Thanks for your interest. We are deploying OSSEC with active response enabled on both Linux and Windows.

Actually, I wonder why the Linux and Windows configurations of active response are different. I realized that there is no special reason to disable/enable active response for Windows. And also I think this configuration file should be changed in GitHub: https://github.com/ossec/ossec-hids/blob/master/src/win32/ossec.conf#L133

On Monday, February 8, 2016 at 12:50:40 PM UTC+2, Pedro S wrote:
>
> You are totally right, excuse me.
>
> OSSEC documentation is really weird, you can find here info about Windows active response:
>
> http://ossec-docs.readthedocs.org/en/latest/manual/ar/ar-windows.html
>
> About the disabled by default, it is specified here:
>
> https://github.com/ossec/ossec-hids/blob/master/src/win32/ossec.conf#L133
>
> I think OSSEC uses that file to compile the Windows binary; if you change that line and compile the agent, it will have active-response active by default.
>
>
> On Monday, February 8, 2016 at 11:44:43 AM UTC+1, dan (ddpbsd) wrote:
>>
>> On Feb 8, 2016 5:39 AM, "Pedro S" <[email protected]> wrote:
>> >
>> > Hi,
>> >
>> > Active-response is only supported by installations: local and server.
>> > Local and server installation only works on Linux, so Windows does not have active-response functionality; that's why it is disabled by default on Windows agents.
>> >
>> > Refer to OSSEC documentation:
>> > http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.active-response.html
>> >
>>
>> The documentation is weird, you can use active response on agents as well. It is supported on Windows, but I don't know why it's disabled by default.
>>
>> > Regards,
>> >
>> > Pedro S.
>> >
>> > On Thursday, February 4, 2016 at 7:55:42 AM UTC+1, Abdulvehhab Agin wrote:
>> >>
>> >> Hi
>> >>
>> >> The OSSEC setup prepared for the Windows install has the ossec.conf file with active response <disabled>yes</disabled> by default.
>> >>
>> >> However, in Linux there is no active response tag, which means that it is ready for active response.
>> >>
>> >> Why is it disabled by default in the Windows installation?
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
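To make the two sides of the thread concrete, here is an added configuration example (written for this page, not taken from the thread or from the OSSEC project's own files). It shows the agent-side block the thread refers to, first as shipped with `<disabled>yes</disabled>` and then with the value that enables active response, followed by the server-side `<command>` and `<active-response>` pair that actually triggers a response on a Windows agent. The command name `win_nullroute` and the executable name `route-null.cmd` are assumptions for this example; the executable has to exist in the agent's active-response bin directory, and the alert `<level>` and `<timeout>` are illustrative values.

```xml
<!-- Added example (not from the thread or the OSSEC project). -->

<!-- 1. Agent side: the win32 ossec.conf as shipped. With this block
     present, the agent ignores every active-response order from the
     server, regardless of what the server has configured. -->
<ossec_config>
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</ossec_config>

<!-- 1'. The same block with active response enabled. Change it in the
     agent's ossec.conf and restart the agent service; removing the
     block entirely has the same effect as "no". -->
<ossec_config>
  <active-response>
    <disabled>no</disabled>
  </active-response>
</ossec_config>

<!-- 2. Server side (the manager's ossec.conf): a command definition and a
     response that runs on the agent which raised the alert. Command name
     and executable are assumed for this example. -->
<ossec_config>
  <command>
    <name>win_nullroute</name>
    <executable>route-null.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>win_nullroute</command>
    <location>local</location>   <!-- run on the agent that produced the alert -->
    <level>8</level>             <!-- fire for alerts of level 8 and above -->
    <timeout>600</timeout>       <!-- undo the response after 600 seconds -->
  </active-response>
</ossec_config>
```

Both halves are required: enabling the agent block alone does nothing until the server defines a command and a matching `<active-response>` entry, and the server-side entry alone is silently ignored by an agent that still carries `<disabled>yes</disabled>`. After restarting the agent, the agent's active-responses.log (under the OSSEC install directory on Windows) is the place to confirm that an order from the server was received and executed.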
