Hi Peter,

I see that there are 2 files, one w/ a period in front (.ar.conf) and the other is the ar.conf. Both files don't have the win_nullroute line. They only contain the following lines:

restart-ossec0 - restart-ossec.sh - 0
restart-ossec0 - restart-ossec.cmd - 0
host-deny900 - host-deny.sh - 900
firewall-drop900 - firewall-drop.sh - 900

Where is the "2147483647" in your example coming from? How is that determined so the OSSEC server/agent know to run that command?

Thanks,

SW

On 12/25/2011 12:25 PM, Peter Skurczak wrote:
Hello,

Please check on the windows side file called ar.conf in:
C:\Program Files\ossec-agent\shared

there should be a line like in my case:
restart-ossec0 - restart-ossec.sh - 0
restart-ossec0 - restart-ossec.cmd - 0
win_nullroute2147483647 -  win_nullroute.cmd - 2147483647

so I would execute:
/var/ossec/bin/agent_control -b 2.3.4.5 -f win_nullroute2147483647 -u 005

In your case, when trying to execute "win_nullroute600" from the command line, be sure that the same command exists in the ar.conf on the agent side. Knowing from different cases - either ar.conf has not been copied yet to the agent or there's a wrong command specified. Both should be the same.

P.


On Sun, Dec 25, 2011 at 4:59 PM, Steve West <[email protected]> wrote:

    Version: OSSEC 2.6
    OS: Windows 2003 SP2

    Can't seem to get the active response to work on the windows side.
    We are running the latest version of ossec 2.6 and in the logs, I
    see the following:

    2011/12/25 10:52:46 ossec-execd(1311): ERROR: Invalid command name
    'win_nullroute600' provided.

    I'm sending the following command from the ossec server:

    # /var/ossec/bin/agent_control -b 2.3.4.5 -f win_nullroute600 -u 005

    OSSEC HIDS agent_control: Running active response
    'win_nullroute600' on: 005

    And here is what I have on the windows agent ossec.conf:

    <active-response>
    <disabled>no</disabled>
    </active-response>

    <command>
    <name>win_nullroute</name>
    <executable>route-null.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
    </command>

    <active-response>
    <command>win_nullroute</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
    </active-response>

    Am I missing something? I did follow the instruction here:
    http://www.ossec.net/main/manual/manual-active-response-on-windows

    Please advise.

    Thanks,

    SW
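The mismatch Peter points to (the name passed to `agent_control -f` must appear verbatim in the agent's ar.conf) can be checked mechanically. The Python script below is an added illustration and is not code from this thread or from the OSSEC project. It parses the ar.conf lines quoted above, derives the name the server would request from the `<command>` name and `<timeout>` in the posted ossec.conf fragment, and reports whether the agent knows that name. It assumes, from the lines shown, that each ar.conf entry has the shape `<name> - <script> - <timeout>` and that the name is the command name immediately followed by the timeout value; the `restart-ossec0` entry appears twice with different scripts, so entries are kept as lists.

```python
import xml.etree.ElementTree as ET

# ar.conf content as pasted in the thread (what the Windows agent has).
AR_CONF = """\
restart-ossec0 - restart-ossec.sh - 0
restart-ossec0 - restart-ossec.cmd - 0
host-deny900 - host-deny.sh - 900
firewall-drop900 - firewall-drop.sh - 900
"""

# ossec.conf fragment from the original post (what the poster configured).
OSSEC_CONF_FRAGMENT = """\
<active-response>
<disabled>no</disabled>
</active-response>

<command>
<name>win_nullroute</name>
<executable>route-null.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
<command>win_nullroute</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
"""


def parse_ar_conf(text):
    """Parse ar.conf lines of the form '<name> - <script> - <timeout>'.

    Returns {name: [(script, timeout), ...]}; a name may map to several
    scripts, as restart-ossec0 does above (assumed format, inferred from
    the lines quoted in the thread).
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(" - ")]
        if len(parts) != 3:
            raise ValueError(f"unexpected ar.conf line: {raw!r}")
        name, script, timeout = parts
        entries.setdefault(name, []).append((script, int(timeout)))
    return entries


def expected_names(ossec_conf_fragment):
    """Build the names agent_control would request from an ossec.conf fragment.

    Each <active-response> block with a <command> yields '<command><timeout>';
    a missing <timeout> is treated as 0 (assumption). The fragment has no
    single root, so it is wrapped before parsing.
    """
    root = ET.fromstring("<root>" + ossec_conf_fragment + "</root>")
    names = []
    for ar in root.findall("active-response"):
        cmd = ar.findtext("command")
        if cmd is None:
            continue  # e.g. the block that only carries <disabled>no</disabled>
        timeout = (ar.findtext("timeout") or "0").strip()
        names.append(f"{cmd.strip()}{timeout}")
    return names


def check_request(requested, ar_conf_text):
    """Return (ok, message): whether the agent's ar.conf knows `requested`."""
    entries = parse_ar_conf(ar_conf_text)
    if requested in entries:
        return True, f"'{requested}' is in ar.conf: {entries[requested]}"
    return False, (f"'{requested}' is not in ar.conf; agent only knows "
                   f"{sorted(entries)} - ar.conf not pushed yet or names differ")


if __name__ == "__main__":
    for name in expected_names(OSSEC_CONF_FRAGMENT):
        ok, msg = check_request(name, AR_CONF)
        print(("OK  " if ok else "FAIL"), msg)
```

Run against the thread's own data it flags `win_nullroute600` as unknown to the agent, which matches the `ossec-execd(1311): ERROR: Invalid command name` line in the original post; once the server's ar.conf reaches the agent's shared directory, the same check passes.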


