Another big feature that we never got around to implementing until now. For version 1.6, OSSEC will ship with the route-null.cmd script, which blocks an IP address on Windows by modifying the route table entry for that address.
To get started, you will need at least the snapshot http://www.ossec.net/files/snapshots/ossec-win32-080820.exe on the agent, and the latest snapshot on the management server too.
With that installed, you need to enable active response on the Windows agent (it is disabled by default). To do that, just add the following to the agent’s ossec.conf:
After that, you need to go to the manager and specify when to run the response. Adding the following to ossec.conf will enable the responses for alerts above level 6:
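The two configuration fragments as an added example, not the post's own snippets: the agent side switches active response on, and the manager side declares the route-null.cmd command and binds it to alerts of level 6 and above. The command name, the 600-second timeout (which gives the response name win_nullroute600 shown by agent_control) and the local location are assumptions chosen to match the output later in the post.

```xml
<!-- Agent (Windows) ossec.conf: active response is off by default -->
<ossec_config>
  <active-response>
    <disabled>no</disabled>
  </active-response>
</ossec_config>

<!-- Manager ossec.conf: define the command, then decide when it runs -->
<ossec_config>
  <command>
    <name>win_nullroute</name>          <!-- assumed name -->
    <executable>route-null.cmd</executable>
    <expect>srcip</expect>               <!-- the alert's source IP is passed to the script -->
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>win_nullroute</command>
    <location>local</location>           <!-- run on the agent that raised the alert -->
    <level>6</level>                     <!-- level 6 and above -->
    <timeout>600</timeout>               <!-- assumed: route removed again after 600 s -->
  </active-response>
</ossec_config>
```

Because the response fires on any level 6 alert, keep a timeout so that a false positive only null-routes a host temporarily, and confirm on the manager with agent_control -L that the timed response name appears before enabling it on production agents.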
With the configuration completed (and the manager restarted), you can test the active response by running the agent_control script (in this case, I am running it on agent id 185 to block IP 184.108.40.206):
# /var/ossec/bin/agent_control -L
OSSEC HIDS agent_control. Available active responses:
Response name: host-deny600, command: host-deny.sh
Response name: firewall-drop600, command: firewall-drop.sh
Response name: win_nullroute600, command: route-null.cmd
# /var/ossec/bin/agent_control -b 220.127.116.11 -f win_nullroute600 -u 185
OSSEC HIDS agent_control: Running active response 'win_nullroute600' on: 185
Looking at the agent, you should see the new entry in the route table:
Network Destination Netmask Gateway Interface Metric
18.104.22.168 255.255.255.255 x.y.z x.y.z 1
If you run into any issues, look at the ossec.log file (on the agent) for entries from ossec-execd. If you enabled it correctly, you will see:
2008/08/20 11:53:49 ossec-execd: INFO: Started (pid: 3896).
As always, we are very open to suggestions, comments, bug reports, etc.