Hello Folks, I am wondering why active response on an OSSEC client which happens to be an MS Windows 2008 Server is not being triggered. What is frustrating is that it was working this morning while I was troubleshooting it.
To start:

(1) The OSSEC server is properly configured:

OSSEC HIDS agent_control. Available active responses:

   Response name: firewall-drop600, command: firewall-drop.sh
   Response name: firewall-drop3600, command: firewall-drop.sh
   Response name: win_nullroute600, command: route-null.cmd
   Response name: win_nullroute3600, command: route-null.cmd

[r...@wiggum alerts]#

(2) The OSSEC server is talking to the OSSEC agent, as shown below:

[r...@wiggum alerts]# agent_control -i 114

OSSEC HIDS agent_control. Agent information:
   Agent ID:   114
   Agent Name: reports.capitalplan.org
   IP address: 100.100.100.100
   Status:     Active

   Operating system:    Microsoft Windows Server 2008 Enterprise Edition (fu..
   Client version:      OSSEC HIDS v2.3 / c9bc807c7443d9ac069afac46a9d2635
   Last keep alive:     Mon Sep 20 15:04:47 2010

   Syscheck last started  at: Mon Sep 20 14:49:54 2010
   Rootcheck last started at: Mon Sep 20 14:50:26 2010

(3) Active response is configured to be triggered from the OSSEC server:

[r...@wiggum alerts]# agent_control -b 100.100.100.100 -f win_nullroute600 -u 114

OSSEC HIDS agent_control: Running active response 'win_nullroute600' on: 114
[r...@wiggum alerts]#

The problem is that the active-responses.log has shown no updated entry since 12:30 PM EST (add 3 hours to the time that you are reading):

09/20/2010 07:00 "active-response/bin/route-null.cmd" add "-" "2.3.4.5" "(from_the_server) (no_rule_id)"
09/20/2010 07:06 "active-response/bin/route-null.cmd" add "-" "224.224.224.224" "(from_the_server) (no_rule_id)"
09/20/2010 07:08 "active-response/bin/route-null.cmd" add "-" "100.100.100.100" "(from_the_server) (no_rule_id)"
09/20/2010 07:10 "active-response/bin/route-null.cmd" delete "-" "2.3.4.5" "(from_the_server) (no_rule_id)"
09/20/2010 07:18 "active-response/bin/route-null.cmd" delete "-" "224.224.224.224" "(from_the_server) (no_rule_id)"
09/20/2010 07:29 "active-response/bin/route-null.cmd" add "-" "100.100.100.100" "(from_the_server) (no_rule_id)"
09/20/2010 07:41 "active-response/bin/route-null.cmd" add "-" "100.100.100.100" "(from_the_server) (no_rule_id)"
09/20/2010 07:49 "active-response/bin/route-null.cmd" add "-" "100.100.100.100" "(from_the_server) (no_rule_id)"
09/20/2010 07:57 "active-response/bin/route-null.cmd" add "-" "100.100.100.100" "(from_the_server) (no_rule_id)"
09/20/2010 08:49 "active-response/bin/route-null.cmd" add "-" "100.100.100.100" "(from_the_server) (no_rule_id)"
09/20/2010 09:08 "active-response/bin/route-null.cmd" add "-" "100.100.100.100" "(from_the_server) (no_rule_id)" 64.62.138.162(Preferred)
09/20/2010 09:20 "active-response/bin/route-null.cmd" add "-" "100.100.100.100" "(from_the_server) (no_rule_id)" 64.62.138.162(Preferred)

Note that the module responsible for active response on the OSSEC agent is up and operational:

2010/09/20 11:47:15 ossec-execd: INFO: Started (pid: 8568)

If I were to deliberately screw up the syntax of the agent_control command, I'd get on the OSSEC server:

OSSEC HIDS agent_control: Running active response 'win_nulroute600' on: 114
[r...@wiggum alerts]#

And I'd get in the ossec.log of the OSSEC agent:

9/20 12:25:52 ossec-execd(1311): ERROR: Invalid command name 'win_nulroute600' provided.

(I had to restart OSSEC on the agent to get this feedback line.)

However, the active-responses log doesn't get updated with new entries.

For reference, I had to edit the route-null.cmd script on the OSSEC agent (it's buggy for Windows Server 2008):

:: Simple script to null route an ip address.
@ECHO OFF
ECHO.

:: Logging it all
FOR /F "TOKENS=1* DELIMS= " %%A IN ('DATE/T') DO SET DATE=%%B
FOR /F "TOKENS=1* DELIMS= " %%A IN ('TIME/T') DO SET TIME=%%A

IF "%1"=="add" GOTO ADD
IF "%1"=="delete" GOTO DEL

:ERROR
ECHO "Invalid argument. %1"
GOTO Exit;

:: Adding to the blocked.
:ADD

:: Extracts last ip address from ipconfig.
:: (The pipe inside a FOR /F command string must be escaped as ^| or cmd
:: splits the command at the pipe instead of passing it to the subshell.)
FOR /F "TOKENS=2* DELIMS=:" %%A IN ('IPCONFIG ^| FIND "IPv4"') DO FOR %%B IN (%%A) DO SET IPADDR=%%B
:: <-- I made the change here

:: Original route line, disabled (batch comments use :: or REM, not #):
:: route add %3 mask 255.255.255.255 %IPADDR%
route add %3 mask 255.255.255.255 150.150.150.150
:: <-- I made the change here

ECHO %DATE% %TIME% %0 %1 %2 %3 %4 %5 %6 %7 %8 %9 %IPADDR% >> active-response\active-responses.log
GOTO Exit;

:DEL
route delete %3

:Exit

Questions: Why is active response no longer working?

Regards,
Vietnhi Phuvan
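As an added example (not part of the post above and not OSSEC code), here is a small checker for the active-responses.log format route-null.cmd writes: it parses each line, reports which targets still have an outstanding null route (an `add` with no later `delete`), how stale the newest entry is relative to a given clock time, which responses were aimed at the agent's own address, and which `add` entries logged a `%IPADDR%` token that is not a bare IPv4 address. That last check is motivated by the two most recent lines in the post, whose trailing token ends in `(Preferred)`; that suffix is how Windows Server 2008 `ipconfig` prints IPv4 addresses, and `route add` does not accept it as a gateway, which is the kind of thing to confirm on the agent before suspecting the server side. The sample lines are constructed from entries in the post; the agent address 100.100.100.100 and the reference time are taken from the `agent_control` output and the "12:30 PM" remark, and all function names are my own.

```python
import re
from datetime import datetime

# Constructed sample in the format the agent's route-null.cmd appends to
# active-response\active-responses.log: DATE/T, TIME/T, %0..%9, then %IPADDR%.
SAMPLE_LOG = """\
09/20/2010 07:00 "active-response/bin/route-null.cmd" add "-" "2.3.4.5" "(from_the_server) (no_rule_id)"
09/20/2010 07:06 "active-response/bin/route-null.cmd" add "-" "224.224.224.224" "(from_the_server) (no_rule_id)"
09/20/2010 07:10 "active-response/bin/route-null.cmd" delete "-" "2.3.4.5" "(from_the_server) (no_rule_id)"
09/20/2010 07:29 "active-response/bin/route-null.cmd" add "-" "100.100.100.100" "(from_the_server) (no_rule_id)"
09/20/2010 09:20 "active-response/bin/route-null.cmd" add "-" "100.100.100.100" "(from_the_server) (no_rule_id)" 64.62.138.162(Preferred)
"""

# date time "script" action "user" "ip" "origin" [trailing %IPADDR% token]
LINE_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}) '
    r'"(?P<script>[^"]+)" (?P<action>add|delete) "(?P<user>[^"]*)" "(?P<ip>[^"]*)" '
    r'"(?P<origin>[^"]*)"(?: (?P<extra>\S.*))?$'
)
BARE_IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')
TIME_FMT = "%m/%d/%Y %H:%M"


def parse_entries(text):
    """Parse log text into dicts; lines that do not match are kept and flagged."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            entries.append({"raw": line, "malformed": True})
            continue
        e = m.groupdict()
        e["when"] = datetime.strptime(f'{e["date"]} {e["time"]}', TIME_FMT)
        e["malformed"] = False
        entries.append(e)
    return entries


def outstanding_nullroutes(entries):
    """Targets whose latest logged action is 'add' (routes the agent should still hold)."""
    active = {}
    for e in entries:
        if e["malformed"]:
            continue
        if e["action"] == "add":
            active[e["ip"]] = e["when"]
        else:
            active.pop(e["ip"], None)
    return active


def bad_gateway_tokens(entries):
    """'add' entries whose logged %IPADDR% token is present but not a bare IPv4
    address (e.g. '64.62.138.162(Preferred)'), i.e. unusable as a route gateway."""
    return [e for e in entries
            if not e["malformed"] and e["action"] == "add"
            and e["extra"] and not BARE_IPV4_RE.match(e["extra"])]


def self_targeting(entries, agent_ip):
    """Responses whose target is the agent's own address; worth flagging first."""
    return [e for e in entries if not e["malformed"] and e["ip"] == agent_ip]


def minutes_since_last_entry(entries, now):
    """Age in whole minutes of the newest well-formed entry, or None if there is none."""
    stamps = [e["when"] for e in entries if not e["malformed"]]
    if not stamps:
        return None
    return int((now - max(stamps)).total_seconds() // 60)


def report(text, agent_ip, now_text):
    """Summarise a log; now_text uses the same MM/DD/YYYY HH:MM format as the log."""
    entries = parse_entries(text)
    now = datetime.strptime(now_text, TIME_FMT)
    return {
        "entries": len(entries),
        "malformed": sum(1 for e in entries if e["malformed"]),
        "outstanding": sorted(outstanding_nullroutes(entries)),
        "bad_gateway": [e["extra"] for e in bad_gateway_tokens(entries)],
        "self_targeting": len(self_targeting(entries, agent_ip)),
        "minutes_stale": minutes_since_last_entry(entries, now),
    }


if __name__ == "__main__":
    # Agent address from the agent_control -i 114 output; clock from the post's remark.
    print(report(SAMPLE_LOG, "100.100.100.100", "09/20/2010 12:30"))
```

Run it against a copy of the real active-responses.log by replacing SAMPLE_LOG with the file's contents; a growing `minutes_stale` while agent_control reports "Running active response" points at the agent side (ossec-execd or the script), and a non-empty `bad_gateway` list shows the ipconfig parsing on that host is handing `route add` something it will reject.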