Hey Martin,

See, the active response related scripts will be placed at the server side, executed at the server/client side (depending upon the way it is configured in ossec.conf using the location tag), and the commands written in these scripts will actually take an action on the agent side. This is the basics of active response.

Sent from BlackBerry® on Airtel
-----Original Message-----
From: Martin Gottlieb <mar...@axion-it.net>
Sender: ossec-list@googlegroups.com
Date: Fri, 22 Apr 2011 16:04:14
To: <ossec-list@googlegroups.com>
Reply-To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Active Response on Windows events

Thanks, Tanishk. I'm really surprised nothing has been written for Windows yet.

Am I correct in assuming the script would reside on the Windows agent machine? Obviously, the Windows agent communicates with the Linux server. Is it not possible to have an active response script triggered on the server side as happens with Linux agents?

Thanks.

Martin

On 4/22/2011 3:28 PM, Tanishk Lakhaani wrote:
> Hey Martin,
> All these default active response scripts are written for a specific event.
> Read these scripts to understand them.
>
> For the event of your interest -- multiple logon failures... for Linux, there is
> a default active response script -- for locking the account. But for Windows
> there is no such script. What you can do is create your own
> customised script and use it for active response purposes.
>
> Regards
> Tanishk Lakhaani
> Sent from BlackBerry® on Airtel
>
> -----Original Message-----
> From: Martin Gottlieb <mar...@axion-it.net>
> Sender: ossec-list@googlegroups.com
> Date: Fri, 22 Apr 2011 08:22:37
> To: <ossec-list@googlegroups.com>
> Reply-To: ossec-list@googlegroups.com
> Subject: [ossec-list] Active Response on Windows events
>
> Hi,
>
> Is OSSEC capable of triggering an active response on Windows events? In
> particular, I am frequently seeing event 18152, "Multiple Windows Logon Failures",
> but no active response is ever triggered.
> There are (at least) 2 different variations on the events, 1 for Windows
> log-in failures and another for SQL Server log-in failures.
>
> I added the null_cmd command mentioned in the docs, but I'd be happy if
> it just triggered the firewall drop script.
>
> Am I missing something in the configuration?
>
> Thanks.
>
> Martin
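As an added example (not from the thread or the OSSEC project itself), the ossec.conf fragments the replies refer to: a `<command>` block declares the script and the alert field it needs, and an `<active-response>` block binds that command to rule 18152 and picks where it runs with the `<location>` tag. It assumes the stock `firewall-drop.sh` on the Linux server and `route-null.cmd` in the Windows agent's active-response\bin directory.

```xml
<!-- Added example ossec.conf fragments (not from the original thread).
     They go inside <ossec_config> on the server. -->

<!-- Variant 1: respond on the OSSEC server. The script lives in
     /var/ossec/active-response/bin on the server and <location>server</location>
     runs it there, so the Windows agent needs no script of its own. -->
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>               <!-- response is skipped if the alert has no srcip -->
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <command>firewall-drop</command>
  <location>server</location>
  <rules_id>18152</rules_id>           <!-- Multiple Windows Logon Failures -->
  <timeout>600</timeout>               <!-- seconds until the block is undone -->
</active-response>

<!-- Variant 2: respond on the Windows agent that reported the event.
     The executable must exist in that agent's active-response\bin directory
     (route-null.cmd ships with the Windows agent; assumed present here).
     <location>local</location> means "the agent that generated the alert". -->
<command>
  <name>win-route-null</name>
  <executable>route-null.cmd</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <command>win-route-null</command>
  <location>local</location>
  <rules_id>18152</rules_id>
  <timeout>600</timeout>
</active-response>
```

Restart OSSEC after editing; because of `<expect>srcip</expect>`, the response only fires when the decoder actually extracted a source IP from the logon-failure event, which is worth confirming with ossec-logtest before expecting a block.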