Hey Martin,

All these default active response scripts are written for a specific event. Read these scripts to understand them.

For the event of your interest -- multiple logon failures -- for Linux, there is a default active response script for locking the account. But for Windows there is no such script. What you can do is create your own customised script and use it for active response purposes.

Regards
Tanishk Lakhaani

Sent from BlackBerry® on Airtel

-----Original Message-----
From: Martin Gottlieb <[email protected]>
Sender: [email protected]
Date: Fri, 22 Apr 2011 08:22:37
To: <[email protected]>
Reply-To: [email protected]
Subject: [ossec-list] Active Response on Windows events

Hi,

Is OSSEC capable of triggering an active response on Windows events? In particular, I am frequently seeing event 18152, "Multiple Windows Logon Failures", but no active response is ever triggered. There are 2 (at least) different variations on the events, 1 for Windows log-in failures and another for SQL Server log-in failures. I added the null_cmd command mentioned in the docs, but I'd be happy if it just triggered the firewall drop script. Am I missing something in the configuration?

thanks.
Martin
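The configuration the thread is circling around, as an added example rather than anything posted by either participant: a manager-side ossec.conf fragment that binds rule 18152 to a custom Windows script, assuming a script named lock-account.cmd that you write yourself and place in the agent's active-response\bin directory (the command name and script name are assumptions; 18152 is the rule ID from the question).

```xml
<!-- Added example (not from the thread). Goes in the MANAGER's ossec.conf:
     active-response entries are evaluated on the manager, and
     <location>local</location> runs the command on the agent that raised
     the alert, i.e. the Windows host that logged the failures. -->
<ossec_config>

  <!-- The executable must exist under active-response\bin on the Windows
       agent. OSSEC calls it as: script.cmd add|delete <user> <srcip> <alert-id> <rule-id>
       so the script reads %1 (action), %2 (user) and %3 (source ip).
       "expect" tells OSSEC which alert field must be present; for a
       logon-failure rule the username is the useful one. -->
  <command>
    <name>win-lock-account</name>
    <executable>lock-account.cmd</executable>   <!-- assumed script name -->
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Fire on rule 18152 (Multiple Windows Logon Failures). Both of the
       variations mentioned in the question carry the same rule ID, so one
       entry covers them. The timeout makes OSSEC re-run the script with
       "delete" after 600 s, so the lock is temporary unless the script
       chooses to ignore the delete action. -->
  <active-response>
    <command>win-lock-account</command>
    <location>local</location>
    <rules_id>18152</rules_id>
    <timeout>600</timeout>
  </active-response>

</ossec_config>
```

The null_cmd mentioned in the docs only proves the wiring works; a practical check is to tail the agent's active-responses.log on the Windows host after a burst of failed logons to confirm the command was invoked with the expected user argument.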
