I love OSSEC on Linux, I just wish I had the same functionality in Windows. I read an older post about Windows IPsec possibilities for active response. I have the netsh commands all worked out to add and then delete an IP. I'm about to go home, so I guess I'm soliciting direction on what to tackle next. I posted the netsh to block my page IP and Slashdot, then unblock my page, here: http://windowsnerd.com/2010/02/17/windows-and-ossec-ipsec-blocks/
I chose just a straight IP block vs. doing a port because if someone is attacking, I'd rather go ahead and block the whole source IP than the individual port or service. I can modify the netsh fun if you want it per port, etc. Anyhow, I hope this can help with any sort of development work. I'm sure it won't be too hard to change the IP dynamically based on parsing logs. I'll be more than happy to help out as much as I can on OSSEC for Windows. I'm not a coder, but I can go bug the dev guys down the hall if you give me tasks.

Thanks,
Pete Fahlenkamp
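As an added example (not from the post above, and not OSSEC's own active-response code), here is what "changing the IP dynamically" could look like once OSSEC hands the address to a script. It assumes the argument order OSSEC's Linux active-response scripts use (action, user, source IP, alert ID, rule ID), wraps the same `netsh ipsec static` filter add/delete the post describes, and adds the two checks a practitioner wants before any log-derived value reaches a shell command: a strict IPv4 syntax check and a whitelist so the response can never block the host's own gateway or management station. The policy/filter-list names, the log path and the whitelist entries are placeholders.

```powershell
# ossec-ipsec-block.ps1 (added example; not part of OSSEC or of the post)
# Assumed OSSEC active-response argument order: <action> <user> <srcip> [alert_id] [rule_id]
param(
    [Parameter(Mandatory = $true)][ValidateSet('add', 'delete')][string]$Action,
    [string]$User,
    [Parameter(Mandatory = $true)][string]$SrcIp,
    [string]$AlertId,
    [string]$RuleId
)

# Placeholder object names; anything unique on the host will do.
$PolicyName   = 'OSSEC-Block'
$FilterList   = 'OSSEC-BlockList'
$FilterAction = 'OSSEC-BlockAction'
$RuleName     = 'OSSEC-BlockRule'
# Assumed log location; adjust to where the agent is installed.
$LogFile      = "$env:ProgramFiles\ossec-agent\active-response\active-responses.log"
# Assumed whitelist: loopback plus the default gateway / management host. Never block these.
$Whitelist    = @('127.0.0.1', '10.0.0.1')

function Test-IPv4Literal([string]$Candidate) {
    # Strict dotted-quad check so that only a clean address is ever spliced into netsh.
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($Candidate, [ref]$parsed)) { return $false }
    return ($parsed.AddressFamily -eq 'InterNetwork') -and ($Candidate -match '^\d{1,3}(\.\d{1,3}){3}$')
}

function Write-Log([string]$Message) {
    $line = '{0} {1}' -f (Get-Date -Format 'ddd MMM dd HH:mm:ss yyyy'), $Message
    Add-Content -Path $LogFile -Value $line -ErrorAction SilentlyContinue
}

function Initialize-BlockPolicy {
    # Create the policy scaffolding once. On repeat runs netsh reports "already exists",
    # which is harmless, so output is discarded.
    & netsh ipsec static add filterlist name=$FilterList | Out-Null
    & netsh ipsec static add filteraction name=$FilterAction action=block | Out-Null
    & netsh ipsec static add policy name=$PolicyName | Out-Null
    & netsh ipsec static add rule name=$RuleName policy=$PolicyName `
        filterlist=$FilterList filteraction=$FilterAction | Out-Null
    & netsh ipsec static set policy name=$PolicyName assign=y | Out-Null
}

if (-not (Test-IPv4Literal $SrcIp)) {
    Write-Log "refusing malformed srcip '$SrcIp' (rule $RuleId, alert $AlertId)"
    exit 1
}
if ($Whitelist -contains $SrcIp) {
    Write-Log "srcip $SrcIp is whitelisted, leaving policy untouched"
    exit 0
}

Initialize-BlockPolicy

# A mirrored /32 filter blocks traffic from $SrcIp to this host and this host back to it,
# for every protocol and port, matching the "block the whole source IP" choice above.
$filterArgs = @(
    "filterlist=$FilterList",
    "srcaddr=$SrcIp",
    'srcmask=255.255.255.255',
    'dstaddr=Me',
    'protocol=ANY',
    'mirrored=yes'
)

switch ($Action) {
    'add'    { & netsh ipsec static add filter @filterArgs | Out-Null }
    'delete' { & netsh ipsec static delete filter @filterArgs | Out-Null }
}

Write-Log "$Action $SrcIp (rule $RuleId, alert $AlertId, user $User) netsh exit=$LASTEXITCODE"
exit $LASTEXITCODE
```

The OSSEC agent launches active-response commands as ordinary executables, so on Windows this would sit behind a small .cmd wrapper that runs `powershell.exe -ExecutionPolicy Bypass -File ossec-ipsec-block.ps1 %*`; the same script then handles the `delete` call the agent issues when the response timeout expires. On Windows Vista and later the Windows Firewall with Advanced Security is the supported path and the equivalent pair is `netsh advfirewall firewall add rule name="OSSEC block <ip>" dir=in action=block remoteip=<ip>` and `netsh advfirewall firewall delete rule name="OSSEC block <ip>"`; the validation and whitelist logic stays the same either way.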
