On 12/25/2011 3:28 PM, dan (ddp) wrote:
Now I see where you get the win_nullroute600:
# ./agent_control -L

OSSEC HIDS agent_control. Available active responses:

    Response name: pf-block0, command: pf.sh
    Response name: makelists0, command: makelists.sh
    Response name: win_nullroute600, command: win_nullroute.cmd
On the OSSEC server, when I run that command I'm only seeing the following options:

# ./agent_control -L

OSSEC HIDS agent_control. Available active responses:

   Response name: host-deny900, command: host-deny.sh
   Response name: firewall-drop900, command: firewall-drop.sh

There is no win_nullroute600 listed. Am I supposed to have a line in the server ossec.conf which lists win_nullroute as one of the commands? Here is what I have on the OSSEC server side:

<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>

<command>
<name>firewall-drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>

<command>
<name>disable-account</name>
<executable>disable-account.sh</executable>
<expect>user</expect>
<timeout_allowed>yes</timeout_allowed>
</command>

<command>
<name>route-null</name>
<executable>route-null.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>


<!-- Active Response Config -->
<active-response>
<!-- This response is going to execute the host-deny
       - command for every event that fires a rule with
       - level (severity) >= 6.
       - The IP is going to be blocked for  900 seconds.
      -->
<command>host-deny</command>
<location>local</location>
<level>11</level>
<timeout>900</timeout>
</active-response>

<active-response>
<!-- Firewall Drop response. Block the IP for
       - 900 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
<command>firewall-drop</command>
<location>local</location>
<level>11</level>
<timeout>900</timeout>
</active-response>


And this is what I have on the Windows 2k3 agent side:

<active-response>
<disabled>no</disabled>
</active-response>

<command>
<name>win_nullroute</name>
<executable>route-null.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
<command>win_nullroute</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>

Thanks,

SW
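Added example, not part of the thread: a manager-side ossec.conf fragment that would make `win_nullroute600` show up in `agent_control -L`. In OSSEC the `<command>` and `<active-response>` blocks are read by the manager and pushed to agents as shared active-response configuration; the agent's own ossec.conf only needs `<active-response><disabled>no</disabled></active-response>`, plus the script itself in its `active-response\bin` directory. The executable name `route-null.cmd` is taken from the agent config quoted above and is assumed to exist on that Windows 2k3 agent.

```xml
<!-- Added example (manager-side ossec.conf), not from the original thread.
     The <command> block that was placed in the agent's ossec.conf belongs
     here on the manager. The agent only needs
     <active-response><disabled>no</disabled></active-response> and the
     script present in its active-response\bin directory.
     Assumption: route-null.cmd (as quoted from the agent config) exists
     on the Windows agent. -->
<ossec_config>
  <command>
    <name>win_nullroute</name>
    <executable>route-null.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Null-route the offending source IP on the agent that raised the
       alert ("local" means the reporting agent). The name shown by
       "agent_control -L" is <name> followed by <timeout>, so this entry
       is listed as "win_nullroute600". -->
  <active-response>
    <command>win_nullroute</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

After editing the manager's ossec.conf, restart the manager (`/var/ossec/bin/ossec-control restart`) and rerun `/var/ossec/bin/agent_control -L`; the Windows agent receives the new response definition through the shared configuration the next time it syncs. One caveat a practitioner would want: a bare `<level>6</level>` threshold fires on a lot of routine Windows events and will null-route any source IP they carry, so scoping the response with `<rules_id>` to the specific rules you care about (or raising the level, as the server's host-deny and firewall-drop entries above do with 11) is usually safer than a site-wide level trigger.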
