I think I resolved it. Sorry for so many emails.

So, it goes like this. If everything is all right as far as the connection
goes, one also has to check the "ar.conf".
In my case I had entries there like:

host-deny2147483647 - host-deny.sh - 2147483647
firewall-drop2147483647 - firewall-drop.sh - 2147483647
win_nullroute2147483647 - win_nullroute.cmd - 2147483647

So actually I was executing the wrong command. The command which has to
be executed (to be executed correctly) is the one specified in
'ar.conf'.

Now, issuing this:
/var/ossec/bin/agent_control -b 1.2.3.5 -f win_nullroute2147483647 -u 002
will do the trick.

Anyway, to sum it up, thanks to the developers for making the configuration
"self-explanatory" :) and obviously thanks, Dan, for a helping hand!

Cheers,
P.

On Dec 22, 10:19 pm, go <piotr.skurc...@gmail.com> wrote:
> One more (maybe crucial) piece of information.
>
> My installation (and also system) drive is E, hence the agent is
> installed under:
> E:\Program Files\ossec-agent\
>
> On Dec 22, 9:45 pm, Peter Skurczak <piotr.skurc...@gmail.com> wrote:
>
> > On the agent, in ossec.conf I've got the following section:
>
> > (...)
> > <active-response>
> > <disabled>no</disabled>
> > </active-response>
>
> > </ossec_config>
>
> > I actually followed the manual on
> > http://www.ossec.net/main/manual/manual-active-response-on-windows
>
> > I will turn on windows debug and let you know what it says when I execute
> > "remote ip ban"
> > # Windows debug (used by the windows agent)
> > windows.debug=2
>
> > On Thu, Dec 22, 2011 at 9:00 PM, dan (ddp) <ddp...@gmail.com> wrote:
> > > Is AR enabled on the agent?
>
> > > On Thu, Dec 22, 2011 at 2:56 PM, Peter Skurczak
> > > <piotr.skurc...@gmail.com> wrote:
> > > > Hello everyone,
>
> > > > > Although I read a lot on the internet about it, I still can't get why I
> > > > > have these kinds of errors on the agent side (below).
> > > > > Every time I try to fire up: /var/ossec/bin/agent_control -b 1.2.3.5 -f
> > > > > win_nullroute -u 002 I get:
>
> > > > 2011/12/22 20:22:09 ossec-execd(1311): ERROR: Invalid command name
> > > > 'win_nullroute' provided.
> > > > 2011/12/22 20:22:16 ossec-execd(1311): ERROR: Invalid command name
> > > > 'win_nullroute' provided.
> > > > 2011/12/22 20:22:23 ossec-execd(1311): ERROR: Invalid command name
> > > > 'win_nullroute' provided.
>
> > > > > On the master server in ossec.conf I've got:
>
> > > > > <command>
> > > > > <name>win_nullroute</name>
> > > > <executable>win_nullroute.cmd</executable>
> > > > <expect>srcip</expect>
> > > > <timeout_allowed>yes</timeout_allowed>
> > > > </command>
>
> > > > > On the agent side I have also got the "win_nulroute.cmd" file ready to
> > > > > fire up.
>
> > > > > I have also checked ar.conf on both sides, the agent and the master -
> > > > > they are identically the same. At the beginning I was thinking that maybe the
> > > > > agent does not have the latest version from the master but this is not the
> > > > > case. I am trying everything but nothing helps.... anyone any idea?
>
> > > > Pete
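
The lookup described in the first message of this thread, as an added example that is not part of the thread or of OSSEC itself: it reads ar.conf, assumed to hold lines of the form `name - executable - timeout` as in the entries quoted above, and prints the name that `agent_control -f` needs. The function names and the temporary sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example (not OSSEC code). ar.conf lines are assumed to look like:
#   name - executable - timeout
# ossec-execd accepts only the value in the first column as a command name.

# Print every ar.conf name whose executable is $2.  $1 = path to ar.conf
ar_names_for_executable() {
    awk -F' - ' -v exe="$2" '
        { sub(/\r$/, "") }                 # tolerate CRLF copies of the file
        NF == 3 && $2 == exe { print $1 }
    ' "$1"
}

# Succeed only if $2 appears as a command name in ar.conf ($1).
ar_name_is_valid() {
    awk -F' - ' -v name="$2" '
        { sub(/\r$/, "") }
        NF == 3 && $1 == name { found = 1 }
        END { exit !found }
    ' "$1"
}

# Print (do not run) the agent_control call for an executable, IP and agent id.
# $1 = ar.conf, $2 = executable, $3 = IP to block, $4 = agent id
build_ban_command() {
    name=$(ar_names_for_executable "$1" "$2" | head -n 1)
    [ -n "$name" ] || { echo "no ar.conf entry for $2" >&2; return 1; }
    printf '/var/ossec/bin/agent_control -b %s -f %s -u %s\n' "$3" "$name" "$4"
}

# Constructed sample: the three ar.conf entries quoted in the thread.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
printf '%s\n' \
    'host-deny2147483647 - host-deny.sh - 2147483647' \
    'firewall-drop2147483647 - firewall-drop.sh - 2147483647' \
    'win_nullroute2147483647 - win_nullroute.cmd - 2147483647' > "$SAMPLE"

# The bare <name> from ossec.conf is rejected; the ar.conf name is accepted.
ar_name_is_valid "$SAMPLE" win_nullroute \
    || echo "win_nullroute: not in ar.conf (execd reports 'Invalid command name')"
ar_name_is_valid "$SAMPLE" win_nullroute2147483647 \
    && echo "win_nullroute2147483647: valid"
build_ban_command "$SAMPLE" win_nullroute.cmd 1.2.3.5 002
```

On a real manager, pass the path of the installed ar.conf instead of the sample file.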
