Hey martin,

These scripts contain some commands that are OS specific. So when the server sees events, it executes the script which executes commands on the client, be it to deny a host or to add a rule to the firewall (iptables).

Also, the scripts can be used as intended. It means you cannot use a unix related AR script on windows, as the commands in that script will be unix specific. However, you can try to understand the logic, and create your own scripts.

Sent from BlackBerry® on Airtel

-----Original Message-----
From: Martin Gottlieb <[email protected]>
Sender: [email protected]
Date: Fri, 22 Apr 2011 16:37:43
To: <[email protected]>
Reply-To: [email protected]
Subject: Re: [ossec-list] Active Response on Windows events

I guess what I'm trying to understand is this:

When an event is triggered from a Linux agent, the firewall drop script is run on the OSSEC server (in addition to the hosts deny script being called on the agent). I don't recall doing anything special to make this happen when I installed OSSEC, I assume it is part of the default behavior.

When an event is triggered on a Windows agent, the firewall drop script is NOT called on the server, but I would like it to be. I would like the default behavior on Windows agents to be the same as Linux agents, at least as far as what happens on the OSSEC server. The Windows agent is obviously reporting the event to the server as it logs it and reports it to me.

Am I understanding the responses so far to mean that I have to write a script to make this happen, and that the script needs to reside on the Windows agent?

Thanks again.

Martin

On 4/22/2011 4:24 PM, dan (ddp) wrote:
> Hi Tanishk,
> The active response scripts should exist on the systems (agents and servers) they need to be run on.
>
> On Fri, Apr 22, 2011 at 4:17 PM, Tanishk Lakhaani <[email protected]> wrote:
>> Hey martin,
>> See, the active response related scripts will be placed at the server side, executed at the server/client side (depending upon the way it is configured in ossec.conf using the location tag) and the commands written in these scripts will actually take an action on the agent side. This is the basic of active response.
>>
>> Sent from BlackBerry® on Airtel
>>
>> -----Original Message-----
>> From: Martin Gottlieb <[email protected]>
>> Sender: [email protected]
>> Date: Fri, 22 Apr 2011 16:04:14
>> To: <[email protected]>
>> Reply-To: [email protected]
>> Subject: Re: [ossec-list] Active Response on Windows events
>>
>> Thanks, Tanishk. I'm really surprised nothing has been written for windows yet. Am I correct in assuming the script would reside on the Windows agent machine?
>>
>> Obviously, the windows agent communicates with the Linux server. Is it not possible to have an active response script triggered on the server side as happens with Linux agents?
>>
>> Thanks.
>>
>> Martin
>>
>> On 4/22/2011 3:28 PM, Tanishk Lakhaani wrote:
>>> Hey martin,
>>> All these default active response scripts are written for a specific event. Read these scripts to understand these scripts.
>>>
>>> For the event of your interest -- multiple logon failures...for linux, there is a default active response script -- for locking the account. But for windows there is no such script. What you can do is that you can create your own customised script and use it for active response purposes.
>>>
>>> Regards
>>> Tanishk lakhaani
>>> Sent from BlackBerry® on Airtel
>>>
>>> -----Original Message-----
>>> From: Martin Gottlieb <[email protected]>
>>> Sender: [email protected]
>>> Date: Fri, 22 Apr 2011 08:22:37
>>> To: <[email protected]>
>>> Reply-To: [email protected]
>>> Subject: [ossec-list] Active Response on Windows events
>>>
>>> Hi,
>>>
>>> Is OSSEC capable of triggering an active response on Windows events? In particular, I am frequently seeing event 18152, "Multiple Windows Logon Failures", but no active response is ever triggered. There are 2 (at least) different variations on the events, 1 for Windows log-in failures and another for SQL Server log-in failures.
>>>
>>> I added the null_cmd command mentioned in the docs, but I'd be happy if it just triggered the firewall drop script.
>>>
>>> Am I missing something in the configuration?
>>>
>>> thanks.
>>>
>>> Martin
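As an added illustration (not from any message in this thread) of the server-side behaviour Martin is asking for, this is the shape of the ossec.conf entries that bind the stock firewall-drop command to rule 18152 and run it on the server; the `<command>` block is the one that ships in the default ossec.conf, the `<active-response>` block is the assumed addition. Caveat: firewall-drop expects a srcip in the alert, so it will only fire for a Windows logon-failure event if the decoder extracted a source IP from it.

```xml
<!-- Default command definition as shipped in ossec.conf on the server.
     "expect srcip" means the response is skipped when the alert has no source IP. -->
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<!-- Assumed addition: run firewall-drop on the OSSEC server itself
     (location "server") whenever rule 18152, "Multiple Windows Logon Failures",
     fires for any agent, Windows agents included. Unblock after 600 seconds. -->
<active-response>
  <command>firewall-drop</command>
  <location>server</location>
  <rules_id>18152</rules_id>
  <timeout>600</timeout>
</active-response>
```

After editing ossec.conf restart the server and check that ossec-execd logged the new response; a silent non-fire usually means the alert carried no srcip.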
