
List:       ossec-list
Subject:    Re: [ossec-list] Windows Active response
From:       Daniel Cid <daniel.cid () gmail ! com>
Date:       2010-02-19 14:25:45
Message-ID: b92e6f201002190625h52be7d9fwe5da68283fbabe07 () mail ! gmail ! com

Hi Pete,

That's a very good idea. We have an active response on Windows using the
route command (to redirect to a null route), but having one using netsh
would be great. Btw, do you know which versions of Windows come with
netsh by default?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Wed, Feb 17, 2010 at 10:51 PM, Pete F <fahlenkp@gmail.com> wrote:
> I love OSSEC on Linux, just wish I had the same functionality in
> window$. I read an older post about Windows IPsec possibilities for active
> response. I have the netsh commands all worked out to add and then
> delete an IP. I'm about to go home, I guess I'm soliciting direction
> on what to tackle next. I posted the netsh to block my page IP and
> slashdot, then unblock my page here: http://windowsnerd.com/2010/02/17/windows-and-ossec-ipsec-blocks/
>
> I chose just a straight IP block vs doing a port because if someone is
> attacking, I'd rather go ahead and block the whole source IP than the
> individual port or service. I can modify the netsh fun if you want it
> per port etc. Anyhow I hope this can help with any sort of development
> work. I'm sure it won't be too hard to change the IP dynamically based
> on parsing logs. I'll be more than happy to help out as much as I can
> on OSSEC for Windows. I'm not a coder, but I can go bug the dev guys
> down the hall if you give me tasks.
>
> Thanks,
>
> Pete Fahlenkamp
>
>