I solved this. Now on the server:

[root@localhost rules]# /app/ossec/bin/agent_control -u 008 -b 2.3.4.5 -f win_nullroute600

OSSEC HIDS agent_control: Running active response 'win_nullroute600' on: 008

and on the client, the active-response.log is:

星期五 12:10 "active-response/bin/route-null.cmd" delete "-" "3.3.3.4" "(from_the_server) (no_rule_id)"

My client's language is Chinese. It seems to work. But when someone tries to get my administrator's password, I receive some email alerts with level 10, but the active response doesn't work. Some email alerts look like this:

===============================================================
Received From: (Name-53-xxx) xxx.xxx.53.xxx->WinEvtLog
Rule: 18152 fired (level 10) -> "Multiple Windows Logon Failures."
Portion of the log(s):

WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: ZJTG53-xxx: 登录失败: 原因: 用户名未知或密码错误 用户名: administrator 域: ZYC 登录类型: 3 登录进程: NtLmSsp 身份验证数据包: NTLM 工作站名称: ZYC 调用方用户名: - 调用方域: - 调用方登录 ID: - 调用方进程 ID: - 传递服务: - 源网络地址: 122.xxx.xxx.11 源端口: 1318
===============================================================

I think because my event log is in Chinese, the decoder can't get the srcip. Isn't it?

Best regards,
Netkey

On April 8, 11:04 AM, netkey <[email protected]> wrote:
> Hi,
>
> I am running agent 2.5.1 on Windows 2003 Server and the server (same version) on Linux (CentOS 5.4).
> I get the e-mail at level 10 but the agent does not respond. It is not in the white_list
> (on the server ossec.conf).
>
> ossec.conf client:
>
> <active-response>
>   <disabled>no</disabled>
> </active-response>
>
> ossec.conf server:
>
> <command>
>   <name>win-nullroute</name>
>   <executable>route-null.cmd</executable>
>   <expect>srcip</expect>
>   <timeout_allowed>yes</timeout_allowed>
> </command>
>
> <active-response>
>   <command>win-nullroute</command>
>   <location>local</location>
>   <level>10</level>
>   <timeout>600</timeout>
> </active-response>
>
> Then I restarted the ossec agent and the ossec server.
>
> On the server:
>
> [root@localhost ~]# /app/ossec/bin/agent_control -L
>
> OSSEC HIDS agent_control. Available active responses:
>
>    Response name: win-nullroute600, command: route-null.cmd
>    Response name: host-deny600, command: host-deny.sh
>    Response name: firewall-drop600, command: firewall-drop.sh
>
> [root@localhost ~]# /app/ossec/bin/agent_control -r -u 008 -b 2.3.4.5 -f win-nullroute600
>
> OSSEC HIDS agent_control: Restarting Syscheck/Rootcheck on agent: 008
>
> But it seems it does not add 2.3.4.5 to the route table on the client.
>
> I have C:\Program Files\ossec-agent\active-response/bin/route-null.cmd but
> see no active-responses.log file.
> In C:\Program Files\ossec-agent\shared\ar.conf
> I can now see:
>
> restart-ossec0 - restart-ossec.sh - 0
> restart-ossec0 - restart-ossec.cmd - 0
> win-nullroute600 - route-null.cmd - 600
> host-deny600 - host-deny.sh - 600
> firewall-drop600 - firewall-drop.sh - 600
>
> Sorry for my bad English.
>
> Best regards,
>
> Netkey
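As an added example, not from the thread above or from OSSEC's own decoders, the Python below shows why a decoder that only knows the English "Source Network Address" label extracts no srcip from the localized event 529 text, and how a label-aware extractor still yields a validated address for the `<expect>srcip</expect>` response. The sample log line, host name, domain and IP are constructed placeholders, not the values from the original alert.

```python
import re
from ipaddress import ip_address

# Constructed sample in the layout of the event 529 alert quoted above;
# host, domain and IP are placeholders, not the values from the post.
SAMPLE_ZH = (
    "WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: "
    "HOST-EXAMPLE: 登录失败: 原因: 用户名未知或密码错误 用户名: administrator 域: EXAMPLE "
    "登录类型: 3 登录进程: NtLmSsp 身份验证数据包: NTLM 工作站名称: EXAMPLE "
    "调用方用户名: - 调用方域: - 调用方登录 ID: - 调用方进程 ID: - 传递服务: - "
    "源网络地址: 192.0.2.11 源端口: 1318"
)

# Field label for the source address as written by the English and the
# Simplified Chinese Windows 2003 Security event text.
SRCIP_LABELS = {
    "en": "Source Network Address",
    "zh": "源网络地址",
}


def extract_srcip(line, labels=SRCIP_LABELS):
    """Return (lang, srcip) for the first label present in the line.

    Returns (None, None) when no known label matches, and (lang, None) when
    the field holds a placeholder such as '-' rather than a real address, so a
    non-address never reaches a block/null-route response.
    """
    for lang, label in labels.items():
        m = re.search(re.escape(label) + r":\s*(\S+)", line)
        if not m:
            continue
        try:
            return lang, str(ip_address(m.group(1)))
        except ValueError:
            return lang, None
    return None, None


def english_only_srcip(line):
    """What a decoder that knows only the English label gets from this line."""
    return extract_srcip(line, {"en": SRCIP_LABELS["en"]})[1]


if __name__ == "__main__":
    print("English-only decoder:", english_only_srcip(SAMPLE_ZH))  # None
    print("Label-aware decoder:", extract_srcip(SAMPLE_ZH))  # ('zh', '192.0.2.11')
```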
