenced set name length limitations. The script will warn you of this in its log.

    As all can see the building of this script was influenced by Nick & Tim. Thank you to both of you.
    [file name=tie.zip size=19116]http://www.clearfoundation.com/media/kunena/attachments/legacy/files/tie.zip[/file]
  • Accepted Answer

    Tuesday, April 01 2014, 06:25 PM - #Permalink
    Resolved
    0 votes
    Philippe,

    You're welcome to tweak the script. It was based on one both Tim and I found on the ET web site, and the original one has the same issue. I am not too bothered about it being exactly right, but I'd be interested to see your fix. Having said that, it may just be easier to download the file daily and update whatever.

    While you're at it, I've actually done some more scripting. If you look in the open-nogpl rules area you'll find some more files. There is a file "compromised-ips.txt" which is an IP list equivalent to emerging-compromised.rules. Also, if you look at the emerging-tor rules, they are really just IP lists duplicated for tcp and udp and split into two - tor exit nodes and tor routers/non-exit nodes. Non-exit nodes are irrelevant and you can block a lot of incorrect traffic. I have another script which can parse the rules file, dropping the non-exit nodes, and feed all the IPs into an ipset set. The script will also work on the compromised-ips.txt file. There is some irrelevant stuff because it also updates my snort rules, but here they are:

    The cron bit:
    #!/bin/bash

    cd /etc/snort.d/rules/emerging_threats/temp

    # Execute some rules on Saturday only
    if [[ $(date +%u) = 6 ]] ; then
        wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-attack_response.rules
        wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-exploit.rules
        # wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-smtp.rules
        wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-web_server.rules
        wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-web_specific_apps.rules
        wget -q https://rules.emergingthreats.net/blockrules/emerging-tor.rules
        wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/classification.config
        wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/reference.config
    fi
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-current_events.rules
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-malware.rules
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-trojan.rules
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-worm.rules
    wget -q https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/compromised-ips.txt
    wget -q https://rules.emergingthreats.net/blockrules/emerging-compromised-BLOCK.rules

    mv -f * ..

    service snort restart > /dev/null

    INPUTFILES='/etc/snort.d/rules/emerging_threats/compromised-ips.txt /etc/snort.d/rules/emerging_threats/emerging-tor.rules'
    IPSET_BLOCKLIST_HOST=blocklist
    IPSET_RESTOREFILE="/etc/snort.d/rules/emerging_threats/ipset_block.rules"

    # Make sure the ip_set module is loaded
    if [ "`lsmod | grep ip_set`" = "" ]; then
        modprobe ip_set
    fi

    echo "-N ${IPSET_BLOCKLIST_HOST}_TEMP iphash --hashsize 26244" >$IPSET_RESTOREFILE

    for INPUTFILE in $INPUTFILES; do
        OLDIFS="$IFS"
        IFS=","
        sed '/^$/d; /udp/d; /^#/d; /Relay\/Router\ (Not\sExit)/d; s/^.*\[//; s/\].*//' "$INPUTFILE" | while read IPS ; do
            for IP in $IPS; do
                echo "-A -exist ${IPSET_BLOCKLIST_HOST}_TEMP $IP" >> $IPSET_RESTOREFILE
            done
        done
        IFS="$OLDIFS"
    done

    # needed for ipset --restore
    echo "COMMIT" >> $IPSET_RESTOREFILE

    # ensure that ipsets exist
    ipset create $IPSET_BLOCKLIST_HOST iphash --hashsize 26244 -exist

    # ensure that temp sets do not exist
    ipset destroy -q "${IPSET_BLOCKLIST_HOST}_TEMP"

    ipset restore < $IPSET_RESTOREFILE

    # swap sets
    ipset swap ${IPSET_BLOCKLIST_HOST} ${IPSET_BLOCKLIST_HOST}_TEMP

    # remove temp sets
    ipset destroy ${IPSET_BLOCKLIST_HOST}_TEMP


    and the iptables bit which I put at the end of /etc/clearos/firewall.d/local:

    $IPTABLES -N ET_BLOCK > /dev/null 2>&1
    # comment out the next line if you do not want any firewall logging
    $IPTABLES -A ET_BLOCK -j LOG --log-level INFO --log-prefix "ET_RULES: "
    $IPTABLES -A ET_BLOCK -j DROP

    echo $IPTABLES
    IPSET_BLOCKLIST_HOST=blocklist
    # ensure that ipsets exist
    ipset create $IPSET_BLOCKLIST_HOST iphash --hashsize 26244 -exist
    $IPTABLES -I INPUT   -m set --match-set $IPSET_BLOCKLIST_HOST src -j ET_BLOCK
    $IPTABLES -I FORWARD -m set --match-set $IPSET_BLOCKLIST_HOST src -j ET_BLOCK
    $IPTABLES -I FORWARD -m set --match-set $IPSET_BLOCKLIST_HOST dst -j ET_BLOCK
    $IPTABLES -I OUTPUT  -m set --match-set $IPSET_BLOCKLIST_HOST dst -j ET_BLOCK

    It is not properly scripted with error checking as it was just a hack for me.

    Also, in both scripts I changed my mind and now block forwarding in both directions, input and output. In theory blocking one direction will block everything, as either you can't initiate a connection or you can't receive a response, but by blocking both you have a better chance to see if you have an infected machine by monitoring outbound traffic, and of stopping unwanted intrusion attempts by blocking inbound traffic - or at least that is my view.

    Once you are able to process an IP list or subnet list it then becomes relatively easy to extend the method to do country blocking - but I have not bothered.
  • Accepted Answer

    Tuesday, April 01 2014, 02:12 PM - #Permalink
    Resolved
    0 votes
Nick, I am currently working on a script that will allow you to add, modify & delete lists based on a configuration file for both Snort and IPSET to consume.

As I am doing some testing with my script I noticed that the lists coming from the emergingthreats servers are not always very well synchronised: Server 1 and Server 2

Just to say that this highlights a logic problem with your script. Your script might fetch different versions of FWrev & emerging-Block-IPs.txt.

To fix the problem, either find the revision number in emerging-Block-IPs.txt or use the wget -N option and compare dates. I personally use the latter for my script. I would share my script and post it but it is not ready yet.
  • Accepted Answer

    Wednesday, March 26 2014, 07:57 PM - #Permalink
    Resolved
    0 votes
    Minor tweak to the cron script (adding "-exist") to the first echo line in the Host IP and Net sections to stop the script falling over with duplicate addresses (there was one last night).
  • Accepted Answer

    Sunday, February 23 2014, 09:57 PM - #Permalink
    Resolved
    0 votes
    In some ways it suits splitting into three files with one for the variables, logging, executable check, loading ip_set and creating the default blacklists in ipset but someone else is welcome to do it.
  • Accepted Answer

    Sunday, February 23 2014, 08:28 PM - #Permalink
    Resolved
    0 votes
Nice tweaks! I've been away this week and just got back to looking at this again, thanks for posting :)
  • Accepted Answer

    Sunday, February 23 2014, 08:18 PM - #Permalink
    Resolved
    2 votes
    I could not resist tinkering and I've split the file into two:

    File 1 - place in /etc/cron.daily and make executable:
#!/bin/sh
#
# Update emerging fwrules ipset
#
# * checks online for newer fwrev
# * downloads new ip list only if the online fwrev is not the local one
# * generates ipset --restore file with temporary ipsets
#
# Changelog:
# 08 Dec 2009 / 1.0 [email protected] initial version
# 10 Feb 2014 / 1.1 [email protected] patched for debug and iptables entries in ClearOS
# 21 Feb 2014 / 1.2a [email protected] Split into two programs. This part downloads and formats
#                    the file and loads the ipset data sets and module


IPSET_BLACKLIST_HOST=blacklist
IPSET_BLACKLIST_NET=blacklistnet
IPSET_RESTOREFILE="/etc/clearos/firewall.d/ipset.rules"
ET_FWREV_URL="http://rules.emergingthreats.net/fwrules/FWrev"
ET_FWREV="/etc/clearos/firewall.d/FWrev"
ET_FWRULES="http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"
ET_FWRULES_TEMP="/etc/clearos/firewall.d/emerging-Block-IPs.txt"
ET_FWREV_ENABLE_LOGGING=1
# set to 1 further down when no FWrev file exists yet (first run)
ET_FIRST_RUN=""

SYSLOG_TAG="EMERGING-IPSET-UPDATE"

WGET="/usr/bin/wget"
CMP="/usr/bin/cmp"
IPSET="/usr/sbin/ipset"

do_log () {
    if [ $ET_FWREV_ENABLE_LOGGING -eq 1 ]
    then
        local PRIO=$1; shift;
        logger -p "$PRIO" -t "$SYSLOG_TAG" "$*"
    fi
}


# check executable
for i in "$WGET" "$CMP" "$IPSET"
do
    if ! [ -x "$i" ]
    then
        do_log error "$i does not exist or is not executable"
        exit 1
    fi
done

# See if the file FWrev exists. If not populate it and assume it is the first run
if ! [ -f $ET_FWREV ];
then
    echo "none" > $ET_FWREV
    ET_FIRST_RUN=1
fi

# get fwrev online
if ! $WGET -O $ET_FWREV.temp -q $ET_FWREV_URL;
then
    do_log error "can't download $ET_FWREV_URL to $ET_FWREV.temp"
    exit 1
fi

do_log notice "Local fwrev version " `cat $ET_FWREV`
do_log notice "Online fwrev version " `cat $ET_FWREV.temp`

# Check if local version of rules is the same as the ET version. If so, exit with no update.
if $CMP -s $ET_FWREV $ET_FWREV.temp; then
    do_log notice "no update required"
    rm -f $ET_FWREV.temp
    exit
fi

do_log notice "Local fwrev " `cat $ET_FWREV` " does not match online fwrev " `cat $ET_FWREV.temp` ". Start update"


# Download new list
if ! "$WGET" -O "$ET_FWRULES_TEMP" -q "$ET_FWRULES"
then
    do_log error "can't download $ET_FWRULES to $ET_FWRULES_TEMP"
    exit 1
fi

# Host IP Addresses
# -exist on the -A lines keeps a duplicate address in the feed from aborting the restore
echo "-N ${IPSET_BLACKLIST_HOST}_TEMP iphash --hashsize 26244 -exist" >$IPSET_RESTOREFILE
for i in $(egrep '^[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}$' "$ET_FWRULES_TEMP")
do
    echo "-A ${IPSET_BLACKLIST_HOST}_TEMP $i -exist" >> $IPSET_RESTOREFILE
done

# NET addresses
echo "-N ${IPSET_BLACKLIST_NET}_TEMP nethash --hashsize 3456 -exist" >>$IPSET_RESTOREFILE
for i in $(egrep '^[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}/[[:digit:]]{1,2}$' "$ET_FWRULES_TEMP")
do
    echo "-A ${IPSET_BLACKLIST_NET}_TEMP $i -exist" >> $IPSET_RESTOREFILE
done

# needed for ipset --restore
echo "COMMIT" >> $IPSET_RESTOREFILE

rm -f $ET_FWRULES_TEMP

do_log notice "downloaded latest rules to $IPSET_RESTOREFILE at revision `cat $ET_FWREV.temp`"

# Make sure the ip_set module is loaded
if [ "`lsmod | grep ip_set`" = "" ]; then
    modprobe ip_set
fi

# ensure that ipsets exist
$IPSET create $IPSET_BLACKLIST_HOST iphash --hashsize 26244 -exist
$IPSET create $IPSET_BLACKLIST_NET nethash --hashsize 3456 -exist

# ensure that temp sets do not exist
$IPSET destroy -q "${IPSET_BLACKLIST_HOST}_TEMP"
$IPSET destroy -q "${IPSET_BLACKLIST_NET}_TEMP"

if ! $IPSET restore < $IPSET_RESTOREFILE
then
    # the old FWrev is left in place so that the next run retries the update
    do_log error "ipset restore failed. restorefile is $IPSET_RESTOREFILE"; exit 1;
else
    # record the new revision only once the rules have actually been loaded
    mv -f $ET_FWREV.temp $ET_FWREV
    do_log notice "ipset rules committed at revision " `cat $ET_FWREV`
fi

# swap sets
$IPSET swap ${IPSET_BLACKLIST_HOST} ${IPSET_BLACKLIST_HOST}_TEMP
$IPSET swap ${IPSET_BLACKLIST_NET} ${IPSET_BLACKLIST_NET}_TEMP

# remove temp sets
$IPSET destroy ${IPSET_BLACKLIST_HOST}_TEMP
$IPSET destroy ${IPSET_BLACKLIST_NET}_TEMP

# the variable must be quoted: with it unquoted and empty, "[ -n ]" is true and
# the firewall would be restarted on every run
if [ -n "$ET_FIRST_RUN" ]; then
    service firewall restart > /dev/null
fi


    File 2 - place in /etc/clearos/firewall.d/, call it something like 10-ET_IP_Blocks and make it executable:
#!/bin/sh
#
# Update emerging fwrules ipset
#
# * loads the ip_set module if necessary
# * ensures that 2 ipsets (IPSET_BLACKLIST_HOST / IPSET_BLACKLIST_NET) exist
# * adds the iptables rules that reference the ipsets
#   (the sets themselves are filled by the cron.daily script)
#
# Changelog:
# 08 Dec 2009 / 1.0 [email protected] initial version
# 10 Feb 2014 / 1.1 [email protected] patched for debug and iptables entries in ClearOS
# 21 Feb 2014 / 1.2b [email protected] Split into two programs, loads ip_set module
#                    and loads firewall rules


IPSET_BLACKLIST_HOST=blacklist
IPSET_BLACKLIST_NET=blacklistnet
ET_FWREV_ENABLE_LOGGING=0

IPSET="/usr/sbin/ipset"
# $IPTABLES is set by the ClearOS firewall when it runs the firewall.d scripts;
# fall back to the binary so the script also works when run by hand
IPTABLES="${IPTABLES:-/sbin/iptables}"

SYSLOG_TAG="EMERGING-IPSET-UPDATE"

do_log () {
    if [ $ET_FWREV_ENABLE_LOGGING -eq 1 ]
    then
        local PRIO=$1; shift;
        logger -p "$PRIO" -t "$SYSLOG_TAG" "$*"
    fi
}


# check executable

if ! [ -x "$IPSET" ]
then
    do_log error "$IPSET does not exist or is not executable"
    exit 1
fi

# Make sure the ip_set module is loaded
if [ "`lsmod | grep ip_set`" = "" ]; then
    modprobe ip_set
fi

# ensure that ipsets exist - only necessary before first cron.daily runs.
$IPSET create $IPSET_BLACKLIST_HOST iphash --hashsize 26244 -exist
$IPSET create $IPSET_BLACKLIST_NET nethash --hashsize 3456 -exist

#commit iptables rules
$IPTABLES -N ET_LOGNDROP > /dev/null 2>&1
#comment out the next line if you do not want any firewall logging
$IPTABLES -A ET_LOGNDROP -j LOG --log-level INFO --log-prefix "ET_BLOCK: "
$IPTABLES -A ET_LOGNDROP -j DROP
$IPTABLES -I INPUT -m set --match-set $IPSET_BLACKLIST_HOST src -j ET_LOGNDROP
$IPTABLES -I INPUT -m set --match-set $IPSET_BLACKLIST_NET src -j ET_LOGNDROP
do_log notice "iptables entries for $IPSET_BLACKLIST_HOST and $IPSET_BLACKLIST_NET created in INPUT chain"
$IPTABLES -I FORWARD -m set --match-set $IPSET_BLACKLIST_HOST src -j ET_LOGNDROP
$IPTABLES -I FORWARD -m set --match-set $IPSET_BLACKLIST_NET src -j ET_LOGNDROP
do_log notice "iptables entries for $IPSET_BLACKLIST_HOST and $IPSET_BLACKLIST_NET created in FORWARD chain for incoming traffic"
$IPTABLES -I FORWARD -m set --match-set $IPSET_BLACKLIST_HOST dst -j ET_LOGNDROP
$IPTABLES -I FORWARD -m set --match-set $IPSET_BLACKLIST_NET dst -j ET_LOGNDROP
do_log notice "iptables entries for $IPSET_BLACKLIST_HOST and $IPSET_BLACKLIST_NET created in FORWARD chain for outgoing traffic"


    Significant changes on the initial program:
    1 - Updates nightly without restarting the firewall
    2 - loads ip_set module if necessary
    3 - allows logging to be turned off
    4 - stop echoing to screen (otherwise cron sends you a message every time the program runs)
    5 - quietened down various commands using inbuilt features rather than redirecting to /dev/null
    6 - The firewall logs blocked packets to /var/log/messages

    Prerequisites: you must have wget and ipset installed.


    [edit]
    Stupid forum killing tabs! If you want to see the indenting, hit quote and copy from that.
    [/edit]

[edit 25 Feb 14]
    Small code fix
    [/edit]
  • Accepted Answer

    Tuesday, February 11 2014, 12:56 PM - #Permalink
    Resolved
    0 votes
    Thanks for the modprobe tip. I did not see a reference to it.

I'd started work on the same script as you last night and it was when testing it that it failed. To me the script has a relatively fundamental issue with it which I was going to try to crack. It needs to access the internet every time the firewall is restarted and that is the only time it will run, so presumably you need to restart the firewall nightly for updates. One of the things about ipset is that you don't need to restart the firewall when there is a list change. The original script is totally independent of the firewall so could perhaps be put in cron.daily, but I suspect the ipset tables do not survive a ClearOS restart so the tables were never initialised. I was thinking of splitting the script into two. One part goes into cron.daily to do the update and create the $IPSET_RESTOREFILE. The second part goes into (or is called from) /etc/clearos/firewall.d/local and loads the ipset tables and finishes as you did. I would also block the FORWARD chain so that no one behind the firewall can contact these IP's (or at least get a response from them) in case some sort of trojan gets in.

Also, me being me, I'd remove some of the error checking for things like the presence of wget and ipset and not go down the route of creating random ipset restorefiles (they are never purged and will not work well with splitting the script into two).

    I also have another script which does a much simpler test to see if a new rule set is available something like:
    cmp -s filename_1 filename_2 > /dev/null
    if [ $? -eq 1 ]; then
    echo is different
    else
    echo is not different
    fi
    Cat'ing each file into a variable then comparing the variables seems over complicated and is just more variables in the program.

    I do like this approach if ipset can work. It would have been even more relevant had ET not deleted the RBN list. As one for the future I was thinking of perhaps writing a script to pull some of the ET rule sets which just block IP's to pieces to generate more IP lists for this solution. If anyone uses it, it would be better for country blocks as well.

    PS I've just noticed you're missing a space in your first iptables rule between the "src" and "-j".
  • Accepted Answer

    Monday, February 10 2014, 11:31 PM - #Permalink
    Resolved
    0 votes
Slightly modified version of the ET script; it adds the iptables entries that refer to two new blacklist and blacklistnet hash tables. You need to create a temporary statefile first with 'touch /var/run/emerging-ipset-update.fwrev'

    Create the script here and it will run every time the firewall starts up
    /etc/clearos/firewall.d/10-emerging-ipset-update
#!/bin/sh
#
# Update emerging fwrules ipset
#
# * creates local statefile with fwrev
# * checks online for newer fwrev
# * downloads new ip list only if the online fwrev is not the local one
# * ensures that 2 ipsets (IPSET_BLACKLIST_HOST / IPSET_BLACKLIST_NET) exist
# * generates ipset --restore file with temporary ipsets
# * swaps temporary ipsets with current ipsets
# * deletes temporary ipsets
#
# Changelog:
# 08 Dec 2009 / 1.0 [email protected] initial version
# 10 Feb 2014 / 1.1 [email protected] patched for debug and iptables entries in ClearOS


IPSET_BLACKLIST_HOST=blacklist
IPSET_BLACKLIST_NET=blacklistnet
IPSET_RESTOREFILE=$(mktemp -t emerging-ipset-update-ipsetrestorefile.XXX)

ET_FWREV_STATEFILE="/var/run/emerging-ipset-update.fwrev"
ET_FWREV_URL="http://rules.emergingthreats.net/fwrules/FWrev"
ET_FWREV_TEMP=$(mktemp -t emerging-ipset-update-fwrevtemp.XXX)
ET_FWREV_LOCAL="0"
ET_FWREV_ONLINE="0"
ET_FWRULES="http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"
ET_FWRULES_TEMP=$(mktemp -t emerging-ipset-update-fwrules.XXXX)

SYSLOG_TAG="EMERGING-IPSET-UPDATE"

WGET="/usr/bin/wget"
IPSET="/usr/sbin/ipset"
IPTABLES="/sbin/iptables"


do_log () {
    local PRIO=$1; shift;
    echo "$PRIO: $*"
    echo "$*" | logger -p "$PRIO" -t "$SYSLOG_TAG"
}


# check executables
for i in "$WGET" "$IPSET" "$IPTABLES"
do
    if ! [ -x "$i" ]
    then
        do_log error "$i does not exist or is not executable"
        exit 1
    fi
done

# Create statefile if not exists (before the writeable check below, which would otherwise fail on the first run)
if ! [ -f "$ET_FWREV_STATEFILE" ];
then
    echo 0 >"$ET_FWREV_STATEFILE"
fi

# check files
for i in "$IPSET_RESTOREFILE" "$ET_FWREV_STATEFILE" "$ET_FWREV_TEMP" "$ET_FWRULES_TEMP"
do
    if ! [ -w "$i" ]
    then
        do_log error "$i does not exist or is not writeable"
        exit 1
    fi
done

# get fwrev online
if ! $WGET -O "$ET_FWREV_TEMP" -q "$ET_FWREV_URL";
then
    do_log error "can't download $ET_FWREV_URL to $ET_FWREV_TEMP"
    exit 1
fi

ET_FWREV_ONLINE=$(cat $ET_FWREV_TEMP)
ET_FWREV_LOCAL=$(cat $ET_FWREV_STATEFILE)

do_log notice "Local fwrev version $ET_FWREV_LOCAL"
do_log notice "Online fwrev version $ET_FWREV_ONLINE"


if [ "$ET_FWREV_ONLINE" != "$ET_FWREV_LOCAL" ]
then
    do_log notice "Local fwrev $ET_FWREV_LOCAL does not match online fwrev $ET_FWREV_ONLINE. start update"

    if ! "$WGET" -O "$ET_FWRULES_TEMP" -q "$ET_FWRULES"
    then
        # stop here: carrying on with an empty list would swap in empty sets and silently stop blocking
        do_log error "can't download $ET_FWRULES to $ET_FWRULES_TEMP"
        exit 1
    else
        do_log notice "downloaded latest rules to $ET_FWRULES_TEMP"
    fi

    # ensure that ipsets exist
    $IPSET -N $IPSET_BLACKLIST_HOST iphash --hashsize 26244 >/dev/null 2>&1
    $IPSET -N $IPSET_BLACKLIST_NET nethash --hashsize 3456 >/dev/null 2>&1

    # ensure that temp sets do not exist
    $IPSET --destroy "${IPSET_BLACKLIST_HOST}_TEMP" >/dev/null 2>&1
    $IPSET --destroy "${IPSET_BLACKLIST_NET}_TEMP" >/dev/null 2>&1


    # Host IP Addresses
    # -exist on the -A lines keeps a duplicate address in the feed from aborting the restore
    echo "-N ${IPSET_BLACKLIST_HOST}_TEMP iphash --hashsize 26244" >>$IPSET_RESTOREFILE
    for i in $(egrep '^[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}$' "$ET_FWRULES_TEMP")
    do
        echo "-A ${IPSET_BLACKLIST_HOST}_TEMP $i -exist" >>$IPSET_RESTOREFILE
    done

    # NET addresses
    echo "-N ${IPSET_BLACKLIST_NET}_TEMP nethash --hashsize 3456" >>$IPSET_RESTOREFILE
    for i in $(egrep '^[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}/[[:digit:]]{1,2}$' "$ET_FWRULES_TEMP")
    do
        echo "-A ${IPSET_BLACKLIST_NET}_TEMP $i -exist" >>$IPSET_RESTOREFILE
    done

    # needed for ipset --restore
    echo "COMMIT" >>$IPSET_RESTOREFILE

    if ! $IPSET --restore <$IPSET_RESTOREFILE
    then
        do_log error "ipset restore failed. restorefile is $IPSET_RESTOREFILE"; exit 1;
    else
        do_log notice "ipset rules committed at revision $ET_FWREV_ONLINE"
    fi
    # swap sets
    $IPSET --swap ${IPSET_BLACKLIST_HOST} ${IPSET_BLACKLIST_HOST}_TEMP
    $IPSET --swap ${IPSET_BLACKLIST_NET} ${IPSET_BLACKLIST_NET}_TEMP

    # remove temp sets
    $IPSET --destroy ${IPSET_BLACKLIST_HOST}_TEMP
    $IPSET --destroy ${IPSET_BLACKLIST_NET}_TEMP

    if ! echo $ET_FWREV_ONLINE >$ET_FWREV_STATEFILE
    then
        do_log error "failed to write to fwrev statefile $ET_FWREV_STATEFILE"; exit 1;
    fi
else
    do_log notice "no update required"
fi

#commit iptables rules
$IPTABLES -I INPUT -m set --match-set $IPSET_BLACKLIST_HOST src -j DROP >/dev/null
$IPTABLES -I INPUT -m set --match-set $IPSET_BLACKLIST_NET src -j DROP >/dev/null
do_log notice "iptables entries for $IPSET_BLACKLIST_HOST and $IPSET_BLACKLIST_NET created in INPUT chain"

rm -f "$IPSET_RESTOREFILE" "$ET_FWRULES_TEMP" "$ET_FWREV_TEMP"
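Added example, written for this thread and not taken from the script above or from the two-file version further up: both of them pick entries out of emerging-Block-IPs.txt with egrep patterns that accept any one-to-three-digit groups, so a line such as 999.1.1.1 or a /33 prefix passes straight into the restore file and makes ipset restore abort. The POSIX sh below does the same host/net split but validates every entry (octets 0..255, prefix 0..32, comments stripped) and counts what it rejected, and it writes the ipset 6 create/add lines with -exist so a duplicate in the feed is harmless. The function and helper names (build_restore, is_ipv4, is_cidr, demo), the reuse of the blacklist/blacklistnet set names, and the sample feed made of RFC 5737 documentation addresses are all constructed for the example.

```shell
#!/bin/sh
# Constructed example: validate an ET-style block list and write an ipset
# restore file for a host set and a net set (not code from the forum posts).

# is_octet NUM -> true if NUM is an integer in 0..255
is_octet() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ ${#1} -le 3 ] && [ "$1" -le 255 ]
}

# is_ipv4 ADDR -> true if ADDR is a dotted quad with four valid octets
is_ipv4() {
    oldifs=$IFS
    IFS=.; set -f            # split on dots only, no globbing of feed data
    set -- $1
    set +f; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        is_octet "$o" || return 1
    done
    return 0
}

# is_cidr ADDR/LEN -> true if ADDR is valid and LEN is in 0..32
is_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    addr=${1%/*}; len=${1#*/}
    is_ipv4 "$addr" || return 1
    case "$len" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ ${#len} -le 2 ] && [ "$len" -le 32 ]
}

# build_restore LISTFILE OUTFILE HOSTSET NETSET
# Fills HOSTSET_TEMP / NETSET_TEMP in a restore file ready for
# "ipset restore < OUTFILE" followed by "ipset swap", and prints
# "hosts=N nets=N rejected=N" so the caller can log or alert on rejects.
build_restore() {
    list=$1; out=$2; hostset=$3; netset=$4
    hosts=0; nets=0; rejected=0
    {
        echo "create ${hostset}_TEMP hash:ip -exist"
        echo "create ${netset}_TEMP hash:net -exist"
    } > "$out"
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                               # drop comments
        entry=$(printf '%s' "$entry" | tr -d ' \t\r')   # and whitespace/CR
        [ -z "$entry" ] && continue
        if is_ipv4 "$entry"; then
            echo "add ${hostset}_TEMP $entry -exist" >> "$out"
            hosts=$((hosts + 1))
        elif is_cidr "$entry"; then
            echo "add ${netset}_TEMP $entry -exist" >> "$out"
            nets=$((nets + 1))
        else
            rejected=$((rejected + 1))                  # never reaches ipset
        fi
    done < "$list"
    echo "COMMIT" >> "$out"
    echo "hosts=$hosts nets=$nets rejected=$rejected"
}

DEMO_LIST=${TMPDIR:-/tmp}/et-sample-list.txt
DEMO_OUT=${TMPDIR:-/tmp}/et-sample.restore

# demo: run build_restore over a constructed feed (RFC 5737 addresses, not ET data)
demo() {
    cat > "$DEMO_LIST" <<'EOF'
# Constructed sample block list (not real feed data)
192.0.2.10
198.51.100.7   # trailing comment
203.0.113.0/24
198.51.100.0/28
192.0.2.10
999.1.1.1
192.0.2.5/33
not-an-address
EOF
    build_restore "$DEMO_LIST" "$DEMO_OUT" blacklist blacklistnet
}
```

Running demo prints hosts=3 nets=2 rejected=3 (the duplicate host is counted but tolerated by -exist; the bad octet, the /33 and the junk line are dropped). In a cron wrapper that summary line is what you would log, and a rejected count that suddenly jumps is a better reason to keep the sets you already have than to swap in a partial list.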
  • Accepted Answer

    Monday, February 10 2014, 10:35 PM - #Permalink
    Resolved
    0 votes
    You also need to load the iptables netfilter extension
    modprobe ip_set

    Should do the trick, you can find other modules at /lib/modules/2.6.32-431.3.1.v6.x86_64/kernel/net/netfilter/ipset/

    Interesting post by the way - not one I've seen before :)