On Sun, Dec 25, 2011 at 3:07 PM, dan (ddp) <[email protected]> wrote:
> On Sun, Dec 25, 2011 at 10:59 AM, Steve West <[email protected]> wrote:
>> Version: OSSEC 2.6
>> OS: Windows 2003 SP2
>>
>> Can't seem to get the active response to work on the windows side. We are
>> running the latest version of ossec 2.6 and in the logs, I see the
>> following:
>>
>> 2011/12/25 10:52:46 ossec-execd(1311): ERROR: Invalid command name 'win_nullroute600' provided.
>>
>> I'm sending the following command from the ossec server:
>>
>> # /var/ossec/bin/agent_control -b 2.3.4.5 -f win_nullroute600 -u 005
>>
>> OSSEC HIDS agent_control: Running active response 'win_nullroute600' on: 005
>>
>> And here is what I have on the windows agent ossec.conf:
>>
>> <active-response>
>>   <disabled>no</disabled>
>> </active-response>
>>
>> <command>
>>   <name>win_nullroute</name>
>>   <executable>route-null.cmd</executable>
>>   <expect>srcip</expect>
>>   <timeout_allowed>yes</timeout_allowed>
>> </command>
>>
>> <active-response>
>>   <command>win_nullroute</command>
>>   <location>local</location>
>>   <level>6</level>
>>   <timeout>600</timeout>
>> </active-response>
>>
>
> I don't see the "win_nullroute600" command.
>
Now I see where you get the win_nullroute600:

# ./agent_control -L

OSSEC HIDS agent_control. Available active responses:

   Response name: pf-block0, command: pf.sh
   Response name: makelists0, command: makelists.sh
   Response name: win_nullroute600, command: win_nullroute.cmd

Oops. Back to Christmas troubleshooting.

>> Am I missing something? I did follow the instruction here:
>> http://www.ossec.net/main/manual/manual-active-response-on-windows
>>
>> Please advise.
>>
>> Thanks,
>>
>> SW
>>
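A cross-check of the two snippets quoted in this thread, as an added example that is not part of the original messages or of OSSEC: it derives the response name each agent-side `<active-response>` block should produce and looks it up in the `agent_control -L` listing. The naming rule (command name followed by the timeout, 0 when unset) is an assumption inferred from that listing, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Sample inputs constructed from the fragments quoted in the thread.
AGENT_CONF = """
<active-response><disabled>no</disabled></active-response>
<command>
  <name>win_nullroute</name>
  <executable>route-null.cmd</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>
<active-response>
  <command>win_nullroute</command>
  <location>local</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
"""
SERVER_LIST = """
Response name: pf-block0, command: pf.sh
Response name: makelists0, command: makelists.sh
Response name: win_nullroute600, command: win_nullroute.cmd
"""

def agent_responses(conf):
    """Map expected response name -> executable from ossec.conf fragments."""
    root = ET.fromstring("<root>" + conf + "</root>")  # fragments lack a single root
    # Top-level <command> definitions have a <name>; references inside
    # <active-response> do not, so they are skipped here.
    exe = {c.findtext("name"): c.findtext("executable")
           for c in root.iter("command") if c.find("name") is not None}
    out = {}
    for ar in root.iter("active-response"):
        cmd = ar.findtext("command")
        if cmd:  # ignore the block that only sets <disabled>
            # Assumption: response name = command name + timeout (0 if unset).
            out[cmd + (ar.findtext("timeout") or "0")] = exe.get(cmd)
    return out

def server_responses(listing):
    """Parse 'Response name: X, command: Y' lines printed by agent_control -L."""
    return dict(re.findall(r"Response name: (\S+), command: (\S+)", listing))

def check(conf, listing):
    """For each agent-side response: (name, agent executable, server executable or None)."""
    server = server_responses(listing)
    return [(name, exe, server.get(name))
            for name, exe in sorted(agent_responses(conf).items())]

if __name__ == "__main__":
    print(check(AGENT_CONF, SERVER_LIST))
```

On the thread's data the response name matches on both sides while the executable differs (`route-null.cmd` on the agent, `win_nullroute.cmd` in the server listing), which is the kind of inconsistency worth ruling out when comparing the two configurations.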
