Forgot that part before bed, Question is; Is it possible for a Windows agent to have an active response let say to network scans?
On Tuesday, April 12, 2016 at 3:52:09 PM UTC-5, Rob B wrote: > > Hello Folks, > > Could someone help me wrap my head around the windows active response > mechanism? > > If I understand correctly, the active response / bin folder on the server > will house my .CMD file containing my windows response actions.? > > What I would like to do is have active response fire on an event such as: > <rule id="182669" level="12"> > <if_sid>18100</if_sid> > </rule> > Which would then run my .cmd file, where I want to run an executable that > I have already packaged. > > My question here is: what is the logic to run my packaged executable from > the .cmd file? Where do I store my packaged executable, how does it get to > the client agent to fire? Where will it fire from, so that I may have the > correct syntax in my .cmd file? Can the package be pushed from the server > to all windows agents once they refresh somehow? > > I do understand the basics as to how to setup active response in the .conf > file on the server ossec.conf file and where to turn it ON in the agent > side .conf file. How can I turn ON all the agents active response from the > server? (Currently i only know how to manually update the file at each > client.) > > Any pointers from the Gurus would be greatly appreciated. =) > > Thanks much Guys!! > > > Rob > > > > > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
