Windows active response not working


netkey

Apr 7, 2011, 11:04:37 PM
to ossec-list
Hi,

I am running a Windows 2003 Server agent 2.5.1 and a Linux (CentOS 5.4) server of the same version.
I get the level 10 e-mail but the agent does not respond. It is not in the white_list (in the server's ossec.conf).

ossec.conf client:

<active-response>
<disabled>no</disabled>
</active-response>

ossec.conf server:

<command>
<name>win-nullroute</name>
<executable>route-null.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
<command>win-nullroute</command>
<location>local</location>
<level>10</level>
<timeout>600</timeout>
</active-response>

Then I restarted the OSSEC agent and the OSSEC server.

On the server:
[root@localhost ~]# /app/ossec/bin/agent_control -L

OSSEC HIDS agent_control. Available active responses:

Response name: win-nullroute600, command: route-null.cmd
Response name: host-deny600, command: host-deny.sh
Response name: firewall-drop600, command: firewall-drop.sh

[root@localhost ~]# /app/ossec/bin/agent_control -r -u 008 -b 2.3.4.5 -f win-nullroute600

OSSEC HIDS agent_control: Restarting Syscheck/Rootcheck on agent: 008

But it does not seem to add 2.3.4.5 to the route table on the client.

I have C:\Program Files\ossec-agent\active-response/bin/route-null.cmd but see no active-responses.log file.
In C:\Program Files\ossec-agent\shared\ar.conf I can now see:
restart-ossec0 - restart-ossec.sh - 0
restart-ossec0 - restart-ossec.cmd - 0
win-nullroute600 - route-null.cmd - 600
host-deny600 - host-deny.sh - 600
firewall-drop600 - firewall-drop.sh - 600


Sorry for my bad English.

Best regards,

Netkey

netkey

Apr 8, 2011, 1:58:25 AM
to ossec-list
I solved this. Now on the server:

[root@localhost rules]# /app/ossec/bin/agent_control -u 008 -b 2.3.4.5 -f win_nullroute600

OSSEC HIDS agent_control: Running active response 'win_nullroute600' on: 008

And on the client, the active-response.log is:

星期五 (Friday) 12:10 "active-response/bin/route-null.cmd" delete "-" "3.3.3.4" "(from_the_server) (no_rule_id)"

My client's language is Chinese. It seems to work.

But when someone tries to get my administrator's password, I receive some e-mail alerts with level 10, but the active response doesn't work.

Some of the e-mail alerts look like this:

===============================================================

Received From: (Name-53-xxx) xxx.xxx.53.xxx->WinEvtLog
Rule: 18152 fired (level 10) -> "Multiple Windows Logon Failures."
Portion of the log(s):

WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: ZJTG53-xxx: 登录失败: 原因: 用户名未知或密码错误 用户名: administrator 域: ZYC 登录类型: 3 登录进程: NtLmSsp 身份验证数据包: NTLM 工作站名称: ZYC 调用方用户名: - 调用方域: - 调用方登录 ID: - 调用方进程 ID: - 传递服务: - 源网络地址: 122.xxx.xxx.11 源端口: 1318
[English rendering of the Chinese event text: Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: ZYC Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: ZYC Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 122.xxx.xxx.11 Source Port: 1318]
===============================================================

I think it is because my event log is in Chinese, so the decoder can't get the srcip. Isn't it?

Best regards.

Netkey

dan (ddp)

Apr 11, 2011, 2:58:20 PM
to ossec...@googlegroups.com
You can use ossec-logtest to see how ossec decodes an event in another language.
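Netkey's hypothesis above (the Chinese event text defeats the srcip decoder, so an active response that expects srcip never fires) and dan's suggestion to verify it with ossec-logtest, as an added Python example that is not part of this thread and not OSSEC's own code: a simplified stand-in for the Windows logon-failure child decoder, run over constructed events modelled on the two alerts quoted in this thread. The decoder regexes, the decoder names and the sample events (IPs and host names replaced) are assumptions; the real decoders live in OSSEC's decoder.xml, and ossec-logtest is the authoritative check. The example goes one step beyond the thread: it also feeds in a console logon, whose Source Network Address is "-", and rejects anything that is not a valid IP address, so a bad decode is never handed to route-null.cmd.

```python
import ipaddress
import re

# Constructed sample events, modelled on the two alerts quoted in this thread
# (IPs and host names replaced; only the fields that matter here are kept).
EVENT_4625_EN = (
    "WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: ip-0A00FD07: An account failed to log on. "
    "Account Name: administrator Logon Type: 10 "
    "Network Information: Workstation Name: IP-0A00FD07 "
    "Source Network Address: 115.236.163.106 Source Port: 55909"
)
EVENT_529_ZH = (
    "WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: ZJTG53-xxx: "
    "登录失败: 原因: 用户名未知或密码错误 用户名: administrator 域: ZYC 登录类型: 3 "
    "源网络地址: 122.0.0.11 源端口: 1318"
)
# Constructed console (interactive) logon failure: Windows writes "-" as the address.
EVENT_4625_LOCAL = (
    "WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: ip-0A00FD07: An account failed to log on. "
    "Account Name: administrator Logon Type: 2 "
    "Source Network Address: - Source Port: -"
)

# Stand-in for the OSSEC child decoder that fills srcip (assumed shape and name;
# the real one is in decoder.xml). Entry: decoder name -> regex whose group 1 is srcip.
DEFAULT_DECODERS = {
    "windows-logon-failure": re.compile(r"Source Network Address:\s+(\S+)"),
}

# The same decoders plus the Chinese field label: the fix netkey's hypothesis points to.
LOCALIZED_DECODERS = dict(DEFAULT_DECODERS)
LOCALIZED_DECODERS["windows-logon-failure-zh"] = re.compile(r"源网络地址:\s+(\S+)")


def decode_srcip(event, decoders=DEFAULT_DECODERS):
    """Return the srcip a decoder extracts from a WinEvtLog line, or None.

    This is what the "srcip" line of ossec-logtest would show: no regex match
    means the field is simply absent. "-" and anything that is not a valid IP
    address are treated as absent too, so nothing unusable reaches route-null.cmd.
    """
    if not event.startswith("WinEvtLog: "):
        return None
    for regex in decoders.values():
        match = regex.search(event)
        if not match:
            continue
        try:
            return str(ipaddress.ip_address(match.group(1)))
        except ValueError:
            return None
    return None


def active_response_fires(event, alert_level, decoders=DEFAULT_DECODERS, min_level=10):
    """Gate the way an <active-response> with <expect>srcip</expect> does.

    The command is dispatched only when the alert reaches the configured level
    AND the alert carries the expected field. A level-10 alert without srcip is
    still e-mailed but never acted on, which is the symptom described above.
    """
    return alert_level >= min_level and decode_srcip(event, decoders) is not None


if __name__ == "__main__":
    for name, event in (("English 4625", EVENT_4625_EN),
                        ("Chinese 529", EVENT_529_ZH),
                        ("local 4625", EVENT_4625_LOCAL)):
        print(f"{name:12s} default: {decode_srcip(event)!s:16s} "
              f"localized: {decode_srcip(event, LOCALIZED_DECODERS)}")
```

With the default decoder only the English event yields an srcip, so only it would trigger win_nullroute600; adding the localized pattern makes the Chinese 529 event usable, and the console logon correctly produces nothing rather than a route to "-".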

dan (ddp)

Aug 10, 2012, 9:02:18 AM
to ossec...@googlegroups.com
On Fri, Aug 10, 2012 at 8:44 AM, Deerwalker <sysa...@system.deerwalk.com> wrote:
> Hello all,
>
> Good day,
>
> We have configured active-response for windows machine as suggested in
> http://www.ossec.net/doc/manual/ar/ar-windows.html
>
> While executing agent_control -b 1.2.3.6 -f win_nullroute600 -u 001 we are
> getting the response below, and we are also getting the null route added for the
> IP address 1.2.3.6 on the target machine.
>
> agent_control -b 1.2.3.6 -f win_nullroute600 -u 001
>
> OSSEC HIDS agent_control: Running active response 'win_nullroute600' on: 001
>
> However, when someone is trying to make unauthorized access, the active
> response seems not to be working, because we are still getting multiple
> login failure messages with the following details.
>
> Rule: 18152 fired (level 10) -> "Multiple Windows Logon Failures."
> Portion of the log(s):
>
> WinEvtLog: Security: AUDIT_FAILURE(4625):
> Microsoft-Windows-Security-Auditing: (no user): no domain: ip-0A00FD07: An
> account failed to log on. Subject: Security ID: S-1-5-18 Account Name:
> IP-0A00FD07$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 10
> Account For Which Logon Failed: Security ID: S-1-0-0 Account Name:
> administrator Account Domain: IP-0A00FD07 Failure Information: Failure
> Reason: %%2313 Status: 0xc000006d Sub Status: 0xc000006a Process
> Information: Caller Process ID: 0x77c Caller Process Name:
> C:\Windows\System32\winlogon.exe Network Information: Workstation Name:
> IP-0A00FD07 Source Network Address: 115.236.163.106 Source Port: 55909
> Detailed Authentication Information: Logon Process: User32
> Authentication Package: Negotiate Transited Services: - Package Name (NTLM
> only): - Key Length: 0 This event is generated when a logon request
> fails. It is generated on the computer where access was attempted.
>
> Any clue?
>
> Is there another way to know if active response is working or not?
>
> Thanks
>

On non-windows platforms there's an active response log file. Check to
see if one exists for Windows.
Also, double check to make sure that AR is enabled on the agent, and
that your test actually works (check on the agent).
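dan's two checks (does the agent have an active-responses log, and did the test really run on the agent) and Deerwalker's question of whether there is another way to tell if active response is working, as an added Python example that is not from this thread and not OSSEC's own code: it reads the agent's active-responses log and separates commands pushed manually with agent_control from ones triggered by a rule. A log holding only "(from_the_server) (no_rule_id)" records proves the manual test works but says nothing about the rule-driven path; a record carrying a rule id (18152 here) proves the whole chain fired. The field order after the timestamp (script, action, user, srcip, then alert id and rule id), the sample lines (IPs replaced, the last record constructed to show a bad srcip) and the shape of the Unix-style line are assumptions taken from the lines quoted earlier in this thread.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape of the active-responses log. The first
# two mirror the Windows agent line quoted earlier in this thread (locale day
# name, quoted fields); the third is the Unix agent form; the last one is
# constructed to show a decoder handing a non-IP to the script. IPs are placeholders.
SAMPLE_LOG = """\
星期五 12:10 "active-response/bin/route-null.cmd" add "-" "3.3.3.4" "(from_the_server) (no_rule_id)"
星期五 12:20 "active-response/bin/route-null.cmd" delete "-" "3.3.3.4" "(from_the_server) (no_rule_id)"
Fri Apr  8 13:05:11 CST 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 122.0.0.11 1302239111.4521 18152
星期五 13:05 "active-response/bin/route-null.cmd" add "-" "122.0.0.11" "1302239111.4521 18152"
星期五 13:07 "active-response/bin/route-null.cmd" add "-" "-" "1302239231.9980 18152"
this line is not an active-response record
"""

# A token is either a double-quoted string (group 1) or a bare word (group 2).
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def parse_ar_line(line):
    """Parse one active-responses log line into a dict, or None if it is not one.

    The timestamp is skipped by locating the script token, so the locale of the
    day name (星期五 versus Fri) does not matter. Assumed field order after the
    script: action, user, srcip, then either "alert-id rule-id" or the
    "(from_the_server) (no_rule_id)" marker of a command pushed by agent_control.
    """
    tokens = [quoted or bare for quoted, bare in _TOKEN.findall(line)]
    idx = next((i for i, t in enumerate(tokens) if "active-response" in t), None)
    if idx is None or len(tokens) < idx + 5:
        return None
    script, action, user, ip = tokens[idx:idx + 4]
    if action not in ("add", "delete"):
        return None
    origin = " ".join(tokens[idx + 4:])
    tail = origin.split()[-1]
    return {
        "script": script.replace("\\", "/").rsplit("/", 1)[-1],
        "action": action,
        "user": user,
        "ip": ip,
        "rule_id": tail if tail.isdigit() else None,
    }


def summarize(log_text):
    """Answer "is active response actually working?" from the agent's own log.

    Reports how many records came from rules versus manual agent_control tests,
    which rule ids fired, which addresses are still blocked (an add with no later
    delete: a timeout that has not expired yet, or a stale entry), and any value
    that is not an IP address but reached a script anyway.
    """
    records = [r for r in map(parse_ar_line, log_text.splitlines()) if r]
    by_origin = Counter("rule" if r["rule_id"] else "manual" for r in records)
    balance = defaultdict(int)
    bad_ips = set()
    for r in records:
        try:
            ipaddress.ip_address(r["ip"])
        except ValueError:
            bad_ips.add(r["ip"])
            continue
        balance[(r["script"], r["ip"])] += 1 if r["action"] == "add" else -1
    return {
        "records": len(records),
        "rule_triggered": by_origin["rule"],
        "manual": by_origin["manual"],
        "rule_ids": sorted({r["rule_id"] for r in records if r["rule_id"]}),
        "still_blocked": sorted(f"{ip} ({script})"
                                for (script, ip), n in balance.items() if n > 0),
        "bad_ips": sorted(bad_ips),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key:15s} {value}")
```

Run it against the real file with summarize(open(path, encoding="utf-8").read()) on the agent. A non-zero rule_triggered count is the positive evidence dan asks for; a non-empty bad_ips list means a decoder produced something route ADD cannot use, and a still_blocked entry older than the configured timeout (600 s in the win_nullroute600 response) is a route that was never removed and should be cleaned up by hand.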