On Sat, Jan 5, 2019 at 11:06 AM ram sri <ramsri13...@gmail.com> wrote:

> On Saturday, January 5, 2019 at 8:26:16 PM UTC+5:30, dan (ddpbsd) wrote:
> > On Sat, Jan 5, 2019 at 1:07 AM ram sri <ramsr...@gmail.com> wrote:
> > On Saturday, January 5, 2019 at 11:20:21 AM UTC+5:30, dan (ddpbsd) wrote:
> >
> > > On Fri, Jan 4, 2019 at 5:54 PM ram sri <ramsr...@gmail.com> wrote:
> > >
> > > .cmd files won’t run on Linux, it’s a Windows script.
> > >
> > > Yes, but how can I run a script for a Windows machine?
> > >
> > > How do you have active response configured?
> > >
> > > Same, I configured it in ossec.conf (ossec server).
> > >
> > > Which active response command are you trying to run?
> > >
> > > I tried restart-ossec.cmd, firewall-drop.cmd, winroute-nul.cmd. These
> > > three commands trigger but there is no action. As you said, .cmd files
> > > won't run on Linux, so why did ossec specify this example
> > > https://ossec-docs.readthedocs.io/en/latest/manual/ar/ar-windows.html.
> > > Please give me a solution.
> > >
> > > Can you check the ownership and permissions of the script?
> > >
> > > Initially I gave file permission to execute the Windows script (.cmd
> > > file).
> > >
> > > I want to know, is the ossec active response applicable for a Windows
> > > machine (not a Windows agent) and a Linux machine (I am not asking about
> > > the ossec server and ossec agent)?
> > >
> > > If you can write a script to remotely run the commands from an ossec
> > > agent on a non-ossec agent system it can work. We don’t support running
> > > active response on non-ossec systems.
> > >
> > Okay. If I write a script to remotely execute commands, does that mean we
> > give the non-ossec agent system's user credentials to the remote script?
> >
> > The script runs on an ossec system. It will probably have to
> > authenticate to the non-ossec system somehow.
> >
> Okay, can you explain why winroute-null.cmd is not working on the ossec
> agent? Where do I configure that winroute-null.cmd file, because it's a
> .cmd file? I configured it like this:
> https://ossec-docs.readthedocs.io/en/latest/manual/ar/ar-windows.html,
> but it's not working.
>


Not without troubleshooting. I also don’t have much experience with the
windows side of things.

Is active response enabled on the windows agent? Were the ossec processes
restarted after enabling it?
Anything in the ossec.log on the agent or server?



> > > Thanks,
> > >
> > > --
> > > ---
> > > You received this message because you are subscribed to the Google
> > > Groups "ossec-list" group.
> > > To unsubscribe from this group and stop receiving emails from it, send
> > > an email to ossec-list+...@googlegroups.com.
> > > For more options, visit https://groups.google.com/d/optout.

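The "is active response enabled on the agent" question from the reply above can be checked mechanically against the two configuration files. This is an added example, not code from the thread or from the OSSEC project: the sample configs are constructed, `load` and `check` are hypothetical names, and it assumes the agent only runs responses when its ossec.conf carries an explicit `<disabled>no</disabled>`.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs, not taken from the thread.
SERVER_CONF = """<ossec_config>
  <command>
    <name>win_nullroute</name>
    <executable>route-null.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>win_nullroute</command>
    <location>local</location>
    <level>8</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>"""
AGENT_CONF = """<ossec_config>
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</ossec_config>"""

def load(text):
    # ossec.conf may contain several <ossec_config> blocks; wrap them in one root.
    return ET.fromstring("<root>" + text + "</root>")

def check(server_text, agent_text):
    """Return findings: agent-side enablement plus a server-side consistency check."""
    server, agent = load(server_text), load(agent_text)
    findings = []
    # Names declared by top-level <command> blocks on the server.
    defined = {c.findtext("name", "").strip()
               for c in server.findall("./ossec_config/command")}
    for ar in server.findall("./ossec_config/active-response"):
        name = ar.findtext("command", "").strip()
        if name and name not in defined:
            findings.append(f"server: active-response uses undefined command '{name}'")
    flags = [(d.text or "").strip().lower()
             for d in agent.findall("./ossec_config/active-response/disabled")]
    # Assumption: the agent runs responses only with an explicit <disabled>no</disabled>.
    if not flags or any(f != "no" for f in flags):
        findings.append("agent: active response is not enabled")
    return findings

if __name__ == "__main__":
    for line in check(SERVER_CONF, AGENT_CONF) or ["no configuration problems found"]:
        print(line)
```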