Version: OSSEC 2.6
OS: Windows 2003 SP2
Can't seem to get the active response to work on the Windows side. We are running the latest version of OSSEC 2.6 and in the logs, I see the following:
2011/12/25 10:52:46 ossec-execd(1311): ERROR: Invalid command name 'win_nullroute600' provided.
I'm sending the following command from the ossec server:
# /var/ossec/bin/agent_control -b 2.3.4.5 -f win_nullroute600 -u 005
OSSEC HIDS agent_control: Running active response 'win_nullroute600' on: 005
And here is what I have on the windows agent ossec.conf:
<active-response>
  <disabled>no</disabled>
</active-response>
<command>
  <name>win_nullroute</name>
  <executable>route-null.cmd</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>
<active-response>
  <command>win_nullroute</command>
  <location>local</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
Am I missing something? I did follow the instruction here:
http://www.ossec.net/main/manual/manual-active-response-on-windows
Please advise.
Thanks,
SW
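An added consistency check for agent-side active-response configuration like the fragment posted above (example code written for this thread, not part of OSSEC or the original post): it parses a constructed copy of the fragment with Python's ElementTree under a synthetic root, cross-references each `<active-response><command>` against the `<command><name>` entries, and reports whether a name handed to `agent_control -f` is one of the defined command names. It only compares names in the config; it does not diagnose why ossec-execd rejected a particular name.

```python
import xml.etree.ElementTree as ET
# Constructed copy of the Windows-agent fragment from the post; ossec.conf has
# several top-level blocks, so a synthetic <root> is added before parsing.
AGENT_FRAGMENT = """
<active-response>
<disabled>no</disabled>
</active-response>
<command>
<name>win_nullroute</name>
<executable>route-null.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<active-response>
<command>win_nullroute</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
"""

def parse_fragment(text):
    """Return ({name: command definition}, [active-response entries])."""
    root = ET.fromstring("<root>" + text + "</root>")
    commands = {}
    for cmd in root.findall("command"):
        commands[cmd.findtext("name")] = {
            "executable": cmd.findtext("executable"),
            "timeout_allowed": cmd.findtext("timeout_allowed") == "yes",
        }
    responses = []
    for ar in root.findall("active-response"):
        if ar.find("command") is None:
            continue  # the <disabled>no</disabled> block, not a response
        responses.append({
            "command": ar.findtext("command"),
            "timeout": int(ar.findtext("timeout") or 0),
        })
    return commands, responses

def check(commands, responses, requested):
    """List config problems; 'requested' is the name given to agent_control -f."""
    problems = []
    for ar in responses:
        if ar["command"] not in commands:
            problems.append(f"active-response refers to undefined command {ar['command']!r}")
        elif ar["timeout"] and not commands[ar["command"]]["timeout_allowed"]:
            problems.append(f"{ar['command']!r} has a timeout but timeout_allowed is not yes")
    if requested not in commands:
        problems.append(f"{requested!r} is not a <command><name> in this config")
    return problems
```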