Hello, I am trying a very basic active response which would terminate a PowerShell process when it is created on a host (Windows 10) machine.
I have a standalone SO configuration with 3 OSSEC agents (v2.9) connected, all Windows machines. I have verified that the script shutdown_powershell.cmd works independently of OSSEC active response. My ossec.conf file looks like this:

  <command>
    <name>shutdown_powershell</name>
    <executable>shutdown_powershell.cmd</executable>
    <expect></expect>
  </command>

  <active-response>
    <command>shutdown_powershell</command>
    <rules_id>100051</rules_id>
    <location>defined-agent</location>
    <agent_id>003</agent_id>
  </active-response>

I have verified that my rule 100051 (powershell_process_creation) works; it populates in Sguil every time I open PowerShell on any agent. I have restarted OSSEC on my server and agent several times and opened PowerShell on agent 003. I have followed the tutorial at https://ossec-docs.readthedocs.io/en/latest/manual/ar/ar-custom.html and everything works to a T.

The problem is that when I run this on the manager:

  ./agent_control -b 2.2.3.3 -f win_nullroute600 -u 003

...the active-response.log file on the agent is generating this kind of feedback:

  Wed 08/22/2018 16:56:19.28 C:\Program Files (x86)\ossec-agent\active-response\bin\"active-response/bin/route-null.cmd" add "-" "2.2.3.3"

(This makes me think the file path used by active-response is corrupted.)

Whereas when I run:

  ./agent_control -b 2.3.2.3 -f shutdown_powershell0 -u 003

...the command does not appear in the log at all. Changing the script code and adding "srcip" in the manager's ossec.conf file does not fix this problem. We have also determined file permissions not to be a problem.

Could you give me some pointers on this problem?

Thanks,
Clark
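An added example of what such a Windows active-response script can look like; this is not the poster's shutdown_powershell.cmd (which is not shown in the thread) and not part of the original post. It assumes the calling convention the OSSEC Windows agent uses for its bundled route-null.cmd, which is also visible in the log line quoted above: the script is started from active-response\bin with the action (add or delete), the user and the source IP as its first three arguments (both "-" when <expect> is empty), followed by the alert ID and rule ID. The log file location is an assumption.

```batch
@ECHO OFF
REM shutdown_powershell.cmd (example, not the poster's script)
REM Assumed calling convention, the same one OSSEC's route-null.cmd uses:
REM   %1 = action (add | delete)  %2 = user  %3 = source IP  %4 = alert id  %5 = rule id
REM The agent runs the script from active-response\bin, so relative paths resolve there.
SETLOCAL
SET "ACTION=%~1"
SET "USR=%~2"
SET "IP=%~3"
SET "ALERTID=%~4"
SET "RULEID=%~5"
REM Assumed log path: the agent's active-response directory, one level above bin.
SET "LOGFILE=..\active-responses.log"

ECHO %DATE% %TIME% %~nx0 %ACTION% %USR% %IP% alert=%ALERTID% rule=%RULEID% >> "%LOGFILE%"

IF /I "%ACTION%"=="add" GOTO ADD
IF /I "%ACTION%"=="delete" GOTO DEL
ECHO %DATE% %TIME% %~nx0 unknown action "%ACTION%", nothing done >> "%LOGFILE%"
EXIT /B 1

:ADD
REM Terminate every PowerShell host. taskkill is used rather than a PowerShell
REM one-liner so the response does not run inside the very process it kills;
REM pwsh.exe is included because PowerShell 7 does not use the powershell.exe name.
REM taskkill exits non-zero when no matching process exists; that is logged, not treated as failure.
taskkill /F /IM powershell.exe /T >> "%LOGFILE%" 2>&1
taskkill /F /IM pwsh.exe /T >> "%LOGFILE%" 2>&1
EXIT /B 0

:DEL
REM A process kill has no counterpart to undo, so "delete" (timeout expiry) is a no-op.
ECHO %DATE% %TIME% %~nx0 delete received, nothing to undo >> "%LOGFILE%"
EXIT /B 0
```

With the <command> block from the post (<executable>shutdown_powershell.cmd</executable>, empty <expect>), the agent would invoke this as `shutdown_powershell.cmd add "-" "-" <alertid> 100051`, and the first line the script writes to the log makes that invocation visible so a missing or malformed call can be told apart from a script that ran and did nothing.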
