On Tue, Apr 12, 2016 at 11:29 PM, Jacob Mcgrath <[email protected]> wrote: > I am as well interested in this process in regards to OSSEC and windows > active response. I am considering a deployment on a > AD controlled business environment. Was considering active response for > windows clients when network scans are detected, nmap Nessus, MBSA ect ect. > > As well as logging any time any past or future when a external storage > device (usb) is detected on a Windows client. > > Any incite on how OSSEC governs its active response on Windows agents would > be helpful. >
Do you have specific questions? > > > On Tuesday, April 12, 2016 at 3:52:09 PM UTC-5, Rob B wrote: >> >> Hello Folks, >> >> Could someone help me wrap my head around the windows active response >> mechanism? >> >> If I understand correctly, the active response / bin folder on the server >> will house my .CMD file containing my windows response actions.? >> >> What I would like to do is have active response fire on an event such as: >> <rule id="182669" level="12"> >> <if_sid>18100</if_sid> >> </rule> >> Which would then run my .cmd file, where I want to run an executable that >> I have already packaged. >> >> My question here is: what is the logic to run my packaged executable from >> the .cmd file? Where do I store my packaged executable, how does it get to >> the client agent to fire? Where will it fire from, so that I may have the >> correct syntax in my .cmd file? Can the package be pushed from the server to >> all windows agents once they refresh somehow? >> >> I do understand the basics as to how to setup active response in the .conf >> file on the server ossec.conf file and where to turn it ON in the agent side >> .conf file. How can I turn ON all the agents active response from the >> server? (Currently i only know how to manually update the file at each >> client.) >> >> Any pointers from the Gurus would be greatly appreciated. =) >> >> Thanks much Guys!! >> >> >> Rob >> >> >> >> > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
