I have an OSSEC server (CentOS) and an OSSEC agent (Win7).

-----On server-----

ossec.conf:

  <command>
    <name>eject_usb</name>
    <executable>event.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>eject_usb</command>
    <location>local</location>
    <rules_id>120005</rules_id>
    <timeout>30</timeout>
  </active-response>

local_rule.xml:

  <group name="Event_USB">
    <rule id="120000" level="0">
      <decoded_as>Event_USB</decoded_as>
      <description>Event USB</description>
    </rule>
    <rule id="120005" level="7">
      <if_sid>120000</if_sid>
      <match>USB</match>
      <description>Detected USB Storage</description>
    </rule>
  </group>

-----On agent-----

I have event.cmd with the content:

  shutdown -s -t 00

When I plug a USB device into the agent, I get the alert on the server, but the active response isn't working to shut down the agent.
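A corrected server-side fragment, added here as an example and not the poster's own configuration. It assumes the custom Event_USB decoder extracts no srcip field (a USB insertion event has no source address); analysisd skips an active response whose command expects srcip whenever the alert carries none, which would explain an alert with no response.

```xml
<!-- Added example, not the poster's config. Assumes the Event_USB decoder
     yields no srcip field for the Windows USB event. -->
<ossec_config>
  <command>
    <name>eject_usb</name>
    <executable>event.cmd</executable>
    <!-- Leave expect empty. With <expect>srcip</expect>, the response is only
         executed when the alert has a decoded srcip, so it never fires here. -->
    <expect></expect>
    <!-- A shutdown cannot be reverted, so no second "delete" invocation of the
         script after a timeout is needed. -->
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <command>eject_usb</command>
    <!-- local: run the script on the agent that produced the alert. -->
    <location>local</location>
    <rules_id>120005</rules_id>
  </active-response>
</ossec_config>
```

On the Windows agent, event.cmd has to live in the active-response\bin directory of the agent install; the server only sends the command name, not the script.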