On Wed, Apr 13, 2016 at 7:47 AM, Jacob Mcgrath <[email protected]> wrote: > Forgot that part before bed, > > Question is; Is it possible for a Windows agent to have an active response > let say to network scans? >
Yes, if you can detect the scan there should be a way to trigger an AR. For instance, you detect a scan, and log a message: "Network scan detected from 10.10.10.10" On the OSSEC manager create a decoder to read those messages and decode the IP address. Then configure a rule to match those log messages, and an AR to be triggered when that rule fires (rules_id, I believe). > On Tuesday, April 12, 2016 at 3:52:09 PM UTC-5, Rob B wrote: >> >> Hello Folks, >> >> Could someone help me wrap my head around the windows active response >> mechanism? >> >> If I understand correctly, the active response / bin folder on the server >> will house my .CMD file containing my windows response actions.? >> >> What I would like to do is have active response fire on an event such as: >> <rule id="182669" level="12"> >> <if_sid>18100</if_sid> >> </rule> >> Which would then run my .cmd file, where I want to run an executable that >> I have already packaged. >> >> My question here is: what is the logic to run my packaged executable from >> the .cmd file? Where do I store my packaged executable, how does it get to >> the client agent to fire? Where will it fire from, so that I may have the >> correct syntax in my .cmd file? Can the package be pushed from the server to >> all windows agents once they refresh somehow? >> >> I do understand the basics as to how to setup active response in the .conf >> file on the server ossec.conf file and where to turn it ON in the agent side >> .conf file. How can I turn ON all the agents active response from the >> server? (Currently i only know how to manually update the file at each >> client.) >> >> Any pointers from the Gurus would be greatly appreciated. =) >> >> Thanks much Guys!! >> >> >> Rob >> >> >> >> > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
