Hi All, I have had similar problems, and I can see in this thread that many people have discovered a number of the problems. But I'd like to write them out here so that everyone understands them fully.
For completeness, I am using OSSEC 2.8.1 on Ubuntu 14.04 LTS and a gamut of hosts: Windows, MacOS, Linux. The active-response script that comes with the Windows agent is just hopelessly broken... here is why:

- The 2.8.1 script expects positional parameter %2 to be the IP address; it's not, %3 is.
- The regular expression for validating IPs is wrong. Findstr's RegExp facility is, well... just terrible, so [0-9]*\.[0-9]*\.[0-9]*\.[0-9]* is the best you can do. It's not 100% correct for validating IP addresses either, but it works for the complete subset of valid addresses.
- The OSSECPATH variable is not set. This *should* be set in the environment via the install, or manually (via Start | Right-Click Computer | Properties | Advanced System Settings | Environment Variables; be admin when you do so). Obviously some people prefer setting a registry key and looking it up... and that's fine too.
- The method used to choose the null-route is a bit flawed. It doesn't take into account any combination of multiple IPs or network interfaces, which is common for people using any kind of virtualization (VirtualBox, VMware, Virtual PC) or servers with multiple IPs or NICs. Technically it will still work, it is just... not fundamentally correct, and your mileage may vary.

Lastly, testing the active-response does not seem to work... at least for me... I'm still working on that... however, I can say the following for certain. First, when I issue a test, I see the packet received via Wireshark, the agent just doesn't seem to respond. However, when a real active-response comes in from the manager, the route-null.cmd script is executed; with the fixes mentioned above, the script does work. I have a theory that the packet from agent_control for testing is just slightly different from an actual active-response event packet, but... the packets appear... rightfully so... encrypted or obscured, so technically I can't tell what the difference is using Wireshark.
I'd have to dive into the agent_control and manager daemon source code to know for sure if there is any difference... I'm just not intrepid enough to do that right now. I see a few people have replaced the script completely. I am considering that myself using PowerShell or VBScript (both of which have a *much* better regex facility for validating strings (and IP addresses)), as well as giving me APIs (particularly WMI) to determine the best IP to null-route on from the available interfaces and local addresses, or to just use the internal firewall to block via NETSH or the ActiveX control for the firewall facility. Anyhow, the point is, you can fix the bundled script or replace it; replacing will give you access to better AND more functionality, IMHO. Either way, fixed or replaced, when it works... it's a beautiful thing. I would, however, like to see the agent_control, OSSECPATH variable and script fixed in the distro, mainly because the bugs are *extremely* frustrating and at least two of them are easily fixable. Anyhow, that's my 2 cents on the matter.

- Eric

On Thursday, July 31, 2014 9:53:54 AM UTC-4, James Whittington wrote:
> I am trying to get Active Response working on a Windows 2012 server.
> I enabled AR in the local Windows 2012 OSSEC config file.
> On the agent side OSSEC log I get some warnings about some Linux shell-based active responses not being present (which makes sense).
>
> I copied over a Windows null route script we use on a Windows 2008r2 server.
> I created the command and AR configuration on the OSSEC server.
> I then tried to test the AR script, which looked like this:
>
> root@monitor:/var/ossec/bin# ./agent_control -b 120.138.126.238 -f win_route-null1800 -u 001
>
> OSSEC HIDS agent_control: Running active response 'win_route-null1800' on: 001
>
> Under OSSEC 2.7 I would see this line when I tried to trigger an AR:
>
> 2014/07/30 21:32:08 ossec-agent: ERROR: Unable to create active response process.
>
> Setting windows.debug levels in internal_options.conf generated more log output but not any more detail on why AR was not triggering?
>
> I upgraded to OSSEC 2.8, upgrading both the OSSEC server and Windows agent.
> Now I don't see anything logged in the agent side OSSEC log when I trigger the active response.
>
> The interesting thing to me is under either version I can trigger a restart of the agent from the OSSEC server and that event does appear in a client side active response log, so it appears some communication is occurring.
>
> Any ideas on how to troubleshoot why AR doesn't appear to be triggering?
> Thanks,
>
> James Whittington
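Taking up the PowerShell-replacement idea from the post above, here is an added example script that is not from the thread and not OSSEC's own code. It addresses the four points Eric lists: the IP is taken from the third positional argument, the address is validated with a strict dotted-quad regex instead of findstr, the install directory comes from OSSECPATH (with a fallback), and the null-route interface is chosen from the routing table via WMI rather than guessed. The firewall rule name, the log line layout, the fallback install path and the `-Method` switch are assumptions made for this example; the `netsh advfirewall`, `route.exe` and `Win32_IP4RouteTable` usage is standard Windows.

```powershell
# route-null.ps1 -- example replacement for the Windows active-response script
# (added for this thread; not OSSEC's own). OSSEC passes: <action> <user> <ip> [...]
#   e.g.  route-null.ps1 add - 203.0.113.45      route-null.ps1 delete - 203.0.113.45
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true, Position = 0)]
    [ValidateSet('add', 'delete')]
    [string]$Action,

    # Second argument is the user name (or '-'); unused, kept for positional layout.
    [Parameter(Position = 1)]
    [string]$User = '-',

    # The IP really is the THIRD argument, not the second.
    [Parameter(Mandatory = $true, Position = 2)]
    [string]$Ip,

    # Timestamp, rule id, etc. may follow; accept and ignore them.
    [Parameter(ValueFromRemainingArguments = $true)]
    [string[]]$Rest,

    # 'firewall' blocks via netsh advfirewall; 'route' does the classic null route.
    # (This switch is an assumption of the example, not something OSSEC passes.)
    [ValidateSet('firewall', 'route')]
    [string]$Method = 'firewall'
)

$ErrorActionPreference = 'Stop'

# Prefer OSSECPATH; fall back to the default agent location (assumed here).
$OssecPath = if ($env:OSSECPATH) { $env:OSSECPATH } else { 'C:\Program Files (x86)\ossec-agent' }
$LogFile   = Join-Path $OssecPath 'active-response\active-responses.log'
$RuleName  = "ossec-ar-block-$Ip"   # illustrative rule name

function Write-ArLog([string]$Message) {
    # One line per action in active-responses.log, like the bundled script.
    $line = '{0} route-null.ps1: {1}' -f (Get-Date -Format 'ddd MMM dd HH:mm:ss yyyy'), $Message
    Add-Content -Path $LogFile -Value $line -ErrorAction SilentlyContinue
}

function Test-IPv4Literal([string]$Candidate) {
    # Strict dotted quad: exactly four decimal octets, each 0-255, nothing else.
    # [ipaddress]::TryParse alone is too lenient ('10.1' parses as 10.0.0.1), and
    # findstr's [0-9]*\.[0-9]*\.[0-9]*\.[0-9]* accepts '...' and '999.1.1.1'.
    if ($Candidate -notmatch '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$') { return $false }
    foreach ($i in 1..4) { if ([int]$Matches[$i] -gt 255) { return $false } }
    return $true
}

function Get-NullRouteGateway {
    # Take the adapter carrying the lowest-metric default route and return its IPv4
    # address. Routing the attacker's /32 "via" a local address makes Windows treat it
    # as on-link; ARP never resolves and the packets are dropped. With several NICs or
    # virtual adapters there is more than one candidate, which is where a guess fails.
    $default = Get-WmiObject -Class Win32_IP4RouteTable -Filter "Destination='0.0.0.0'" |
               Sort-Object -Property Metric1 | Select-Object -First 1
    if (-not $default) { throw 'No IPv4 default route found' }
    $cfg  = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
                          -Filter "InterfaceIndex=$($default.InterfaceIndex)"
    $addr = @($cfg.IPAddress) | Where-Object { Test-IPv4Literal $_ } | Select-Object -First 1
    if (-not $addr) { throw "No IPv4 address on interface index $($default.InterfaceIndex)" }
    return $addr
}

if (-not (Test-IPv4Literal $Ip)) {
    Write-ArLog "Invalid IP address '$Ip', refusing to $Action"
    exit 1
}

switch ($Method) {
    'firewall' {
        # Remove any stale rule first so repeated alerts for one IP do not pile up.
        & netsh advfirewall firewall delete rule name="$RuleName" | Out-Null
        if ($Action -eq 'add') {
            & netsh advfirewall firewall add rule name="$RuleName" dir=in  action=block remoteip=$Ip | Out-Null
            & netsh advfirewall firewall add rule name="$RuleName" dir=out action=block remoteip=$Ip | Out-Null
        }
    }
    'route' {
        if ($Action -eq 'add') {
            $gw = Get-NullRouteGateway
            & route.exe ADD $Ip MASK 255.255.255.255 $gw | Out-Null
        } else {
            & route.exe DELETE $Ip | Out-Null
        }
    }
}
Write-ArLog "$Action $Ip via $Method (exit code $LASTEXITCODE)"
exit $LASTEXITCODE
```

The 2.8 Windows agent launches the `.cmd` named in the manager's `<command>` block, so to use this you would keep a one-line `route-null.cmd` wrapper in `active-response\bin` that runs `powershell.exe -NoProfile -ExecutionPolicy Bypass -File` on the `.ps1` and forwards `%*` (an assumption about deployment, not something the thread confirms). The firewall method is the default here because it does not depend on picking the right interface at all; the route method is kept for parity with the bundled script's behaviour.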
