[ossec-list] Re: Windows active response not firing

2020-06-08 Thread Leandro Meiners
Hello,

Can you share the shutdown_powershell.cmd script?

Thank you
Leandro

On Friday, July 20, 2018 at 3:00:53 PM UTC-3, soques...@gmail.com wrote:
>
> Hello,
>
> I am trying a very basic active response which would terminate a 
> powershell process when it is created on a host (Windows 10) machine.
>
> I have a standalone SO configuration, with 3 OSSEC agents (V2.9) 
> connected, all Windows machines.
>
> I have verified that the script shutdown_powershell.cmd works, independent 
> of OSSEC active response.
>
> My ossec.conf file looks like this:
>
> <command>
>  <name>shutdown_powershell</name>
>  <executable>shutdown_powershell.cmd</executable>
>  <expect></expect>
> </command>
>
> <active-response>
>  <command>shutdown_powershell</command>
>  <rules_id>100051</rules_id>
>  <location>defined-agent</location>
>  <agent_id>003</agent_id>
> </active-response>
>
> I have verified that my rule 100051 (powershell_process_creation) works, 
> it populates in Sguil every time I open Powershell on any agent.
>
> I have restarted OSSEC on my server and agent several times and opened 
> Powershell on agent 003. I have received varying error messages in my agent 
> log:
>
> SET 1) 
>
> 2018/07/17 15:35:33 ossec-execd: INFO: Active response command not 
> present: 'active-response/bin/restart-ossec.sh'. Not using it on this 
> system.
>
> 2018/07/17 15:35:34 ossec-execd: INFO: Active response command not 
> present: 'active-response/bin/host-deny.sh'. Not using it on this system.
>
> 2018/07/17 15:35:34 ossec-execd: INFO: Active response command not 
> present: 'active-response/bin/firewall-drop.sh'. Not using it on this 
> system.
>
> 2018/07/17 15:35:34 ossec-execd: INFO: Active response command not 
> present: 'active-response/bin/shutdown_powershell.cmd'. Not using it on 
> this system.
>
> SET 2)
>
> 2018/07/17 16:40:50 ossec-execd: INFO: Active response command not 
> present: 'active-response/bin/restart-ossec.sh'. Not using it on this 
> system.
>
> 2018/07/17 16:40:50 ossec-execd: INFO: Active response command not 
> present: 'active-response/bin/host-deny.sh'. Not using it on this system.
>
> 2018/07/17 16:40:50 ossec-execd: INFO: Active response command not 
> present: 'active-response/bin/firewall-drop.sh'. Not using it on this 
> system.
>
> SET 3)
>
> 2018/07/18 10:37:31 ossec-execd: ERROR: Unable to create active response 
> process. 
>
> 2018/07/18 10:43:45 ossec-execd: ERROR: Unable to create active response 
> process. 
>
> 2018/07/18 11:08:55 ossec-execd: ERROR: Unable to create active response 
> process. 
>
> I seem to be having less and less success every time. Each set corresponds 
> to a time when I have opened Powershell, so the rule is definitely working 
> and my ossec.conf seems to have configured the active response correctly, 
> but ultimately the script is not running.
>
> Question:
>
> 1) For active response... do I need to place the active response script in 
> the folder C:\Program Files (x86)\ossec-agent\active-response\bin on the 
> host machine or in /var/ossec/active-response/bin on the server machine? I 
> have tried placing it in both. OSSEC documentation seems unclear on this 
> point
>
> Thanks,
>
> Clark
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/5f0b95c7-1ba8-41fe-a262-eb54274c2486o%40googlegroups.com.
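The script Leandro asks for was never posted in this thread, so what follows is an added example (not the original poster's shutdown_powershell.cmd and not part of the OSSEC project) of the kind of payload a Windows agent could run for this active response. Two things the thread leaves open are worth stating up front. First, with <location>defined-agent</location> the command is launched by ossec-execd on that agent, so the executable has to exist in the agent's own active-response\bin directory; the "Active response command not present: 'active-response/bin/shutdown_powershell.cmd'" line is the agent-side execd failing to find it there at startup, and the .sh commands it also reports missing are the manager's Unix scripts that no Windows agent will ever have. Second, a .cmd that kills powershell.exe will usually run inside powershell.exe itself, so it must skip its own process. The example assumes a one-line wrapper shutdown_powershell.cmd in the agent's active-response\bin that runs `powershell.exe -NoProfile -ExecutionPolicy Bypass -File "%~dp0shutdown_powershell.ps1" %*`, the positional argument order documented for OSSEC active-response scripts (action, user, source IP, alert id, rule id; verify against your agent version), and the default agent install path.

```powershell
# shutdown_powershell.ps1 -- added example of an OSSEC Windows active-response
# payload. Not the script from the thread; assumes it is launched by a
# shutdown_powershell.cmd wrapper in the agent's active-response\bin as:
#   powershell.exe -NoProfile -ExecutionPolicy Bypass -File "%~dp0shutdown_powershell.ps1" %*
# Assumed argument order (per the OSSEC active-response docs; verify for your
# agent version): action user srcip alertid ruleid [agentid [filename]]
param(
    [string]$Action  = '-',
    [string]$User    = '-',
    [string]$SrcIp   = '-',
    [string]$AlertId = '-',
    [string]$RuleId  = '-'
)

# Assumed default agent install root on 64-bit Windows.
$OssecRoot = Join-Path ${env:ProgramFiles(x86)} 'ossec-agent'
$LogFile   = Join-Path $OssecRoot 'active-response\active-responses.log'

# Every invocation is logged, whether or not anything is killed, so a
# "rule fired but nothing happened" case can be told apart from
# "execd never launched the script" (which leaves no line here at all).
function Write-ArLog {
    param([string]$Message)
    $stamp = Get-Date -Format 'ddd MMM dd HH:mm:ss yyyy'
    Add-Content -Path $LogFile -Value ('{0} shutdown_powershell.ps1 {1}' -f $stamp, $Message) `
        -ErrorAction SilentlyContinue
}

Write-ArLog ('action={0} user={1} srcip={2} alert={3} rule={4}' -f $Action, $User, $SrcIp, $AlertId, $RuleId)

# Only 'add' does anything. 'delete' is what execd sends when a <timeout>
# expires; a process kill has nothing to undo, so it is a no-op here.
if ($Action -ne 'add') {
    Write-ArLog "action '$Action' ignored"
    exit 0
}

# This script is itself hosted by powershell.exe: exclude our own PID or the
# response kills its own interpreter before it finishes logging.
$self    = $PID
$targets = Get-Process -Name 'powershell', 'pwsh', 'powershell_ise' -ErrorAction SilentlyContinue |
           Where-Object { $_.Id -ne $self }

if (-not $targets) {
    Write-ArLog 'no powershell processes to terminate'
    exit 0
}

foreach ($p in $targets) {
    try {
        Stop-Process -Id $p.Id -Force -ErrorAction Stop
        Write-ArLog ('killed pid={0} name={1}' -f $p.Id, $p.ProcessName)
    } catch {
        # Typical cause: a PowerShell host running as a more privileged
        # account than the agent service; log it rather than abort the loop.
        Write-ArLog ('failed pid={0}: {1}' -f $p.Id, $_.Exception.Message)
    }
}
exit 0
```

To test it outside OSSEC, open one PowerShell window, then from cmd.exe run the wrapper as `shutdown_powershell.cmd add - - 1234.5678 100051`; the spare window should close and active-responses.log should gain a "killed pid=" line. If the wrapper runs by hand but execd still logs "Unable to create active response process", check the path and the account the agent service runs under before touching the script again.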


[ossec-list] Re: Anyone knows how to install OSSEC agent in the ubuntu server 20.04?

2020-06-08 Thread Arnau b s


On Sunday, June 7, 2020 at 17:06:45 UTC+2, Arnau b s wrote:
>
> Anyone knows how to install OSSEC agent in the ubuntu server 20.04?
>

In the end, we don't use the Ubuntu 18.04 deb package.
We use apt install libz-dev libssl-dev libpcre2-dev libevent-dev 
build-essential.
We clone a GitHub repository and use install.sh.
This creates an executable with the correct libraries.
And the agent works fine.



Re: [ossec-list] Anyone knows how to install OSSEC agent in the ubuntu server 20.04?

2020-06-08 Thread dan (ddp)
On Sun, Jun 7, 2020 at 11:06 AM Arnau b s  wrote:
>
> Anyone knows how to install OSSEC agent in the ubuntu server 20.04?
>

I haven't had time to create an image for 20.04 yet. Are you
experiencing issues?
Can you provide details?

