Hi, I am running agent 2.5.1 on Windows 2003 Server and the server on Linux (CentOS 5.4), same version. I get the level 10 e-mail but the agent does not respond. It is not in the white_list (in ossec.conf on the server).

ossec.conf client:

    <active-response>
      <disabled>no</disabled>
    </active-response>

ossec.conf server:

    <command>
      <name>win-nullroute</name>
      <executable>route-null.cmd</executable>
      <expect>srcip</expect>
      <timeout_allowed>yes</timeout_allowed>
    </command>

    <active-response>
      <command>win-nullroute</command>
      <location>local</location>
      <level>10</level>
      <timeout>600</timeout>
    </active-response>

Then I restarted the ossec agent and the ossec server. On the server:

    [root@localhost ~]# /app/ossec/bin/agent_control -L

    OSSEC HIDS agent_control. Available active responses:

       Response name: win-nullroute600, command: route-null.cmd
       Response name: host-deny600, command: host-deny.sh
       Response name: firewall-drop600, command: firewall-drop.sh

    [root@localhost ~]# /app/ossec/bin/agent_control -r -u 008 -b 2.3.4.5 -f win-nullroute600

    OSSEC HIDS agent_control: Restarting Syscheck/Rootcheck on agent: 008

But it does not seem to add 2.3.4.5 to the route table on the client.

I have C:\Program Files\ossec-agent\active-response/bin/route-null.cmd but I see no active-responses.log file.

In C:\Program Files\ossec-agent\shared\ar.conf I can now see:

    restart-ossec0 - restart-ossec.sh - 0
    restart-ossec0 - restart-ossec.cmd - 0
    win-nullroute600 - route-null.cmd - 600
    host-deny600 - host-deny.sh - 600
    firewall-drop600 - firewall-drop.sh - 600

Sorry for my bad English.

Best regards,
Netkey
