Well then you have the same situation I had (a couple of threads ago). Just update your ar.conf on the agent side with your "win_nullroute" command - or whatever its name is.
Should work then.

On Mon, Dec 26, 2011 at 2:24 AM, dan (ddp) <[email protected]> wrote:
> Ugh, this didn't get sent to the list.
>
> On Sun, Dec 25, 2011 at 7:52 PM, Steve West <[email protected]> wrote:
> > On 12/25/2011 3:28 PM, dan (ddp) wrote:
> >>
> >> Now I see where you get the win_nullroute600:
> >> # ./agent_control -L
> >>
> >> OSSEC HIDS agent_control. Available active responses:
> >>
> >> Response name: pf-block0, command: pf.sh
> >> Response name: makelists0, command: makelists.sh
> >> Response name: win_nullroute600, command: win_nullroute.cmd
> >
> > On the OSSEC server, when I run that command I'm only seeing the following
> > options:
> >
> >
> > # ./agent_control -L
> >
> > OSSEC HIDS agent_control. Available active responses:
> >
> > Response name: host-deny900, command: host-deny.sh
> > Response name: firewall-drop900, command: firewall-drop.sh
> >
> > There is no win_nullroute600 listed. Am I supposed to have a line in the
> > server ossec.conf which lists win_nullroute as one of the commands? Here is
>
> Yes, AR is setup on the manager.
>
> > what I have on the OSSEC server side:
> >
> > <command>
> > <name>host-deny</name>
> > <executable>host-deny.sh</executable>
> >
> > <expect>srcip</expect>
> > <timeout_allowed>yes</timeout_allowed>
> > </command>
> >
> > <command>
> > <name>firewall-drop</name>
> > <executable>firewall-drop.sh</executable>
> >
> > <expect>srcip</expect>
> > <timeout_allowed>yes</timeout_allowed>
> > </command>
> >
> > <command>
> > <name>disable-account</name>
> > <executable>disable-account.sh</executable>
> > <expect>user</expect>
> > <timeout_allowed>yes</timeout_allowed>
> > </command>
> >
> > <command>
> > <name>route-null</name>
> > <executable>route-null.sh</executable>
> >
> > <expect>srcip</expect>
> > <timeout_allowed>yes</timeout_allowed>
> > </command>
> >
> >
> > <!-- Active Response Config -->
> > <active-response>
> > <!-- This response is going to execute the host-deny
> > - command for every event that fires a rule with
> > - level (severity) >= 6.
> > - The IP is going to be blocked for 900 seconds.
> > -->
> > <command>host-deny</command>
> > <location>local</location>
> > <level>11</level>
> > <timeout>900</timeout>
> > </active-response>
> >
> > <active-response>
> > <!-- Firewall Drop response. Block the IP for
> > - 900 seconds on the firewall (iptables,
> > - ipfilter, etc).
> > -->
> > <command>firewall-drop</command>
> > <location>local</location>
> > <level>11</level>
> > <timeout>900</timeout>
> > </active-response>
> >
> >
> > And this is what I have on the windows 2k3 agent side:
> >
> >
> > <active-response>
> > <disabled>no</disabled>
> > </active-response>
> >
> > <command>
> > <name>win_nullroute</name>
> > <executable>route-null.cmd</executable>
> > <expect>srcip</expect>
> > <timeout_allowed>yes</timeout_allowed>
> > </command>
> >
> > <active-response>
> > <command>win_nullroute</command>
> > <location>local</location>
> > <level>6</level>
> > <timeout>600</timeout>
> > </active-response>
> >
> > Thanks,
> >
> > SW
>
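As an added illustration (not part of the thread above, and not OSSEC's own shipped configuration), this is what the manager-side ossec.conf would need so that `agent_control -L` on the manager lists a `win_nullroute600` response. It reuses the command name, executable, level and timeout that Steve put on the agent; the only assumption is that the manager is restarted after the edit so the active-response list is regenerated.

```xml
<!-- Added example: manager-side ossec.conf, inside <ossec_config>.
     The <command> block declares the response; the <active-response>
     block binds it to alerts. Both live on the manager, which is what
     builds the list that agent_control -L prints. -->

<command>
  <name>win_nullroute</name>
  <!-- Must exist on the Windows agent in its active-response\bin
       directory; the manager only references it by file name. -->
  <executable>route-null.cmd</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <!-- Null-route the source IP on the agent that raised the alert
       for every rule of level 6 or higher, and undo it after 600 s.
       The listed response name becomes the command name with the
       timeout appended, i.e. win_nullroute600 (compare host-deny900
       and firewall-drop900 in the thread). -->
  <command>win_nullroute</command>
  <!-- local = run on the agent that generated the event -->
  <location>local</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
```

Restart the manager after adding this; the manager regenerates its active-response list from its own ossec.conf and distributes it to agents through the shared directory, which is why a `<command>` block placed only in the agent's ossec.conf never shows up in `agent_control -L` on the manager. Pairing a level-6 trigger with an automatic block is aggressive; level 6 catches a lot of low-severity rules, so check which rules actually fire at that level on the agent before leaving the timeout-based block in place.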
