Re: [ossec-list] Re: 2.8 - Active response on Windows agents not working ?

2016-05-03 Thread Antonio Querubin

On Tue, 3 May 2016, Jacob Mcgrath wrote:


For me it was the IP checking part of the script on Windows 7 Enterprise...
I commented it out for now until I have a little time to rework the
checking function...  I will post it later when this happens.

:: Check for a valid IP
::ECHO "%2" | %WINDIR%\system32\findstr.exe /R "[0-2][0-9]*[0-9]*\.[0-2][0-9]*[0-9]*\.[0-2][0-9]*[0-9]*\.[0-2][0-9]*[0-9]*" >nul || ECHO Invalid IP && EXIT /B 2

:: Extracts last ip address from ipconfig and routes to this address. Windows will not allow routing to 127.0.0.1
FOR /F "TOKENS=2* DELIMS=:" %%A IN ('%WINDIR%\system32\ipconfig.exe ^| %WINDIR%\system32\findstr.exe /R /C:"IPv*4* Address"') DO FOR %%B IN (%%A) DO SET IPADDR=%%B
%WINDIR%\system32\route.exe ADD %2 MASK 255.255.255.255 %IPADDR%


That looks like an older version of route-null.cmd.  Can you try 
installing the current version from the git repo and see if that works any 
better for you?



Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com


[ossec-list] Re: 2.8 - Active response on Windows agents not working ?

2016-05-03 Thread Jacob Mcgrath
Yes, I have no life, "but" since I am dropping routes on my internal network 
I can check the first octet.. or do checks in chain style for other 
subnets...  

ECHO "%2" | %WINDIR%\system32\findstr.exe /R "10\." >nul || ECHO Invalid IP && EXIT /B 2



On Wednesday, July 2, 2014 at 11:28:31 AM UTC-5, morgan cox wrote:
>
> Hi
>
> I cannot get active response to work 
>
>  how can I debug why active response on Windows agents is not working ?
>
> linux agents are fine - i.e drop/active response is working
>
> I have followed - 
> http://ossec-docs.readthedocs.org/en/latest/manual/ar/ar-windows.html
>
> when I use the command : -  /var/ossec/bin/agent_control -b 2.3.4.5 -f 
> win_nullroute600 -u 002 
>
> it doesn't block / add a route on the windows agent
>
> tried on Windows 2012/2008 both os's same result.
>
> How can I find out why ?
>
> regards
>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] Re: 2.8 - Active response on Windows agents not working ?

2016-05-03 Thread Jacob Mcgrath
For me it was the IP checking part of the script on Windows 7 Enterprise... 
 I commented it out for now until I have a little time to rework the 
checking function...  I will post it later when this happens.

:: Check for a valid IP
::ECHO "%2" | %WINDIR%\system32\findstr.exe /R "[0-2][0-9]*[0-9]*\.[0-2][0-9]*[0-9]*\.[0-2][0-9]*[0-9]*\.[0-2][0-9]*[0-9]*" >nul || ECHO Invalid IP && EXIT /B 2
:: Extracts last ip address from ipconfig and routes to this address. Windows will not allow routing to 127.0.0.1
FOR /F "TOKENS=2* DELIMS=:" %%A IN ('%WINDIR%\system32\ipconfig.exe ^| %WINDIR%\system32\findstr.exe /R /C:"IPv*4* Address"') DO FOR %%B IN (%%A) DO SET IPADDR=%%B
%WINDIR%\system32\route.exe ADD %2 MASK 255.255.255.255 %IPADDR%



On Wednesday, July 2, 2014 at 11:28:31 AM UTC-5, morgan cox wrote:
>
> Hi
>
> I cannot get active response to work 
>
>  how can I debug why active response on Windows agents is not working ?
>
> linux agents are fine - i.e drop/active response is working
>
> I have followed - 
> http://ossec-docs.readthedocs.org/en/latest/manual/ar/ar-windows.html
>
> when I use the command : -  /var/ossec/bin/agent_control -b 2.3.4.5 -f 
> win_nullroute600 -u 002 
>
> it doesn't block / add a route on the windows agent
>
> tried on Windows 2012/2008 both os's same result.
>
> How can I find out why ?
>
> regards
>
>

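An added example, not the route-null.cmd that ships with OSSEC and not the script quoted above: a stricter stand-in for the commented-out findstr check, which accepts %2 only when it is a plain dotted-quad IPv4 address, so nothing else ever reaches route.exe. It goes beyond the first-octet "10\." check in the other reply by validating the whole address; the :Bad label and the x sentinel are names assumed by this example.

```batch
@ECHO OFF
SETLOCAL
:: Added example, not the route-null.cmd that ships with OSSEC: a stricter
:: stand-in for the commented-out findstr check. It takes the address from
:: %2, as route-null.cmd does, and exits 2 unless it is a plain dotted-quad
:: IPv4 address, so nothing else ever reaches route.exe.
:: Capture %2 before enabling delayed expansion so a "!" in it is not eaten.
SET "IP=%~2"
SETLOCAL ENABLEDELAYEDEXPANSION
IF NOT DEFINED IP GOTO :Bad

:: 1. Character set: strip every dot and digit; anything left besides the
::    sentinel x (space, letters, &, |, quotes) means this is not an address.
::    Delayed expansion (!VAR!) keeps such characters from being re-parsed.
SET "JUNK=x!IP:.=!"
FOR %%D IN (0 1 2 3 4 5 6 7 8 9) DO SET "JUNK=!JUNK:%%D=!"
IF NOT "!JUNK!"=="x" GOTO :Bad

:: 2. Shape: split on dots and rebuild; a mismatch means an empty field
::    (10..1.1), a fifth field, or a leading/trailing dot.
SET "OCT1=" & SET "OCT2=" & SET "OCT3=" & SET "OCT4="
FOR /F "TOKENS=1-4 DELIMS=." %%A IN ("!IP!") DO (
  SET "OCT1=%%A" & SET "OCT2=%%B" & SET "OCT3=%%C" & SET "OCT4=%%D"
)
IF NOT "!OCT1!.!OCT2!.!OCT3!.!OCT4!"=="!IP!" GOTO :Bad

:: 3. Range: each field is 1-3 digits, no leading zero (cmd would read 010
::    as octal) and at most 255.
FOR /L %%I IN (1,1,4) DO (
  SET "OCT=!OCT%%I!"
  IF NOT DEFINED OCT GOTO :Bad
  IF NOT "!OCT:~3!"=="" GOTO :Bad
  IF "!OCT:~0,1!"=="0" IF NOT "!OCT!"=="0" GOTO :Bad
  IF !OCT! GTR 255 GOTO :Bad
)

:: 4. Loopback can never be null-routed on Windows (see the note in the
::    script above), so refuse it here instead of failing inside route.exe.
IF "!OCT1!"=="127" GOTO :Bad

ECHO Valid IP !IP!
EXIT /B 0

:Bad
ECHO Invalid IP
EXIT /B 2
```

In route-null.cmd the route.exe ADD line would take the place of the final ECHO; the exit code 2 matches the one the original check used.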


Re: [ossec-list] Anti replay feature

2016-05-03 Thread Zekicker
Thanks to you two !!!

:) 


On Tuesday, May 3, 2016 at 17:15:08 UTC+2, Santiago Bassett wrote:
>
> Yes, and on the agents too. I know the agents do not run remoted but they 
> also use this variable to check counters. 
>
> Santiago Bassett 
> @santiagobassett 
>
> > On May 3, 2016, at 7:36 AM, dan (ddp) wrote: 
> > 
> >> On Tue, May 3, 2016 at 10:26 AM, Zekicker wrote: 
> >> Hi, 
> >> 
> >> Is it possible to disable the anti-replay feature of OSSEC ? 
> >> 
> >> I need to deploy and delete some VMs on demand. All must be automatic. 
> >> 
> >> Do you have an idea to do it simply? 
> > 
> > I believe you can set "remoted.verify_msg_id" to 0 in 
> > /var/ossec/etc/internal_options.conf on the manager. 
> > 
> >> regards, 
> >> 
>



Re: [ossec-list] Anti replay feature

2016-05-03 Thread Santiago Bassett
Yes, and on the agents too. I know the agents do not run remoted but they also 
use this variable to check counters.

Santiago Bassett
@santiagobassett

> On May 3, 2016, at 7:36 AM, dan (ddp)  wrote:
> 
>> On Tue, May 3, 2016 at 10:26 AM, Zekicker  wrote:
>> Hi,
>> 
>> Is it possible to disable the anti-replay feature of OSSEC ?
>> 
>> I need to deploy and delete some VMs on demand. All must be automatic.
>> 
>> Do you have an idea to do it simply?
> 
> I believe you can set "remoted.verify_msg_id" to 0 in
> /var/ossec/etc/internal_options.conf on the manager.
> 
>> regards,
>> 



Re: [ossec-list] Anti replay feature

2016-05-03 Thread dan (ddp)
On Tue, May 3, 2016 at 10:26 AM, Zekicker  wrote:
> Hi,
>
> Is it possible to disable the anti-replay feature of OSSEC ?
>
> I need to deploy and delete some VMs on demand. All must be automatic.
>
> Do you have an idea to do it simply?
>

I believe you can set "remoted.verify_msg_id" to 0 in
/var/ossec/etc/internal_options.conf on the manager.

> regards,
>



[ossec-list] Anti replay feature

2016-05-03 Thread Zekicker
Hi,

Is it possible to disable the anti-replay feature of OSSEC ?

I need to deploy and delete some VMs on demand. All must be automatic.

Do you have an idea to do it simply?

regards, 



[ossec-list] Re: Ossec & Windows mass deployment and server based agent config?

2016-05-03 Thread Jacob Mcgrath
Thanks peeps for the info, digging into it as we speak.

On Thursday, April 28, 2016 at 6:57:30 AM UTC-5, Jacob Mcgrath wrote:
>
> I have a 200-300 workstation network and roughly 60-80 servers in either 
> heavy metal or virtual clusters.
>
>
> From what I read I can use a .csv file with hostnames to assign Ossec keys 
> to agents in large volumes.  Has anyone done this / or had issues with this 
> method? 
>
> Passing down windows agent configs from the Ossec server.  Is this a real 
> world possibility?
>



[ossec-list] Re: Ossec & Windows mass deployment and server based agent config?

2016-05-03 Thread Jesus Linares
Hi,

it seems that *full command* cannot be used in the agent.conf:

   - command and full_command cannot be used in the agent.conf, and must be 
   configured in each system's ossec.conf. (Documentation).
   
I'll check it.

Regards.
Jesus Linares.

On Sunday, May 1, 2016 at 1:52:31 AM UTC+2, Robert Bardo wrote:
>
> Couple things I noticed..
>
> I would use a .cmd, not .bat as I seem to vaguely remember a .cmd must be 
> used..  it works now for me.
>
> Next, the shared command executable must be put in the server /shared 
> directory and will be replicated to the correct client side folder.
>
> Lastly, why not use "auto OSSEC"?  I had used it with much success.
>
> Cheers.  Rob
>
>



Re: [ossec-list] Disk usage monitor not working in RHEL5

2016-05-03 Thread Robert Micallef
Good to know for next time maybe. Thanks a lot.

On Monday, May 2, 2016 at 5:14:39 PM UTC+2, dan (ddpbsd) wrote:

>
> The steps to submit the PR should basically be the following: 
> 1. Fork the repository on github (fork button in the top right of the 
> page) 
> 2. Clone your fork (git clone https://github.com/USER/ossec-hids.git) 
> 3. OPTIONAL: Create a branch for your changes (git checkout -b df_issue) 
> 4. Make your changes (modify install.sh and etc/rules/ossec_rules.xml) 
> 5. Add and commit your changes (git add install.sh 
> etc/rules/ossec_rules.xml && git commit) 
> 6. Push your changes to a new branch on your fork on github (git push 
> --set-upstream origin df_issue) 
> 7. Open a pull request on the ossec/ossec-hids repo. 
>   a. Click "New pull request" at https://github.com/ossec/ossec-hids 
>   b. Click "compare across forks" link 
>   c. Ensure the left hand drop down boxes say "base fork: 
> ossec/ossec-hids" and "base: master" 
>   d. In the right hand drop boxes select "head fork: 
> USERNAME/ossec-hids" and "compare: BRANCH" 
>   e. Review the changes and write a brief title and comment 
>   f. Click "Create pull request" 
>
> I've opened #822 with the proposed change as kind of a demonstration 
> (since I did the above steps while documenting them). 
>
