Hello,
Can you share the shutdown_powershell.cmd script?
Thank you
Leandro
On Friday, July 20, 2018 at 3:00:53 PM UTC-3, soques...@gmail.com wrote:
>
> Hello,
>
> I am trying a very basic active response which would terminate a
> powershell process when it is created on a host (Windows 10) machine.
>
> I have a standalone SO configuration, with 3 OSSEC agents (V2.9)
> connected, all Windows machines.
>
> I have verified that the script shutdown_powershell.cmd works, independent
> of OSSEC active response.
>
> My ossec.conf file looks like this:
>
>
> shutdown_powershell
> shutdown_powershell.cmd
>
>
>
>
> shutdown_powershell
> 100051
> defined-agent
> 003
>
>
> I have verified that my rule 100051 (powershell_process_creation) works,
> it populates in Sguil every time I open Powershell on any agent.
>
> I have restarted OSSEC on my server and agent several times and opening
> Powershell on agent 003. I have recieved varying error messages in my agent
> log:
>
> SET 1)
>
> 2018/07/17 15:35:33 ossec-execd: INFO: Active response command not
> present: 'active-response/bin/restart-ossec.sh'. Not using it on this
> system.
>
> 2018/07/17 15:35:34 ossec-execd: INFO: Active response command not
> present: 'active-response/bin/host-deny.sh'. Not using it on this system.
>
> 2018/07/17 15:35:34 ossec-execd: INFO: Active response command not
> present: 'active-response/bin/firewall-drop.sh'. Not using it on this
> system.
>
> 2018/07/17 15:35:34 ossec-execd: INFO: Active response command not
> present: 'active-response/bin/shutdown_powershell.cmd'. Not using it on
> this system.
>
> SET 2)
>
> 2018/07/17 16:40:50 ossec-execd: INFO: Active response command not
> present: 'active-response/bin/restart-ossec.sh'. Not using it on this
> system.
>
> 2018/07/17 16:40:50 ossec-execd: INFO: Active response command not
> present: 'active-response/bin/host-deny.sh'. Not using it on this system.
>
> 2018/07/17 16:40:50 ossec-execd: INFO: Active response command not
> present: 'active-response/bin/firewall-drop.sh'. Not using it on this
> system.
>
> SET 3)
>
> 2018/07/18 10:37:31 ossec-execd: ERROR: Unable to create active response
> process.
>
> 2018/07/18 10:43:45 ossec-execd: ERROR: Unable to create active response
> process.
>
> 2018/07/18 11:08:55 ossec-execd: ERROR: Unable to create active response
> process.
>
> I seem to be having less and less success every time. Each set corresponds
> to a time when I have opened Powershell, so the rule is definitely working
> and my ossec.conf seems to have configured the active response correctly,
> but ultimately the script is not running.
>
> Question:
>
> 1) For active response... do I need to place the active response script in
> the folder C:\Program Files (x86)\ossec-agent\active-response\bin on the
> host machine or in /var/ossec/active-response/bin on the server machine? I
> have tried placing it in both. OSSEC documentation seems unclear on this
> point
>
> Thanks,
>
> Clark
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ossec-list/5f0b95c7-1ba8-41fe-a262-eb54274c2486o%40googlegroups.com.