On Tue, Apr 12, 2016 at 4:52 PM, Rob B <[email protected]> wrote:
> Hello Folks,
>
> Could someone help me wrap my head around the Windows active response
> mechanism?
>
> If I understand correctly, the active-response/bin folder on the server
> will house my .CMD file containing my Windows response actions?
>

I'm not totally sure on Windows, but I think so.

> What I would like to do is have active response fire on an event such as:
>
> <rule id="182669" level="12">
>   <if_sid>18100</if_sid>
> </rule>
>
> Which would then run my .cmd file, where I want to run an executable that I
> have already packaged.
>
> My question here is: what is the logic to run my packaged executable from
> the .cmd file? Where do I store my packaged executable, how does it get to

It should be on the agent you want to run it.

> the client agent to fire? Where will it fire from, so that I may have the
> correct syntax in my .cmd file? Can the package be pushed from the server to

That's a good question, I would assume either the ossec directory, or the ar/bin directory. It shouldn't be too hard to test though.

> all Windows agents once they refresh somehow?
>

What package? The AR configuration should be pushed, but it's up to you to put your executable in place.

> I do understand the basics as to how to setup active response in the .conf
> file on the server ossec.conf file and where to turn it ON in the agent side
> .conf file. How can I turn ON all the agents' active response from the
> server? (Currently I only know how to manually update the file at each
> client.)
>

It's possible the agent.conf can be used for this, but if not your configuration management solution should be able to handle pushing new ossec.confs to the agents.

> Any pointers from the Gurus would be greatly appreciated. =)
>
> Thanks much Guys!!
>
> Rob
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
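To make the wiring described in this exchange concrete, here is an added example of the two ossec.conf fragments involved; it is not code from the thread or from the OSSEC project. The rule id is the one Rob posted; the command name run-packaged-tool and the script name my-response.cmd are assumptions.

```xml
<!-- Added example, not from the thread or the OSSEC project: wiring the
     custom rule 182669 from the question to a Windows .cmd response script.
     The command name and script name are assumed; the rule id is Rob's. -->

<!-- 1. Manager side: ossec.conf on the OSSEC server. <command> names the
        script; <executable> is looked up in active-response/bin under the
        install directory of whichever host ends up running it. -->
<ossec_config>
  <command>
    <name>run-packaged-tool</name>
    <executable>my-response.cmd</executable>
    <!-- srcip: the alert's source IP is handed to the script as its third
         argument; an empty <expect></expect> passes nothing from the alert -->
    <expect>srcip</expect>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <command>run-packaged-tool</command>
    <!-- local: run on the agent that produced the alert, which is what the
         question asks for; "server" would run it on the manager instead -->
    <location>local</location>
    <!-- fire only for the custom rule from the question -->
    <rules_id>182669</rules_id>
  </active-response>
</ossec_config>

<!-- 2. Agent side: ossec.conf on each Windows agent. The manager decides
        that a response should run, but the agent executes it only if
        active response is enabled here. -->
<ossec_config>
  <active-response>
    <disabled>no</disabled>
  </active-response>
</ossec_config>
```

With this in place the manager pushes only the decision to run the response, never the binary: my-response.cmd and the packaged executable both have to already be present under active-response\bin in the agent's install directory (C:\Program Files (x86)\ossec-agent by default), which is why the reply points at configuration management for distribution. Inside the .cmd, %1 is "add" or "delete" and %3 is the source IP, and %~dp0 expands to the script's own directory, so an executable dropped beside the script can be launched as "%~dp0my-tool.exe". Since %3 is derived from log contents the monitored system received, quote every argument the script forwards and validate it before use, and watch active-response\active-responses.log on the agent to confirm what actually fired.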
