Hi Pete,

That's a very good idea. We have an active response on Windows using the route command (to redirect to a null route), but having one using netsh would be great. Btw, do you know which versions of Windows come with netsh by default?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Wed, Feb 17, 2010 at 10:51 PM, Pete F <[email protected]> wrote:
> I love OSSEC on Linux, just wish I had the same functionality in window$.
> I read an older post about Windows IPsec possibilities for active
> response. I have the netsh commands all worked out to add and then
> delete an IP. I'm about to go home, I guess I'm soliciting direction
> on what to tackle next. I posted the netsh to block my page IP and
> Slashdot, then unblock my page here:
> http://windowsnerd.com/2010/02/17/windows-and-ossec-ipsec-blocks/
>
> I chose just a straight IP block vs. doing a port because if someone is
> attacking, I'd rather go ahead and block the whole source IP than the
> individual port or service. I can modify the netsh fun if you want it
> per port etc. Anyhow, I hope this can help with any sort of development
> work. I'm sure it won't be too hard to change the IP dynamically based
> on parsing logs. I'll be more than happy to help out as much as I can
> on OSSEC for Windows. I'm not a coder, but I can go bug the dev guys
> down the hall if you give me tasks.
>
> Thanks,
>
> Pete Fahlenkamp
>
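One way the add/delete pair could be wired into an OSSEC Windows active-response script, as an added example that is neither Pete's posted commands nor OSSEC's own code. It assumes the `netsh ipsec static` context is available, that OSSEC calls the script with the same `<action> <user> <srcip>` arguments as the route-based response Daniel mentions, and that the script, policy and filter-list names are made up for illustration.

```batch
@echo off
REM ossec-ipsec-block.cmd (hypothetical name): OSSEC active response for Windows.
REM Called by OSSEC as:  script.cmd <action> <user> <srcip>
REM   %1 = add | delete    %2 = user (unused here)    %3 = source IP to block
REM Assumed to live in active-response\bin under the OSSEC install directory.
setlocal

set ACTION=%1
set SRCIP=%3
set POLICY=OSSEC-Block
set FLIST=OSSEC-Block-Filters
set FACTION=OSSEC-Block-Action
set LOGFILE=%~dp0..\active-responses.log

REM Refuse to run with an empty address so netsh never gets srcaddr= with no value.
IF "%SRCIP%"=="" exit /b 1
IF "%ACTION%"=="add" GOTO ADD
IF "%ACTION%"=="delete" GOTO DELETE
echo %DATE% %TIME% %~nx0: invalid action "%ACTION%" >> "%LOGFILE%"
exit /b 1

:ADD
REM First run only: create the policy, filter list, block action and rule.
REM netsh reports an error if they already exist; that is harmless here.
REM Caveat: a machine can have only one IPsec policy assigned, so assigning
REM OSSEC-Block replaces any local or domain IPsec policy already in effect.
netsh ipsec static add policy name="%POLICY%" description="OSSEC active response" assign=yes >nul 2>&1
netsh ipsec static add filterlist name="%FLIST%" >nul 2>&1
netsh ipsec static add filteraction name="%FACTION%" action=block >nul 2>&1
netsh ipsec static add rule name="OSSEC-Block-Rule" policy="%POLICY%" filterlist="%FLIST%" filteraction="%FACTION%" >nul 2>&1
REM Block every protocol from the source IP to this host; mirrored=yes also
REM drops the reverse direction (this host -> source IP).
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=%SRCIP% dstaddr=me protocol=any mirrored=yes description="OSSEC block %SRCIP%"
echo %DATE% %TIME% %~nx0: blocked %SRCIP% >> "%LOGFILE%"
exit /b 0

:DELETE
REM Remove only this IP's filter; policy, rule and filter list stay for the next block.
netsh ipsec static delete filter filterlist="%FLIST%" srcaddr=%SRCIP% dstaddr=me protocol=any mirrored=yes
echo %DATE% %TIME% %~nx0: unblocked %SRCIP% >> "%LOGFILE%"
exit /b 0
```

Because the filter is keyed on the source address, a later `delete` with the same IP removes exactly what the earlier `add` created, which is what an OSSEC timeout-based unblock needs.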
