Active response on Windows

Published 2008-08-20 (last modified 2020-07-02)
https://defragged.org/ossec/2008/08/active-response-on-windows/

Another big feature that we never got around to implementing until now. For version 1.6, OSSEC (http://www.ossec.net/) will come with the route-null.cmd script to block an IP address on Windows by modifying the route to it.

To get started, you will need at least the snapshot http://www.ossec.net/files/snapshots/ossec-win32-080820.exe and the latest snapshot for the management server too.

With that installed, you need to enable active response on Windows (it is disabled by default). To do that, add the following to the agent's ossec.conf:

    <active-response>
      <disabled>no</disabled>
    </active-response>

After that, go to the manager and specify when to run the response. Adding the following to the manager's ossec.conf will enable the response for alerts above level 6:

    <command>
      <name>win_nullroute</name>
      <executable>route-null.cmd</executable>
      <expect>srcip</expect>
      <timeout_allowed>yes</timeout_allowed>
    </command>

    <active-response>
      <command>win_nullroute</command>
      <location>local</location>
      <level>6</level>
      <timeout>600</timeout>
    </active-response>

With the configuration completed (and the manager restarted), you can test the active response with the agent_control tool. Note that the response is listed as win_nullroute600: OSSEC appends the configured timeout (600 seconds) to the command name. In this case, I am running it on agent id 185 to block IP 2.3.4.5:

    # /var/ossec/bin/agent_control -L

    OSSEC HIDS agent_control. Available active responses:

    Response name: host-deny600, command: host-deny.sh
    Response name: firewall-drop600, command: firewall-drop.sh
    Response name: win_nullroute600, command: route-null.cmd

    # /var/ossec/bin/agent_control -b 2.3.4.5 -f win_nullroute600 -u 185

    OSSEC HIDS agent_control: Running active response 'win_nullroute600' on: 185

Looking at the agent, you should see the new entry in the route table:

    C:\>route print
    ..
    Active Routes:
    Network Destination        Netmask          Gateway    Interface  Metric
    2.3.4.5                    255.255.255.255  x.y.z      x.y.z      1
    ..

If you run into any issues, look at the ossec.log file on the agent for entries from ossec-execd. If you enabled it correctly, you will see:

    2008/08/20 11:53:49 ossec-execd: INFO: Started (pid: 3896).

As always, we are very open to suggestions, comments, bug reports, etc.

Thanks,