Windows: Active Response Configuration

To start, you need to enable active response on Windows (disabled by default). To do that, just add the following to the agent’s ossec.conf:


After that, you need to go to the manager and specify when to run the response. Adding the following to ossec.conf will enable the responses for alerts above level 6:



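As an added example (not the post's own configuration, which is not shown above), here are the two ossec.conf fragments the steps above describe, written in the standard OSSEC syntax: the agent-side switch and the manager-side command definition plus its binding to alert level 6. The executable route-null.cmd, the level 6 and the 600-second timeout come from the post; the base command name win_nullroute (agent_control lists responses as command name plus timeout, hence win_nullroute600) and the srcip argument are assumptions.

```xml
<!-- Fragment 1: the Windows agent's ossec.conf.
     Active response is off by default on Windows agents, so it must be
     switched on explicitly. -->
<ossec_config>
  <active-response>
    <disabled>no</disabled>
  </active-response>
</ossec_config>

<!-- Fragment 2: the manager's ossec.conf.
     First define the command, then bind it to an alert level.
     Assumptions (not from the post): the command name "win_nullroute"
     and "srcip" as the argument passed to the script. -->
<ossec_config>
  <command>
    <name>win_nullroute</name>
    <!-- script shipped with the agent; runs on the Windows host -->
    <executable>route-null.cmd</executable>
    <!-- the script receives the source IP of the alert -->
    <expect>srcip</expect>
    <!-- required so the null route can be removed after the timeout -->
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>win_nullroute</command>
    <!-- "local": run on the agent that generated the alert -->
    <location>local</location>
    <!-- fire for alerts of level 6 and higher -->
    <level>6</level>
    <!-- seconds until the route is removed again (10 minutes) -->
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

After restarting the manager, agent_control -L should list the response as win_nullroute600 with command route-null.cmd, as in the session shown next.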
With the configuration completed (and the manager restarted), you can test the active response by running the agent-control script (in this case, I am running it on agent id 185 to block ip

# /var/ossec/bin/agent_control -L

OSSEC HIDS agent_control. Available active responses:

Response name: host-deny600, command:
Response name: firewall-drop600, command:
Response name: win_nullroute600, command: route-null.cmd

# /var/ossec/bin/agent_control -b -f win_nullroute600 -u 185

OSSEC HIDS agent_control: Running active response 'win_nullroute600' on: 185

And looking at the agent you should see the new entry in the route table:

C:\>route print
Active Routes:
Network Destination  Netmask  Gateway  Interface  Metric
x.y.z                x.y.z                        1

If you run into any issues, look at ossec.log on the agent for entries from ossec-execd. If you enabled it correctly, you will see:

2008/08/20 11:53:49 ossec-execd: INFO: Started (pid: 3896).