Re: [ossec-list] Active Response not working at all

2017-04-28 Thread Jesus Linares
Hi, you are right, Tony. The syntax for *ossec.conf* is not user-friendly. You must think in the following way: If it is a setting like yes/no, it will be overwritten if the parser finds the same setting below. Example: yes no The final value will be 'no'. However, if the setting is

Re: [ossec-list] Active Response not working at all

2017-04-27 Thread Tony Bryant
For anyone curious, it was an incredibly simple fix :(. Apparently if any active-responses in your ossec.config file are disabled, it will disable all of the active responses. I had 4 enabled and 1 disabled, but because of that 1, they all were disabled. On Wednesday, April 19, 2017 at 3:42:46

Re: [ossec-list] Active Response not working at all

2017-04-19 Thread Tony Bryant
Hmm, ok, is this the only active-response config on your agent? I'm not seeing any so that may be my problem. Is it one active-response config for all (like the one you posted below should serve all future ARs)? And what I posted was on the server. I'll give this a try though. On Wednesday,

Re: [ossec-list] Active Response not working at all

2017-04-19 Thread dan (ddp)
On Wed, Apr 19, 2017 at 5:54 PM, dan (ddp) wrote: > On Wed, Apr 19, 2017 at 5:34 PM, Tony Bryant wrote: >> How would I go about checking if AR is disabled on agents? Checking config >> files and don't see anything about it. Running v2.8.3 for OSSEC. Also,

Re: [ossec-list] Active Response not working at all

2017-04-19 Thread dan (ddp)
On Wed, Apr 19, 2017 at 5:34 PM, Tony Bryant wrote: > How would I go about checking if AR is disabled on agents? Checking config > files and don't see anything about it. Running v2.8.3 for OSSEC. Also, this > on Ubuntu > I think it's enabled by default. This is all I have

Re: [ossec-list] Active Response not working at all

2017-04-19 Thread Tony Bryant
How would I go about checking if AR is disabled on agents? Checking config files and don't see anything about it. Running v2.8.3 for OSSEC. Also, this on Ubuntu On Wednesday, April 19, 2017 at 2:21:47 PM UTC-7, dan (ddpbsd) wrote: > > On Wed, Apr 19, 2017 at 5:09 PM, Rob Williams

Re: [ossec-list] Active Response not working at all

2017-04-19 Thread dan (ddp)
On Wed, Apr 19, 2017 at 5:09 PM, Rob Williams wrote: > Still no luck. Just to verify, the scripts should be located in > /var/ossec/active-response/bin/, correct? Unfortunately the logs aren't > really telling me anything either. > Yep, that's where they go. AR isn't

Re: [ossec-list] Active Response not working at all

2017-04-19 Thread Rob Williams
Still no luck. Just to verify, the scripts should be located in /var/ossec/active-response/bin/, correct? Unfortunately the logs aren't really telling me anything either. On Wednesday, April 19, 2017 at 12:31:41 PM UTC-7, dan (ddpbsd) wrote: > > On Wed, Apr 19, 2017 at 3:23 PM, Tony Bryant

Re: [ossec-list] Active Response not working at all

2017-04-19 Thread dan (ddp)
On Wed, Apr 19, 2017 at 3:23 PM, Tony Bryant wrote: > Yes test.sh is on the agent. Execd is also running and yep the alert is > firing. > Try removing the level option and leave just the rules_id. > On Wednesday, April 19, 2017 at 11:30:37 AM UTC-7, dan (ddpbsd) wrote: >>

Re: [ossec-list] Active Response not working at all

2017-04-19 Thread Tony Bryant
Yes test.sh is on the agent. Execd is also running and yep the alert is firing. On Wednesday, April 19, 2017 at 11:30:37 AM UTC-7, dan (ddpbsd) wrote: > > On Wed, Apr 19, 2017 at 2:26 PM, Tony Bryant > wrote: > > Hello, > > > > I'm pretty new to OSSEC and I'm working to

Re: [ossec-list] Active Response not working at all

2017-04-19 Thread dan (ddp)
On Wed, Apr 19, 2017 at 2:26 PM, Tony Bryant wrote: > Hello, > > I'm pretty new to OSSEC and I'm working to get some active responses > working. I have tried a number of different active responses but cannot seem > to get it to work anywhere (not on the server or agents).