I need help with implementing a new OSSEC monitoring process for USB drive insertion


pmsearle90

Jun 4, 2014, 4:26:42 PM
to ossec...@googlegroups.com
I have worked with OSSEC in the past and taken over in the last three months our OSSEC infrastructure, so have mercy...
 
I am following up after reading this thread and trying to implement USB thumb drive insertion monitoring:
 
 
and trying to follow the 2.7.1 documentation from Daniel Cid on USB storage detection example for using the <check_diff /> feature:
 
 
I do not get the server to add the directory to the "/diff/" subdirectory:
 

Next create a local rule for that command:

<rule id="140125" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'reg QUERY</match>
    <check_diff />
    <description>New USB device connected</description>
</rule>

Now after a few minutes you will see a directory at /var/ossec/queue/diff/[agent_name]/[rule_id] with the current snapshot of this command

 
I get the following excerpt on my client side log (from service restart) and then nothing on my alert log on the server:
 
2014/06/04 13:10:11 ossec-agent: Exiting...
2014/06/04 13:10:11 ossec-agent: Remote commands are not accepted from the manager. Ignoring it on the agent.conf
2014/06/04 13:10:11 ossec-agent(1202): ERROR: Configuration error at 'shared/agent.conf'. Exiting.
2014/06/04 13:10:11 ossec-execd(1350): INFO: Active response disabled. Exiting.
2014/06/04 13:10:11 ossec-agent(1410): INFO: Reading authentication keys file.
2014/06/04 13:10:11 ossec-agent: INFO: Assigning counter for agent AZS1901RG03: '99746:8391'.
2014/06/04 13:10:11 ossec-agent: INFO: Assigning sender counter: 7:4371
2014/06/04 13:10:11 ossec-agent: INFO: Trying to connect to server (10.1.16.26:1514).
2014/06/04 13:10:11 ossec-agent: INFO: Using IPv4 for: 10.1.16.26 .
2014/06/04 13:10:11 ossec-agent: Starting syscheckd thread.
2014/06/04 13:10:11 ossec-rootcheck: INFO: Started (pid: 4924).
Thanks for any help in advance,
Paul

dan (ddp)

Jun 4, 2014, 4:41:15 PM
to ossec...@googlegroups.com
What's the question?

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

pmsearle90

Jun 4, 2014, 5:05:53 PM
to ossec...@googlegroups.com
Thanks for following up Dan. I apologize for not being clear...
 
I am not getting the alert log on the server to recognize the insertion or removal.
I am not getting what Daniel said I should see on the server file structure.
what could I do to further troubleshoot??
 
However, FYI>>
I have just followed your suggestion from another post and changed my set-up. Instead of using agent.config, I placed the command in the Windows agent ossec.conf file and used the aliases that you suggested:
Now I get some sign on the client side but nothing on the server side that I can see in 'alerts.log' on the OSSEC server:
 
client log:
2014/06/04 13:53:57 ossec-agent(4102): INFO: Connected to the server (10.1.16.26:1514).
2014/06/04 13:53:57 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
2014/06/04 13:53:57 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
2014/06/04 13:53:57 ossec-agent(1951): INFO: Analyzing event log: 'System'.
2014/06/04 13:53:57 ossec-agent: INFO: Monitoring full output of command(360): reg QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
2014/06/04 13:53:57 ossec-agent: INFO: Started (pid: 5832).
I just turned debugging on in the client internal_options
syscheck.debug=1
What other debugging should I use or newbie mistake might I fix???
thanks in advance again,
Paul

dan (ddp)

Jun 4, 2014, 5:14:29 PM
to ossec...@googlegroups.com


On Jun 4, 2014 5:06 PM, "pmsearle90" <pmsea...@gmail.com> wrote:
>
> Thanks for following up Dan. I apologize for not being clear...
>  
> I am not getting the alert log on the server to recognize the insertion or removal.
> I am not getting what Daniel said I should see on the server file structure.
> what could I do to further troubleshoot??
>  
> However, FYI>>
> I have just followed your suggestion from another post and changed my set-up. instead of using agent.config , I placed the command in the windows agent ossec.conf file and used the alias' that you suggested:
>>

Commands should go in the ossec.conf, not agent.conf. Putting it in the agent.conf requires additional configuration on the agent.

pmsearle90

Jun 4, 2014, 5:21:45 PM
to ossec...@googlegroups.com
Oh and I am using version 2.6 on the client and the server.

On Wednesday, June 4, 2014 3:26:42 PM UTC-5, pmsearle90 wrote:

dan (ddp)

Jun 5, 2014, 8:11:30 AM
to ossec...@googlegroups.com
This isn't a syscheck thing.

> What other debugging should I use or newbie mistake might I fix???

Turn on the log all option on the manager. You can then monitor the
archives.log file for instances of the output from your command. That
will help you determine whether the match in your rule is incorrect,
or if there are other issues.

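The two checks Dan describes (does the rule's `<match>` string actually occur in what the agent sends, and what does `<check_diff />` compare between runs) can be exercised offline before touching the manager. The script below is an added example, not code from this thread or from the OSSEC project: it runs the rule's `<match>` substring against constructed archives.log records and then mirrors the snapshot-and-compare behaviour of `<check_diff />` (the per-agent, per-rule snapshot OSSEC keeps under `/var/ossec/queue/diff/[agent_name]/[rule_id]`). The archives.log line layout, the agent name `LAB-PC-02`, the device subkeys, and the assumption that the very first snapshot is stored without raising an alert are all constructed for the example.

```python
"""Offline sanity check for an OSSEC full_command rule with <check_diff />.

Added example (not from the thread or the OSSEC project). It shows:
  1. whether the rule's <match> substring occurs in an archived event;
  2. what <check_diff /> would flag when successive command outputs differ.
"""
import difflib
import re
from typing import Dict, List, Optional, Tuple

# <match> value and rule id from the rule posted in the thread. OSSEC's
# <match> is a plain substring test, so that is exactly what is checked here.
RULE_MATCH = "ossec: output: 'reg QUERY"
RULE_ID = "140125"

USBSTOR = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR"


def _event(ts: str, agent: str, *subkeys: str) -> str:
    """Build a constructed archives.log record for one full_command run.

    The "<timestamp> (<agent>) <location> ossec: output: '<cmd>': <output>"
    layout is an assumption about how the manager archives these events.
    """
    out = "\n".join(USBSTOR + "\\" + k for k in subkeys)
    return (f"{ts} ({agent}) any->reg QUERY {USBSTOR} "
            f"ossec: output: 'reg QUERY {USBSTOR}': {out}")


# Constructed sample records: two agents, one unrelated line in between.
SAMPLE_EVENTS: List[str] = [
    _event("2014 Jun 05 08:10:00", "AZS1901RG03",
           "Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00"),
    _event("2014 Jun 05 08:16:00", "AZS1901RG03",
           "Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00"),
    _event("2014 Jun 05 08:16:30", "LAB-PC-02",
           "Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26"),
    _event("2014 Jun 05 08:22:00", "AZS1901RG03",
           "Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00",
           "Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26"),
    "2014 Jun 05 08:22:01 (AZS1901RG03) any->System unrelated event log line",
    _event("2014 Jun 05 08:22:30", "LAB-PC-02",
           "Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26",
           "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07"),
]


def rule_matches(event: str, match: str = RULE_MATCH) -> bool:
    """Substring test, the same semantics OSSEC applies to <match>."""
    return match in event


def parse_line(event: str) -> Optional[Tuple[str, str, str]]:
    """Return (agent, command, output) for a full_command record, else None."""
    head, sep, tail = event.partition("ossec: output: '")
    if not sep:
        return None
    agent = re.search(r"\(([^)]+)\)", head)
    cmd, sep2, out = tail.partition("':")
    if not agent or not sep2:
        return None
    return agent.group(1), cmd, out.strip()


class DiffState:
    """Last snapshot per (agent, rule_id), like queue/diff/<agent>/<rule_id>."""

    def __init__(self) -> None:
        self.snapshots: Dict[Tuple[str, str], str] = {}

    def check(self, agent: str, rule_id: str, output: str) -> Optional[str]:
        """Return a unified diff when output changed since the last snapshot.

        Assumption: the first snapshot for a key is stored silently.
        """
        key = (agent, rule_id)
        previous = self.snapshots.get(key)
        self.snapshots[key] = output
        if previous is None or previous == output:
            return None
        return "\n".join(difflib.unified_diff(
            previous.splitlines(), output.splitlines(),
            fromfile="previous", tofile="current", lineterm=""))


def process(events: List[str], state: Optional[DiffState] = None) -> List[dict]:
    """Run the <match> test and the check_diff simulation over archived events."""
    state = state or DiffState()
    alerts: List[dict] = []
    for ev in events:
        if not rule_matches(ev):
            continue  # rule 140125 would never see this event
        parsed = parse_line(ev)
        if parsed is None:
            continue
        agent, _cmd, out = parsed
        diff = state.check(agent, RULE_ID, out)
        if diff is not None:
            alerts.append({"agent": agent, "rule": RULE_ID, "diff": diff})
    return alerts


if __name__ == "__main__":
    for alert in process(SAMPLE_EVENTS):
        print(f"rule {alert['rule']} agent {alert['agent']}\n{alert['diff']}\n")
```

If `rule_matches` is false for the real lines you pull out of archives.log, the `<match>` text is the problem; if it is true but the snapshot never changes, the command output is the problem. One caveat when reading the diffs: the USBSTOR key keeps an entry for every storage device that has ever been enumerated, so this command surfaces first-time insertions of a new device, not removals or repeat insertions of a device already listed.
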
dan (ddp)

Jun 5, 2014, 8:11:30 AM
to ossec...@googlegroups.com
On Wed, Jun 4, 2014 at 5:21 PM, pmsearle90 <pmsea...@gmail.com> wrote:
> Oh and I am using version 2.6 on the client and the server.
>

That makes things significantly harder to troubleshoot. I haven't used
that version in a long time, and have no test infrastructure.

Paul Searle

Jun 5, 2014, 9:46:58 AM
to ossec...@googlegroups.com

Dan, could you point me to any upgrade / migration notes or articles...
Thanks,
Paul


dan (ddp)

Jun 5, 2014, 9:48:32 AM
to ossec...@googlegroups.com
On Thu, Jun 5, 2014 at 9:35 AM, Paul Searle <pmsea...@gmail.com> wrote:
> Dan, could you point me to any upgrade / migration notes or articles...
> Thanks,
> Paul
>

There's nothing official that I'm aware of.