Hello,

I am trying a very basic active response which would terminate a powershell 
process when it is created on a host (Windows 10) machine.

I have a standalone SO configuration, with 3 OSSEC agents (V2.9) connected, 
all Windows machines.

I have verified that the script shutdown_powershell.cmd works, independent 
of OSSEC active response.

My ossec.conf file looks like this:

<command>
 <name>shutdown_powershell</name>
 <executable>shutdown_powershell.cmd</executable>
 <expect></expect>
</command>

<active-response>
 <command>shutdown_powershell</command>
 <rules_id>100051</rules_id>
 <location>defined-agent</location>
 <agent_id>003</agent_id>
</active-response>

I have verified that my rule 100051 (powershell_process_creation) works, it 
populates in Sguil every time I open Powershell on any agent.

I have restarted OSSEC on my server and agent several times and opened 
Powershell on agent 003. I have received varying error messages in my agent 
log:

SET 1) 

2018/07/17 15:35:33 ossec-execd: INFO: Active response command not present: 
'active-response/bin/restart-ossec.sh'. Not using it on this system.

2018/07/17 15:35:34 ossec-execd: INFO: Active response command not present: 
'active-response/bin/host-deny.sh'. Not using it on this system.

2018/07/17 15:35:34 ossec-execd: INFO: Active response command not present: 
'active-response/bin/firewall-drop.sh'. Not using it on this system.

2018/07/17 15:35:34 ossec-execd: INFO: Active response command not present: 
'active-response/bin/shutdown_powershell.cmd'. Not using it on this system.

SET 2)

2018/07/17 16:40:50 ossec-execd: INFO: Active response command not present: 
'active-response/bin/restart-ossec.sh'. Not using it on this system.

2018/07/17 16:40:50 ossec-execd: INFO: Active response command not present: 
'active-response/bin/host-deny.sh'. Not using it on this system.

2018/07/17 16:40:50 ossec-execd: INFO: Active response command not present: 
'active-response/bin/firewall-drop.sh'. Not using it on this system.

SET 3)

2018/07/18 10:37:31 ossec-execd: ERROR: Unable to create active response 
process. 

2018/07/18 10:43:45 ossec-execd: ERROR: Unable to create active response 
process. 

2018/07/18 11:08:55 ossec-execd: ERROR: Unable to create active response 
process. 

I seem to be having less and less success every time. Each set corresponds 
to a time when I have opened Powershell, so the rule is definitely working 
and my ossec.conf seems to have configured the active response correctly, 
but ultimately the script is not running.

Question:

1) For active response... do I need to place the active response script in 
the folder C:\Program Files (x86)\ossec-agent\active-response\bin on the 
host machine or in /var/ossec/active-response/bin on the server machine? I 
have tried placing it in both. OSSEC documentation seems unclear on this 
point

Thanks,

Clark
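An added example, not part of Clark's post and not OSSEC's own code: a small checker that reads the `<command>` / `<active-response>` blocks from an ossec.conf fragment, confirms that each referenced executable actually exists in a given active-response/bin directory, and cross-references the ossec-execd "Active response command not present" log lines. The quoted log line shows execd resolving the script as 'active-response/bin/shutdown_powershell.cmd', i.e. relative to the install root of the process that runs it; the `ar_bin_dir` argument is assumed to be that directory (for a `defined-agent` response, the agent-side bin directory is the one to check). The config fragment and log lines below are constructed from the ones in the post; the `demo()` helper uses a temporary directory and a placeholder .cmd file, not the real script.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample: the fragment from the post, wrapped in a root element so
# ElementTree can parse it (in a real ossec.conf it sits inside <ossec_config>).
CONF_FRAGMENT = """<ossec_config>
<command>
 <name>shutdown_powershell</name>
 <executable>shutdown_powershell.cmd</executable>
 <expect></expect>
</command>

<active-response>
 <command>shutdown_powershell</command>
 <rules_id>100051</rules_id>
 <location>defined-agent</location>
 <agent_id>003</agent_id>
</active-response>
</ossec_config>
"""

# Constructed sample agent log lines in the same format as those quoted above.
AGENT_LOG = """2018/07/17 15:35:33 ossec-execd: INFO: Active response command not present: 'active-response/bin/restart-ossec.sh'. Not using it on this system.
2018/07/17 15:35:34 ossec-execd: INFO: Active response command not present: 'active-response/bin/shutdown_powershell.cmd'. Not using it on this system.
2018/07/18 10:37:31 ossec-execd: ERROR: Unable to create active response process.
"""

# Matches the script name execd reports as missing (path is relative to its install root).
NOT_PRESENT_RE = re.compile(r"Active response command not present: 'active-response/bin/([^']+)'")


def parse_commands(conf_xml):
    """Map each <command> name to its <executable> (direct children only,
    so the <command> inside <active-response> is not picked up)."""
    root = ET.fromstring(conf_xml)
    return {
        cmd.findtext("name", "").strip(): cmd.findtext("executable", "").strip()
        for cmd in root.findall("command")
    }


def parse_active_responses(conf_xml):
    """Return one dict per <active-response> block."""
    root = ET.fromstring(conf_xml)
    return [
        {
            "command": ar.findtext("command", "").strip(),
            "rules_id": ar.findtext("rules_id", "").strip(),
            "location": ar.findtext("location", "").strip(),
            "agent_id": ar.findtext("agent_id", "").strip(),
        }
        for ar in root.findall("active-response")
    ]


def scripts_reported_missing(log_text):
    """Set of script file names execd logged as 'not present'."""
    return {m.group(1) for m in NOT_PRESENT_RE.finditer(log_text)}


def check_config(conf_xml, ar_bin_dir, log_text=""):
    """Return a list of findings (strings); empty means nothing obviously wrong."""
    commands = parse_commands(conf_xml)
    missing_in_log = scripts_reported_missing(log_text)
    findings = []
    for ar in parse_active_responses(conf_xml):
        name = ar["command"]
        if name not in commands:
            findings.append(f"active-response references undefined command '{name}'")
            continue
        if ar["location"] == "defined-agent" and not ar["agent_id"]:
            findings.append(f"'{name}': location defined-agent requires <agent_id>")
        executable = commands[name]
        path = os.path.join(ar_bin_dir, executable)
        if not os.path.isfile(path):
            findings.append(f"'{name}': executable not found at {path}")
        if executable in missing_in_log:
            findings.append(f"'{name}': execd logged '{executable}' as not present on this host")
    return findings


def demo():
    """Run the checks against a temporary bin directory, first empty and then
    after dropping a placeholder script into it; returns (before, after)."""
    bin_dir = tempfile.mkdtemp()
    before = check_config(CONF_FRAGMENT, bin_dir, AGENT_LOG)
    with open(os.path.join(bin_dir, "shutdown_powershell.cmd"), "w") as fh:
        fh.write("@echo off\r\nrem placeholder, not the real script\r\n")
    after = check_config(CONF_FRAGMENT, bin_dir, AGENT_LOG)
    return before, after


if __name__ == "__main__":
    for label, findings in zip(("before", "after"), demo()):
        print(f"{label}: {findings or 'no findings'}")
```

Point `ar_bin_dir` at the directory execd on the executing host will search; the "executable not found" finding should disappear once the file is in place, while the log-based finding only clears once execd has been restarted and no longer reports the script as missing.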
