For me it was the IP checking part of the script on Windows 7 Enterprise...
I commented it out for now until I have a little time to rework the
checking function... I will post it later when this happens.
:: Check for a valid IP
::ECHO "%2" | %WINDIR%\system32\findstr.exe /R
"[0-2][0-9]*[0-9]*\.[0-2][0-9]*[0-9]*\.[0-2][0-9]*[0-9]*\.[0-2][0-9]*[0-9]*"
>nul || ECHO Invalid IP && EXIT /B 2
:: Extracts last ip address from ipconfig and routes to this address.
Windows will not allow routing to 127.0.0.1
FOR /F "TOKENS=2* DELIMS=:" %%A IN ('%WINDIR%\system32\ipconfig.exe ^|
%WINDIR%\system32\findstr.exe /R /C:"IPv*4* Address"') DO FOR %%B IN (%%A)
DO SET IPADDR=%%B
%WINDIR%\system32\route.exe ADD %2 MASK 255.255.255.255 %IPADDR%
On Wednesday, July 2, 2014 at 11:28:31 AM UTC-5, morgan cox wrote:
>
> Hi
>
> I cannot get active response to work
>
> how can I debug why active response on Windows agents is not working ?
>
> linux agents are fine - i.e drop/active response is working
>
> I have followed -
> http://ossec-docs.readthedocs.org/en/latest/manual/ar/ar-windows.html
>
> when I use the command : - /var/ossec/bin/agent_control -b 2.3.4.5 -f
> win_nullroute600 -u 002
>
> it doesn''t block / add a route on the windows agent
>
> tried on Windows 2012/2008 both os's same result.
>
> How can I find out why ?
>
> regards
>
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
