On Thu, Dec 22, 2011 at 3:45 PM, Peter Skurczak <[email protected]> wrote:
> On the agent, in ossec.conf I've got the following section:
>
> (...)
> <active-response>
> <disabled>no</disabled>
> </active-response>
>
> </ossec_config>
>
> I actually followed the manual
> on http://www.ossec.net/main/manual/manual-active-response-on-windows
>
I don't know who maintains that, so I don't know how up to date it is. I also do as little as possible with Windows, so I'm glad you have something that works.

> I will turn on windows debug and let you know what it says when I execute
> "remote ip ban"
> # Windows debug (used by the windows agent)
> windows.debug=2
>
> On Thu, Dec 22, 2011 at 9:00 PM, dan (ddp) <[email protected]> wrote:
>>
>> Is AR enabled on the agent?
>>
>> On Thu, Dec 22, 2011 at 2:56 PM, Peter Skurczak
>> <[email protected]> wrote:
>> > Hello everyone,
>> >
>> > Although I read a lot on the internet about it, still I can't get why do I
>> > have these kind of errors on the agent side (below).
>> > Every time I'm trying to fire up: /var/ossec/bin/agent_control -b 1.2.3.5 -f
>> > win_nullroute -u 002 I get:
>> >
>> > 2011/12/22 20:22:09 ossec-execd(1311): ERROR: Invalid command name
>> > 'win_nullroute' provided.
>> > 2011/12/22 20:22:16 ossec-execd(1311): ERROR: Invalid command name
>> > 'win_nullroute' provided.
>> > 2011/12/22 20:22:23 ossec-execd(1311): ERROR: Invalid command name
>> > 'win_nullroute' provided.
>> >
>> > on the master server in ossec.conf I've got:
>> >
>> > <name>win_nullroute</name>
>> > <executable>win_nullroute.cmd</executable>
>> > <expect>srcip</expect>
>> > <timeout_allowed>yes</timeout_allowed>
>> > </command>
>> >
>> > on the agent side I also have got "win_nulroute.cmd" file ready to
>> > fire-up.
>> >
>> > I have also checked ar.conf on both sides the agent and the master - they
>> > are identically the same. At the beginning I was thinking that maybe the
>> > agent does not have the latest version from the master but this is not the
>> > case. I am trying everything but nothing helps.... anyone any idea?
>> >
>> > Pete
