With regard to Active Response on Windows 2012; I still believe there is an issue.
I altered my custom script to accept 6 arguments. The first and third arguments (action, ip address) are the only things I am using right now.

From the base OSSEC directory on the Windows 2012 server I can run the following command:

    active-response\bin\cognito-check-activity.pl delete - 69.197.128.114 1371701158.243133 110499

At this point the script does exactly what it was designed to do. However, when I launch it from the OSSEC server I see this:

    root@monitor:/var/ossec/bin# ./agent_control -b 120.138.126.238 -f cognito-check-activity0 -u 001
    OSSEC HIDS agent_control: Running active response 'cognito-check-activity0' on: 001

On the agent side I see:

    2014/08/01 20:34:50 ossec-agent: ERROR: Unable to create active response process.

I ran Sysinternals Process Monitor filtering for disk and process activity in the active-response\bin folder. I could see activity when run from a normal Windows command prompt session; however, when the AR script is called from the OSSEC server I see no activity in the active-response\bin folder of the client. Using agent_control to restart the remote agent works, though, and that activity is picked up by Process Monitor.

I am not quite sure where to go from here. Any ideas out there?

James Whittington

-----Original Message-----
From: James Whittington [mailto:[email protected]]
Sent: Friday, August 01, 2014 15:06
To: '[email protected]'
Subject: RE: [ossec-list] Issue triggering Active Response on Windows 2012

Okay, I am going to take a step back for a moment with AR not working on Windows 2012. I have found several issues that I need to address on my end first.

So far I can see my route-null script:
- was referencing environment variables that did not exist
- was being prompted to run under elevated permissions

The custom script I created ran fine from the command line; however:
- my script just took in an ip address as an argument
- the idea is, if we see patterns of suspicious usage like repeated registration attempts to our web based products from the same source ip, we would trigger a trace history script that would track all activity seen from that address in recent history and create a ticket on our helpdesk for further followup
- in looking through how AR commands are defined I wondered how arguments were passed in, then read the documentation and now see 6 arguments are actually passed into the AR script. WHOOPS, guess I should have read the docs on creating customized AR scripts.

So I am going to alter my custom script to accept the expected arguments and then see if things work.

James Whittington

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Michael Starks
Sent: Friday, August 01, 2014 11:54
To: [email protected]
Subject: Re: [ossec-list] Issue triggering Active Response on Windows 2012

On 2014-08-01 8:03, James Whittington wrote:
> I am trying to get Active Response working on a Windows 2012 server.
>
> I enabled AR in the local Windows 2012 OSSEC config file.
>
> On the agent side OSSEC log I get some warnings about some Linux shell
> based active responses not being present (which makes sense).
>
> I copied over a Windows null route script we use on a Windows 2008r2
> server.

What happens if you run the script manually?

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
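An added example, not code from this thread or from OSSEC itself: a Python sketch of the argument handling a custom active-response script needs. It takes the five positional arguments visible in the manual run above (action, user, source ip, alert id, rule id) plus an assumed sixth (the agent id, as the OSSEC documentation describes it), validates them before doing anything, and writes one log line in the style of active-responses.log so a manual run and a server-triggered run can be compared side by side. The script name cognito-check-activity and the sample values come from the thread; the safety check on the target address is this example's own addition.

```python
import ipaddress
import sys
from dataclasses import dataclass
from datetime import datetime

VALID_ACTIONS = {"add", "delete"}  # the two actions OSSEC active response sends


@dataclass(frozen=True)
class ARInvocation:
    action: str    # "add" when the rule fires, "delete" when the timeout expires
    user: str      # user name, or "-" when not set
    srcip: str     # source ip, or "-" when not set
    alert_id: str  # e.g. 1371701158.243133 (from the manual run in the thread)
    rule_id: str   # e.g. 110499
    agent: str     # sixth argument; assumed to be the agent id as in the OSSEC docs


def parse_ar_args(argv):
    """Validate the positional arguments OSSEC hands to an AR script, in order."""
    if len(argv) < 5:
        raise ValueError(f"expected at least 5 arguments, got {len(argv)}: {argv}")
    action, user, srcip, alert_id, rule_id = argv[:5]
    agent = argv[5] if len(argv) > 5 else "-"
    if action not in VALID_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if srcip != "-":
        ipaddress.ip_address(srcip)  # ValueError unless it is a plain IPv4/IPv6 literal
    if not rule_id.isdigit():
        raise ValueError(f"rule id is not numeric: {rule_id!r}")
    return ARInvocation(action, user, srcip, alert_id, rule_id, agent)


def is_safe_target(srcip):
    """Refuse to act on "-" and on addresses that are never a real remote source."""
    if srcip == "-":
        return False
    ip = ipaddress.ip_address(srcip)
    return not (ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified)


def format_log_entry(inv, script_name, stamp):
    """One line in the style of active-responses.log; stamp is a preformatted time string."""
    return (f"{stamp} {script_name} {inv.action} {inv.user} {inv.srcip} "
            f"{inv.alert_id} {inv.rule_id} {inv.agent}")


if __name__ == "__main__":
    inv = parse_ar_args(sys.argv[1:])
    if not is_safe_target(inv.srcip):
        sys.exit(f"refusing to act on source ip {inv.srcip!r}")
    print(format_log_entry(inv, "cognito-check-activity", datetime.now().strftime("%c")))
```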
