Hi Peter,

I tried that and it's still not being invoked when I test it. The ar.conf on the win2k3 now has the following content:

restart-ossec0 - restart-ossec.sh - 0
restart-ossec0 - restart-ossec.cmd - 0
host-deny900 - host-deny.sh - 900
firewall-drop900 - firewall-drop.sh - 900
win_nullroute600 - route-null.cmd - 600

What else did you do differently to get it to work? It seems the how-to doc must be missing something as I'm not the only one that seems to be running into this problem.

Thanks,

SW

On 12/26/2011 4:44 AM, Peter Skurczak wrote:
Well then you have the same situation I had (a couple of threads ago).
Just update your ar.conf on the agent side with your "win_nullroute" command - or whatever its name is.

Should work then.


On Mon, Dec 26, 2011 at 2:24 AM, dan (ddp) <[email protected]> wrote:

    Ugh, this didn't get sent to the list.

    On Sun, Dec 25, 2011 at 7:52 PM, Steve West <[email protected]> wrote:
    > On 12/25/2011 3:28 PM, dan (ddp) wrote:
    >>
    >> Now I see where you get the win_nullroute600:
    >> # ./agent_control -L
    >>
    >> OSSEC HIDS agent_control. Available active responses:
    >>
    >>    Response name: pf-block0, command: pf.sh
    >>    Response name: makelists0, command: makelists.sh
    >>    Response name: win_nullroute600, command: win_nullroute.cmd
    >
    > On the OSSEC server, when I run that command I'm only seeing the
    > following options:
    >
    >
    > # ./agent_control -L
    >
    > OSSEC HIDS agent_control. Available active responses:
    >
    >   Response name: host-deny900, command: host-deny.sh
    >   Response name: firewall-drop900, command: firewall-drop.sh
    >
    > There is no win_nullroute600 listed. Am I supposed to have a line
    > in the server ossec.conf which lists win_nullroute as one of the
    > commands? Here is

    Yes, AR is setup on the manager.

    > what I have on the OSSEC server side:
    >
    > <command>
    > <name>host-deny</name>
    > <executable>host-deny.sh</executable>
    >
    > <expect>srcip</expect>
    > <timeout_allowed>yes</timeout_allowed>
    > </command>
    >
    > <command>
    > <name>firewall-drop</name>
    > <executable>firewall-drop.sh</executable>
    >
    > <expect>srcip</expect>
    > <timeout_allowed>yes</timeout_allowed>
    > </command>
    >
    > <command>
    > <name>disable-account</name>
    > <executable>disable-account.sh</executable>
    > <expect>user</expect>
    > <timeout_allowed>yes</timeout_allowed>
    > </command>
    >
    > <command>
    > <name>route-null</name>
    > <executable>route-null.sh</executable>
    >
    > <expect>srcip</expect>
    > <timeout_allowed>yes</timeout_allowed>
    > </command>
    >
    >
    > <!-- Active Response Config -->
    > <active-response>
    > <!-- This response is going to execute the host-deny
    >       - command for every event that fires a rule with
    >       - level (severity) >= 6.
    >       - The IP is going to be blocked for  900 seconds.
    >      -->
    > <command>host-deny</command>
    > <location>local</location>
    > <level>11</level>
    > <timeout>900</timeout>
    > </active-response>
    >
    > <active-response>
    > <!-- Firewall Drop response. Block the IP for
    >       - 900 seconds on the firewall (iptables,
    >       - ipfilter, etc).
    >      -->
    > <command>firewall-drop</command>
    > <location>local</location>
    > <level>11</level>
    > <timeout>900</timeout>
    > </active-response>
    >
    >
    > And this is what I have on the windows 2k3 agent side:
    >
    >
    > <active-response>
    > <disabled>no</disabled>
    > </active-response>
    >
    > <command>
    > <name>win_nullroute</name>
    > <executable>route-null.cmd</executable>
    > <expect>srcip</expect>
    > <timeout_allowed>yes</timeout_allowed>
    > </command>
    >
    > <active-response>
    > <command>win_nullroute</command>
    > <location>local</location>
    > <level>6</level>
    > <timeout>600</timeout>
    > </active-response>
    >
    > Thanks,
    >
    > SW
