Hey Everyone,

So I have been struggling to get active response working. I googled around 
for a few days and couldn't really find a solution to the problem so I am 
hoping someone here can get this working for me.

The server is running on Ubuntu. I have active response set and working 
good for all my linux boxes.

AR config from the server:

  <command>
    <name>win_nullroute</name>
    <executable>route-null.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>win_nullroute</command>
    <location>local</location>
    <rules_id>600000,31151,31515,31508</rules_id>
    <timeout>120</timeout>
    <repeated_offenders>5,10,30</repeated_offenders>
  </active-response>

Active response is enabled on the client. When I run the route-null.cmd 
manually on the server it runs fine. The route for the target system is 
inserted into the routing table. The reverse also works when removing it. 
The log entry for the add and delete are added to the active-response.log.

When I run the block command from the server, nothing happens. The route is 
not added and nothing is added into the active-response.log or the 
ossec.log indicating anything.

# ../bin/agent_control -L

OSSEC HIDS agent_control. Available active responses:

   Response name: firewall-drop120, command: firewall-drop.sh
   Response name: win_nullroute120, command: route-null.cmd

#:/var/ossec/etc# ./agent_control -u 050 -b 10.10.10.10 -f win_nullroute120

# ../bin/agent_control -i 050

OSSEC HIDS agent_control. Agent information:
   Agent ID:   050
   Agent Name: <servername>
   IP address: any/any
   Status:     Active

   Operating system:    Microsoft Windows Server 2012 Standard Edition  
(Bui..
   Client version:      OSSEC HIDS v2.8.3
   Last keep alive:     Fri Oct  6 13:51:22 2017

   Syscheck last started  at: Fri Oct  6 13:32:11 2017
   Rootcheck last started at: Fri Oct  6 13:42:03 2017

Help..please =)

Thanks,

Keith
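As an added example (not code from the post or from OSSEC itself): a small Python checker that parses the two config fragments above, derives the response names `agent_control -L` should list (command name followed by the timeout, as in win_nullroute120), and cross-checks them against the -L output. It assumes the fragments live under the `<ossec_config>` root of ossec.conf; the sample config and -L text are constructed copies of what the post shows.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the two fragments from the post, wrapped in the
# <ossec_config> root element that ossec.conf uses.
OSSEC_CONF = """<ossec_config>
  <command>
    <name>win_nullroute</name>
    <executable>route-null.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>win_nullroute</command>
    <location>local</location>
    <rules_id>600000,31151,31515,31508</rules_id>
    <timeout>120</timeout>
  </active-response>
</ossec_config>"""

# Constructed sample of `agent_control -L` output, copied from the post.
AGENT_CONTROL_L = """   Response name: firewall-drop120, command: firewall-drop.sh
   Response name: win_nullroute120, command: route-null.cmd
"""

def expected_responses(conf_xml):
    """Map each active-response to {name+timeout: executable}. agent_control
    names a timed response <command><timeout> (win_nullroute120) and -f expects
    that exact name; config inconsistencies are collected in errors."""
    root = ET.fromstring(conf_xml)
    commands = {c.findtext("name", "").strip(): c for c in root.findall("command")}
    results, errors = {}, []
    for ar in root.findall("active-response"):
        name = ar.findtext("command", "").strip()
        cmd = commands.get(name)
        if cmd is None:
            errors.append(f"active-response references undefined command {name!r}")
            continue
        timeout = ar.findtext("timeout", "").strip()
        if timeout and cmd.findtext("timeout_allowed", "no").strip() != "yes":
            errors.append(f"{name}: <timeout> set but timeout_allowed is not yes")
        results[name + timeout] = cmd.findtext("executable", "").strip()
    return results, errors

def check(conf_xml, agent_control_output):
    """Names the config implies but `agent_control -L` lacks were never loaded."""
    expected, errors = expected_responses(conf_xml)
    listed = dict(re.findall(r"Response name: (\S+), command: (\S+)", agent_control_output))
    return {"ok": sorted(set(expected) & set(listed)),
            "missing": sorted(set(expected) - set(listed)), "errors": errors}
```

A response reported under "ok" is loaded on the server side, so for the post's setup the remaining place to look is the agent end (the Windows agent's own active-response settings and logs), not the server config.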

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.