Hi Jacob,

Is it possible for a Windows agent to have an active response, let's say to network scans?

Yes, it is possible. As Dan said, you must be able to detect the attack and then you use the proper active response. Detecting attacks is the hardest part. I did it reading Fortinet logs.

Regards,
Jesus Linares.

On Wednesday, April 13, 2016 at 1:54:33 PM UTC+2, dan (ddpbsd) wrote:
>
> On Wed, Apr 13, 2016 at 7:47 AM, Jacob Mcgrath <[email protected]> wrote:
> > Forgot that part before bed,
> >
> > Question is; Is it possible for a Windows agent to have an active response, let's say to network scans?
> >
>
> Yes, if you can detect the scan there should be a way to trigger an AR.
> For instance, you detect a scan, and log a message:
> "Network scan detected from 10.10.10.10"
>
> On the OSSEC manager create a decoder to read those messages and decode the IP address.
> Then configure a rule to match those log messages, and an AR to be triggered when that rule fires (rules_id, I believe).
>
> > On Tuesday, April 12, 2016 at 3:52:09 PM UTC-5, Rob B wrote:
> >>
> >> Hello Folks,
> >>
> >> Could someone help me wrap my head around the Windows active response mechanism?
> >>
> >> If I understand correctly, the active-response/bin folder on the server will house my .CMD file containing my Windows response actions?
> >>
> >> What I would like to do is have active response fire on an event such as:
> >> <rule id="182669" level="12">
> >> <if_sid>18100</if_sid>
> >> </rule>
> >> Which would then run my .cmd file, where I want to run an executable that I have already packaged.
> >>
> >> My question here is: what is the logic to run my packaged executable from the .cmd file? Where do I store my packaged executable, how does it get to the client agent to fire? Where will it fire from, so that I may have the correct syntax in my .cmd file? Can the package be pushed from the server to all Windows agents once they refresh somehow?
> >>
> >> I do understand the basics as to how to set up active response in the .conf file on the server (ossec.conf) and where to turn it ON in the agent-side .conf file. How can I turn ON all the agents' active response from the server? (Currently I only know how to manually update the file at each client.)
> >>
> >> Any pointers from the Gurus would be greatly appreciated. =)
> >>
> >> Thanks much Guys!!
> >>
> >> Rob
> >
> > --
> > ---
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
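The decoder -> rule -> active-response chain that Dan describes, written out as an added example (this is not configuration posted in the thread and not OSSEC's shipped config). It assumes the Windows agent writes the line "Network scan detected from <ip>" to a log file that the agent tails, and the decoder name netscan-alert, rule id 100100, command name win-netscan, script name netscan.cmd, the log path and the 600 second timeout are all made up for the example; pick values that do not collide with your own rules and scripts.

```xml
<!-- 1. Windows agent ossec.conf: tail the log the scanner writes to.
        The path is an assumption for this example. -->
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>C:\scanner\netscan.log</location>
  </localfile>

  <!-- Active response must be enabled on the agent itself; the
       manager cannot switch it on remotely. -->
  <active-response>
    <disabled>no</disabled>
  </active-response>
</ossec_config>

<!-- 2. Manager decoder (etc/local_decoder.xml): pull the source IP out of
        "Network scan detected from 10.10.10.10" into the srcip field.
        In OSSEC regex syntax \d+ is a run of digits and \. a literal dot. -->
<decoder name="netscan-alert">
  <prematch>^Network scan detected from </prematch>
  <regex offset="after_prematch">^(\d+\.\d+\.\d+\.\d+)</regex>
  <order>srcip</order>
</decoder>

<!-- 3. Manager rule (rules/local_rules.xml): fire on anything that decoder
        matched. Rule id 100100 is an assumption; local rules live in
        the 100000-119999 range. -->
<group name="local,netscan,">
  <rule id="100100" level="10">
    <decoded_as>netscan-alert</decoded_as>
    <description>Network scan detected by an agent (source IP in srcip).</description>
  </rule>
</group>

<!-- 4. Manager ossec.conf: define the command and bind it to the rule.
        <expect>srcip</expect> means the AR only runs when the alert
        carries a decoded srcip, which is what the script receives.
        <location>local</location> runs the script on the agent that
        produced the alert, i.e. on the Windows host. -->
<ossec_config>
  <command>
    <name>win-netscan</name>
    <executable>netscan.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>win-netscan</command>
    <location>local</location>
    <rules_id>100100</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

On the agent, netscan.cmd has to already sit in the agent's active-response\bin directory (under the OSSEC agent install directory on Windows); OSSEC does not copy scripts or packaged executables from the manager to agents, so they have to be deployed with whatever you use to install the agent, and the agent restarted after ossec.conf changes. OSSEC invokes active-response scripts with the arguments action, user, IP, alert id and rule id, so inside the .cmd the source address is %3 and %1 is "add" or, when the timeout expires, "delete"; the route-null.cmd that ships with the Windows agent shows the convention. A packaged executable kept next to the script can be started as "%~dp0myaction.exe" %3 (myaction.exe being a placeholder for your own binary). Two things to check before relying on this: the prematch must match the logged line byte for byte, including the trailing space, and rule 100100 must actually appear in alerts.log for the message, since the active response only fires when that rule fires.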
