Hello,

Please check on the Windows side the file called ar.conf in:
C:\Program Files\ossec-agent\shared

There should be a line like, in my case:

restart-ossec0 - restart-ossec.sh - 0
restart-ossec0 - restart-ossec.cmd - 0
win_nullroute2147483647 - win_nullroute.cmd - 2147483647

so I would execute:

/var/ossec/bin/agent_control -b 2.3.4.5 -f win_nullroute2147483647 -u 005

In your case, when trying to execute "win_nullroute600" from the command line, be sure that the same command exists in the ar.conf on the agent side.

Knowing from different cases, either ar.conf has not been copied to the agent yet or there's a wrong command specified. Both should be the same.

P.

On Sun, Dec 25, 2011 at 4:59 PM, Steve West <[email protected]> wrote:

> Version: OSSEC 2.6
> OS: Windows 2003 SP2
>
> Can't seem to get the active response to work on the Windows side. We are
> running the latest version of ossec 2.6 and in the logs, I see the
> following:
>
> 2011/12/25 10:52:46 ossec-execd(1311): ERROR: Invalid command name 'win_nullroute600' provided.
>
> I'm sending the following command from the ossec server:
>
> # /var/ossec/bin/agent_control -b 2.3.4.5 -f win_nullroute600 -u 005
>
> OSSEC HIDS agent_control: Running active response 'win_nullroute600' on: 005
>
> And here is what I have on the Windows agent ossec.conf:
>
> <active-response>
>   <disabled>no</disabled>
> </active-response>
>
> <command>
>   <name>win_nullroute</name>
>   <executable>route-null.cmd</executable>
>   <expect>srcip</expect>
>   <timeout_allowed>yes</timeout_allowed>
> </command>
>
> <active-response>
>   <command>win_nullroute</command>
>   <location>local</location>
>   <level>6</level>
>   <timeout>600</timeout>
> </active-response>
>
> Am I missing something? I did follow the instructions here:
> http://www.ossec.net/main/manual/manual-active-response-on-windows
>
> Please advise.
>
> Thanks,
>
> SW
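
The check described in the reply above, as an added example that is not part of the original thread or of OSSEC itself: it parses the agent's ar.conf and confirms that the name passed to `agent_control -f` is defined there. The `name - executable - timeout` layout and the name-plus-timeout naming are read off the three ar.conf lines quoted in the reply; the function names are hypothetical.

```python
import re
import sys

# Constructed sample: the three ar.conf lines quoted in the reply above.
SAMPLE_AR_CONF = (
    "restart-ossec0 - restart-ossec.sh - 0\r\n"
    "restart-ossec0 - restart-ossec.cmd - 0\r\n"
    "win_nullroute2147483647 - win_nullroute.cmd - 2147483647\r\n"
)

# Layout as seen in those lines: "<name> - <executable> - <timeout>".
ENTRY_RE = re.compile(r"^(\S+) - (\S+) - (\d+)$")


def parse_ar_conf(text):
    """Return (name, executable, timeout) tuples, skipping lines that do not match."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2), int(m.group(3))))
    return entries


def check_command(requested, entries):
    """Return (found, suggestions) for the name passed to agent_control -f."""
    if any(name == requested for name, _, _ in entries):
        return True, []
    suggestions = set()
    for name, _, timeout in entries:
        suffix = str(timeout)
        # Assumption read off the sample: name = command name + timeout digits.
        if not name.endswith(suffix):
            continue
        base = name[: -len(suffix)]
        rest = requested[len(base):]
        if base and requested.startswith(base) and (rest == "" or rest.isdigit()):
            suggestions.add(name)
    return False, sorted(suggestions)


if __name__ == "__main__":
    # Usage: script.py <name> [path-to-ar.conf]; falls back to the sample.
    wanted = sys.argv[1] if len(sys.argv) > 1 else "win_nullroute600"
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_AR_CONF
    found, hints = check_command(wanted, parse_ar_conf(text))
    print(f"{wanted}: {'present in ar.conf' if found else 'NOT in ar.conf'}")
    for hint in hints:
        print(f"  defined for the same command: {hint}")
```
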
