Windows Active Response Default Settings


Abdulvehhab Agin

Feb 4, 2016, 1:55:42 AM
to ossec-list
Hi

The OSSEC setup prepared for Windows installs an ossec.conf file with active response <disabled>yes</disabled> by default.

However, in Linux there is no active response tag, which means that it is ready for active response.


Why is it disabled by default in the Windows installation?

Pedro S

Feb 8, 2016, 5:39:15 AM
to ossec-list
Hi,

Active-response is only supported by the local and server installations.
Local and server installations only work on Linux, so Windows does not have active-response functionality; that's why it is disabled by default on Windows agents.


Regards,

Pedro S.

dan (ddp)

Feb 8, 2016, 5:44:43 AM
to ossec...@googlegroups.com


On Feb 8, 2016 5:39 AM, "Pedro S" <pe...@wazuh.com> wrote:
>
> Hi,
>
> Active-response is only supported by the local and server installations.
> Local and server installations only work on Linux, so Windows does not have active-response functionality; that's why it is disabled by default on Windows agents.
>
> Refer to OSSEC documentation: http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.active-response.html
>

The documentation is weird; you can use active response on agents as well. It is supported on Windows, but I don't know why it's disabled by default.

> Regards,
>
> Pedro S.
>
>
> On Thursday, February 4, 2016 at 7:55:42 AM UTC+1, Abdulvehhab Agin wrote:
>>
>> Hi
>>
>> The OSSEC setup prepared for Windows installs an ossec.conf file with active response <disabled>yes</disabled> by default.
>>
>> However, in Linux there is no active response tag, which means that it is ready for active response.
>>
>>
>> Why is it disabled by default in the Windows installation?
>


Pedro S

Feb 8, 2016, 5:50:40 AM
to ossec-list
You are totally right, excuse me.

OSSEC documentation is really weird; you can find info about Windows active response here:

http://ossec-docs.readthedocs.org/en/latest/manual/ar/ar-windows.html

About the disabled by default, it is specified here:

https://github.com/ossec/ossec-hids/blob/master/src/win32/ossec.conf#L133

I think OSSEC uses that file to compile the Windows binary; if you change that line and compile the agent, it will have active-response active by default.

Abdulvehhab Agin

Feb 8, 2016, 9:22:08 AM
to ossec-list
Thanks for your interest.

We are deploying OSSEC with active response enabled on both Linux and Windows.

Actually, I wonder why the Linux and Windows configurations of active response are different.

I realized that there is no special reason to disable/enable active response for Windows.

And I also think this configuration file should be changed on GitHub: https://github.com/ossec/ossec-hids/blob/master/src/win32/ossec.conf#L133





On Monday, February 8, 2016 at 12:50:40 PM UTC+2, Pedro S wrote:
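A small configuration audit, added here as an example and not part of the thread or of OSSEC itself: it reports whether an ossec.conf has active response explicitly disabled (the Windows agent default discussed above) and flips that one setting without touching the rest of the file. The sample configs are constructed, and the rule that any explicit `<disabled>yes</disabled>` disables the feature when blocks repeat is an assumption.

```python
"""Check an OSSEC ossec.conf for the active-response default discussed in the thread."""
import re
import xml.etree.ElementTree as ET

# Constructed sample in the style of the Windows agent default: active response off.
WINDOWS_DEFAULT = """<ossec_config>
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</ossec_config>
"""

# Constructed sample in the style of a Linux install: no <active-response> block,
# which the thread says is treated as ready for active response. Two top-level
# <ossec_config> blocks, as real ossec.conf files have.
LINUX_STYLE = """<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
  </syscheck>
</ossec_config>
<ossec_config>
  <rootcheck>
    <disabled>no</disabled>
  </rootcheck>
</ossec_config>
"""

def active_response_disabled(conf_text: str) -> bool:
    """True only if an <active-response> block says <disabled>yes</disabled>.
    ossec.conf may hold several top-level <ossec_config> blocks, so it is not one
    well-formed XML document; wrap it in a synthetic root before parsing. A missing
    block or <disabled>no</disabled> counts as enabled (assumption: any explicit
    "yes" disables, however OSSEC merges repeated blocks)."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    for ar in root.iter("active-response"):
        flag = ar.find("disabled")
        if flag is not None and (flag.text or "").strip().lower() == "yes":
            return True
    return False

_AR_BLOCK = re.compile(r"<active-response>.*?</active-response>", re.S)

def enable_active_response(conf_text: str) -> str:
    """Flip <disabled>yes</disabled> to no inside <active-response> blocks only,
    working on raw text so the rest of the file stays byte-for-byte intact."""
    def flip(match: re.Match) -> str:
        return re.sub(r"<disabled>\s*yes\s*</disabled>", "<disabled>no</disabled>",
                      match.group(0), flags=re.I)
    return _AR_BLOCK.sub(flip, conf_text)
```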