First, sorry for my English.
I am new to OSSEC.
What happened is I was trying some attacks on IIS on a Windows machine and
alerts were generated on the OSSEC server. I supposed that OSSEC would
block the attacking IP for 600 seconds, but that did not happen, and when I
did it manually with /var/ossec/bin/agent_control -b 192.168.55.29 -f
win_nullroute600 -u 002 the IP was blocked. Can OSSEC do that
automatically or not?
My current configuration on the OSSEC server is:
.........................
.........................
<global>
  <white_list>127.0.0.1</white_list>
  <white_list>^localhost.localdomain$</white_list>
  <white_list>8.8.8.8</white_list>
</global>

<remote>
  <connection>syslog</connection>
</remote>

<remote>
  <connection>secure</connection>
</remote>

<alerts>
  <log_alert_level>1</log_alert_level>
  <email_alert_level>6</email_alert_level>
</alerts>

<command>
  <name>host-deny</name>
  <executable>host-deny.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<command>
  <name>disable-account</name>
  <executable>disable-account.sh</executable>
  <expect>user</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<command>
  <name>restart-ossec</name>
  <executable>restart-ossec.sh</executable>
  <expect></expect>
</command>

<command>
  <name>route-null</name>
  <executable>route-null.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<command>
  <name>win_nullroute</name>
  <executable>route-null.cmd</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<!-- Active Response Config -->
<active-response>
  <!-- This response is going to execute the host-deny
     - command for every event that fires a rule with
     - level (severity) >= 6.
     - The IP is going to be blocked for 600 seconds.
  -->
  <command>host-deny</command>
  <location>local</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>

<!-- Firewall Drop response. Block the IP for
   - 600 seconds on the firewall (iptables,
   - ipfilter, etc).
-->
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>5551,5701,5703,5705,5706,5707,5712,5714,5719,5720,5731,31151,30101,30102,30105,30106,30107,30108,30109,30110,30112,30116,
  11402,11403,11404,11451,11452,9501,9505,9510,9551,50106,50108,50120,50126,50180,31411,
  31103,31104,31105,31106,31110,31109,31115,31151,31152,31153,31154,31161,31162,31163,31164,31165,31501,31502,31503,31504,31505,
  31506,31507,31508,31510,31511,31512,31513,31514,31515,31516,31533,31550
  </rules_id>
  <timeout>600</timeout>
</active-response>

<active-response>
  <command>win_nullroute</command>
  <location>local</location>
  <rules_id>11510,11511,11512,3851,3852,31501,31502,31503,31504,31505,18110,18111,18112,18113,18115,18116,18117,18118,18128,18129,18134,18138,
  18141,18143,18144,18217,18219,18222,18225,18227,18228,18229,18230,18231,18232,18234,18235,18236,18237,18238,18239,18240,18241,18242,
  18243,18244,18245,18246,18247,18248,18249,18250,18251,18252,18253,18254,18255,18256,18170,18171,18172,18151,18152,18153,18154,18155,
  18156,50106,50108,50120,50126,50180,31411,9505,9510,9551,14151,5631,
  31506,31507,31508,31510,31511,31512,31513,31514,31515,31516,31533,31550,
  31103,31104,31105,31106,31110,31109,31115,31151,31152,31153,31154,31161,31162,31163,31164,31165
  </rules_id>
  <timeout>600</timeout>
</active-response>
On Thursday, May 14, 2015 at 4:43:16 PM UTC+2, dan (ddpbsd) wrote:
>
> On Thu, May 14, 2015 at 10:22 AM, HMath <[email protected]> wrote:
> > Hi all ,
> >
> > I have an OSSEC manager running on CentOS, and two agents, one of them
> > running on Windows 2008.
> > The active response works fine on the CentOS agent, but on the Windows server
> > it does not work automatically and works fine manually.
> >
> > I hope to figure out the problem.
> >
>
> Can you provide any details?
>
> What isn't working?
>
> What is happening?
>
> What do you expect to happen?
>
> What is your current configuration?
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
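The selection logic that the configuration above relies on, as an added example that is not part of this thread and not OSSEC's own code. It models the three things a practitioner checks when an active response does not fire on its own: a response is attached to a rule when the rule id is listed in <rules_id> or the rule level is at or above <level>; a command with <expect>srcip</expect> is skipped at alert time if the decoded alert carries no source IP; and the response name OSSEC uses is the command name followed by the timeout, which is why agent_control knows the response as win_nullroute600. The embedded config is trimmed from the post (rules_id lists shortened), the alerts are constructed, and the rule levels assigned to them are assumptions:

```python
"""Offline check of which OSSEC active responses a decoded alert would select.

Added example, not code from the ossec-list post or from the OSSEC project.
It models the selection rules analysisd applies to <active-response> blocks:
attach a response to a rule if the rule id is in <rules_id> or the rule level
is >= <level>; at alert time skip a command that <expect>s srcip when the
alert has no source IP. Response names are <command><timeout>.
"""
import xml.etree.ElementTree as ET

# Constructed config fragment, trimmed from the post (rules_id lists shortened).
OSSEC_CONF = """<ossec_config>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>win_nullroute</name>
    <executable>route-null.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>win_nullroute</command>
    <location>local</location>
    <rules_id>11510,11511,11512,31501,31502,31503,31504,31505,18110,
    31506,31507,31508</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>"""


def load_config(xml_text):
    """Parse <command> and <active-response> blocks; return (commands, responses)."""
    root = ET.fromstring(xml_text)
    commands = {}
    for c in root.findall("command"):
        expect = (c.findtext("expect") or "").strip()
        commands[(c.findtext("name") or "").strip()] = {
            "executable": (c.findtext("executable") or "").strip(),
            "expect": set(expect.split()) if expect else set(),
        }
    responses = []
    for ar in root.findall("active-response"):
        cmd = (ar.findtext("command") or "").strip()
        timeout = int((ar.findtext("timeout") or "0").strip())
        level = (ar.findtext("level") or "").strip()
        rules_id = ar.findtext("rules_id") or ""
        responses.append({
            # OSSEC names the response <command><timeout>, e.g. win_nullroute600
            "name": f"{cmd}{timeout}" if timeout else cmd,
            "command": cmd,
            "location": (ar.findtext("location") or "local").strip(),
            "level": int(level) if level else None,
            # comma-separated, may span several lines: strip each token
            "rules_id": {r.strip() for r in rules_id.split(",") if r.strip()},
        })
    return commands, responses


def select_responses(commands, responses, alert):
    """For one decoded alert, report each response, whether it fires, and why not.

    alert: dict with rule_id (str), level (int), srcip (str or None) and
    agent (str, id of the agent that produced the event).
    """
    results = []
    for ar in responses:
        cmd = commands[ar["command"]]
        in_list = alert["rule_id"] in ar["rules_id"]
        over_level = ar["level"] is not None and alert["level"] >= ar["level"]
        if not (in_list or over_level):
            reason = "rule not selected by rules_id or level"
        elif "srcip" in cmd["expect"] and not alert.get("srcip"):
            reason = "command expects srcip but the alert has none"
        else:
            reason = None
        # location "local" runs the executable on the agent that raised the alert
        target = alert["agent"] if ar["location"] == "local" else ar["location"]
        results.append({"name": ar["name"], "fires": reason is None,
                        "reason": reason, "runs_on": target if reason is None else None,
                        "executable": cmd["executable"]})
    return results


def fired(commands, responses, alert):
    """Names of the responses that would actually run for this alert."""
    return [r["name"] for r in select_responses(commands, responses, alert) if r["fires"]]


if __name__ == "__main__":
    cmds, ars = load_config(OSSEC_CONF)
    for alert in ({"rule_id": "31503", "level": 6, "srcip": "192.168.55.29", "agent": "002"},
                  {"rule_id": "31503", "level": 6, "srcip": None, "agent": "002"},
                  {"rule_id": "18110", "level": 3, "srcip": "192.168.55.29", "agent": "002"}):
        for r in select_responses(cmds, ars, alert):
            print(alert["rule_id"], r["name"], "fires on agent " + r["runs_on"]
                  if r["fires"] else "skipped: " + r["reason"])
```

Under these rules an alert raised by the Windows agent only triggers win_nullroute600 when its rule id is in the list (or, for host-deny600, its level reaches 6) and the decoder extracted a srcip; agent_control -b does not go through this selection at all, since it is handed the IP and the response name directly, so a manual block succeeding while the automatic one never runs is consistent with either condition not being met.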