On Wed, 4 May 2016, Jacob Mcgrath wrote:
> The script works locally at work....
> If I invoke an active response from the ossec server like so
> /var/ossec/bin/agent_control -b 1.2.3.4 -f win_nullroute600 -u 007
> I see that the C:\Program Files (x86)\ossec-agent\active-response\active-responses.log is generated...with this input...
>
> Wed 05/04/2016 13:27:16.81 C:\Program Files (x86)\ossec-agent\active-response\bin\"active-response/bin/route-null.cmd" add - "-"
> Wed 05/04/2016 13:41:16.86 C:\Program Files (x86)\ossec-agent\active-response\bin\"active-response/bin/route-null.cmd" delete - "-"
>
> route print on my Windows agent does not show this route added and in turn removed...
> From what I can tell the script should work if the proper args are received. But the ip to be routed from ossec never gets seen in the Windows agent...could be the script or the way the arg is passed down from server to agent.
I've been doing some testing and the script itself is ok. It seems the
Windows agent is receiving the IP address and since the agent doesn't
attempt to run a duplicate request I think it's reasonable to assume it's
because the agent has already cached the IP address. So the mystery is
how the agent is losing the IP address info before calling route-null.
--
Antonio Querubin
e-mail: [email protected]
xmpp: [email protected]
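One quick way to confirm from the agent side whether the IP ever reaches the script is to parse active-responses.log and flag every route-null.cmd invocation whose last argument is not an IP address. The following is an added example written for this thread, not code from OSSEC or from either poster; it assumes the fields after the script path are action, user and IP (the order route-null.cmd reads %1, %2 and %3), and the sample log lines are constructed in the shape of the entries quoted above.

```python
import re
from ipaddress import ip_address

# Constructed sample in the shape of the lines quoted in the thread.
# The third line is a hypothetical entry showing what a correct call looks like.
SAMPLE_LOG = r"""
Wed 05/04/2016 13:27:16.81 C:\Program Files (x86)\ossec-agent\active-response\bin\"active-response/bin/route-null.cmd" add - "-"
Wed 05/04/2016 13:41:16.86 C:\Program Files (x86)\ossec-agent\active-response\bin\"active-response/bin/route-null.cmd" delete - "-"
Wed 05/04/2016 14:02:03.10 C:\Program Files (x86)\ossec-agent\active-response\bin\"active-response/bin/route-null.cmd" add - "1.2.3.4"
"""

# day date time <script path ending in .cmd"> action user "ip"
LINE_RE = re.compile(
    r'^(?P<day>\w{3}) (?P<date>\S+) (?P<time>\S+) '
    r'(?P<script>.*?\.cmd") '
    r'(?P<action>add|delete) (?P<user>\S+) "?(?P<ip>[^"]*)"?\s*$'
)


def parse_entries(log_text):
    """Parse active-responses.log text into dicts; lines that do not match are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def has_valid_ip(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def missing_ip_entries(log_text):
    """Invocations where the IP argument never reached the script
    (logged as '-' or anything else that is not an IP address)."""
    return [e for e in parse_entries(log_text) if not has_valid_ip(e["ip"])]


if __name__ == "__main__":
    for e in missing_ip_entries(SAMPLE_LOG):
        print(f'{e["date"]} {e["time"]}: {e["action"]} called without an IP (got {e["ip"]!r})')
```

Run it against the real C:\Program Files (x86)\ossec-agent\active-response\active-responses.log instead of SAMPLE_LOG; every line it reports is a call where the argument was already lost before route-null.cmd ran, which narrows the problem to the server-to-agent path rather than the script.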