Detect USB Storage on Linux


jonas...@gmail.com

Jun 18, 2013, 4:24:27 AM
to ossec...@googlegroups.com
There are a number of articles (and even a section in the official ossec documentation) on how to make ossec detect USB Storage connected to a Windows system, but I've been unable to find a way to make it detect connection of USB storage to a Linux system.

This page http://www.ossec.net/doc/manual/monitoring/process-monitoring.html#detecting-usb-storage-usage in the official documentation describes the windows part.

In CentOS (or RedHat) the default place for the log to be written seems to be in /var/log/kernel. The only decoder that I can find that reads anything in that file is the 'iptables'-decoder.

Can I just create a rule that creates an alert if there's a matching entry in /var/log/kernel (given that that file is actually monitored on the client systems), or do I need to 'hack' the decoder as well?

I tried creating this in local_rules.xml:

<rule id="100341" level="8">
  <decoded_as>iptables</decoded_as>
  <program_name>kernel</program_name>
  <regex>^usb \S* new</regex>
  <description>Unknown USB device attached</description>
</rule>

But I haven't been able to get it to generate the alert.

The log file entry looks like this:

Jun 18 09:56:23 localhost kernel: usb 1-5.2: new high speed USB device number 10 using ehci_hcd
Jun 18 09:56:23 localhost kernel: usb 1-5.2: New USB device found, idVendor=0951, idProduct=1607
Jun 18 09:56:23 localhost kernel: usb 1-5.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Jun 18 09:56:23 localhost kernel: usb 1-5.2: Product: DataTraveler 2.0
Jun 18 09:56:23 localhost kernel: usb 1-5.2: Manufacturer: Kingston
Jun 18 09:56:23 localhost kernel: usb 1-5.2: SerialNumber: 001D0F0CAAC55A891B1400E4
Jun 18 09:56:23 localhost kernel: usb 1-5.2: configuration #1 chosen from 1 choice
Jun 18 09:56:23 localhost kernel: scsi9 : SCSI emulation for USB Mass Storage devices
Jun 18 09:56:23 localhost kernel: usb-storage: device found at 10
Jun 18 09:56:23 localhost kernel: usb-storage: waiting for device to settle before scanning
Jun 18 09:56:24 localhost kernel: usb-storage: device scan complete
Jun 18 09:56:24 localhost kernel: scsi 9:0:0:0: Direct-Access     Kingston DataTraveler 2.0 1.00 PQ: 0 ANSI: 2
Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: Attached scsi generic sg6 type 0
Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: [sdd] 15679488 512-byte logical blocks: (8.02 GB/7.47 GiB)
Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: [sdd] Write Protect is off
Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: [sdd] Mode Sense: 23 00 00 00
Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: [sdd] Assuming drive cache: write through
Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: [sdd] Assuming drive cache: write through
Jun 18 09:56:24 localhost kernel: sdd: sdd1
Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: [sdd] Assuming drive cache: write through
Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: [sdd] Attached SCSI removable disk
Jun 18 09:56:27 localhost kernel: usb 1-5.2: USB disconnect, device number 10

I've made sure that the file /var/log/kernel is checked, both in ossec.conf on the server and in agent.conf on the client. I've restarted both server and client and tried to insert my USB drive. The log entry is created but no alert.

Anyone looked at this and got it to work?

dan (ddp)

Jun 19, 2013, 9:25:46 AM
to ossec...@googlegroups.com
On Tue, Jun 18, 2013 at 4:24 AM, <jonas...@gmail.com> wrote:
> There are a number of articles (and even a section in the official ossec
> documentation) on how to make ossec detect USB Storage connected to a
> Windows system, but I've been unable to find a way to make it detect
> connection of USB storage to a Linux system.
>
> This page
> http://www.ossec.net/doc/manual/monitoring/process-monitoring.html#detecting-usb-storage-usage
> in the official documentation describes the windows part.
>
> In CentOS (or RedHat) the default place for the log to be written seems to
> be in /var/log/kernel. The only decoder that I can find that reads anything
> in that file is the 'iptables'-decoder.
>
> Can I just create a rule that creates an alert if there's a matching entry
> in /var/log/kernel (given that that file is actually monitored on the client
> systems), or do I need to 'hack' the decoder as well?
>
> I tried creating this in local_rules.xml:
>
> <rule id="100341" level="8">
> <decoded_as>iptables</decoded_as>
> <program_name>kernel</program_name>
> <regex>^usb \S* new</regex>
> <description>Unknown USB device attached</description>
> </rule>
>

I got this to work with ossec-logtest:
  <rule id="500007" level="10">
    <decoded_as>iptables</decoded_as>
    <match>^usb</match>
    <regex>^usb \S+: New</regex>
    <description>XXX</description>
  </rule>
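As an added example (not code from the thread and not part of OSSEC), the following Python script correlates the kernel lines from the original post into one alert record per port: it splits the syslog header the way the decoder stage does (only program_name "kernel" lines reach the iptables decoder), then joins the "New USB device found" line, its Product/Manufacturer/SerialNumber lines, the usb-storage binding and the "Attached SCSI removable disk" line, so an alert can carry vendor, product, serial and block device instead of just "something matched ^usb". The sample log is constructed from the excerpt above; the pattern names and event fields are my own choice.

```python
import re

# Sample kernel log lines, constructed from the thread above (syslog format as found in
# /var/log/kernel on CentOS/RHEL); the original post shows the full sequence.
SAMPLE_LOG = """\
Jun 18 09:56:23 localhost kernel: usb 1-5.2: new high speed USB device number 10 using ehci_hcd
Jun 18 09:56:23 localhost kernel: usb 1-5.2: New USB device found, idVendor=0951, idProduct=1607
Jun 18 09:56:23 localhost kernel: usb 1-5.2: Product: DataTraveler 2.0
Jun 18 09:56:23 localhost kernel: usb 1-5.2: Manufacturer: Kingston
Jun 18 09:56:23 localhost kernel: usb 1-5.2: SerialNumber: 001D0F0CAAC55A891B1400E4
Jun 18 09:56:23 localhost kernel: usb-storage: device found at 10
Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: [sdd] Attached SCSI removable disk
Jun 18 09:56:27 localhost kernel: usb 1-5.2: USB disconnect, device number 10
"""

# OSSEC routes program_name "kernel" to the iptables decoder; <match>/<regex> then see only the message.
SYSLOG = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (?P<prog>[^:\s]+): (?P<msg>.*)$")
PATTERNS = {  # hypothetical names; "found" is the line dan's rule (^usb \S+: New) keys on
    "found": re.compile(r"^usb (\S+): New USB device found, idVendor=(\w+), idProduct=(\w+)"),
    "number": re.compile(r"^usb (\S+): new .* device number (\d+)"),
    "attr": re.compile(r"^usb (\S+): (Product|Manufacturer|SerialNumber): (.*)$"),
    "storage": re.compile(r"^usb-storage: device found at (\d+)"),
    "disk": re.compile(r"^sd \S+: \[(\w+)\] Attached SCSI removable disk"),
    "gone": re.compile(r"^usb (\S+): USB disconnect"),
}

def parse_usb_events(text):
    """Correlate kernel lines per USB port; return one event per mass-storage attach or disconnect."""
    by_port, by_number, events, pending = {}, {}, [], None
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m or m.group("prog") != "kernel":
            continue  # not a kernel message: the iptables decoder would not pick it up either
        msg = m.group("msg")
        if (h := PATTERNS["number"].match(msg)):
            by_number[h.group(2)] = h.group(1)  # device number -> port path (e.g. "10" -> "1-5.2")
        elif (h := PATTERNS["found"].match(msg)):
            by_port[h.group(1)] = {"port": h.group(1), "idVendor": h.group(2), "idProduct": h.group(3)}
        elif (h := PATTERNS["attr"].match(msg)) and h.group(1) in by_port:
            by_port[h.group(1)][h.group(2)] = h.group(3)  # Product / Manufacturer / SerialNumber
        elif (h := PATTERNS["storage"].match(msg)):
            pending = by_port.get(by_number.get(h.group(1)))  # usb-storage bound to that device
        elif (h := PATTERNS["disk"].match(msg)) and pending:
            events.append(dict(pending, event="usb_storage_attached", block_device=h.group(1)))
            pending = None
        elif (h := PATTERNS["gone"].match(msg)):
            events.append({"event": "usb_disconnect", "port": h.group(1)})
    return events
```

On the sample this yields one "usb_storage_attached" record (port 1-5.2, Kingston DataTraveler 2.0, block device sdd) followed by one "usb_disconnect"; a plain keyboard or mouse never produces the usb-storage and "removable disk" lines, so it is not reported as storage.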

jonas...@gmail.com

Jun 20, 2013, 7:33:47 AM
to ossec...@googlegroups.com
On Wednesday, June 19, 2013 3:25:46 PM UTC+2, dan (ddpbsd) wrote:
> On Tue, Jun 18, 2013 at 4:24 AM, <jonas...@gmail.com> wrote:
> > I tried creating this in local_rules.xml:
> >
> > <rule id="100341" level="8">
> >   <decoded_as>iptables</decoded_as>
> >   <program_name>kernel</program_name>
> >   <regex>^usb \S* new</regex>
> >   <description>Unknown USB device attached</description>
> > </rule>
> >
>
> I got this to work with ossec-logtest:
>   <rule id="500007" level="10">
>     <decoded_as>iptables</decoded_as>
>     <match>^usb</match>
>     <regex>^usb \S+: New</regex>
>     <description>XXX</description>
>   </rule>

My example above also works with ossec-logtest, but not when inserting a USB device in a server. It doesn't generate any alert. Does yours?

dan (ddp)

Jun 20, 2013, 8:26:20 AM
to ossec...@googlegroups.com
No idea, did you test it? I don't have a linux system handy.

wazu...@gmail.com

Dec 15, 2018, 8:58:23 AM
to ossec-list
Hello, this is Guruji.

I need rules that are used to detect data transfer from one system over USB.

Regards,

Guruji

dan (ddp)

Dec 16, 2018, 4:13:51 PM
to ossec...@googlegroups.com
On Sat, Dec 15, 2018 at 8:58 AM <wazu...@gmail.com> wrote:
>
> Hello This Guruji
>
> i need rules that are used to detect the transfer data from One system USB.
>

Alerting when a USB device (maybe even umass) is plugged in should be easy.
I'm not sure what facilities would provide information on when data is
copied to that device.

sunitha s

Jul 18, 2019, 1:57:20 AM
to ossec-list
Hi All,

For the USB detection I just included the "linux_usbdetect_rules.xml" and "ms1016_usbdetect_rules.xml" rules from /var/ossec/rules in the OSSEC configuration file.
For testing I removed the mouse and plugged the cable into the port again.
Then I got an alert for USB detection.