Hi Tanishk,

The active response scripts should exist on the systems (agents and servers) they need to be run on.

On Fri, Apr 22, 2011 at 4:17 PM, Tanishk Lakhaani <[email protected]> wrote:
> Hey Martin,
> See, the active response related scripts will be placed at the server side,
> executed at the server/client side (depending upon the way it is configured
> in ossec.conf using the location tag) and the commands written in these
> scripts will actually take an action on the agent side. This is the basic of
> active response.
> Sent from BlackBerry® on Airtel
>
> -----Original Message-----
> From: Martin Gottlieb <[email protected]>
> Sender: [email protected]
> Date: Fri, 22 Apr 2011 16:04:14
> To: <[email protected]>
> Reply-To: [email protected]
> Subject: Re: [ossec-list] Active Response on Windows events
>
>
> Thanks, Tanishk. I'm really surprised nothing has been written for
> Windows yet. Am I correct in assuming the script would reside on the
> Windows agent machine?
>
> Obviously, the Windows agent communicates with the Linux server. Is it
> not possible to have an active response script triggered on the server
> side as happens with Linux agents?
>
> Thanks.
>
> Martin
>
> On 4/22/2011 3:28 PM, Tanishk Lakhaani wrote:
>> Hey Martin,
>> All these default active response scripts are written for a specific event.
>> Read these scripts to understand these scripts.
>>
>> For the event of your interest -- multiple logon failures...for Linux, there
>> is a default active response script -- for locking the account. But for
>> Windows there is no such script. What you can do is that you can create your own
>> customised script and use it for active response purposes.
>>
>> Regards
>> Tanishk Lakhaani
>> Sent from BlackBerry® on Airtel
>>
>> -----Original Message-----
>> From: Martin Gottlieb <[email protected]>
>> Sender: [email protected]
>> Date: Fri, 22 Apr 2011 08:22:37
>> To: <[email protected]>
>> Reply-To: [email protected]
>> Subject: [ossec-list] Active Response on Windows events
>>
>> Hi,
>>
>> Is OSSEC capable of triggering an active response on Windows events? In
>> particular, I am frequently seeing event 18152, "Multiple Windows Logon
>> Failures", but no active response is ever triggered.
>> There are 2 (at least) different variations on the events, 1 for Windows
>> log-in failures and another for SQL Server log-in failures.
>>
>> I added the null_cmd command mentioned in the docs, but I'd be happy if
>> it just triggered the firewall drop script.
>>
>> Am I missing something in the configuration?
>>
>> thanks.
>>
>> Martin
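The point the thread keeps circling back to is that `<location>` decides which host runs the script, and the script has to be installed on that host. The ossec.conf fragments below are an added example written for this reply, not configuration posted by anyone in the thread. They assume OSSEC 2.x syntax and rule 18152 from Martin's message; `win-logon-alert.cmd` is a hypothetical custom script name that you would have to write and copy to the agent yourself. Both fragments go in the manager's ossec.conf; the manager pushes the execution request to the agent, which only needs execd running and the script present.

```xml
<!-- Added example, not from the thread. Assumes OSSEC 2.x; win-logon-alert.cmd is hypothetical. -->
<ossec_config>

  <!-- 1. Server-side response for rule 18152.
       firewall-drop.sh ships with the Linux/Unix install and must exist in
       <ossec_dir>/active-response/bin on the host that executes it. With
       location=server the block is applied on the manager, not on the agent. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>firewall-drop</command>
    <location>server</location>
    <rules_id>18152</rules_id>
    <timeout>600</timeout>   <!-- execd undoes the block after 600 seconds -->
  </active-response>

  <!-- 2. Agent-side response for the same rule.
       location=local means the Windows agent that raised the alert runs it,
       so the file must sit in the agent's active-response\bin directory and
       be something Windows can execute (.cmd/.bat/.exe); a .sh script will
       never run there. -->
  <command>
    <name>win-logon-alert</name>
    <executable>win-logon-alert.cmd</executable>   <!-- hypothetical name -->
    <expect>srcip</expect>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <command>win-logon-alert</command>
    <location>local</location>
    <rules_id>18152</rules_id>
  </active-response>

</ossec_config>
```

Two checks worth doing if nothing fires: `<expect>srcip</expect>` makes execd skip the response when the alert has no decoded source IP, so confirm the 18152 alert in alerts.log actually carries a srcip field (or use an empty `<expect></expect>` for a script that does not need one); and look at active-responses.log on the host named by `<location>` (`/var/ossec/logs/active-responses.log` on the manager), which records every invocation and its arguments, so you can tell a command that never ran from one that ran and did nothing.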
