Manual: Active Response on Windows
http://www.ossec.net/main/manual/manual-active-response-on-windows/
To start, you need to enable active response on the Windows agent (it is disabled by default). To do that, add the following to the agent's ossec.conf:
<active-response>
<disabled>no</disabled>
</active-response>
After that, you need to go to the manager and specify when to run the response. Adding the following to the manager's ossec.conf defines the command and runs it on the agent that raised the alert (location "local") for every alert of level 6 or higher. Because of <expect>srcip</expect>, only alerts that carry a source IP trigger it, and <timeout>600</timeout> makes the agent call the script again with "delete" after 600 seconds so the block is temporary:
<command>
<name>win_nullroute</name>
<executable>route-null.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<active-response>
<command>win_nullroute</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
With the configuration completed (and the manager restarted), you can test the active response by running the agent_control tool on the manager (in this case, I am running it on agent id 185 to block IP 2.3.4.5):
# /var/ossec/bin/agent_control -L
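The following is an added example of the manager-side test and is not code from the OSSEC manual or the project. It assumes agent_control's -b (address to block), -f (response name) and -u (agent id) options, that the manager names a response as the <command> name followed by the <timeout> value (so the block above is listed as win_nullroute600), and that the agent id 185 and IP 2.3.4.5 from the text are placeholders. Run agent_control -L first and use whatever name it prints if it differs.

```shell
#!/bin/sh
# Added example (not from the OSSEC manual): trigger the win_nullroute
# response on one agent from the manager with agent_control.
# Assumes the <command>/<active-response> blocks from the page are in the
# manager's ossec.conf and the manager has been restarted.

AGENT_CONTROL="${AGENT_CONTROL:-/var/ossec/bin/agent_control}"

# Assumption: agent_control addresses a response by <command name> followed
# by the configured <timeout>, so win_nullroute with timeout 600 is
# win_nullroute600 (confirm with: agent_control -L).
ar_name() {
    printf '%s%s\n' "$1" "$2"
}

# Accept only a dotted-quad IPv4 address. The value is handed straight to
# route-null.cmd on the agent, so refuse anything that is not an address.
valid_ipv4() {
    ip="$1"
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Run the response on one agent. Arguments: agent id, IP to block.
block_ip() {
    agent_id="$1"
    ip="$2"
    name=$(ar_name win_nullroute 600)
    valid_ipv4 "$ip" || {
        echo "refusing to block '$ip': not an IPv4 address" >&2
        return 1
    }
    # -b: address to block, -f: which response, -u: target agent id
    "$AGENT_CONTROL" -b "$ip" -f "$name" -u "$agent_id"
}

# Usage: ./block.sh <agent id> <ip>, e.g. ./block.sh 185 2.3.4.5
if [ "$#" -eq 2 ]; then
    block_ip "$1" "$2"
fi
```

After running it, check the route table on the agent as shown below; once the 600 second timeout passes the route should be gone again, which is the second thing worth confirming before relying on the response.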
Looking at the agent, you should see the new host route (a /32 entry for the blocked address) in the route table:
C:\>route print
..
Active Routes:
Network Destination Netmask Gateway Interface Metric
2.3.4.5 255.255.255.255 x.y.z x.y.z 1
..
If you run into any issues, look at the ossec.log file on the agent for any entry from ossec-execd. If you enabled it correctly, you will see: