USB Monitoring
440 views
Skip to first unread message
M Jones
May 10, 2021, 4:10:29 PM5/10/21
to Wazuh mailing list
Hi,
I can see past articles on USB monitoring but i can't get it too alert. Im using the rule;
<rule id="100002" level="5">
<if_sid>18104</if_sid>
<id>^6416$</id>
<description>Windows: PNP device connected.</description>
</rule>
<if_sid>18104</if_sid>
<id>^6416$</id>
<description>Windows: PNP device connected.</description>
</rule>
but this isn't working. I can see the logs in my archive attached below but nothing is alerting to it. Used logtest but gets to decoder as Json and stops working. Can Anyone help?
2021 May 10 20:05:07 (Redacted) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"6416","version":"1","level":"0","task":"13316","opcode":"0","keywords":"0x8020000000000000","systemTime":"2021-05-10T20:05:06.9042167Z","eventRecordID":"1123465","processID":"4","threadID":"26436","channel":"Security","computer":"redacted","severityValue":"AUDIT_SUCCESS","message":"\"A new external device was recognized by the system.\r\n\r\nSubject:\r\n\tSecurity ID:\t\t\r\n\tAccount Name:\t\tredacted\r\n\tAccount Domain:\t\tRedacted\r\n\tLogon ID:\t\t0x3E7\r\n\r\nDevice ID:\tUSB\\VID_1D57&PID_AD17\\5&7993a9c&0&2\r\n\r\nDevice Name:\tUSB Input Device\r\n\r\nClass ID:\t\t{745a17a0-74d3-11d0-b6fe-00a0c90f57da}\r\n\r\nClass Name:\tHIDClass\r\n\r\nVendor IDs:\t\r\n\t\tUSB\\VID_1D57&PID_AD17&REV_0105\r\n\t\tUSB\\VID_1D57&PID_AD17\r\n\t\t\r\n\t\t\r\n\r\nCompatible IDs:\t\r\n\t\tUSB\\Class_03&SubClass_01&Prot_02\r\n\t\tUSB\\Class_03&SubClass_01\r\n\t\tUSB\\Class_03\r\n\t\t\r\n\t\t\r\n\r\nLocation Information:\t\r\n\t\tPort_#0002.Hub_#0002\r\n\t\t\""},"eventdata":{"subjectUserSid":"S-1-5-18","subjectUserName":"Redacted","subjectDomainName":"Redacted","subjectLogonId":"0x3e7","deviceId":"USB\\\\VID_1D57&PID_AD17\\\\5&7993a9c&0&2","deviceDescription":"USB Input Device","classId":"{745a17a0-74d3-11d0-b6fe-00a0c90f57da}","className":"HIDClass","vendorIds":" USB\\\\VID_1D57&PID_AD17&REV_0105 USB\\\\VID_1D57&PID_AD17","compatibleIds":" USB\\\\Class_03&SubClass_01&Prot_02 USB\\\\Class_03&SubClass_01 USB\\\\Class_03","locationInformation":" Port_#0002.Hub_#0002"}}}
Rafael Antonio Rodriguez Otero
May 10, 2021, 4:19:58 PM5/10/21
to M Jones, Wazuh mailing list
Can you place the rule 18104, to visualize it? and the associated decoder?
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/ce6307c6-fee1-475a-95b6-7836d49a683en%40googlegroups.com.
M Jones
May 10, 2021, 4:51:56 PM5/10/21
to Wazuh mailing list
Hi Rafael,
Not sure what you mean but here's rule 18104-
Also I remember now that the decoder would not work so I had to change the regex and tested it and it worked in a regex tester. have attached it below-
<decoder name="windows_fields">
<type>windows</type>
<parent>windows</parent>
<prematch>\s</prematch>
<regex offset="after_parent">^(\.+): (\w+)\((\d+)\): (\.+): </regex>
<regex>(\.+): \.+: (\S+): </regex>
<order>type, status, id, extra_data, user, system_name</order>
</decoder>
So it looks like the decoder isn't working but when I tried to use the one in the blog is just get an error - Error saving file: 3013 - Wazuh Internal Error
Not sure whats happening.
Rafael Antonio Rodriguez Otero
May 10, 2021, 7:18:57 PM5/10/21
to M Jones, Wazuh mailing list
Hello
Well, let me explain, I don't know what version of wazuh you have, but you have to perform a test with the following log:
Well, let me explain, I don't know what version of wazuh you have, but you have to perform a test with the following log:
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"6416","version":"1","level":"0","task":"13316","opcode":"0","keywords":"0x8020000000000000","systemTime":"2021-05-10T20:05:06.9042167Z","eventRecordID":"1123465","processID":"4","threadID":"26436","channel":"Security","computer":"redacted","severityValue":"AUDIT_SUCCESS","message":"\"A new external device was recognized by the system.\r\n\r\nSubject:\r\n\tSecurity
ID:\t\t\r\n\tAccount Name:\t\tredacted\r\n\tAccount
Domain:\t\tRedacted\r\n\tLogon ID:\t\t0x3E7\r\n\r\nDevice
ID:\tUSB\\VID_1D57&PID_AD17\\5&7993a9c&0&2\r\n\r\nDevice Name:\tUSB Input Device\r\n\r\nClass ID:\t\t{745a17a0-74d3-11d0-b6fe-00a0c90f57da}\r\n\r\nClass Name:\tHIDClass\r\n\r\nVendor IDs:\t\r\n\t\tUSB\\VID_1D57&PID_AD17&REV_0105\r\n\t\tUSB\\VID_1D57&PID_AD17\r\n\t\t\r\n\t\t\r\n\r\nCompatible IDs:\t\r\n\t\tUSB\\Class_03&SubClass_01&Prot_02\r\n\t\tUSB\\Class_03&SubClass_01\r\n\t\tUSB\\Class_03\r\n\t\t\r\n\t\t\r\n\r\nLocation Information:\t\r\n\t\tPort_#0002.Hub_#0002\r\n\t\t\""},"eventdata":{"subjectUserSid":"S-1-5-18","subjectUserName":"Redacted","subjectDomainName":"Redacted","subjectLogonId":"0x3e7","deviceId":"USB\\\\VID_1D57&PID_AD17\\\\5&7993a9c&0&2","deviceDescription":"USB Input Device","classId":"{745a17a0-74d3-11d0-b6fe-00a0c90f57da}","className":"HIDClass","vendorIds":" USB\\\\VID_1D57&PID_AD17&REV_0105 USB\\\\VID_1D57&PID_AD17","compatibleIds":" USB\\\\Class_03&SubClass_01&Prot_02 USB\\\\Class_03&SubClass_01 USB\\\\Class_03","locationInformation":" Port_#0002.Hub_#0002"}}}
you can test with the binary /var/ossec/bin/
ossec-logtest,, you have to run the binary and then you put the log.
Now if you realize, by default this command is a decoder called:
json (In my case this was the decoder I take)
So, you have to make some criteria for that. you can use the tag "match" or create a dedofitador based on the "json".
ossec-logtest,, you have to run the binary and then you put the log.
Now if you realize, by default this command is a decoder called:
json (In my case this was the decoder I take)
So, you have to make some criteria for that. you can use the tag "match" or create a dedofitador based on the "json".
If you want send me a screenshot of the test with the binary and tell me what it is decoding and rules.
i can't see rules with this log. . try whit the binari. and tell me.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/15569179-3f8c-42c6-b47d-948293b8d8b0n%40googlegroups.com.
Rafael Antonio Rodriguez Otero
May 10, 2021, 7:43:41 PM5/10/21
to M Jones, Wazuh mailing list
you can do this:
<rule id = "0000000" level = "000000">
<decoded_as> json </decoded_as>
<match> win.system.eventID: '6416' </match>
<rule id = "0000000" level = "000000">
<decoded_as> json </decoded_as>
<match> win.system.eventID: '6416' </match>
<description> Windows: PNP device connected. </description>
</rule>
I think it should work for you. the ID and the level you must change it for the one you want. Answer me if it works for you.
Rafael Antonio Rodriguez Otero
May 10, 2021, 7:44:32 PM5/10/21
to M Jones, Wazuh mailing list
be careful with the spaces
Rafael Antonio Rodriguez Otero
May 10, 2021, 7:56:29 PM5/10/21
to M Jones, Wazuh mailing list
sorry, i test this:
<rule id="100002" level="6">
<decoded_as>json</decoded_as><match>"eventID":"6416"</match>
<description>Windows: PNP device connected.</description>
</rule>
and work me. try with this please.
Rafael Antonio Rodriguez Otero
May 10, 2021, 7:59:07 PM5/10/21
to M Jones, Wazuh mailing list
and work good to me . try with this please.
M Jones
May 11, 2021, 4:45:43 AM5/11/21
to Wazuh mailing list
Hi Rafaell,
Still doesn't work, so when i test using the logtester it works and says an alert will be generated but when I test it out and go to the wazuh dashboard and I know there is logs in the archive that should show but when I look there isn't anything there. I have attached what it looks like in my archive, when I test I take out the first 8 words as I thought it doesn't use it but I'm not sure.
Rafael Antonio Rodriguez Otero
May 11, 2021, 5:49:32 PM5/11/21
to M Jones, Wazuh mailing list
Generally, after doing that, you should do the following:
1.) Clear the index cache from the elastic manager.
2.) Update the fields from manager kibana.
3.) Refresh the indexes or the index that was generated from the elastic manager.
1.) Clear the index cache from the elastic manager.
2.) Update the fields from manager kibana.
3.) Refresh the indexes or the index that was generated from the elastic manager.
When new rules or new fields are generated this must be done. because the index must be updated in the template.
If the alert is already triggered in the Test, then it is a matter of carrying out these steps.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/9a8c836a-2b09-4a79-abd9-9f11f5e510e2n%40googlegroups.com.
M Jones
May 12, 2021, 9:52:40 AM5/12/21
to Wazuh mailing list
Hi Rafaell,
Still isnt working, Im hoping you can explain this to me, in the archive the log reads like this:
2021 May 12 09:36:40 (COMPUTER) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"6416","version":"1","level":"0","task":"13316","opcode":"0","keywords":"0x8020000000000000","systemTime":"2021-05-12T09:36:39.3659822Z","eventRecordID":"1132615","processID":"4","threadID":"11220","channel":"Security","computer":" COMPUTER.DOMAIN.local","severityValue":"AUDIT_SUCCESS","message":"\"A new external device was recognized by the system.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\t COMPUTER$\r\n\tAccount Domain:\t\tDOMAIN\r\n\tLogon ID:\t\t0x3E7\r\n\r\nDevice ID:\tSWD\\MMDEVAPI\\{0.0.0.00000000}.{f0c69991-87d9-4459-b312-5906e8723565}\r\n\r\nDevice Name:\tSAMSUNG (Intel(R) Display Audio)\r\n\r\nClass ID:\t\t{c166523c-fe0c-4a94-a586-f1a80cfbbf3e}\r\n\r\nClass Name:\tAudioEndpoint\r\n\r\nVendor IDs:\t\r\n\t\tMMDEVAPI\\AudioEndpoints\r\n\t\t\r\n\t\t\r\n\r\nCompatible IDs:\t\r\n\t\tGenericAudioEndpoint\r\n\t\tSWD\\GenericRaw\r\n\t\tSWD\\Generic\r\n\t\t\r\n\t\t\r\n\r\nLocation Information:\t-\""},"eventdata":{"subjectUserSid":"S-1-5-18","subjectUserName":"COMPUTER","subjectDomainName":"DOMAIN","subjectLogonId":"0x3e7","deviceId":"SWD\\\\MMDEVAPI\\\\{0.0.0.00000000}.{f0c69991-87d9-4459-b312-5906e8723565}","deviceDescription":"SAMSUNG (Intel(R) Display Audio)","classId":"{c166523c-fe0c-4a94-a586-f1a80cfbbf3e}","className":"AudioEndpoint","vendorIds":" MMDEVAPI\\\\AudioEndpoints","compatibleIds":" GenericAudioEndpoint SWD\\\\GenericRaw SWD\\\\Generic"}}}
2021 May 12 09:36:40 (COMPUTER) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"6416","version":"1","level":"0","task":"13316","opcode":"0","keywords":"0x8020000000000000","systemTime":"2021-05-12T09:36:39.3659822Z","eventRecordID":"1132615","processID":"4","threadID":"11220","channel":"Security","computer":" COMPUTER.DOMAIN.local","severityValue":"AUDIT_SUCCESS","message":"\"A new external device was recognized by the system.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\t COMPUTER$\r\n\tAccount Domain:\t\tDOMAIN\r\n\tLogon ID:\t\t0x3E7\r\n\r\nDevice ID:\tSWD\\MMDEVAPI\\{0.0.0.00000000}.{f0c69991-87d9-4459-b312-5906e8723565}\r\n\r\nDevice Name:\tSAMSUNG (Intel(R) Display Audio)\r\n\r\nClass ID:\t\t{c166523c-fe0c-4a94-a586-f1a80cfbbf3e}\r\n\r\nClass Name:\tAudioEndpoint\r\n\r\nVendor IDs:\t\r\n\t\tMMDEVAPI\\AudioEndpoints\r\n\t\t\r\n\t\t\r\n\r\nCompatible IDs:\t\r\n\t\tGenericAudioEndpoint\r\n\t\tSWD\\GenericRaw\r\n\t\tSWD\\Generic\r\n\t\t\r\n\t\t\r\n\r\nLocation Information:\t-\""},"eventdata":{"subjectUserSid":"S-1-5-18","subjectUserName":"COMPUTER","subjectDomainName":"DOMAIN","subjectLogonId":"0x3e7","deviceId":"SWD\\\\MMDEVAPI\\\\{0.0.0.00000000}.{f0c69991-87d9-4459-b312-5906e8723565}","deviceDescription":"SAMSUNG (Intel(R) Display Audio)","classId":"{c166523c-fe0c-4a94-a586-f1a80cfbbf3e}","className":"AudioEndpoint","vendorIds":" MMDEVAPI\\\\AudioEndpoints","compatibleIds":" GenericAudioEndpoint SWD\\\\GenericRaw SWD\\\\Generic"}}}
So when using logtester, it does not work with the red included but does work when the red is taken out. Is this reason it's not working and showing up my dashboard.? Apologies for the ongoing nature of this. There is also nothing in my alerts log.
Rafael Antonio Rodriguez Otero
May 13, 2021, 2:07:37 PM5/13/21
to M Jones, Wazuh mailing list
Hello, forgive me for not answering you quickly. I've been very busy.
First.
In the log section:
First.
In the log section:
2021 May 12 09:36:40 (COMPUTER) any-> EventChannel
In this session of the log it is always implicit so that the initial scrutiny of the alarte is created. Please try one thing.
<rule id = "100002" level = "6">
<rule id = "100002" level = "6">
<match> "eventID": "6416" </match>
<description> Windows: PNP device connected. </description>
</rule>
With this rule you can detect when the event ID is the one you ask for. I was testing it as json format, that's why I put the json decoder, but in this case since it has this segment "any-> EventChannel" in the log, it won't recognize it as json format.
With the tag "match" you can detect this ID and you can have the rule. If it does not load you remember that you must carry out the prugado to the indexes.
With the tag "match" you can detect this ID and you can have the rule. If it does not load you remember that you must carry out the prugado to the indexes.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/7550baa9-1609-4946-a3b0-ee1c4d15a15dn%40googlegroups.com.
M Jones
May 17, 2021, 2:50:23 AM5/17/21
to Wazuh mailing list
Hi Raf,
Sorry still not working, Ive added the new rule but still nothing. Please see the ruletest below: I have refreshed my indexes but is there anything else I need to do?
ossec-testrule: Type one log per line.
2021 May 10 20:05:07 (Redacted) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"6416","version":"1","level":"0","task":"13316","opcode":"0","keywords":"0x8020000000000000","systemTime":"2021-05-10T20:05:06.9042167Z","eventRecordID":"1123465","processID":"4","threadID":"26436","channel":"Security","computer":"redacted","severityValue":"AUDIT_SUCCESS","message":"\"A new external device was recognized by the system.\r\n\r\nSubject:\r\n\tSecurity ID:\t\t\r\n\tAccount Name:\t\tredacted\r\n\tAccount Domain:\t\tRedacted\r\n\tLogon ID:\t\t0x3E7\r\n\r\nDevice ID:\tUSB\\VID_1D57&PID_AD17\\5&7993a9c&0&2\r\n\r\nDevice Name:\tUSB Input Device\r\n\r\nClass ID:\t\t{745a17a0-74d3-11d0-b6fe-00a0c90f57da}\r\n\r\nClass Name:\tHIDClass\r\n\r\nVendor IDs:\t\r\n\t\tUSB\\VID_1D57&PID_AD17&REV_0105\r\n\t\tUSB\\VID_1D57&PID_AD17\r\n\t\t\r\n\t\t\r\n\r\nCompatible IDs:\t\r\n\t\tUSB\\Class_03&SubClass_01&Prot_02\r\n\t\tUSB\\Class_03&SubClass_01\r\n\t\tUSB\\Class_03\r\n\t\t\r\n\t\t\r\n\r\nLocation Information:\t\r\n\t\tPort_#0002.Hub_#0002\r\n\t\t\""},"eventdata":{"subjectUserSid":"S-1-5-18","subjectUserName":"Redacted","subjectDomainName":"Redacted","subjectLogonId":"0x3e7","deviceId":"USB\\\\VID_1D57&PID_AD17\\\\5&7993a9c&0&2","deviceDescription":"USB Input Device","classId":"{745a17a0-74d3-11d0-b6fe-00a0c90f57da}","className":"HIDClass","vendorIds":" USB\\\\VID_1D57&PID_AD17&REV_0105 USB\\\\VID_1D57&PID_AD17","compatibleIds":" USB\\\\Class_03&SubClass_01&Prot_02 USB\\\\Class_03&SubClass_01 USB\\\\Class_03","locationInformation":" Port_#0002.Hub_#0002"}}}
**Phase 1: Completed pre-decoding.
full event: '2021 May 10 20:05:07 (Redacted) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"6416","version":"1","level":"0","task":"13316","opcode":"0","keywords":"0x8020000000000000","systemTime":"2021-05-10T20:05:06.9042167Z","eventRecordID":"1123465","processID":"4","threadID":"26436","channel":"Security","computer":"redacted","severityValue":"AUDIT_SUCCESS","message":"\"A new external device was recognized by the system.\r\n\r\nSubject:\r\n\tSecurity ID:\t\t\r\n\tAccount Name:\t\tredacted\r\n\tAccount Domain:\t\tRedacted\r\n\tLogon ID:\t\t0x3E7\r\n\r\nDevice ID:\tUSB\\VID_1D57&PID_AD17\\5&7993a9c&0&2\r\n\r\nDevice Name:\tUSB Input Device\r\n\r\nClass ID:\t\t{745a17a0-74d3-11d0-b6fe-00a0c90f57da}\r\n\r\nClass Name:\tHIDClass\r\n\r\nVendor IDs:\t\r\n\t\tUSB\\VID_1D57&PID_AD17&REV_0105\r\n\t\tUSB\\VID_1D57&PID_AD17\r\n\t\t\r\n\t\t\r\n\r\nCompatible IDs:\t\r\n\t\tUSB\\Class_03&SubClass_01&Prot_02\r\n\t\tUSB\\Class_03&SubClass_01\r\n\t\tUSB\\Class_03\r\n\t\t\r\n\t\t\r\n\r\nLocation Information:\t\r\n\t\tPort_#0002.Hub_#0002\r\n\t\t\""},"eventdata":{"subjectUserSid":"S-1-5-18","subjectUserName":"Redacted","subjectDomainName":"Redacted","subjectLogonId":"0x3e7","deviceId":"USB\\\\VID_1D57&PID_AD17\\\\5&7993a9c&0&2","deviceDescription":"USB Input Device","classId":"{745a17a0-74d3-11d0-b6fe-00a0c90f57da}","className":"HIDClass","vendorIds":" USB\\\\VID_1D57&PID_AD17&REV_0105 USB\\\\VID_1D57&PID_AD17","compatibleIds":" USB\\\\Class_03&SubClass_01&Prot_02 USB\\\\Class_03&SubClass_01 USB\\\\Class_03","locationInformation":" Port_#0002.Hub_#0002"}}}'
timestamp: '2021 May 10 20:05:07'
hostname: '(Redacted)'
program_name: '(null)'
log: 'any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"6416","version":"1","level":"0","task":"13316","opcode":"0","keywords":"0x8020000000000000","systemTime":"2021-05-10T20:05:06.9042167Z","eventRecordID":"1123465","processID":"4","threadID":"26436","channel":"Security","computer":"redacted","severityValue":"AUDIT_SUCCESS","message":"\"A new external device was recognized by the system.\r\n\r\nSubject:\r\n\tSecurity ID:\t\t\r\n\tAccount Name:\t\tredacted\r\n\tAccount Domain:\t\tRedacted\r\n\tLogon ID:\t\t0x3E7\r\n\r\nDevice ID:\tUSB\\VID_1D57&PID_AD17\\5&7993a9c&0&2\r\n\r\nDevice Name:\tUSB Input Device\r\n\r\nClass ID:\t\t{745a17a0-74d3-11d0-b6fe-00a0c90f57da}\r\n\r\nClass Name:\tHIDClass\r\n\r\nVendor IDs:\t\r\n\t\tUSB\\VID_1D57&PID_AD17&REV_0105\r\n\t\tUSB\\VID_1D57&PID_AD17\r\n\t\t\r\n\t\t\r\n\r\nCompatible IDs:\t\r\n\t\tUSB\\Class_03&SubClass_01&Prot_02\r\n\t\tUSB\\Class_03&SubClass_01\r\n\t\tUSB\\Class_03\r\n\t\t\r\n\t\t\r\n\r\nLocation Information:\t\r\n\t\tPort_#0002.Hub_#0002\r\n\t\t\""},"eventdata":{"subjectUserSid":"S-1-5-18","subjectUserName":"Redacted","subjectDomainName":"Redacted","subjectLogonId":"0x3e7","deviceId":"USB\\\\VID_1D57&PID_AD17\\\\5&7993a9c&0&2","deviceDescription":"USB Input Device","classId":"{745a17a0-74d3-11d0-b6fe-00a0c90f57da}","className":"HIDClass","vendorIds":" USB\\\\VID_1D57&PID_AD17&REV_0105 USB\\\\VID_1D57&PID_AD17","compatibleIds":" USB\\\\Class_03&SubClass_01&Prot_02 USB\\\\Class_03&SubClass_01 USB\\\\Class_03","locationInformation":" Port_#0002.Hub_#0002"}}}'
**Phase 2: Completed decoding.
No decoder matched.
**Rule debugging:
Trying rule: 1 - Generic template for all syslog rules.
*Rule 1 matched.
*Trying child rules.
Trying rule: 600 - Active Response Messages Grouped
Trying rule: 200 - Grouping of wazuh rules.
Trying rule: 2100 - NFS rules grouped.
Trying rule: 2507 - OpenLDAP group.
Trying rule: 2550 - rshd messages grouped.
Trying rule: 2701 - Ignoring procmail messages.
Trying rule: 2800 - Pre-match rule for smartd.
Trying rule: 5100 - Pre-match rule for kernel messages.
Trying rule: 5200 - Ignoring hpiod for producing useless logs.
Trying rule: 2830 - Crontab rule group.
Trying rule: 5300 - Initial grouping for su messages.
Trying rule: 5905 - useradd failed.
Trying rule: 5400 - Initial group for sudo messages.
Trying rule: 9100 - PPTPD messages grouped.
Trying rule: 9200 - Squid syslog messages grouped.
Trying rule: 2900 - Dpkg (Debian Package) log.
Trying rule: 2930 - Yum logs.
Trying rule: 2931 - Yum logs.
Trying rule: 2940 - NetworkManager grouping.
Trying rule: 2943 - nouveau driver grouping.
Trying rule: 2962 - Perdition custom app group.
Trying rule: 3100 - Grouping of the sendmail rules.
Trying rule: 3190 - Grouping of the smf-sav sendmail milter rules.
Trying rule: 3300 - Grouping of the postfix reject rules.
Trying rule: 3320 - Grouping of the postfix rules.
Trying rule: 3390 - Grouping of the clamsmtpd rules.
Trying rule: 3395 - Grouping of the postfix warning rules.
Trying rule: 3500 - Grouping for the spamd rules
Trying rule: 3600 - Grouping of the imapd rules.
Trying rule: 3700 - Grouping of mailscanner rules.
Trying rule: 3800 - Grouping of Exchange rules.
Trying rule: 3900 - Grouping for the courier rules.
Trying rule: 4300 - Grouping of PIX rules
Trying rule: 4500 - Grouping for the Netscreen Firewall rules
Trying rule: 4700 - Grouping of Cisco IOS rules.
Trying rule: 4800 - SonicWall messages grouped.
Trying rule: 5500 - Grouping of the pam_unix rules.
Trying rule: 5556 - unix_chkpwd grouping.
Trying rule: 5600 - Grouping for the telnetd rules
Trying rule: 5700 - SSHD messages grouped.
Trying rule: 5757 - Bad DNS mapping.
Trying rule: 6100 - Solaris BSM Auditing messages grouped.
Trying rule: 6200 - Asterisk messages grouped.
Trying rule: 6300 - Grouping for the MS-DHCP ipv4 rules.
Trying rule: 6350 - Grouping for the MS-DHCP ipv6 rules.
Trying rule: 7200 - Arpwatch messages grouped.
Trying rule: 7300 - Grouping of Symantec AV rules.
Trying rule: 7400 - Grouping of Symantec Web Security rules.
Trying rule: 7600 - Grouping of Trend OSCE rules.
Trying rule: 9300 - Grouping for the Horde imp rules.
Trying rule: 9400 - Roundcube messages grouped.
Trying rule: 9500 - Wordpress messages grouped.
Trying rule: 9600 - cimserver messages grouped.
Trying rule: 9700 - Dovecot Messages Grouped.
Trying rule: 9770 - dovecot-info grouping.
Trying rule: 9800 - Grouping for the vm-pop3d rules.
Trying rule: 9900 - Grouping for the vpopmail rules.
Trying rule: 11100 - Grouping for the ftpd rules.
Trying rule: 11200 - Grouping for the proftpd rules.
Trying rule: 11300 - Grouping for the pure-ftpd rules.
Trying rule: 11310 - Rule grouping for pure ftpd transfers.
Trying rule: 11400 - Grouping for the vsftpd rules.
Trying rule: 11500 - Grouping for the Microsoft ftp rules.
Trying rule: 12100 - Grouping of the named rules
Trying rule: 13100 - Grouping for the smbd rules.
Trying rule: 13106 - Grouping for the nmbd rules.
Trying rule: 14100 - Grouping of racoon rules.
Trying rule: 14200 - Grouping of Cisco VPN concentrator rules
Trying rule: 19100 - VMWare messages grouped.
Trying rule: 19101 - VMWare ESX syslog messages grouped.
Trying rule: 30100 - Apache messages grouped.
Trying rule: 31200 - Grouping of Zeus rules.
Trying rule: 31300 - Nginx messages grouped.
Trying rule: 31404 - PHP Warning message.
Trying rule: 31405 - PHP Fatal error.
Trying rule: 31406 - PHP Parse error.
Trying rule: 40700 - Systemd rules
Trying rule: 40900 - firewalld grouping
Trying rule: 50100 - MySQL messages grouped.
Trying rule: 50500 - PostgreSQL messages grouped.
Trying rule: 51000 - Grouping for dropbear rules.
Trying rule: 51500 - Grouping of bsd_kernel alerts
Trying rule: 51521 - Grouping for groupdel rules.
Trying rule: 51523 - No core dumps.
Trying rule: 51525 - ftp-proxy cannot connect to a server.
Trying rule: 51526 - Hard drive is dying.
Trying rule: 51527 - CARP master to backup.
Trying rule: 51528 - Duplicate IPv6 address.
Trying rule: 51529 - Could not load a firmware.
Trying rule: 51530 - hotplugd could not open a file.
Trying rule: 51532 - Bad ntp peer.
Trying rule: 51550 - doas grouping
Trying rule: 52500 - Clamd messages grouped.
Trying rule: 52501 - ClamAV: database update
Trying rule: 53500 - OpenSMTPd grouping.
Trying rule: 500000 - Unbound grouping.
Trying rule: 80000 - Puppet Master messages grouped.
Trying rule: 80001 - Puppet Agent messages grouped.
Trying rule: 80100 - Netscaler messages grouped.
Trying rule: 80200 - AWS alert.
Trying rule: 80500 - Serv-u messages grouped.
Trying rule: 80700 - Audit: messages grouped.
Trying rule: 81100 - USB messages grouped.
Trying rule: 81300 - Redis messages grouped.
Trying rule: 81400 - OpenSCAP messages grouped.
Trying rule: 81600 - Fortigate v3 messages grouped.
Trying rule: 81601 - Fortigate v4 messages grouped.
Trying rule: 81602 - Fortigate v5 messages grouped.
Trying rule: 81700 - HP 5500 EI messages grouped.
Trying rule: 81800 - OpenVPN messages grouped.
Trying rule: 81900 - RSA Authentication Manager messages grouped.
Trying rule: 82000 - Imperva messages grouped.
Trying rule: 82100 - Sophos alerts.
Trying rule: 82200 - FreeIPA syslog.
Trying rule: 82400 - Cisco eStreamer messages grouped.
Trying rule: 85000 - SQL Server messages.
Trying rule: 85500 - Identity Guard Log.
Trying rule: 85750 - MongoDB messages
Trying rule: 86000 - Docker messages
Trying rule: 86250 - Jenkins messages
Trying rule: 86800 - VShell message grouped.
Trying rule: 86600 - Suricata messages.
Trying rule: 86900 - Qualysguard messages grouped.
Trying rule: 87000 - Cylance events messages grouped.
Trying rule: 87050 - Cylance threats messages grouped.
Trying rule: 87100 - VirusTotal integration messages.
Trying rule: 87200 - pvedaemon messages grouped.
Trying rule: 87300 - ownCloud messages grouped.
Trying rule: 87310 - ownCloud messages grouped.
Trying rule: 22401 - Vuls integration event.
Trying rule: 87402 - CIS-CAT events.
Trying rule: 87403 - Old CIS-CAT events.
Trying rule: 87500 - Exim SMTP Messages Grouped.
Trying rule: 87501 - dovecot messages grouped.
Trying rule: 23501 - $(vulnerability.cve) affects $(vulnerability.package.name)
Trying rule: 87600 - OpenVAS (gsad) messages grouped.
Trying rule: 87608 - OpenVAS (openvasmd) messages grouped.
Trying rule: 88000 - Percona Server audit events grouped.
Trying rule: 89050 - McAfee AUDIT Plugin for MySQL events grouped.
Trying rule: 88100 - MariaDB group messages.
Trying rule: 87700 - pfSense firewall rules grouped.
Trying rule: 87900 - Docker alerts: $(docker.Type)
Trying rule: 64000 - Grouping of cisco-ASA rules
Trying rule: 65500 - Mcafee EPO2
Trying rule: 88200 - NextCloud messages grouped.
Trying rule: 88201 - NextCloud messages grouped.
Trying rule: 67100 - Junos IDS
Trying rule: 67102 - Junos RT Flow
Trying rule: 64200 - PANDA Antivirus event.
Trying rule: 64220 - Checkpoint events.
Trying rule: 64250 - Grouping macos sshd rules.
Trying rule: 65000 - GCP alert.
Trying rule: 64500 - SYSTEM Palo Alto logs type
Trying rule: 64507 - TRAFFIC paloalto logs type
Trying rule: 255001 - Sysmon - rundll32.exe
Trying rule: 40102 - Buffer overflow attack on rpc.statd
Trying rule: 40103 - Buffer overflow on WU-FTPD versions prior to 2.6
Trying rule: 40107 - Heap overflow in the Solaris cachefsd service.
Trying rule: 1003 - Non standard syslog message (size too large).
*Rule 1003 matched.
Trying rule: 40104 - Possible buffer overflow attempt.
Trying rule: 40105 - "Null" user changed some information.
Trying rule: 40106 - Buffer overflow attempt (probably on yppasswd).
Trying rule: 40109 - Stack overflow attempt or program exiting with SEGV (Solaris).
Trying rule: 2301 - xinetd: Excessive number connections to a service.
Trying rule: 2502 - syslog: User missed the password more than one time
Trying rule: 2504 - syslog: Illegal root login.
Trying rule: 7101 - Problems with the tripwire checking.
Trying rule: 5901 - New group added to the system.
Trying rule: 5902 - New user added to the system.
Trying rule: 5904 - Information from the user was changed.
Trying rule: 5758 - Maximum authentication attempts exceeded.
Trying rule: 12110 - Serial number from master is lower than stored.
Trying rule: 12111 - Unable to perform zone transfer.
Trying rule: 18128 - Windows: Group account added/changed/deleted.
Trying rule: 1007 - File system full.
Trying rule: 5134 - RNGD failure
Trying rule: 30200 - Modsecurity alert.
Trying rule: 100092 - Windows: PNP device connected.
*Rule 100092 matched.
**Phase 3: Completed filtering (rules).
Rule id: '100092'
Level: '6'
Description: 'Windows: PNP device connected.'
**Alert to be generated.
Juan Carlos
May 17, 2021, 9:12:51 AM5/17/21
to Wazuh mailing list
Hi M Jones,
I believe that this is the blog post from which you based your original implementation: https://wazuh.com/blog/monitoring-usb-drives-in-windows-using-wazuh/
This was written in 2017, back then the default log collection for Windows was done using the Eventlog. In 2019 the default was changed to EventChannel, but we still support EventLog. Because of this, the rules for decoding information using Eventlog as still present and rule 18104 is one of them.
The events you have shown are matching rule 60103 instead, so the child rule to be created is instead:
<rule id="666000" level="6">
<if_sid>60103</if_sid>
<field name="win.system.eventID">^6416$</field>
<field name="win.eventdata.deviceId">^USB\\</field>
<description>An external $(win.eventdata.deviceDescription) was connected to the system</description>
</rule>
One of the benefits of using the EventChannel is that data is collected with the structured format where each value is identified by a key, hence eliminating the need to create a decoder and being able to ingest more organized data for each event.
It is also true that due to the way these logs are processed, the log testing capabilities don't work out of the box, which is why there was a discrepancy between the output of ossec-logtest and the observed alerts. There is a workaround explained here by one of my colleages: https://groups.google.com/g/wazuh/c/48mI_69jBuE/m/Fe1OV6bIAQAJ but we are working to provide better testing capabilities for windows logs.
Let me know if you have any more questions.
Best Regards,
Juan Carlos Tello
Reply all
Reply to author
Forward
0 new messages