On Fri, Aug 10, 2012 at 8:44 AM, Deerwalker <[email protected]> wrote: > hello All, > > Good day, > > We have configured active-response for windows machine as suggested in > http://www.ossec.net/doc/manual/ar/ar-windows.html > > while executing agent_control -b 1.2.3.6 -f win_nullroute600 -u 001 we are > getting response below and we are also getting the null route added for the > ip address 1.2.3.6 in target machine > > agent_control -b 1.2.3.6 -f win_nullroute600 -u 001 > > OSSEC HIDS agent_control: Running active response 'win_nullroute600' on: 001 > > However, when someone trying to make unauthorized access then at that time > the active response seems not working because we are still getting multiple > login failure message with following details. > > Rule: 18152 fired (level 10) -> "Multiple Windows Logon Failures." > Portion of the log(s): > > WinEvtLog: Security: AUDIT_FAILURE(4625): > Microsoft-Windows-Security-Auditing: (no user): no domain: ip-0A00FD07: An > account failed to log on. Subject: Security ID: S-1-5-18 Account Name: > IP-0A00FD07$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 10 > Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: > administrator Account Domain: IP-0A00FD07 Failure Information: Failure > Reason: %%2313 Status: 0xc000006d Sub Status: 0xc000006a Process > Information: Caller Process ID: 0x77c Caller Process Name: > C:\Windows\System32\winlogon.exe Network Information: Workstation Name: > IP-0A00FD07 Source Network Address: 115.236.163.106 Source Port: 55909 > Detailed Authentication Information: Logon Process: User32 > Authentication Package: Negotiate Transited Services: - Package Name (NTLM > only): - Key Length: 0 This event is generated when a logon request > fails. It is generated on the computer where access was attempted. > > any clue ? > > is there other way to know if active response is working or not ? > > thanks >
On non-windows platforms there's an active response log file. Check to see if one exists for Windows. Also, double check to make sure that AR is enabled on the agent, and that your test actually works (check on the agent). > > On Tuesday, April 12, 2011 12:43:20 AM UTC+5:45, dan (ddpbsd) wrote: >> >> You can use ossec-logtest to see how ossec decodes an event in another >> language. >> >> On Fri, Apr 8, 2011 at 1:58 AM, netkey <[email protected]> wrote: >> > i solve this,now on the server >> > >> > [root@localhost rules]# /app/ossec/bin/agent_control -u 008 -b 2.3.4.5 >> > -f win_nullroute600 >> > >> > OSSEC HIDS agent_control: Running active response 'win_nullroute600' >> > on: 008 >> > >> > and on the client,the active-response.log is: >> > >> > 星期五 12:10 "active-response/bin/route-null.cmd" delete "-" "3.3.3.4" >> > "(from_the_server) (no_rule_id)" >> > >> > my client's language is chinese.it seems work。 >> > >> > but when someone try to get my administrator's password,I received >> > some email alerts with level 10,but the active response doesn't work。 >> > >> > some email alert like this: >> > >> > =============================================================== >> > >> > eceived From: (Name-53-xxx) xxx.xxx.53.xxx->WinEvtLog >> > Rule: 18152 fired (level 10) -> "Multiple Windows Logon Failures." >> > Portion of the log(s): >> > >> > WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT >> > AUTHORITY: ZJTG53-xxx: 登录失败: 原因: 用户名未知或密码错误 用户名: >> > administrator 域: ZYC 登录类型: 3 登录进程: NtLmSsp >> > 身份验证数据包: >> > NTLM 工作站名称: ZYC 调用方用户名: - 调用方域: - 调用方登录 >> > ID: - 调用方进 >> > 程 ID: - 传递服务: - 源网络地址: 122.xxx.xxx.11 源端口: >> > 1318 >> > =============================================================== >> > >> > I think because my event log is in Chinese,so the decoder can't get >> > the srcip。isn't it? >> > >> > Best reguards。 >> > >> > Netkey >> > >> > On 4月8日, 上午11时04分, netkey <[email protected]> wrote: >> >> Hi, >> >> >> >> I am running on windows 2003 server agent 2.5.1 and linux (centos 5.4) >> >> server >> >> same version. >> >> I get the e-mail level 10 but agent not reponse. It not in the >> >> white_list >> >> (on server ossec.conf) >> >> >> >> ossec.conf client: >> >> >> >> <active-response> >> >> <disabled>no</disabled> >> >> </active-response> >> >> >> >> ossec.conf server: >> >> >> >> <command> >> >> <name>win-nullroute</name> >> >> <executable>route-null.cmd</executable> >> >> <expect>srcip</expect> >> >> <timeout_allowed>yes</timeout_allowed> >> >> </command> >> >> >> >> <active-response> >> >> <command>win-nullroute</command> >> >> <location>local</location> >> >> <level>10</level> >> >> <timeout>600</timeout> >> >> </active-response> >> >> >> >> then I restarted the ossec agent and the ossec server >> >> >> >> on the server, >> >> [root@localhost ~]# /app/ossec/bin/agent_control -L >> >> >> >> OSSEC HIDS agent_control. Available active responses: >> >> >> >> Response name: win-nullroute600, command: route-null.cmd >> >> Response name: host-deny600, command: host-deny.sh >> >> Response name: firewall-drop600, command: firewall-drop.sh >> >> >> >> [root@localhost ~]# /app/ossec/bin/agent_control -r -u 008 -b 2.3.4.5 - >> >> f win-nullroute600 >> >> >> >> OSSEC HIDS agent_control: Restarting Syscheck/Rootcheck on agent: 008 >> >> >> >> but it seems not add the 2.3.4.5 into the route table in the client >> >> >> >> I have C:\Program Files\ossec-agent\active-response/bin/route- >> >> null.cmd but >> >> see no active-responses.log file. >> >> in C:\Program Files\ossec-agent\shared\ar.conf >> >> Now i can see >> >> restart-ossec0 - restart-ossec.sh - 0 >> >> restart-ossec0 - restart-ossec.cmd - 0 >> >> win-nullroute600 - route-null.cmd - 600 >> >> host-deny600 - host-deny.sh - 600 >> >> firewall-drop600 - firewall-drop.sh - 600 >> >> >> >> Sorry for my bad english. >> >> >> >> Best regards, >> >> >> >> Netkey
