Detecting USB drives

[Peter Fraser]

Hi All
I have read the manual and set things up as I understand them. My
problem is that although I am seeing a file in diff, I am still not
getting an alert.

This is what I did

In the local windows agent, I entered
<localfile>
<log_format>full_command</log_format>
<command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
</localfile>

And in the local_rules.xml, I put the following:

<rule id="140121" level="7">
<if_sid>530</if_sid>
<match>ossec: output: 'reg QUERY</match>
<check_diff />
<description>New USB device connected</description>
</rule>

I am seeing a file called last-entry in
/usr/local/ossec-hids/queue/diff/laptop/140121

but no alert, help please anyone?

[dan (ddp)]

If the values aren't changing you won't see an alert.

[Peter Fraser]

Afterwards, I tested by plugging in a USB key but I still didn't get
an alert. Sorry, I forgot to mention that.

[dan (ddp)]

It works for me. Here's what I have:

/var/ossec/rules/local_rules.xml:

<rule id="510016" level="7">
<if_sid>530</if_sid>
<match>ossec: output: 'hkeyusbcheck'</match>
<check_diff />
<description>usb stuff has changed.</description>
</rule>

ossec.conf on windows machine:

<localfile>
<log_format>full_command</log_format>
<command>reg QUERY

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
<alias>hkeyusbcheck</alias>
</localfile>

The alias makes things a lot easier/cleaner to deal with in the rules.