Another thing: I am sure now that when I run the command

/var/ossec/bin/agent_control -b xxx.xxx.xxx.xxx -f win_nullroute -u 002

it did not work on the agent, i.e. when I run the command

C:\>route print

the IP did not appear, but when I run the file route-null.cmd on the agent and write ADD xxx.xxx.xxx.xxx the IP appears. What is the problem in this case?

On Tuesday, May 26, 2015 at 11:06:57 AM UTC+2, HMath wrote:
>
> I reinstalled the Windows server, but the case is similar.
> I have a question:
> how does the OSSEC server know the path of the file route-null.cmd existing on
> the Windows agent in order to perform the response?
>
> Thank you in advance
>
> On Friday, May 22, 2015 at 1:39:25 PM UTC+2, dan (ddpbsd) wrote:
>>
>> On Sun, May 17, 2015 at 3:36 AM, HMath <h.i.yo...@gmail.com> wrote:
>> > Another point: there are some system errors on the Windows machine; I saw
>> > them in the log file in Windows OSSEC.
>> >
>>
>> Errors could be bad.
>>
>> I didn't check, but are you sure all of the rule IDs you added to the
>> AR configuration have source IPs decoded in the log messages?
>>
>> >
>> > On Saturday, May 16, 2015 at 1:06:47 PM UTC+2, HMath wrote:
>> >>
>> >> Yes, I was getting alerts for them in the alert.log and some of them
>> >> emailed depending on the level.
>> >> Another point: there are some system errors on the Windows machine; I saw
>> >> them in the conf file in Windows OSSEC.
>> >>
>> >> On Friday, May 15, 2015 at 1:55:47 PM UTC+2, dan (ddpbsd) wrote:
>> >>>
>> >>> On Thu, May 14, 2015 at 10:59 AM, HMath <h.i.yo...@gmail.com> wrote:
>> >>> > First, sorry for my English.
>> >>> >
>> >>> > I am new to OSSEC.
>> >>> > What happened is I was trying some attacks on IIS on a Windows machine
>> >>> > and alerts were generated on the OSSEC server. I supposed that OSSEC
>> >>> > would block the attacking IP for 600 seconds, but that did not happen,
>> >>> > and when I did it manually by
>> >>> > /var/ossec/bin/agent_control -b 192.168.55.29 -f win_nullroute600 -u 002
>> >>> > the IP is blocked. Can OSSEC do that automatically or not?
>> >>> >
>> >>>
>> >>> Are the rules you have listed in the AR configuration below actually
>> >>> being triggered? Are you getting alerts for them from those systems?
>> >>>
>> >>> > My current configuration on the OSSEC server is
>> >>> >
>> >>> > .........................
>> >>> > .........................
>> >>> > <global>
>> >>> >   <white_list>127.0.0.1</white_list>
>> >>> >   <white_list>^localhost.localdomain$</white_list>
>> >>> >   <white_list>8.8.8.8</white_list>
>> >>> > </global>
>> >>> >
>> >>> > <remote>
>> >>> >   <connection>syslog</connection>
>> >>> > </remote>
>> >>> >
>> >>> > <remote>
>> >>> >   <connection>secure</connection>
>> >>> > </remote>
>> >>> >
>> >>> > <alerts>
>> >>> >   <log_alert_level>1</log_alert_level>
>> >>> >   <email_alert_level>6</email_alert_level>
>> >>> > </alerts>
>> >>> >
>> >>> > <command>
>> >>> >   <name>host-deny</name>
>> >>> >   <executable>host-deny.sh</executable>
>> >>> >   <expect>srcip</expect>
>> >>> >   <timeout_allowed>yes</timeout_allowed>
>> >>> > </command>
>> >>> >
>> >>> > <command>
>> >>> >   <name>firewall-drop</name>
>> >>> >   <executable>firewall-drop.sh</executable>
>> >>> >   <expect>srcip</expect>
>> >>> >   <timeout_allowed>yes</timeout_allowed>
>> >>> > </command>
>> >>> >
>> >>> > <command>
>> >>> >   <name>disable-account</name>
>> >>> >   <executable>disable-account.sh</executable>
>> >>> >   <expect>user</expect>
>> >>> >   <timeout_allowed>yes</timeout_allowed>
>> >>> > </command>
>> >>> >
>> >>> > <command>
>> >>> >   <name>restart-ossec</name>
>> >>> >   <executable>restart-ossec.sh</executable>
>> >>> >   <expect></expect>
>> >>> > </command>
>> >>> >
>> >>> > <command>
>> >>> >   <name>route-null</name>
>> >>> >   <executable>route-null.sh</executable>
>> >>> >   <expect>srcip</expect>
>> >>> >   <timeout_allowed>yes</timeout_allowed>
>> >>> > </command>
>> >>> >
>> >>> > <command>
>> >>> >   <name>win_nullroute</name>
>> >>> >   <executable>route-null.cmd</executable>
>> >>> >   <expect>srcip</expect>
>> >>> >   <timeout_allowed>yes</timeout_allowed>
>> >>> > </command>
>> >>> >
>> >>> > <!-- Active Response Config -->
>> >>> > <active-response>
>> >>> >   <!-- This response is going to execute the host-deny
>> >>> >      - command for every event that fires a rule with
>> >>> >      - level (severity) >= 6.
>> >>> >      - The IP is going to be blocked for 600 seconds.
>> >>> >   -->
>> >>> >   <command>host-deny</command>
>> >>> >   <location>local</location>
>> >>> >   <level>6</level>
>> >>> >   <timeout>600</timeout>
>> >>> > </active-response>
>> >>> >
>> >>> > <!-- Firewall Drop response. Block the IP for
>> >>> >    - 600 seconds on the firewall (iptables,
>> >>> >    - ipfilter, etc).
>> >>> > -->
>> >>> > <active-response>
>> >>> >   <command>firewall-drop</command>
>> >>> >   <location>local</location>
>> >>> >   <rules_id>5551,5701,5703,5705,5706,5707,5712,5714,5719,5720,5731,31151,30101,30102,30105,30106,30107,30108,30109,30110,30112,30116,11402,11403,11404,11451,11452,9501,9505,9510,9551,50106,50108,50120,50126,50180,31411,31103,31104,31105,31106,31110,31109,31115,31151,31152,31153,31154,31161,31162,31163,31164,31165,31501,31502,31503,31504,31505,31506,31507,31508,31510,31511,31512,31513,31514,31515,31516,31533,31550</rules_id>
>> >>> >   <timeout>600</timeout>
>> >>> > </active-response>
>> >>> >
>> >>> > <active-response>
>> >>> >   <command>win_nullroute</command>
>> >>> >   <location>local</location>
>> >>> >   <rules_id>11510,11511,11512,3851,3852,31501,31502,31503,31504,31505,18110,18111,18112,18113,18115,18116,18117,18118,18128,18129,18134,18138,18141,18143,18144,18217,18219,18222,18225,18227,18228,18229,18230,18231,18232,18234,18235,18236,18237,18238,18239,18240,18241,18242,18243,18244,18245,18246,18247,18248,18249,18250,18251,18252,18253,18254,18255,18256,18170,18171,18172,18151,18152,18153,18154,18155,18156,50106,50108,50120,50126,50180,31411,9505,9510,9551,14151,5631,31506,31507,31508,31510,31511,31512,31513,31514,31515,31516,31533,31550,31103,31104,31105,31106,31110,31109,31115,31151,31152,31153,31154,31161,31162,31163,31164,31165</rules_id>
>> >>> >   <timeout>600</timeout>
>> >>> > </active-response>
>> >>> >
>> >>> >
>> >>> > On Thursday, May 14, 2015 at 4:43:16 PM UTC+2, dan (ddpbsd) wrote:
>> >>> >>
>> >>> >> On Thu, May 14, 2015 at 10:22 AM, HMath <h.i.yo...@gmail.com> wrote:
>> >>> >> > Hi all,
>> >>> >> >
>> >>> >> > I have an OSSEC manager running on CentOS, and two agents, one of
>> >>> >> > them running on Windows 2008.
>> >>> >> > The active response works fine on the CentOS agent, but on the
>> >>> >> > Windows server it does not work automatically and works fine
>> >>> >> > manually.
>> >>> >> >
>> >>> >> > I hope to figure out the problem.
>> >>> >> >
>> >>> >>
>> >>> >> Can you provide any details?
>> >>> >>
>> >>> >> What isn't working?
>> >>> >>
>> >>> >> What is happening?
>> >>> >>
>> >>> >> What do you expect to happen?
>> >>> >>
>> >>> >> What is your current configuration?

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
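The check dan raises in the May 22 reply (do the rule IDs in the AR list actually carry a decoded source IP?) can be run mechanically against the manager's alerts log rather than by reading it by eye. The script below is an added example, not OSSEC code and not something posted in the thread: it parses alerts.log records, applies the win_nullroute `<rules_id>` list and the `<white_list>` entries from the configuration quoted above, and reports for each alert whether a command declared with `<expect>srcip</expect>` would fire on the agent, or why it would not (rule not listed, no `Src IP:` decoded, source address whitelisted). The alerts in SAMPLE_ALERTS are constructed for this example, rule descriptions included; the record layout (`** Alert` header, origin line, `Rule:` line, optional `Src IP:` / `User:` lines, then the raw log) is the one ossec-analysisd writes to /var/ossec/logs/alerts/alerts.log. Hostname-pattern whitelist entries such as `^localhost.localdomain$` are skipped, which is an assumption of this script, not OSSEC behaviour.

```python
# ar_check.py - added example (not OSSEC code): replay alerts.log records
# against an <active-response> block and explain, per alert, whether a
# command with <expect>srcip</expect> would fire.
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample in alerts.log layout; descriptions are invented.
SAMPLE_ALERTS = """\
** Alert 1431600000.1001: - web,accesslog,
2015 May 14 10:59:42 (winsrv2008) 192.168.55.10->IIS
Rule: 31103 (level 6) -> 'Sample: web attack, source decoded.'
Src IP: 192.168.55.29
192.168.55.29 - - [14/May/2015:10:59:40 +0200] "GET /a.aspx?id=1%27%20or%201=1 HTTP/1.1" 200 512

** Alert 1431600005.1002: - web,accesslog,
2015 May 14 10:59:47 (winsrv2008) 192.168.55.10->IIS
Rule: 31101 (level 5) -> 'Sample: rule not in the AR list.'
Src IP: 192.168.55.29
192.168.55.29 - - [14/May/2015:10:59:45 +0200] "GET /missing HTTP/1.1" 404 0

** Alert 1431600010.1003: - windows,
2015 May 14 10:59:52 (winsrv2008) 192.168.55.10->WinEvtLog
Rule: 18110 (level 5) -> 'Sample: Windows event, no source IP decoded.'
WinEvtLog: Security: AUDIT_FAILURE(4625): constructed placeholder event

** Alert 1431600015.1004: - web,accesslog,
2015 May 14 10:59:57 (winsrv2008) 192.168.55.10->IIS
Rule: 31104 (level 6) -> 'Sample: source address is on the white_list.'
Src IP: 127.0.0.1
127.0.0.1 - - [14/May/2015:10:59:55 +0200] "GET /../../windows/win.ini HTTP/1.1" 400 0
"""

# <rules_id> of the win_nullroute response and <white_list> from the thread.
WIN_NULLROUTE_RULES_ID = (
    "11510,11511,11512,3851,3852,31501,31502,31503,31504,31505,18110,18111,18112,18113,"
    "18115,18116,18117,18118,18128,18129,18134,18138,18141,18143,18144,18217,18219,18222,"
    "18225,18227,18228,18229,18230,18231,18232,18234,18235,18236,18237,18238,18239,18240,"
    "18241,18242,18243,18244,18245,18246,18247,18248,18249,18250,18251,18252,18253,18254,"
    "18255,18256,18170,18171,18172,18151,18152,18153,18154,18155,18156,50106,50108,50120,"
    "50126,50180,31411,9505,9510,9551,14151,5631,31506,31507,31508,31510,31511,31512,31513,"
    "31514,31515,31516,31533,31550,31103,31104,31105,31106,31110,31109,31115,31151,31152,"
    "31153,31154,31161,31162,31163,31164,31165")
WHITE_LIST = ("127.0.0.1", "^localhost.localdomain$", "8.8.8.8")

HEADER_RE = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+):")
ORIGIN_RE = re.compile(r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} (?:\((?P<agent>[^)]+)\) )?\S+->")
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
SRCIP_RE = re.compile(r"^Src IP: (?P<ip>\S+)$")


@dataclass
class Alert:
    alert_id: str
    agent: Optional[str] = None
    rule_id: int = 0
    level: int = 0
    description: str = ""
    src_ip: Optional[str] = None  # set only when the decoder extracted srcip


def parse_alerts(text: str) -> List[Alert]:
    """Split alerts.log text into Alert records; raw log lines are ignored."""
    alerts: List[Alert] = []
    cur: Optional[Alert] = None
    in_meta = False  # True between the Rule: line and the first raw log line
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = Alert(alert_id=m.group("id"))
            alerts.append(cur)
            in_meta = False
            continue
        if cur is None:
            continue
        if cur.rule_id == 0:  # still inside the origin/Rule: preamble
            m = ORIGIN_RE.match(line)
            if m:
                cur.agent = m.group("agent")
                continue
            m = RULE_RE.match(line)
            if m:
                cur.rule_id, cur.level = int(m.group("rule")), int(m.group("level"))
                cur.description = m.group("desc")
                in_meta = True
            continue
        if in_meta:
            m = SRCIP_RE.match(line)
            if m:
                cur.src_ip = m.group("ip")
            elif not line.startswith("User: "):
                in_meta = False  # raw log begins; a later "Src IP:" would be payload
    return alerts


def parse_rules_id(text: str) -> Set[int]:
    """Parse a <rules_id> body; commas, spaces and mail-wrapped newlines are fine."""
    return {int(tok) for tok in re.split(r"[\s,]+", text.strip()) if tok}


def is_whitelisted(ip: str, white_list: Iterable[str]) -> bool:
    """IP and CIDR entries only; hostname regex entries are skipped (assumption)."""
    addr = ipaddress.ip_address(ip)
    for entry in white_list:
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue
    return False


def evaluate(alerts: List[Alert], rules_id: Set[int], white_list: Iterable[str] = (),
             expect: str = "srcip") -> Dict[str, str]:
    """Map alert id -> FIRES, RULE_NOT_LISTED, NO_SRCIP or WHITELISTED."""
    verdicts: Dict[str, str] = {}
    for a in alerts:
        if a.rule_id not in rules_id:
            verdicts[a.alert_id] = "RULE_NOT_LISTED"
        elif expect == "srcip" and a.src_ip is None:
            verdicts[a.alert_id] = "NO_SRCIP"  # <expect>srcip</expect> has nothing to pass
        elif a.src_ip is not None and is_whitelisted(a.src_ip, white_list):
            verdicts[a.alert_id] = "WHITELISTED"
        else:
            verdicts[a.alert_id] = "FIRES"
    return verdicts


def listed_rules_without_srcip(alerts: List[Alert], rules_id: Set[int]) -> List[int]:
    """Rule IDs that are in <rules_id> but alerted with no decoded source IP."""
    return sorted({a.rule_id for a in alerts if a.rule_id in rules_id and a.src_ip is None})


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    listed = parse_rules_id(WIN_NULLROUTE_RULES_ID)
    result = evaluate(parsed, listed, WHITE_LIST)
    for a in parsed:
        print(f"{a.alert_id} agent={a.agent} rule={a.rule_id} src={a.src_ip or '-'} -> {result[a.alert_id]}")
    print("listed rules alerting without srcip:", listed_rules_without_srcip(parsed, listed))
```

Run it on the manager with the real file substituted for SAMPLE_ALERTS; the last line is the direct answer to dan's question. Two things the script cannot see are worth checking alongside it: with `<location>local</location>` the response runs on the agent that produced the alert, and the agent looks the script up by name in its own active-response/bin directory, so the manager never sends a path; and `/var/ossec/bin/agent_control -L` prints the response names the manager registered, which carry the timeout suffix (win_nullroute600, as in the May 14 message, rather than win_nullroute), so a manual `-f` with the unsuffixed name does not match a registered response.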