Scribd Logo
Upload

Welcome to Scribd!

  • 26 views

    Manual: Active Response On Windows: Documentation Downloads

    Uploaded by

    Devin Fifield
    Active response on Windows is disabled by default. To enable it, add the following to the agent's ossec.conf: no After that, you need to go to the manager and specify when to run the response. You can test the active response by running the agent-control script on agent id 185 to block ip 2.3.4.5.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content

    You might also like

    Manual: Active Response On Windows: Documentation Downloads

    Uploaded by

    Devin Fifield
    26 views2 pages
    Active response on Windows is disabled by default. To enable it, add the following to the agent's ossec.conf: no After that, you need to go to the manager and specify when to run the response. You can test the active response by running the agent-control script on agent id 185 to block ip 2.3.4.5.

    Original Description:

    Original Title

    Manual_ Active Response on Windows

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Active response on Windows is disabled by default. To enable it, add the following to the agent's ossec.conf: no After that, you need to go to the manager and specify when to run the response. You can test the active response by running the agent-control script on agent id 185 to block ip 2.3.4.5.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    26 views2 pages

    Manual: Active Response On Windows: Documentation Downloads

    Uploaded by

    Devin Fifield
    Active response on Windows is disabled by default. To enable it, add the following to the agent's ossec.conf: no After that, you need to go to the manager and specify when to run the response. You can test the active response by running the agent-control script on agent id 185 to block ip 2.3.4.5.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 2

    Manual: Active Response on Windows http://www.ossec.

    net/main/manual/manual-active-response-on-windows/

    Home
    About
    Documentation
    Downloads
    Support
    Our Team

    Manual: Active Response on Windows


    Manual -> Active responses ->Windows active response

    To start, you need to enable active response on Windows (disabled by default). To do that, just add the
    following to the agent’s ossec.conf:

    <active-response>
    <disabled>no</disabled>
    </active-response>

    After that, you need to go to the manager and specify when to run the response. Adding the following to
    ossec.conf will enable the responses for alerts above level 6:

    <command>
    <name>win_nullroute</name>
    <executable>route-null.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
    </command>

    <active-response>
    <command>win_nullroute</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
    </active-response>

    With the configuration completed (and the manager restarted), you can test the active response by running
    the agent-control script (in this case, I am running it on agent id 185 to block ip 2.3.4.5):

    # /var/ossec/bin/agent_control -L

    OSSEC HIDS agent_control. Available active responses:

    Response name: host-deny600, command: host-deny.sh


    Response name: firewall-drop600, command: firewall-drop.sh
    Response name: win_nullroute600, command: route-null.cmd

    # /var/ossec/bin/agent_control -b 2.3.4.5 -f win_nullroute600 -u 185

    1 of 2 23/04/2009 11:54 AM
    Manual: Active Response on Windows http://www.ossec.net/main/manual/manual-active-response-on-windows/

    OSSEC HIDS agent_control: Running active response ‘win_nullroute600′ on: 185

    And looking at the agent you should see the new entry in the route table:

    C:\>route print
    ..
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    2.3.4.5 255.255.255.255 x.y.z x.y.z 1
    ..

    If you run into any issues, look at the ossec.log file (on the agent) for any entry for ossec-execd. If you
    enabled it correctly, you will see:

    2008/08/20 11:53:49 ossec-execd: INFO: Started (pid: 3896).

    Recent Entries
    >Rootcheck updated to v2.0Mar 6
    >OSSEC v2.0 releasedFeb 27
    >v2.0 - What is comingJan 20
    >OSSEC v1.6.1 releasedOct 9
    (Archives)

    Shortcuts
    >Getting Started
    >First steps
    >Manual | Wiki
    >Commercial Support

    News/Announcements
    >Join OSSEC Linked-in Group
    >Join Mailing List

    All Content © 2008,2009 Third Brigade, Inc.

    2 of 2 23/04/2009 11:54 AM

    You might also like