Hi Daniel,

Thanks for the reply.

I will post these to the Bugzilla later on. I think #3/#4 were my 
mistake, so ignore them! :p I have had more time to play and things are 
working well with both these features.

With regards to #2, I thought active response only worked on Linux? Or am 
I mistaken? I had a go on Windows and nothing happened. What I'm 
suggesting is that the agent runs a command script on the Windows box, 
which it gets from the Linux server when a rule is fired, allowing us not 
just to log but to interact with the client.

Many thanks for the help,
Best Regards
Scott

> Hi Scott,
>
> Thanks for the suggestions. Make sure you post any suggestion you have
> (including these) in our bugzilla ( http://www.ossec.net/bugs/ ), so we
> can consider them for our next release.
>
> As far as #2, we can do that using the active-responses, where any
> script can be run when a rule is fired (by default we can block ip
> addresses in the firewall, or disable user accounts). #3 is also easily
> done with the rules, where you can ignore or increase the severity
> based on the agent that generated it.
>
> For #4, I couldn't understand what you mean... We already do md5+sha1
> of the registry and system files...
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Fri, May 9, 2008 at 4:05 AM, Scott Minns <[EMAIL PROTECTED]> wrote:
>   
>> Dear all,
>>
>> I have just started testing ossec for deployment at work to our client
>> machines, and we are very impressed so far. There are however a few
>> useful features lacking from/that I can't find in the Windows agent that
>> would be very handy.  Does anyone know if they are available or planned
>> for future releases?
>>
>> 1. The ability to run the agent hidden and prevent the process from
>> being closed so we can run it on an unprivileged user and be sure it's
>> running.
>> 2. The ability to get the agent to fire not just an e-mail, but also to
>> run a remote script on the client if an event is triggered. For example,
>> the agent detects skype.exe running, sends an e-mail to our helpdesk and
>> runs a script to tell the user and close Skype. This also allows for
>> quick fixes to stop a user running a vulnerable application; active
>> response, if you like.
>> 3. Exceptions, so that we can exempt certain servers/clients from some
>> rules.
>> 4. md5 file checking, to aid registry version checking. We sometimes
>> md5sum the exe of a program we have installed if it doesn't leave a good
>> reg key behind to check. It is also handy to checksum some exes to make
>> sure that they haven't been tampered with.
>>
>> Thanks for all the great work,
>>
>> Best Regards
>> Scott Minns
>> --
>> This e-mail and any attachments are intended for the addressee only and may 
>> be confidential. If you are not the intended recipient, please advise the 
>> sender as soon as practicable and delete the e-mail from your system.
>>
>> The University of Chichester is a company limited by guarantee, registered 
>> in England and Wales. Registration number 4740553. The registered office is 
>> College Lane, Chichester, West Sussex, PO19 6PE.
>>
>>     
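To make Daniel's description of active-responses concrete for Scott's Windows case, here is an added illustration (not from this thread and not OSSEC's own shipped configuration): a server-side ossec.conf fragment that binds a command to one rule and runs it on the agent that raised the alert, plus the agent-side setting to check. The command name `notify-user`, the script `notify-user.cmd` and rule id `100100` are placeholders chosen for this example.

```xml
<!-- Added example, not from the thread. Placeholders: "notify-user",
     "notify-user.cmd" and rule id 100100. The .cmd is assumed to sit in
     the Windows agent's active-response\bin directory. -->

<!-- Server side (ossec.conf on the manager). -->
<ossec_config>
  <!-- Declare the command. <expect> is left empty because this command
       needs no source ip or user; OSSEC still passes the action
       (add/delete), user, srcip, alert id, rule id, agent name and
       filename as positional arguments (%1..%7 in a .cmd script), so the
       script can log exactly which rule fired before doing anything. -->
  <command>
    <name>notify-user</name>
    <executable>notify-user.cmd</executable>
    <expect></expect>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <!-- Bind the command to a rule. location "local" runs it on the agent
       that generated the alert, i.e. the Windows client itself, rather
       than on the server. Scoping with <rules_id> instead of a bare
       <level> keeps the response from firing on unrelated alerts. -->
  <active-response>
    <command>notify-user</command>
    <location>local</location>
    <rules_id>100100</rules_id>
  </active-response>
</ossec_config>

<!-- Agent side (ossec.conf on the Windows client). If active response
     has been disabled here, the server's definition above is ignored and
     "nothing happens", which is the symptom described in the thread. -->
<ossec_config>
  <active-response>
    <disabled>no</disabled>
  </active-response>
</ossec_config>
```

Start by having the script only write its arguments to a log file; once the alert shows up on the client as expected, extend it to the user notification Scott describes.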
