Re: [ossec-list] windows active response logic
On Wed, Apr 13, 2016 at 2:49 PM, Rob B wrote:
> Thanks, that gave me the food for thought I needed...
> I will push my packages with updated .conf files for agents in an automated
> "update like" fashion.
>
> Will test the directory that ossec agent needs to fire my package from.
> (Do you all know what I should run and look for to see the verbose
> information? i.e. debug mode / debug log location?)
>

Create an active response that prints the current directory to a file, then trigger it?

> Off to testing now.. =)
>
> Thanks! --Rob
>
> On Wednesday, April 13, 2016 at 7:27:53 AM UTC-4, dan (ddpbsd) wrote:
>>
>> On Tue, Apr 12, 2016 at 4:52 PM, Rob B wrote:
>> > Hello Folks,
>> >
>> > Could someone help me wrap my head around the windows active response
>> > mechanism?
>> >
>> > If I understand correctly, the active response / bin folder on the
>> > server will house my .CMD file containing my windows response actions?
>> >
>>
>> I'm not totally sure on Windows, but I think so.
>>
>> > What I would like to do is have active response fire on an event such
>> > as:
>> >
>> > 18100
>> >
>> > Which would then run my .cmd file, where I want to run an executable
>> > that I have already packaged.
>> >
>> > My question here is: what is the logic to run my packaged executable
>> > from the .cmd file? Where do I store my packaged executable, how does it
>> > get to
>>
>> It should be on the agent you want to run it.
>>
>> > the client agent to fire? Where will it fire from, so that I may have
>> > the correct syntax in my .cmd file? Can the package be pushed from the
>> > server to
>>
>> That's a good question, I would assume either the ossec directory, or
>> the ar/bin directory. It shouldn't be too hard to test though.
>>
>> > all windows agents once they refresh somehow?
>> >
>>
>> What package? The AR configuration should be pushed, but it's up to
>> you to put your executable in place.
>>
>> > I do understand the basics as to how to set up active response in the
>> > .conf file on the server ossec.conf file and where to turn it ON in the
>> > agent side .conf file. How can I turn ON all the agents' active response
>> > from the server? (Currently I only know how to manually update the file
>> > at each client.)
>> >
>>
>> It's possible the agent.conf can be used for this, but if not your
>> configuration management solution should be able to handle pushing new
>> ossec.confs to the agents.
>>
>> > Any pointers from the Gurus would be greatly appreciated. =)
>> >
>> > Thanks much Guys!!
>> >
>> >
>> > Rob

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
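Wiring up the test dan suggests, as an added example that is not from the thread and not the OSSEC project's own configuration: the manager-side ossec.conf fragment below declares a command, binds it to rule 18100 (the rule id from the original post) and runs it on the agent that raised the alert; the agent-side fragment makes sure active response is not disabled on the Windows host. The command name ar-cwd-test, the script name ar-cwd-test.cmd and the log file name are assumptions chosen for this example.

```xml
<!-- Manager-side ossec.conf. Assumed names: "ar-cwd-test" and
     "ar-cwd-test.cmd" are example names, not stock OSSEC ones. -->
<ossec_config>
  <!-- 1. Declare the command. The executable is looked up by file name in
          the active-response\bin directory of the host that runs it, so the
          .cmd (and anything it launches) must already be present on every
          Windows agent; the manager only sends the command name. -->
  <command>
    <name>ar-cwd-test</name>
    <executable>ar-cwd-test.cmd</executable>
    <expect></expect>                 <!-- no srcip/user required for the test -->
    <timeout_allowed>no</timeout_allowed>
  </command>

  <!-- 2. Bind the command to rule 18100 and run it on the agent that
          generated the alert ("local"), not on the manager. -->
  <active-response>
    <command>ar-cwd-test</command>
    <location>local</location>
    <rules_id>18100</rules_id>
  </active-response>
</ossec_config>

<!-- Agent-side ossec.conf on each Windows agent: active response must be on,
     otherwise the agent drops the command it receives from the manager. -->
<ossec_config>
  <active-response>
    <disabled>no</disabled>
  </active-response>
</ossec_config>
```

The script itself is the one-line test from dan's reply, placed in the agent's active-response\bin as ar-cwd-test.cmd (path and name assumed): `@echo [%DATE% %TIME%] cwd=%CD% script=%~dp0 args=%* >> "%~dp0ar-cwd-test.log"`. After restarting the manager and the agent, generate an event that matches rule 18100 on that agent and read the log file: %CD% answers "where will it fire from", %~dp0 gives a path you can use for the packaged executable regardless of the working directory, and %* shows the positional alert fields the agent passes to the script. Two caveats worth keeping in mind: the script runs with the agent service's privileges, so active-response\bin and any packaged executable it launches need the same write protection and integrity checks as the agent binary itself; and a response keyed to a rule an attacker can trigger at will is a response the attacker can run on demand, so keep it cheap and idempotent.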
Re: [ossec-list] windows active response logic
Thanks, that gave me the food for thought I needed...

I will push my packages with updated .conf files for agents in an automated "update like" fashion.

Will test the directory that ossec agent needs to fire my package from. (Do you all know what I should run and look for to see the verbose information? i.e. debug mode / debug log location?)

Off to testing now.. =)

Thanks! --Rob

On Wednesday, April 13, 2016 at 7:27:53 AM UTC-4, dan (ddpbsd) wrote:
>
> On Tue, Apr 12, 2016 at 4:52 PM, Rob B wrote:
> > Hello Folks,
> >
> > Could someone help me wrap my head around the windows active response
> > mechanism?
> >
> > If I understand correctly, the active response / bin folder on the
> > server will house my .CMD file containing my windows response actions?
> >
>
> I'm not totally sure on Windows, but I think so.
>
> > What I would like to do is have active response fire on an event such
> > as:
> >
> > 18100
> >
> > Which would then run my .cmd file, where I want to run an executable
> > that I have already packaged.
> >
> > My question here is: what is the logic to run my packaged executable
> > from the .cmd file? Where do I store my packaged executable, how does it
> > get to
>
> It should be on the agent you want to run it.
>
> > the client agent to fire? Where will it fire from, so that I may have
> > the correct syntax in my .cmd file? Can the package be pushed from the
> > server to
>
> That's a good question, I would assume either the ossec directory, or
> the ar/bin directory. It shouldn't be too hard to test though.
>
> > all windows agents once they refresh somehow?
> >
>
> What package? The AR configuration should be pushed, but it's up to
> you to put your executable in place.
>
> > I do understand the basics as to how to set up active response in the
> > .conf file on the server ossec.conf file and where to turn it ON in the
> > agent side .conf file. How can I turn ON all the agents' active response
> > from the server? (Currently I only know how to manually update the file
> > at each client.)
> >
>
> It's possible the agent.conf can be used for this, but if not your
> configuration management solution should be able to handle pushing new
> ossec.confs to the agents.
>
> > Any pointers from the Gurus would be greatly appreciated. =)
> >
> > Thanks much Guys!!
> >
> >
> > Rob
Re: [ossec-list] windows active response logic
On Tue, Apr 12, 2016 at 4:52 PM, Rob B wrote:
> Hello Folks,
>
> Could someone help me wrap my head around the windows active response
> mechanism?
>
> If I understand correctly, the active response / bin folder on the server
> will house my .CMD file containing my windows response actions?
>

I'm not totally sure on Windows, but I think so.

> What I would like to do is have active response fire on an event such as:
>
> 18100
>
> Which would then run my .cmd file, where I want to run an executable that I
> have already packaged.
>
> My question here is: what is the logic to run my packaged executable from
> the .cmd file? Where do I store my packaged executable, how does it get to

It should be on the agent you want to run it.

> the client agent to fire? Where will it fire from, so that I may have the
> correct syntax in my .cmd file? Can the package be pushed from the server to

That's a good question, I would assume either the ossec directory, or
the ar/bin directory. It shouldn't be too hard to test though.

> all windows agents once they refresh somehow?
>

What package? The AR configuration should be pushed, but it's up to
you to put your executable in place.

> I do understand the basics as to how to set up active response in the .conf
> file on the server ossec.conf file and where to turn it ON in the agent side
> .conf file. How can I turn ON all the agents' active response from the
> server? (Currently I only know how to manually update the file at each
> client.)
>

It's possible the agent.conf can be used for this, but if not your
configuration management solution should be able to handle pushing new
ossec.confs to the agents.

> Any pointers from the Gurus would be greatly appreciated. =)
>
> Thanks much Guys!!
>
>
> Rob
[ossec-list] windows active response logic
Hello Folks,

Could someone help me wrap my head around the windows active response mechanism?

If I understand correctly, the active response / bin folder on the server will house my .CMD file containing my windows response actions?

What I would like to do is have active response fire on an event such as:

18100

Which would then run my .cmd file, where I want to run an executable that I have already packaged.

My question here is: what is the logic to run my packaged executable from the .cmd file? Where do I store my packaged executable, how does it get to the client agent to fire? Where will it fire from, so that I may have the correct syntax in my .cmd file? Can the package be pushed from the server to all windows agents once they refresh somehow?

I do understand the basics as to how to set up active response in the .conf file on the server ossec.conf file and where to turn it ON in the agent side .conf file. How can I turn ON all the agents' active response from the server? (Currently I only know how to manually update the file at each client.)

Any pointers from the Gurus would be greatly appreciated. =)

Thanks much Guys!!

Rob