[ossec-list] Re: Ossec Active Response support Windows machine or Linux machine??

2022-02-04 Thread Yana Zaeva
Hi, sure, it supports both Windows and Linux machines. You can check here the default script for each OS. Also, for further information, I will leave here a lin

Re: [ossec-list] Re: ossec-active response, how to refere files? [Linux]

2017-02-08 Thread dan (ddp)
On Wed, Feb 8, 2017 at 2:06 PM, Nil wrote: > So I can't interact with the file that triggered the alert? Seems kinda > pointless then > Feel free to submit a pull request adding the functionality. > > On Tuesday, February 7, 2017, 18:45:39 (UTC+1), Nil wrote: >> >> Hi, I would like to know

[ossec-list] Re: ossec-active response, how to refere files? [Linux]

2017-02-08 Thread Nil
So I can't interact with the file that triggered the alert? Seems kinda pointless then. On Tuesday, February 7, 2017, 18:45:39 (UTC+1), Nil wrote: > > Hi, I would like to know how can I reference the file that triggered an > alert in order to use it with the commands > i.e. If file X were

Re: [ossec-list] Re: Ossec active response on agent

2016-07-27 Thread dan (ddp)
I just tried this on my OpenBSD systems (running MASTER from github), and it's working fine: ##AGENT# In the agent's ossec.conf: full_command /usr/sbin/rcctl check ntpd 60 ntpcheck Script on the agent: # more /var/ossec/active-res

Re: [ossec-list] Re: Ossec active response on agent

2016-07-27 Thread dan (ddp)
On Wed, Jul 27, 2016 at 12:05 PM, wrote: > Hi, > > Did anyone ever find a solution to this? I am having the same exact problem. > Can you provide more details? > > Thanks, > Patrick > > > On Wednesday, November 18, 2015 at 4:53:30 PM UTC-5, Gaetan Noel wrote: >> >> Hi all, >> >> I am having the

[ossec-list] Re: Ossec active response on agent

2016-07-27 Thread ptobin2
Hi, Did anyone ever find a solution to this? I am having the same exact problem. Thanks, Patrick On Wednesday, November 18, 2015 at 4:53:30 PM UTC-5, Gaetan Noel wrote: > > Hi all, > > I am having the exact same issue the only difference is my client is > running on Windows. > > I ran the same

[ossec-list] Re: Ossec active response on agent

2015-11-18 Thread Gaetan Noel
Hi all, I am having the exact same issue; the only difference is that my client is running on Windows. I ran the same tests as what is described or asked above, but nothing works: nothing gets fired on the client side and the active-response.log on the server is empty. I have enabled debug on both c

Re: [ossec-list] Re: Ossec active response on agent

2015-10-13 Thread dan (ddp)
On Tue, Oct 13, 2015 at 8:17 AM, Kévin Printz wrote: > Yes, I created it with the same owner / rights as the default active > response scripts: > > > [root@myagent etc]# ls -l /var/ossec/active-response/bin/restart.sh > -r-xr-x--- 1 root ossec 59 Oct 8 08:49 > /var/ossec/active-response/bin/re

Re: [ossec-list] Re: Ossec active response on agent

2015-10-13 Thread Kévin Printz
Yes, I created it with the same owner / rights as the default active response scripts: [root@myagent etc]# ls -l /var/ossec/active-response/bin/restart.sh -r-xr-x--- 1 root ossec 59 Oct 8 08:49 /var/ossec/active-response/bin/restart.sh Can some other config files or logs help to d

Re: [ossec-list] Re: Ossec active response on agent

2015-10-13 Thread dan (ddp)
On Tue, Oct 13, 2015 at 4:57 AM, Kévin Printz wrote: > Hello @dan > > Thank you for your answer. > > Yes, it seems that ossec-execd is running on my agent: > [root@hostname etc]# ps -edf | grep ossec-exec[d] > root 20235 1 0 08:36 ?00:00:00 /var/ossec/bin/ossec-execd > > And yes,

Re: [ossec-list] Re: Ossec active response on agent

2015-10-13 Thread Kévin Printz
Hello @dan, thank you for your answer. Yes, it seems that ossec-execd is running on my agent: [root@hostname etc]# ps -edf | grep ossec-exec[d] root 20235 1 0 08:36 ?00:00:00 /var/ossec/bin/ossec-execd And yes, the restart.sh is listed on the agent: [root@hostname etc]# cat

Re: [ossec-list] Re: Ossec active response on agent

2015-10-09 Thread dan (ddp)
On Thu, Oct 8, 2015 at 5:31 AM, Kévin Printz wrote: > Hello (again) > > I made other tests to try to understand why it's not working. If I set up the > section in my server ossec.conf file, and I try to stop the > NTPD process on my server, the rule is fired, and the active response is > execute

[ossec-list] Re: Ossec active response on agent

2015-10-08 Thread Kévin Printz
Hello (again) I made other tests to try to understand why it's not working. If I set up the section in my server ossec.conf file, and I try to stop the NTPD process on my server, the rule is fired, and the active response is executed on my server. But when the rule is fired by the agent, t

Re: [ossec-list] Re: OSSEC Active Response

2013-04-04 Thread Jb Cheng
Also, check the file permission and ownership. Mine is: -r--r- 1 root ossec 153 Mar 28 18:18 ar.conf On Thursday, April 4, 2013 7:38:17 AM UTC-7, dan (ddpbsd) wrote: > > On Thu, Apr 4, 2013 at 9:29 AM, Mike Gibson > > > wrote: > > My file contains the following. > > > > restart-osse

Re: [ossec-list] Re: OSSEC Active Response

2013-04-04 Thread dan (ddp)
On Thu, Apr 4, 2013 at 9:29 AM, Mike Gibson wrote: > My file contains the following. > > restart-ossec0 - restart-ossec.sh - 0 > restart-ossec0 - restart-ossec.cmd - 0 > host-deny600 - host-deny.sh - 600 > firewall-drop600 - firewall-drop.sh - 600 > win_nullroute600 - route-null.cmd - 600 > > Mike

Re: [ossec-list] Re: OSSEC Active Response

2013-04-04 Thread Mike Gibson
My file contains the following. restart-ossec0 - restart-ossec.sh - 0 restart-ossec0 - restart-ossec.cmd - 0 host-deny600 - host-deny.sh - 600 firewall-drop600 - firewall-drop.sh - 600 win_nullroute600 - route-null.cmd - 600 Mike On Wed, Apr 3, 2013 at 10:28 PM, Jb Cheng wrote: > agent_contro

[ossec-list] Re: OSSEC Active Response

2013-04-03 Thread Jb Cheng
agent_control -L checks the content of the file shared/ar.conf. What is the content of this file on your OSSEC server? On Wednesday, April 3, 2013 4:58:40 PM UTC-7, MDG wrote: > > Hello, > > I am trying to get Active Response working and having a bit of > difficulty. I have followed the instruc

Re: [ossec-list] Re: OSSEC Active Response - "dstip"

2010-12-16 Thread Rutger Sassen
Hi, Another approach would be to use granular email for the specific event(s) and configure Postfix (or the MTA of your choice) to execute your script for mailbox delivery to that specific user. The email contains the entire log message, so no need to grep in the alert log. I admit it's a bi

Re: [ossec-list] Re: OSSEC Active Response - "dstip"

2010-12-15 Thread Christopher Moraes
Hi, the docs (http://www.ossec.net/doc/manual/ar/ar-custom.html) mention 6 parameters that are passed to an active response command: 1. action (delete or add) 2. user name (or - if not set) 3. src ip (or - if not set) 4. Alert id (unique for every alert) 5. Rule id 6. Agent name/ho

[ossec-list] Re: OSSEC Active Response - "dstip"

2010-12-15 Thread jplee3
For now I've had to use "user" and "srcip" as those appear to be the only flags that can be passed through... For example, I'm using "user" to display what the hostname is and "srcip" what the dstip would be. After reading around, it looks like you can't pass dstip. It would be *awesome* if passing