Hello Folks, could someone help me wrap my head around the Windows active response mechanism?

If I understand correctly, the active-response/bin folder on the server will house my .cmd file containing my Windows response actions? What I would like to do is have active response fire on an event such as:

    <rule id="182669" level="12">
      <if_sid>18100</if_sid>
    </rule>

which would then run my .cmd file, where I want to run an executable that I have already packaged.

My questions here are: what is the logic to run my packaged executable from the .cmd file? Where do I store my packaged executable, and how does it get to the client agent to fire? Where will it fire from, so that I may have the correct syntax in my .cmd file? Can the package be pushed from the server to all Windows agents once they refresh somehow?

I do understand the basics of how to set up active response in the server's ossec.conf file and where to turn it ON in the agent-side .conf file. How can I turn ON active response on all the agents from the server? (Currently I only know how to manually update the file at each client.)

Any pointers from the Gurus would be greatly appreciated. =)

Thanks much Guys!!

Rob
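As an added example (not code from the original post and not one of OSSEC's stock scripts), here is what such a .cmd file could look like. It relies on two things OSSEC does define: the agent runs scripts from its active-response\bin folder, and every script receives the same positional arguments (action, user, source IP, alert id, rule id, agent name). Everything else is assumed for illustration: the packaged executable is called my-tool.exe, it has already been copied to each agent next to the script, and it accepts the hypothetical switches --user, --ip and --rule. The script uses %~dp0 (the folder the script itself lives in) so it does not matter which working directory the agent starts it from.

```batch
@ECHO OFF
REM my-response.cmd -- added example, not one of OSSEC's stock scripts.
REM OSSEC hands every active-response script the same positional arguments:
REM   %1 = action: "add" when the alert fires, "delete" when <timeout> expires
REM   %2 = user name from the alert, or "-" if the alert has none
REM   %3 = source IP from the alert, or "-" if the alert has none
REM   %4 = alert id   %5 = rule id   %6 = agent name
REM Assumptions (not from the post): the packaged executable is deployed to
REM each agent as my-tool.exe next to this script, and it accepts the
REM hypothetical switches --user, --ip and --rule.
SETLOCAL

REM %~dp0 is the folder this script lives in, so the paths below work no
REM matter which working directory the agent starts the script from.
SET "TOOL=%~dp0my-tool.exe"
SET "LOG=%~dp0my-response.log"

IF /I "%~1"=="add" GOTO ADD
IF /I "%~1"=="delete" GOTO DELETE
ECHO %DATE% %TIME% %~nx0: invalid action "%~1" >> "%LOG%"
ECHO Usage: %~nx0 (add^|delete) (user) (ip) [alert_id] [rule_id] [agent]
EXIT /B 1

:ADD
REM Checked with GOTO rather than an IF ( ... ) block: a path such as
REM "Program Files (x86)" would otherwise close the block early.
IF EXIST "%TOOL%" GOTO RUN
ECHO %DATE% %TIME% %~nx0: "%TOOL%" is missing on this agent >> "%LOG%"
EXIT /B 2

:RUN
ECHO %DATE% %TIME% %~nx0: add user=%~2 ip=%~3 alert=%~4 rule=%~5 agent=%~6 >> "%LOG%"
REM The agent runs as a service, so there is no console to read output from;
REM capture the tool's stdout/stderr in the log file instead.
"%TOOL%" --user "%~2" --ip "%~3" --rule "%~5" >> "%LOG%" 2>&1
ECHO %DATE% %TIME% %~nx0: my-tool.exe exit code %ERRORLEVEL% >> "%LOG%"
EXIT /B 0

:DELETE
REM Called after <timeout> seconds if the active-response has a timeout;
REM undo the "add" action here when it is reversible.
ECHO %DATE% %TIME% %~nx0: delete user=%~2 ip=%~3 rule=%~5 >> "%LOG%"
EXIT /B 0
```

On the manager, the script is referenced by file name in a `<command>` block (`<name>` plus `<executable>my-response.cmd</executable>`), and an `<active-response>` block ties that command name to the rule with `<rules_id>182669</rules_id>`, `<location>local</location>` (run on the agent that produced the event) and an optional `<timeout>`; on the agent, `<active-response><disabled>no</disabled></active-response>` has to be set. This example does not try to deploy either file: it assumes the .cmd and my-tool.exe are already present in active-response\bin on every agent, and it checks for the executable before calling it so that a missing copy shows up in the log instead of failing silently.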
