Hi Manuel,

In my use case, CentOS is the manager. I have only one Wazuh agent, i.e. my Windows machine, which is my victim. I have another Windows machine as the attacker. I am trying to RDP to the machine with wrong password attempts. So in that case the AR should get generated along with the srcip field, but it is not. Also I tried using <location>local</location> but no success.

On Tue, May 10, 2022 at 1:00 PM Manuel Carmona Perez <manuel.carm...@wazuh.com> wrote:

> Hi Annie,
>
> As I can see in the command configuration, you used the *expect* option with *srcip*. This means that the alert generated that triggered active response must have a *srcip* field, as the *srcip* value will be used in the script.
>
> In the active response configuration, you used the *level* option with value *5*. This means that all the alerts with level equal to or higher than 5 will trigger the active response script.
>
> Taking these 2 statements into account, the following could be happening: an event with level>=5 but without a srcip field is being generated, and therefore the active response script is not being executed. Could you check this?
>
> Also, note that you are using *all* in the *location* option. This means that the active response script will be executed for all agents when AR is triggered. The *all* option should be used with caution because maybe this is not the use case you are looking for. If you use *local*, the AR script is executed on the agent that generated the event. If you use *server*, the AR script is run on the manager the agent is reporting to. You can find more information about this option here <https://documentation.wazuh.com/3.13/user-manual/reference/ossec-conf/active-response.html#location>.
>
> On Sunday, May 1, 2022 at 2:20:01 PM UTC+2 annie...@gmail.com wrote:
>
>> Hi all,
>> This is my active response configuration on the CentOS server:
>>
>> <command>
>>   <name>win_nullroute</name>
>>   <executable>route-null.cmd</executable>
>>   <expect>srcip</expect>
>>   <timeout_allowed>yes</timeout_allowed>
>> </command>
>>
>> <active-response>
>>   <disabled>no</disabled>
>>   <command>win_nullroute</command>
>>   <location>all</location>
>>   <level>5</level>
>>   <timeout>60</timeout>
>> </active-response>
>>
>> I have enabled AR on the Windows agent, but it is not executed when an event of level>=5 is fired.
>> I am using Wazuh version 3.13, Windows 10
>>
> --
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/4833a5ab-2fce-49e3-9f00-0b2d2755d937n%40googlegroups.com.
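The two conditions Manuel describes (rule level at or above `<level>`, and every field named in `<expect>` present in the alert) can be replayed offline against alert lines to see why a given alert does or does not trigger the command. The script below is an added example, not code from this thread or from Wazuh; it assumes the alerts.json layout where severity is at `rule.level` and a decoded source address is at `data.srcip`, and the three alert lines are constructed for illustration (the second one places the address under a different key on purpose, so `srcip` is absent even though the level is high enough):

```python
import json

# Constructed sample alerts (not real Wazuh output), written in the layout
# assumed here for Wazuh's alerts.json: rule.level for severity and
# data.srcip for a decoded source address.
SAMPLE_ALERTS = [
    # level 10 with a decoded srcip: both conditions satisfied
    json.dumps({"rule": {"level": 10, "id": "100010"}, "agent": {"id": "001"},
                "data": {"srcip": "203.0.113.7"}}),
    # level 7, but the address sits under another key, so "srcip" is absent
    json.dumps({"rule": {"level": 7, "id": "100011"}, "agent": {"id": "001"},
                "data": {"win": {"eventdata": {"ipAddress": "203.0.113.7"}}}}),
    # srcip present, but level 3 is below the configured threshold
    json.dumps({"rule": {"level": 3, "id": "100012"}, "agent": {"id": "001"},
                "data": {"srcip": "203.0.113.9"}}),
]


def parse_expect(expect_value):
    """Split a <command><expect> value ("srcip" or "srcip,user") into field names."""
    return [f.strip() for f in expect_value.split(",") if f.strip()]


def ar_decision(alert_json, expect="srcip", level=5):
    """Replay the two conditions from the thread against one alert line.

    Returns (would_run, reason). The alert's rule level must be >= <level>,
    and every field named in <expect> must be present under the alert's
    data object; otherwise the script has nothing to receive as argument.
    """
    alert = json.loads(alert_json)
    rule_level = int(alert.get("rule", {}).get("level", 0))
    if rule_level < level:
        return False, "rule level %d is below <level>%d</level>" % (rule_level, level)
    data = alert.get("data", {})
    missing = [f for f in parse_expect(expect) if f not in data]
    if missing:
        return False, ("alert has no %s field under data, so <expect> is not satisfied"
                       % ", ".join(missing))
    return True, "level %d and %s present" % (rule_level, ", ".join(parse_expect(expect)))


def explain_all(alerts, expect="srcip", level=5):
    """Run ar_decision over alert lines; returns a list of (rule id, would_run, reason)."""
    out = []
    for line in alerts:
        would_run, reason = ar_decision(line, expect, level)
        out.append((json.loads(line)["rule"]["id"], would_run, reason))
    return out


if __name__ == "__main__":
    for rule_id, would_run, reason in explain_all(SAMPLE_ALERTS):
        print("rule %s: %s (%s)" % (rule_id, "AR would run" if would_run else "AR skipped", reason))
```

Feeding real alert lines from the manager's alerts.json into `explain_all` with the `<expect>` and `<level>` values from the configuration shows, per alert, which of the two conditions blocked the command; an alert that fails only on the missing field is the case Manuel asks to check.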