Thank you, Andre. If I'm not mistaken, this script is only good for a Linux machine. I'm trying to get some use out of OSSEC against the fake anti-virus scanner problem that we have in our company on our Windows machines.
We have over 10,000 computers that all run Windows XP, and some of them have this rogue anti-virus on them, which prevents users from doing anything. I want to find a way to find out how they are coming into our network and then block it. They of course make changes to the system, which OSSEC can detect in the integrity check. But the question is how I prevent them by using OSSEC or your script.
Thanks

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Andre Pawlowski
Sent: Thursday, April 15, 2010 1:44 PM
To: [email protected]
Subject: Re: [ossec-list] IPS

It can block the attack. If it detects it in any log, it can do any action you want. I've written a script that mirrors the attack back to the attacker (http://h4des.org/source/blog/mirroring-traffic.sh.txt). If you want more, you can combine it with Snort or any other NIDS. OSSEC is a great platform to manage actions against intruders.

Andre Pawlowski
-------------------------------------------------------------------
If an idea does not at first seem absurd, it is worthless. -Albert Einstein

On 04/15/2010 05:35 PM, Saeid Ansaripour wrote:
> Is OSSEC doing any kind of IPS at all?
> It looks like OSSEC is more of a logging management tool than anything
> else.
> How does it prevent the intrusion if, say, malware attacks a system?
>
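The chain Andre describes (a detection in any log feeding an action) and the syscheck use case asked about above can be wired together in OSSEC's own configuration. The fragment below is an added example for this thread, not code from either poster or from the OSSEC project. It assumes: the watched path `C:\Documents and Settings` is a placeholder for wherever the rogue AV drops its files; rule id 100100 is a free id in the local range; `quarantine.cmd` is a hypothetical script you would place in the agent's `active-response\bin` directory; and the agent-side script receives OSSEC's usual positional active-response arguments (action, user, source ip, alert id, rule id, agent name, filename), which is the convention I assume here rather than something the thread states.

```xml
<!-- local_rules.xml (server side): raise a high-level alert when syscheck
     reports a change under the watched path. 550 (checksum changed) and
     554 (file added) are OSSEC's built-in syscheck rule ids. The path
     is a placeholder; substitute the directories the rogue AV touches. -->
<group name="local,syscheck,">
  <rule id="100100" level="12">
    <if_sid>550,554</if_sid>
    <match>C:\Documents and Settings</match>
    <description>Syscheck change under a user profile (possible rogue anti-virus install)</description>
  </rule>
</group>

<!-- ossec.conf (server side): define the command and bind it to the rule.
     location "local" runs the command on the agent that raised the alert,
     so the Windows XP host that was modified is the one that reacts. -->
<ossec_config>
  <command>
    <name>win-quarantine</name>
    <!-- Hypothetical script; must exist in the agent's active-response\bin -->
    <executable>quarantine.cmd</executable>
    <expect></expect>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <command>win-quarantine</command>
    <location>local</location>
    <rules_id>100100</rules_id>
  </active-response>
</ossec_config>
```

Two caveats a practitioner would want here. First, syscheck only reports what it sees when it scans, so the interval set by `<frequency>` in the agent's syscheck block bounds how quickly this fires; it is a reaction after the files land, not a block at install time. Second, rule 554 only produces events when `<alert_new_files>yes</alert_new_files>` is enabled in the syscheck configuration; without it, only the checksum-change path (550) will trigger the local rule.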
