[ossec-list] Re: 2.8 - Active response on Windows agents not working ?
I have Win 8, 10, Server 2003/2008/2012 I will test on when I get a moment at work.

On Wednesday, July 2, 2014 at 11:28:31 AM UTC-5, morgan cox wrote:
> Hi
>
> I cannot get active response to work
>
> how can I debug why active response on Windows agents is not working ?
>
> linux agents are fine - i.e. drop/active response is working
>
> I have followed -
> http://ossec-docs.readthedocs.org/en/latest/manual/ar/ar-windows.html
>
> when I use the command : - /var/ossec/bin/agent_control -b 2.3.4.5 -f win_nullroute600 -u 002
>
> it doesn't block / add a route on the windows agent
>
> tried on Windows 2012/2008 both os's same result.
>
> How can I find out why ?
>
> regards

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[ossec-list] Re: 2.8 - Active response on Windows agents not working ?
Ok on Win7 Ent it seems to be working ok... ty
Re: [ossec-list] Re: 2.8 - Active response on Windows agents not working ?
On Sat, 7 May 2016, Jacob Mcgrath wrote:
> Ok, let me know when it's time for my guinea pigging to start lol.

The patched script should be usable now. Just download straight from github.

Antonio Querubin
e-mail: t...@lavanauts.org
xmpp: antonioqueru...@gmail.com
[ossec-list] Re: 2.8 - Active response on Windows agents not working ?
Ok, let me know when it's time for my guinea pigging to start lol.
Re: [ossec-list] Re: 2.8 - Active response on Windows agents not working ?
On Fri, 6 May 2016, Michael Starks wrote:
> Good catch and thank you. I don't think the script ever worked, even before the commit.

You're right. I vaguely recall (and my recollection is known to be flawed :)) that when I was working on the various IPv6 updates and turned my attention to this script, I noticed it wasn't working locally at all. Windows didn't like setting a gateway of 127.0.0.1 for an IPv4 route and I think there was some kind of syntax issue as well. I 'fixed' things by using a null address as the next hop for both IPv4 and IPv6. However, I never 'verified' the script from the OSSEC manager's point of view (i.e. run agent_control on the manager) and assumed that once the script started working locally everything was ok. The other bug was still lurking in the script.

Reminds me of the TV series "Seconds from Disaster" - where chains of 'errors' are not detected in time, sometimes some of the errors masking subsequent errors from being detected.

Antonio Querubin
e-mail: t...@lavanauts.org
xmpp: antonioqueru...@gmail.com
Re: [ossec-list] Re: 2.8 - Active response on Windows agents not working ?
On 2016-05-04 19:36, Antonio Querubin wrote:
> Actually the script did break and assumed one of the parameters was dropped in commit 168cb2f. And the mistake wasn't caught until now. I'll submit a patch shortly.

Good catch and thank you. I don't think the script ever worked, even before the commit.
Re: [ossec-list] Re: 2.8 - Active response on Windows agents not working ?
Yes. :)

Sent from my iPad

> On May 5, 2016, at 16:25, Jacob Mcgrath wrote:
>
> Is this a patch to OSSEC or to the script?
[ossec-list] Re: 2.8 - Active response on Windows agents not working ?
Is this a patch to OSSEC or to the script?
[ossec-list] Re: 2.8 - Active response on Windows agents not working ?
Thank you Antonio
Re: [ossec-list] Re: 2.8 - Active response on Windows agents not working ?
On Wed, 4 May 2016, Antonio Querubin wrote:
> Actually the script did break and assumed one of the parameters was dropped in commit 168cb2f. And the mistake wasn't caught until now. I'll submit a patch shortly.

PR #828.

Antonio Querubin
e-mail: t...@lavanauts.org
xmpp: antonioqueru...@gmail.com
Re: [ossec-list] Re: 2.8 - Active response on Windows agents not working ?
On Wed, 4 May 2016, Antonio Querubin wrote:
> I've been doing some testing and the script itself is ok. It seems the windows agent is receiving the IP address and since the agent doesn't attempt to run a duplicate request I think it's reasonable to assume it's because the agent has already cached the IP address. So the mystery is how the agent is losing the IP address info before calling route-null..

Actually the script did break and assumed one of the parameters was dropped in commit 168cb2f. And the mistake wasn't caught until now. I'll submit a patch shortly.

--
Antonio Querubin
e-mail: t...@lavanauts.org
xmpp: antonioqueru...@gmail.com
Re: [ossec-list] Re: 2.8 - Active response on Windows agents not working ?
On Wed, 4 May 2016, Jacob Mcgrath wrote:
> The script works locally at work. If I invoke an active response from the ossec server like so
>
> /var/ossec/bin/agent_control -b 1.2.3.4 -f win_nullroute600 -u 007
>
> I see that the C:\Program Files (x86)\ossec-agent\active-response\active-responses.log is generated...with this input...
>
> Wed 05/04/2016 13:27:16.81 C:\Program Files (x86)\ossec-agent\active-response\bin\"active-response/bin/route-null.cmd" add - "-"
> Wed 05/04/2016 13:41:16.86 C:\Program Files (x86)\ossec-agent\active-response\bin\"active-response/bin/route-null.cmd" delete - "-"
>
> route print on my windows agent does not show this route added and in turn removed...
>
> From what I can tell the script should work if the proper args are received. But the ip to be routed from ossec never gets seen in the windows agent...could be the script or the way the arg is passed down from server to agent.

I've been doing some testing and the script itself is ok. It seems the windows agent is receiving the IP address and since the agent doesn't attempt to run a duplicate request I think it's reasonable to assume it's because the agent has already cached the IP address. So the mystery is how the agent is losing the IP address info before calling route-null..

--
Antonio Querubin
e-mail: t...@lavanauts.org
xmpp: antonioqueru...@gmail.com
[ossec-list] Re: 2.8 - Active response on Windows agents not working ?
The script works locally at work. If I invoke an active response from the ossec server like so

/var/ossec/bin/agent_control -b 1.2.3.4 -f win_nullroute600 -u 007

I see that the C:\Program Files (x86)\ossec-agent\active-response\active-responses.log is generated...with this input...

Wed 05/04/2016 13:27:16.81 C:\Program Files (x86)\ossec-agent\active-response\bin\"active-response/bin/route-null.cmd" add - "-"
Wed 05/04/2016 13:41:16.86 C:\Program Files (x86)\ossec-agent\active-response\bin\"active-response/bin/route-null.cmd" delete - "-"

route print on my windows agent does not show this route added and in turn removed...

From what I can tell the script should work if the proper args are received. But the ip to be routed from ossec never gets seen in the windows agent...could be the script or the way the arg is passed down from server to agent.
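The two log lines above record "-" in the field where the target address should be, which is the symptom to watch for when an agent-side response script reads its arguments in the wrong position (OSSEC launches the script as action, user, ip, ...; the user field is "-" when unset). An added example, not from this thread or from OSSEC's code: a Python audit of active-responses.log, with sample lines constructed from Jacob's post plus one assumed healthy line, that flags every entry whose target is not a routable address.

```python
"""Audit an OSSEC active-responses.log for responses that never received a target IP."""
import ipaddress
import re

# Constructed sample of C:\Program Files (x86)\ossec-agent\active-response\active-responses.log.
# Lines 1-2 copy the format of the posted entries (IP field holds only "-"); line 3 is an
# assumed healthy entry showing what a correctly delivered address looks like.
SAMPLE_LOG = r'''
Wed 05/04/2016 13:27:16.81 C:\Program Files (x86)\ossec-agent\active-response\bin\"active-response/bin/route-null.cmd" add - "-"
Wed 05/04/2016 13:41:16.86 C:\Program Files (x86)\ossec-agent\active-response\bin\"active-response/bin/route-null.cmd" delete - "-"
Wed 05/04/2016 14:02:03.10 C:\Program Files (x86)\ossec-agent\active-response\bin\"active-response/bin/route-null.cmd" add - 1.2.3.4
'''.strip("\n")

# One entry: <day> <MM/DD/YYYY> <HH:MM:SS.hh> <script path> <action> - <target>, the target
# optionally wrapped in double quotes (as in the posted lines).
LINE_RE = re.compile(
    r'^(?P<day>[A-Za-z]{3}) (?P<date>\d\d/\d\d/\d{4}) (?P<time>\d\d:\d\d:\d\d\.\d\d) '
    r'(?P<script>.+?route-null\.cmd") (?P<action>add|delete) - "?(?P<target>[^"\s]*)"?$'
)


def parse_line(line):
    """Split one log line into its fields, or return None if it is not a route-null entry."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def target_problem(target):
    """Return None when target is an address route-null could act on, else a reason string."""
    if target in ("", "-"):
        # "-" is OSSEC's placeholder for an unset user field: the script logged the wrong argument.
        return "no address reached the script (user placeholder '-' logged in the IP field)"
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return "target is not an IP address: %r" % target
    if ip.is_loopback or ip.is_unspecified:
        return "target %s must never be null-routed" % target
    return None


def audit_log(text):
    """Return (line_no, action, reason) for every entry whose target is unusable."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            findings.append((n, "?", "unrecognised line: %r" % raw.strip()[:60]))
            continue
        reason = target_problem(rec["target"])
        if reason is not None:
            findings.append((n, rec["action"], reason))
    return findings


if __name__ == "__main__":
    for line_no, action, reason in audit_log(SAMPLE_LOG):
        print("line %d (%s): %s" % (line_no, action, reason))
```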
[ossec-list] Re: 2.8 - Active response on Windows agents not working ?
Not at work yet but the new one from git repo works "locally". I will test in a couple hours at work :)

:: Script to null route an ip address.
@ECHO OFF
ECHO.

:: Set some variables
FOR /F "TOKENS=1* DELIMS= " %%A IN ('DATE/T') DO SET DAT=%%A %%B
FOR /F "TOKENS=1-3 DELIMS=:" %%A IN ("%TIME%") DO SET TIM=%%A:%%B:%%C

:: Check for required arguments
:: (when the OSSEC agent launches this script, the second argument is the user field, "-",
:: which is the mismatch discussed elsewhere in this thread)
IF /I "%1"=="" GOTO ERROR
IF /I "%2"=="" GOTO ERROR

:: Check for a valid IP: a dot means IPv4, otherwise treat the address as IPv6
ECHO "%2" | %WINDIR%\system32\findstr.exe /R "\." >nul || GOTO ipv6
set prefixlength=32
set gateway=0.0.0.0
goto x

:ipv6
set prefixlength=128
set gateway=::

:x
IF /I "%1"=="add" GOTO ADD
IF /I "%1"=="delete" GOTO DEL

:ERROR
ECHO Invalid argument(s).
ECHO Usage: route-null.cmd ^(ADD^|DELETE^) IP Address
ECHO Example: route-null.cmd ADD 1.2.3.4
EXIT /B 1

:: Adding IP to be null-routed.
:ADD
%WINDIR%\system32\route.exe ADD %2/%prefixlength% %gateway%
:: Log it
ECHO %DAT%%TIM% %~dp0%0 %1 - %2 >> "%OSSECPATH%active-response\active-responses.log"
GOTO EXIT

:DEL
%WINDIR%\system32\route.exe DELETE %2/%prefixlength%
ECHO %DAT%%TIM% %~dp0%0 %1 - %2 >> "%OSSECPATH%active-response\active-responses.log"

:EXIT
EXIT /B 0
Re: [ossec-list] Re: 2.8 - Active response on Windows agents not working ?
On Tue, 3 May 2016, Jacob Mcgrath wrote:
> For me it was the IP checking part of the script on Windows 7 Enterprise... I commented it out for now until I have a little time to rework the checking function... I will post it later when this happens.
>
> :: Check for a valid IP
> ::ECHO "%2" | %WINDIR%\system32\findstr.exe /R "[0-2][0-9]*[0-9]*\.[0-2][0-9]*[0-9]*\.[0-2][0-9]*[0-9]*\.[0-2][0-9]*[0-9]*" >nul || ECHO Invalid IP && EXIT /B 2
>
> :: Extracts last ip address from ipconfig and routes to this address. Windows will not allow routing to 127.0.0.1
> FOR /F "TOKENS=2* DELIMS=:" %%A IN ('%WINDIR%\system32\ipconfig.exe ^| %WINDIR%\system32\findstr.exe /R /C:"IPv*4* Address"') DO FOR %%B IN (%%A) DO SET IPADDR=%%B
> %WINDIR%\system32\route.exe ADD %2 MASK 255.255.255.255 %IPADDR%

That looks like an older version of route-null.cmd. Can you try installing the current version from the git repo and see if that works any better for you?

Antonio Querubin
e-mail: t...@lavanauts.org
xmpp: antonioqueru...@gmail.com
[ossec-list] Re: 2.8 - Active response on Windows agents not working ?
yes I have no life "but" since I am dropping routes on my internal network I can check the first octet.. or to checks in chain style for other subnets...

ECHO "%2" | %WINDIR%\system32\findstr.exe /R "10\." >nul || ECHO Invalid IP && EXIT /B 2
[ossec-list] Re: 2.8 - Active response on Windows agents not working ?
For me it was the IP checking part of the script on Windows 7 Enterprise... I commented it out for now until I have a little time to rework the checking function... I will post it later when this happens.

:: Check for a valid IP
::ECHO "%2" | %WINDIR%\system32\findstr.exe /R "[0-2][0-9]*[0-9]*\.[0-2][0-9]*[0-9]*\.[0-2][0-9]*[0-9]*\.[0-2][0-9]*[0-9]*" >nul || ECHO Invalid IP && EXIT /B 2

:: Extracts last ip address from ipconfig and routes to this address. Windows will not allow routing to 127.0.0.1
FOR /F "TOKENS=2* DELIMS=:" %%A IN ('%WINDIR%\system32\ipconfig.exe ^| %WINDIR%\system32\findstr.exe /R /C:"IPv*4* Address"') DO FOR %%B IN (%%A) DO SET IPADDR=%%B
%WINDIR%\system32\route.exe ADD %2 MASK 255.255.255.255 %IPADDR%