The only idea I have is to stop the agent's ossec service, clear the AR logfile, and start the service again.
On Mon, Sep 20, 2010 at 3:37 PM, blacklight <[email protected]> wrote:
> Hello Folks,
>
> I am wondering why active response on an OSSEC client which happens to
> be an MS Windows 2008 Server is not being triggered. What is
> frustrating is that it was working this morning while I was
> troubleshooting it.
>
> To start:
>
> (1) The OSSEC server is properly configured:
>
> OSSEC HIDS agent_control. Available active responses:
>
>    Response name: firewall-drop600, command: firewall-drop.sh
>    Response name: firewall-drop3600, command: firewall-drop.sh
>    Response name: win_nullroute600, command: route-null.cmd
>    Response name: win_nullroute3600, command: route-null.cmd
>
> [r...@wiggum alerts]#
>
>
> (2) The OSSEC server is talking to the OSSEC agent, as shown below:
>
> [r...@wiggum alerts]# agent_control -i 114
>
> OSSEC HIDS agent_control. Agent information:
>    Agent ID: 114
>    Agent Name: reports.capitalplan.org
>    IP address: 100.100.100.100
>    Status: Active
>
>    Operating system: Microsoft Windows Server 2008 Enterprise Edition (fu..
>    Client version: OSSEC HIDS v2.3 / c9bc807c7443d9ac069afac46a9d2635
>    Last keep alive: Mon Sep 20 15:04:47 2010
>
>    Syscheck last started at: Mon Sep 20 14:49:54 2010
>    Rootcheck last started at: Mon Sep 20 14:50:26 2010
>
>
> (3) Active response is configured to be triggered from the OSSEC server:
>
> [r...@wiggum alerts]# agent_control -b 100.100.100.100 -f win_nullroute600 -u 114
>
> OSSEC HIDS agent_control: Running active response 'win_nullroute600' on: 114
> [r...@wiggum alerts]#
>
> The problem is that the active-responses.log has shown no updated
> entry since 12:30 PM EST (add 3 hours to the time that you are reading):
>
> 09/20/2010 07:00 "active-response/bin/route-null.cmd" add "-" "2.3.4.5" "(from_the_server) (no_rule_id)"
> 09/20/2010 07:06 "active-response/bin/route-null.cmd" add "-" "224.224.224.224" "(from_the_server) (no_rule_id)"
> 09/20/2010 07:08 "active-response/bin/route-null.cmd" add "-" "100.100.100.100" "(from_the_server) (no_rule_id)"
> 09/20/2010 07:10 "active-response/bin/route-null.cmd" delete "-" "2.3.4.5" "(from_the_server) (no_rule_id)"
> 09/20/2010 07:18 "active-response/bin/route-null.cmd" delete "-" "224.224.224.224" "(from_the_server) (no_rule_id)"
> 09/20/2010 07:29 "active-response/bin/route-null.cmd" add "-" "100.100.100.100" "(from_the_server) (no_rule_id)"
> 09/20/2010 07:41 "active-response/bin/route-null.cmd" add "-" "100.100.100.100" "(from_the_server) (no_rule_id)"
> 09/20/2010 07:49 "active-response/bin/route-null.cmd" add "-" "100.100.100.100" "(from_the_server) (no_rule_id)"
> 09/20/2010 07:57 "active-response/bin/route-null.cmd" add "-" "100.100.100.100" "(from_the_server) (no_rule_id)"
> 09/20/2010 08:49 "active-response/bin/route-null.cmd" add "-" "100.100.100.100" "(from_the_server) (no_rule_id)"
> 09/20/2010 09:08 "active-response/bin/route-null.cmd" add "-" "100.100.100.100" "(from_the_server) (no_rule_id)" 64.62.138.162(Preferred)
> 09/20/2010 09:20 "active-response/bin/route-null.cmd" add "-" "100.100.100.100" "(from_the_server) (no_rule_id)" 64.62.138.162(Preferred)
>
>
> Note that the module responsible for active response on the OSSEC agent
> is up and operational:
>
> 2010/09/20 11:47:15 ossec-execd: INFO: Started (pid: 8568)
>
> If I were to deliberately screw up the syntax of the agent_control command:
>
> OSSEC HIDS agent_control: Running active response 'win_nulroute600' on: 114
>
> I'd get on the OSSEC server:
>
> OSSEC HIDS agent_control: Running active response 'win_nulroute600' on: 114
> [r...@wiggum alerts]#
>
> And I'd get in the ossec.log of the OSSEC agent:
>
> 9/20 12:25:52 ossec-execd(1311): ERROR: Invalid command name 'win_nulroute600' provided.
>
> (I had to restart OSSEC on the agent to get this feedback line.)
>
> However, the active-response log doesn't get updated with new entries.
>
> For reference, I had to edit the route-null.cmd script on the OSSEC agent
> (it's buggy for Windows Server 2008):
>
> :: Simple script to null route an ip address.
> @ECHO OFF
> ECHO.
>
> :: Logging it all
> FOR /F "TOKENS=1* DELIMS= " %%A IN ('DATE/T') DO SET DATE=%%B
> FOR /F "TOKENS=1* DELIMS= " %%A IN ('TIME/T') DO SET TIME=%%A
>
> IF "%1"=="add" GOTO ADD
> IF "%1"=="delete" GOTO DEL
> :ERROR
>
> ECHO "Invalid argument. %1"
> GOTO Exit;
>
> :: Adding to the blocked.
>
> :ADD
> :: Extracts last ip address from ipconfig.
> FOR /F "TOKENS=2* DELIMS=:" %%A IN ('IPCONFIG ^| FIND "IPv4"') DO FOR %%B IN (%%A) DO SET IPADDR=%%B     <-- I made the change here
>
> :: route add %3 mask 255.255.255.255 %IPADDR%
> route add %3 mask 255.255.255.255 150.150.150.150     <-- I made the change here
>
> ECHO %DATE% %TIME% %0 %1 %2 %3 %4 %5 %6 %7 %8 %9 %IPADDR% >> active-response\active-responses.log
>
> GOTO Exit;
>
> :DEL
> route delete %3
>
> :Exit
>
>
> Questions: Why is active response no longer working?
>
>
> Regards,
>
> Vietnhi Phuvan
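For anyone hitting the same Windows Server 2008 wrinkle, here is a rewrite of route-null.cmd as an added example. It is not the script shipped with OSSEC and not the version quoted above. It assumes that ipconfig on 2008 prints the address line as "IPv4 Address. . . : 10.0.0.5(Preferred)" (the trailing "64.62.138.162(Preferred)" on the last two log lines above is consistent with %IPADDR% having captured that suffix) and that execd starts the script from the agent's OSSEC directory so the relative active-response\ path resolves; both are assumptions. It avoids the hard-coded gateway, and records the route.exe return code on every add and delete, so a failed route shows up in active-responses.log instead of leaving the log silent.

```batch
:: route-null.cmd, an example rewrite (not the script shipped with OSSEC).
:: Assumed for this example: Windows Server 2008 ipconfig prints
::   "IPv4 Address. . . . . . . . . . . : 10.0.0.5(Preferred)"
:: and ossec-execd runs this from the agent's OSSEC directory, so the
:: relative active-response\ path resolves.
@ECHO OFF
SETLOCAL

SET LOGFILE=active-response\active-responses.log

:: Timestamp for the log line (DATE /T prints "Mon 09/20/2010"; keep token 2).
FOR /F "TOKENS=1* DELIMS= " %%A IN ('DATE /T') DO SET LOGDATE=%%B
FOR /F "TOKENS=1* DELIMS= " %%A IN ('TIME /T') DO SET LOGTIME=%%A

IF "%~1"=="add" GOTO ADD
IF "%~1"=="delete" GOTO DEL
ECHO %LOGDATE% %LOGTIME% %0 invalid action %1 >> %LOGFILE%
EXIT /B 1

:ADD
:: Take the last IPv4 line from ipconfig. The pipe must be ^-escaped inside
:: FOR /F. Splitting on ":" and "(" drops the "(Preferred)" suffix (and any
:: other parenthesised state), so %%A is " 10.0.0.5"; the inner FOR trims
:: the leading space.
SET IPADDR=
FOR /F "TOKENS=2 DELIMS=:(" %%A IN ('IPCONFIG ^| FIND "IPv4"') DO FOR %%B IN (%%A) DO SET IPADDR=%%B
IF "%IPADDR%"=="" (
    ECHO %LOGDATE% %LOGTIME% %0 add %3 failed: no IPv4 address found >> %LOGFILE%
    EXIT /B 1
)
:: Null route: point the offending /32 at our own interface address, as the
:: original script does. %~3 strips the quotes execd puts around the argument
:: so route.exe sees a bare address.
route add %~3 mask 255.255.255.255 %IPADDR% >NUL 2>&1
SET RC=%ERRORLEVEL%
ECHO %LOGDATE% %LOGTIME% %0 %1 %2 %3 %4 %5 %6 %7 %8 %9 gw=%IPADDR% rc=%RC% >> %LOGFILE%
EXIT /B %RC%

:DEL
route delete %~3 >NUL 2>&1
SET RC=%ERRORLEVEL%
ECHO %LOGDATE% %LOGTIME% %0 %1 %2 %3 %4 %5 %6 %7 %8 %9 rc=%RC% >> %LOGFILE%
EXIT /B %RC%
```

To check it without waiting for the server, run it by hand from the agent's OSSEC directory with the same argument shape execd uses, e.g. `route-null.cmd add - 203.0.113.7 "(from_the_server) (no_rule_id)"`, then confirm with `route print` and look at the rc= value on the new log line; a nonzero rc with an empty gw= means the ipconfig parse failed rather than the route command.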
