Not at work yet but the new one from git repo works "locally". I will test in a couple hours at work :)
:: Script to null route an ip address.
:: Usage: route-null.cmd (ADD|DELETE) <ip>
:: Called by the OSSEC agent as an active-response command; the ADD is
:: reverted by a later DELETE call once the response timeout expires.
@ECHO OFF
ECHO.

:: Set some variables (date and time stamp used for the log line)
FOR /F "TOKENS=1* DELIMS= " %%A IN ('DATE/T') DO SET DAT=%%A %%B
FOR /F "TOKENS=1-3 DELIMS=:" %%A IN ("%TIME%") DO SET TIM=%%A:%%B:%%C

:: Check for required arguments
IF /I "%1"=="" GOTO ERROR
IF /I "%2"=="" GOTO ERROR

:: Check for a valid IP: a dot means IPv4 (/32 host route), otherwise
:: treat the address as IPv6 (/128 host route)
ECHO "%2" | %WINDIR%\system32\findstr.exe /R "\." >nul || GOTO ipv6
set prefixlength=32
set gateway=0.0.0.0
goto x

:ipv6
set prefixlength=128
set gateway=::

:x
IF /I "%1"=="add" GOTO ADD
IF /I "%1"=="delete" GOTO DEL

:ERROR
ECHO Invalid argument(s).
ECHO Usage: route-null.cmd ^(ADD^|DELETE^) IP Address
ECHO Example: route-null.cmd ADD 1.2.3.4
EXIT /B 1

:: Adding IP to be null-routed.
:ADD
%WINDIR%\system32\route.exe ADD %2/%prefixlength% %gateway%

:: Log it (the path must not start with a space or the redirect fails)
ECHO %DAT% %TIM% %~dp0%0 %1 - %2 >> "%OSSECPATH%active-response\active-responses.log"
GOTO EXIT

:: Removing the null route again.
:DEL
%WINDIR%\system32\route.exe DELETE %2/%prefixlength%
ECHO %DAT% %TIM% %~dp0%0 %1 - %2 >> "%OSSECPATH%active-response\active-responses.log"

:EXIT
EXIT /B 0

On Wednesday, July 2, 2014 at 11:28:31 AM UTC-5, morgan cox wrote:
>
> Hi
>
> I cannot get active response to work
>
> how can I debug why active response on Windows agents is not working?
>
> Linux agents are fine - i.e. drop/active response is working
>
> I have followed -
> http://ossec-docs.readthedocs.org/en/latest/manual/ar/ar-windows.html
>
> when I use the command : - /var/ossec/bin/agent_control -b 2.3.4.5 -f
> win_nullroute600 -u 002
>
> it doesn't block / add a route on the windows agent
>
> tried on Windows 2012/2008 both OSs same result.
>
> How can I find out why?
>
> regards
>
> --
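Once the script runs, the only record on the agent of what it did is the line it appends to active-responses.log. The following Python audit script is an added example (not part of the OSSEC project or of this thread) that parses those lines and reports addresses whose ADD never got its matching DELETE after the response timeout, which is a quick way to confirm the response fired and was rolled back. It assumes the agent writes dates in the US MM/DD/YYYY form produced by DATE/T and uses a constructed sample log.

```python
import re
from datetime import datetime, timedelta

# One line per route-null.cmd invocation, as the script appends it:
#   <DATE/T output><%TIME%> <path to route-null.cmd> <add|delete> - <ip>
# Date/time are parsed in the US MM/DD/YYYY form (assumption: DATE/T output is
# locale dependent); the action and address are anchored at the end of the line.
LINE_RE = re.compile(
    r"^(?:\w{3}\s+)?(?P<date>\d{2}/\d{2}/\d{4})\s*(?P<time>\d{1,2}:\d{2}:\d{2})(?:\.\d+)?\s+"
    r".+?route-null\.cmd\s+(?P<action>add|delete)\s+-\s+(?P<ip>\S+)\s*$",
    re.IGNORECASE,
)

# Constructed sample of active-responses.log (not taken from a real agent).
SAMPLE_LOG = [
    r"Wed 07/02/2014 11:28:31.12 C:\ossec-agent\active-response\bin\route-null.cmd add - 1.2.3.4",
    r"Wed 07/02/2014 11:38:32.03 C:\ossec-agent\active-response\bin\route-null.cmd delete - 1.2.3.4",
    r"Wed 07/02/2014 11:40:05.77 C:\ossec-agent\active-response\bin\route-null.cmd add - 2001:db8::10",
    r"Wed 07/02/2014 11:41:00.00 C:\ossec-agent\active-response\bin\route-null.cmd add - 203.0.113.9",
    r"Wed 07/02/2014 11:50:00.41 C:\ossec-agent\active-response\bin\route-null.cmd add - 198.51.100.7",
    r"unrelated line that the parser must skip",
]
CHECKED_AT = datetime(2014, 7, 2, 11, 55, 0)  # constructed "now" for the audit


def parse_line(line):
    """Return {'when', 'action', 'ip'} for a route-null.cmd log line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(m["date"] + " " + m["time"], "%m/%d/%Y %H:%M:%S")
    return {"when": when, "action": m["action"].lower(), "ip": m["ip"]}


def stale_null_routes(lines, timeout_seconds, now):
    """IPs whose latest 'add' has no later 'delete' even though the active-response
    timeout (600 s for win_nullroute600) had already expired at `now`."""
    pending = {}  # ip -> time of its most recent add without a following delete
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["action"] == "add":
            pending[rec["ip"]] = rec["when"]
        else:
            pending.pop(rec["ip"], None)
    limit = timedelta(seconds=timeout_seconds)
    return sorted(ip for ip, added in pending.items() if now - added > limit)


if __name__ == "__main__":
    print(stale_null_routes(SAMPLE_LOG, 600, CHECKED_AT))  # ['2001:db8::10', '203.0.113.9']
```

Run it against the real file with `stale_null_routes(open(path).read().splitlines(), 600, datetime.now())`; an empty list means every add was rolled back in time, while any address listed is still null-routed and worth checking with `route print`.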