Hey Everyone, So I have been struggling to get active response working. I googled around for a few days and couldn't really find a solution to the problem, so I am hoping someone here can get this working for me.

The server is running on Ubuntu. I have active response set up and working well for all my Linux boxes. AR config from the server:

<command>
  <name>win_nullroute</name>
  <executable>route-null.cmd</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <disabled>no</disabled>
  <command>win_nullroute</command>
  <location>local</location>
  <rules_id>600000,31151,31515,31508</rules_id>
  <timeout>120</timeout>
  <repeated_offenders>5,10,30</repeated_offenders>
</active-response>

Active response is enabled on the client. When I run the route-null.cmd manually on the server it runs fine. The route for the target system is inserted into the routing table. The reverse also works when removing it. The log entries for the add and delete are added to the active-response.log.

When I run the block command from the server, nothing happens. The route is not added and nothing is added to the active-response.log or the ossec.log indicating anything.

# ../bin/agent_control -L

OSSEC HIDS agent_control. Available active responses:

   Response name: firewall-drop120, command: firewall-drop.sh
   Response name: win_nullroute120, command: route-null.cmd

#:/var/ossec/etc# ./agent_control -u 050 -b 10.10.10.10 -f win_nullroute120

# ../bin/agent_control -i 050

OSSEC HIDS agent_control. Agent information:
   Agent ID: 050
   Agent Name: <servername>
   IP address: any/any
   Status: Active

   Operating system: Microsoft Windows Server 2012 Standard Edition (Bui..
   Client version: OSSEC HIDS v2.8.3
   Last keep alive: Fri Oct 6 13:51:22 2017

   Syscheck last started at: Fri Oct 6 13:32:11 2017
   Rootcheck last started at: Fri Oct 6 13:42:03 2017

Help..please =)

Thanks,
Keith
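A small checker for the kind of `<command>`/`<active-response>` fragment shown above, added here as an example and not code from the post or from the OSSEC project. It wraps the fragment in a dummy root (an ossec.conf excerpt is not a well-formed document on its own), verifies that every enabled active-response points at a defined command with a consistent timeout and numeric rule ids, and derives the response name that agent_control -L lists, which in the post's output is the command name with the timeout appended (win_nullroute + 120 = win_nullroute120); the sample input is constructed and includes one deliberately broken block.

```python
"""Sanity-check OSSEC active-response blocks from an ossec.conf fragment."""
import xml.etree.ElementTree as ET

# Constructed sample: the poster's fragment plus a block referencing a
# command that was never defined, to show what a problem report looks like.
SAMPLE_CONFIG = """
<command>
  <name>win_nullroute</name>
  <executable>route-null.cmd</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>
<active-response>
  <disabled>no</disabled>
  <command>win_nullroute</command>
  <location>local</location>
  <rules_id>600000,31151,31515,31508</rules_id>
  <timeout>120</timeout>
</active-response>
<active-response>
  <disabled>no</disabled>
  <command>no_such_cmd</command>
  <location>local</location>
  <rules_id>5712</rules_id>
</active-response>
"""


def check_active_response(fragment):
    """Return (listed_response_names, problems) for an ossec.conf fragment."""
    root = ET.fromstring("<root>" + fragment + "</root>")
    # findall() matches direct children only, so the <command> element inside
    # <active-response> is not mistaken for a command definition.
    commands = {(c.findtext("name") or "").strip(): c for c in root.findall("command")}
    names, problems = [], []
    for ar in root.findall("active-response"):
        if (ar.findtext("disabled") or "no").strip() == "yes":
            continue
        cmd_name = (ar.findtext("command") or "").strip()
        cmd = commands.get(cmd_name)
        if cmd is None:
            problems.append(f"active-response references undefined command '{cmd_name}'")
            continue
        timeout = (ar.findtext("timeout") or "0").strip()
        if timeout != "0" and (cmd.findtext("timeout_allowed") or "no").strip() != "yes":
            problems.append(f"{cmd_name}: timeout {timeout} set but timeout_allowed is not yes")
        for rid in (ar.findtext("rules_id") or "").split(","):
            if not rid.strip().isdigit():
                problems.append(f"{cmd_name}: non-numeric rules_id entry '{rid.strip()}'")
        # agent_control -L / -f use the name with the timeout appended.
        names.append(cmd_name + timeout if timeout != "0" else cmd_name)
    return names, problems


if __name__ == "__main__":
    listed, issues = check_active_response(SAMPLE_CONFIG)
    print("responses agent_control should list:", listed)
    print("problems:", issues or "none")
```

The name returned for a block is the one to pass to `agent_control -f`; a block that shows up in `problems` will not produce a usable response entry.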