The script works locally at work.... If I invoke an active response from the ossec server like so

/var/ossec/bin/agent_control -b 1.2.3.4 -f win_nullroute600 -u 007

I see that the C:\Program Files (x86)\ossec-agent\active-response\active-responses.log is generated...with this input...

Wed 05/04/2016 13:27:16.81 C:\Program Files (x86)\ossec-agent\active-response\bin\"active-response/bin/route-null.cmd" add - "-"
Wed 05/04/2016 13:41:16.86 C:\Program Files (x86)\ossec-agent\active-response\bin\"active-response/bin/route-null.cmd" delete - "-"

route print on my Windows agent does not show this route added and in turn removed...

From what I can tell the script should work if the proper args are received. But the IP to be routed from ossec never gets seen in the Windows agent...could be the script or the way the arg is passed down from server to agent.

On Wednesday, July 2, 2014 at 11:28:31 AM UTC-5, morgan cox wrote:
>
> Hi
>
> I cannot get active response to work
>
> how can I debug why active response on Windows agents is not working?
>
> Linux agents are fine - i.e. drop/active response is working
>
> I have followed -
> http://ossec-docs.readthedocs.org/en/latest/manual/ar/ar-windows.html
>
> when I use the command: - /var/ossec/bin/agent_control -b 2.3.4.5 -f win_nullroute600 -u 002
>
> it doesn't block / add a route on the Windows agent
>
> tried on Windows 2012/2008, both OSes same result.
>
> How can I find out why?
>
> regards
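
A triage helper for the symptom described in this thread, added here as an example and not part of the original posts or of OSSEC: it parses active-responses.log entries in the shape quoted above and flags those where the source-IP argument reached the script as "-". It assumes the three tokens after the script path are action, user and srcip; the third sample line is constructed.

```python
import ipaddress
import re

# First two lines are the entries quoted in the post; the third is a
# constructed entry showing what a populated srcip field would look like.
SAMPLE_LOG = r'''Wed 05/04/2016 13:27:16.81 C:\Program Files (x86)\ossec-agent\active-response\bin\"active-response/bin/route-null.cmd" add - "-"
Wed 05/04/2016 13:41:16.86 C:\Program Files (x86)\ossec-agent\active-response\bin\"active-response/bin/route-null.cmd" delete - "-"
Wed 05/04/2016 14:02:10.12 C:\Program Files (x86)\ossec-agent\active-response\bin\"active-response/bin/route-null.cmd" add - "192.0.2.10"
'''

# Assumed layout: <timestamp> <script path> <action> <user> <srcip>
ENTRY = re.compile(
    r'^(?P<ts>\w{3} \d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2}\.\d{2}) '
    r'(?P<script>.+?) (?P<action>add|delete) (?P<user>\S+) '
    r'"?(?P<srcip>[^"\s]*)"?\s*$'
)


def classify(line):
    """Parse one log entry; return None if it is not in the assumed layout."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    srcip = m.group("srcip")
    try:
        ipaddress.ip_address(srcip)
        status = "ok"
    except ValueError:
        # "-" (or nothing) means no address was handed to the script,
        # so the route command has no target to add or delete.
        status = "missing-srcip" if srcip in ("", "-") else "invalid-srcip"
    return {"ts": m.group("ts"), "action": m.group("action"),
            "user": m.group("user"), "srcip": srcip, "status": status}


def audit(log_text):
    """Classify every parseable entry in a log excerpt."""
    return [r for r in map(classify, log_text.splitlines()) if r]


if __name__ == "__main__":
    for entry in audit(SAMPLE_LOG):
        print(entry["ts"], entry["action"], entry["srcip"], entry["status"])
```

Entries flagged missing-srcip show the script ran on the agent but was never given an address, which points at how the argument is passed from the server rather than at the route command itself.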
