Is a local_decoder.xml needed for USB detection ?


Neeraj Shah

Mar 29, 2018, 9:17:23 PM
to ossec-list
Hi all,

I have configured the win_audit_rcl.txt file on my Windows agent to detect USB drives as per this URL: https://blog.rootshell.be/2010/03/15/detecting-usb-storage-usage-with-ossec/. It is working as expected. I can see the message "USB Drive detected" make it to the archive.log file on the OSSEC server.

What do I need to do next to make this message display as an ALERT in the Web UI? Do we have to create a local_decoder.xml file, or do we have to create a rule in the local_rules.xml file? I am currently using Security Onion, which has the OSSEC server preinstalled.

Likewise, I am also getting some Windows events forwarded from the "Power Shell" event group in Windows Event Viewer. I can see these events make it to the OSSEC server, but I need them to show as an ALERT in the web UI. Won't the prebuilt Windows-related rules/decoders that come along with OSSEC.

Thanks

dan (ddp)

Mar 30, 2018, 7:56:40 AM
to ossec...@googlegroups.com
On Thu, Mar 29, 2018 at 9:17 PM, Neeraj Shah <neeraj...@gmail.com> wrote:
> Hi all,
>
> I have configured the win_audit_rcl.txt file on my Windows agent to detect
> USB drive as per this URL :
> https://blog.rootshell.be/2010/03/15/detecting-usb-storage-usage-with-ossec/
> . It is working as expected. I can see the message "USB Drive detected"
> make it to the archive.log file on the OSSEC server.
>
> What do i need to do next to make this msg display as an ALERT in the Web UI
> ? Do we have to create a local_decoder.xml file or do we have to create a
> rule in local_rules.xml file ? I am currently using Security Onion which
> has OSSEC server preinstalled.
>

You'll probably have to create a rule. I don't have a Windows install
handy to get a log sample, so not a lot I can do.
You can use /var/ossec/bin/ossec-logtest to help create a rule though.

> Likewise, similarly i am also getting some windows events forwarded from the
> "Power Shell" event group in Windows Event Viewer. I can see these events
> make it to the OSSEC server but i need them to show as an ALERT in the web
> ui. Won't the prebuilt windows related rules/decoders that come along with
> OSSEC.
>

Create a rule.

> Thanks
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

Neeraj Shah

Mar 30, 2018, 3:39:01 PM
to ossec-list
Hi Dan, I went ahead and created both a local_decoder and a corresponding rule in local_rules.xml. I then ran the "/var/ossec/bin/ossec-logtest" command against my log lines, and it passed the test. The output showed Decoder matched and the "Alert to be generated" message, as shown below. I then restarted the ossec-server after that. Now when I again plug in a USB drive on my Windows agent to test, I see the USB detection event make it to the archives.log file on the server, but it still didn't create an alert. When I check the alerts.log file it does not have any log entry for my USB event. The ossec-logtest passed successfully. What am I missing?


root@securityonion:/var/ossec/logs/alerts# /var/ossec/bin/ossec-logtest
2018/03/30 19:36:01 ossec-testrule: INFO: Reading local decoder file.
2018/03/30 19:36:01 ossec-testrule: INFO: Started (pid: 18771).
ossec-testrule: Type one log per line.

018 Mar 29 21:50:02 (ENGG-WORKSTATION) 172.16.3.10->rootcheck Windows Audit: USB Storage Inserted


**Phase 1: Completed pre-decoding.
       full event: '018 Mar 29 21:50:02 (ENGG-WORKSTATION) 172.16.3.10->rootcheck Windows Audit: USB Storage Inserted'
       hostname: 'securityonion'
       program_name: '(null)'
       log: '018 Mar 29 21:50:02 (ENGG-WORKSTATION) 172.16.3.10->rootcheck Windows Audit: USB Storage Inserted'

**Phase 2: Completed decoding.
       decoder: 'ICS-lab-detect'
       srcip: '172.16.3.10'

**Phase 3: Completed filtering (rules).
       Rule id: '110001'
       Level: '3'
       Description: 'USB drive detected'
**Alert to be generated.


This is a snippet of my local_rules.xml: 


<group name="syslog,ICS-lab-detect,">
  <rule id="110000" level="0">
    <decoded_as>ICS-lab-detect</decoded_as>
    <description>ICS Lab custom anomaly detection</description>
  </rule>

  <rule id="110001" level="3">
    <if_sid>110000</if_sid>
    <match>USB</match>
    <description>USB drive detected</description>
  </rule>

  <rule id="110002" level="3">
    <if_sid>110000</if_sid>
    <match>failure</match>
    <description>FactoryTalk Administration Console login failure</description>
  </rule>
</group>
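One thing worth checking when logtest says "Alert to be generated" but alerts.log stays empty: the event pasted into ossec-logtest above is the full archives.log line, including the wrapper the server prepends (timestamp, agent name, agent IP, and the "->rootcheck" location), and the custom decoder pulled srcip '172.16.3.10' out of that wrapper. What the analysis engine actually receives from the agent is only the text after "->rootcheck " (here "Windows Audit: USB Storage Inserted") with the location carried separately, so a decoder written against the wrapper never fires in production and the 110000 rule chain never runs. The script below is an added example, not code from this thread or from OSSEC; it splits an archives.log line into its wrapper fields and raw log text, then runs the rules from the post through a toy evaluator that models only decoded_as, if_sid and OSSEC's plain-substring match. The sample line is constructed from the post, and the assumption that the live event is decoded as something other than ICS-lab-detect (the location is rootcheck) is exactly the case the second call shows.

```python
"""Split an OSSEC archives.log line into what the analysis engine really sees,
then run the thread's local_rules.xml through a toy rule evaluator."""
import re
import xml.etree.ElementTree as ET

# Constructed from the post: one line as written to the server's archives.log.
# The server adds "<timestamp> (<agent>) <agent-ip>-><location> " in front of
# the raw message the agent sent.
ARCHIVE_LINE = (
    "2018 Mar 29 21:50:02 (ENGG-WORKSTATION) 172.16.3.10->rootcheck "
    "Windows Audit: USB Storage Inserted"
)

ARCHIVE_RE = re.compile(
    r"^(?P<stamp>\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d) "
    r"\((?P<agent>[^)]+)\) (?P<srcip>\d{1,3}(?:\.\d{1,3}){3})->(?P<location>\S+) "
    r"(?P<log>.*)$"
)


def split_archive_line(line):
    """Return the wrapper fields plus 'log', the raw text the agent sent.
    'log' is what should be pasted into ossec-logtest, not the whole line."""
    m = ARCHIVE_RE.match(line)
    if not m:
        raise ValueError("not an archives.log line: %r" % line)
    return m.groupdict()


# The rules from the post, with the closing </group> so the XML parses.
LOCAL_RULES = """<group name="syslog,ICS-lab-detect,">
  <rule id="110000" level="0">
    <decoded_as>ICS-lab-detect</decoded_as>
    <description>ICS Lab custom anomaly detection</description>
  </rule>
  <rule id="110001" level="3">
    <if_sid>110000</if_sid>
    <match>USB</match>
    <description>USB drive detected</description>
  </rule>
  <rule id="110002" level="3">
    <if_sid>110000</if_sid>
    <match>failure</match>
    <description>FactoryTalk Administration Console login failure</description>
  </rule>
</group>"""


def load_rules(xml_text):
    """Parse <rule> elements into a dict keyed by rule id."""
    rules = {}
    for r in ET.fromstring(xml_text).iter("rule"):
        rules[r.get("id")] = {
            "level": int(r.get("level")),
            "decoded_as": r.findtext("decoded_as"),
            "if_sid": r.findtext("if_sid"),
            "match": r.findtext("match"),
            "description": r.findtext("description"),
        }
    return rules


def evaluate(rules, decoder_name, log):
    """Toy evaluator (assumption: models only decoded_as, if_sid and an
    unanchored substring <match>). Returns (id, level, description) of the
    highest-level rule that fired, or None. Level 0 means no alert is written."""
    fired = {}
    for rid in sorted(rules, key=int):  # parents (lower ids) are checked first
        r = rules[rid]
        if r["decoded_as"] and r["decoded_as"] != decoder_name:
            continue
        if r["if_sid"] and r["if_sid"] not in fired:
            continue
        if r["match"] and r["match"] not in log:
            continue
        fired[rid] = r
    if not fired:
        return None
    rid, r = max(fired.items(), key=lambda kv: kv[1]["level"])
    return (rid, r["level"], r["description"])


if __name__ == "__main__":
    fields = split_archive_line(ARCHIVE_LINE)
    rules = load_rules(LOCAL_RULES)
    # What logtest was given: the wrapper line, decoded by the custom decoder.
    print("logtest input  :", evaluate(rules, "ICS-lab-detect", ARCHIVE_LINE))
    # What the engine gets live: raw log only, location carried separately.
    print("live event     :", evaluate(rules, fields["location"], fields["log"]))
    print("feed logtest   :", fields["log"])
```

To repeat the check on a real box, feed only the raw text to logtest, e.g. `echo "Windows Audit: USB Storage Inserted" | /var/ossec/bin/ossec-logtest`, and compare the decoder name it reports with the one your 110000 rule expects; if they differ, the custom decoder's prematch needs to be written against the raw message rather than the archives.log wrapper.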


Jacob Mcgrath

Apr 5, 2018, 7:29:49 AM
to ossec-list
I have not tested on AD-controlled Windows 10 as of yet.

You would need this in the Windows agent config:


  <localfile>
    <log_format>full_command</log_format>
    <command>C:\ossec-tools\usb\usb-audit.bat</command>
    <frequency>30</frequency>
    <alias>USBDevices</alias>
  </localfile>

Neeraj Shah

Apr 5, 2018, 9:39:38 AM
to ossec...@googlegroups.com
Thank you Jacob. Appreciate your help.
