I am also interested in this process in regard to OSSEC and Windows 
active response.  I am considering a deployment in an 
AD-controlled business environment.  I was considering active response for 
Windows clients when network scans are detected (nmap, Nessus, MBSA, etc.).

As well as logging any time, past or future, that an external storage 
device (USB) is detected on a Windows client.

Any insight into how OSSEC governs its active response on Windows agents would 
be helpful.


On Tuesday, April 12, 2016 at 3:52:09 PM UTC-5, Rob B wrote:
>
> Hello Folks,
>
>   Could someone help me wrap my head around the Windows active response 
> mechanism?
>
> If I understand correctly, the active-response/bin folder on the server 
> will house my .CMD file containing my Windows response actions?
>
> What I would like to do is have active response fire on an event such as:
> <rule id="182669" level="12">
>   <if_sid>18100</if_sid>
> </rule>
> Which would then run my .cmd file, where I want to run an executable that 
> I have already packaged. 
>
> My question here is: what is the logic to run my packaged executable from 
> the .cmd file?  Where do I store my packaged executable, how does it get to 
> the client agent to fire?  Where will it fire from, so that I may have the 
> correct syntax in my .cmd file? Can the package be pushed from the server 
> to all windows agents once they refresh somehow?
>
> I do understand the basics as to how to set up active response in the 
> server's ossec.conf file and where to turn it ON in the agent-side .conf 
> file. How can I turn ON all the agents' active response from the 
> server? (Currently I only know how to manually update the file at each 
> client.)
>
> Any pointers from the Gurus would be greatly appreciated.  =)
>
> Thanks much Guys!!
>
>
> Rob
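
An added example, not from the thread and not a script shipped with OSSEC, of what the .cmd that the Windows agent runs can look like. On the server you bind it in ossec.conf with a <command> whose <executable> is the script's file name and an empty <expect>, and an <active-response> with <command> set to that name, <location>local</location>, <rules_id>182669</rules_id> and a <timeout>; "local" means the agent that produced the alert runs the script, and when the timeout expires OSSEC calls the same script again with "delete" instead of "add". The agent looks for the script in active-response\bin under its own install directory, and OSSEC does not copy scripts or binaries to agents, so the .cmd and the packaged executable have to be placed there on every Windows agent (GPO or your usual software deployment). The file names run-package.cmd and package.exe, the /alertid and /ruleid switches of package.exe, the default install path and the log file location are assumptions of this example.

```batch
@ECHO OFF
REM run-package.cmd - added example, not a script shipped with OSSEC.
REM Lives in <agent install dir>\active-response\bin on each Windows agent
REM (default install dir assumed: C:\Program Files (x86)\ossec-agent).
REM package.exe (assumed name) is placed in the same folder by GPO or by hand;
REM OSSEC does not distribute scripts or binaries to agents.
REM
REM OSSEC calls active-response scripts with positional arguments:
REM   %1 action ("add" when the rule fires, "delete" when <timeout> expires)
REM   %2 user, %3 source IP, %4 alert id, %5 rule id, %6 agent
REM Only %1 drives the logic here; the others are written to the log for audit.

SET AR_DIR=%~dp0
REM Log file location chosen by this example (one level above bin\)
SET LOG=%AR_DIR%..\active-responses.log
SET PKG=%AR_DIR%package.exe

ECHO %DATE% %TIME% %~n0 action=%1 user=%2 srcip=%3 alertid=%4 ruleid=%5 agent=%6 >> "%LOG%"

IF "%1"=="add" GOTO ADD
IF "%1"=="delete" GOTO DEL
ECHO %DATE% %TIME% %~n0 unknown action "%1" >> "%LOG%"
EXIT /B 1

:ADD
IF NOT EXIST "%PKG%" (
  ECHO %DATE% %TIME% %~n0 missing %PKG% >> "%LOG%"
  EXIT /B 1
)
REM Run the packaged executable; /alertid and /ruleid are hypothetical
REM switches of package.exe, passed so the package can tie its work to the alert
"%PKG%" /alertid %4 /ruleid %5
ECHO %DATE% %TIME% %~n0 package exit code %ERRORLEVEL% >> "%LOG%"
EXIT /B 0

:DEL
REM A one-shot package has nothing to undo, so timeout expiry is a no-op.
REM If the package changes state (firewall rule, service stop), revert it here.
EXIT /B 0
```

To try it by hand on an agent, run it from the bin folder with the same arguments OSSEC would pass, e.g. `run-package.cmd add - 10.0.0.5 1460000000.123 182669 host01`, and check the log line and the exit code before wiring the rule to it on the server.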

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
