USB monitoring, regex not working.
61 views
Skip to first unread message
andrzej oto
Dec 1, 2022, 4:11:32 AM12/1/22
to Wazuh mailing list
Hi
I want to monitor USB devices
I use these decoders
<decoder name="windows_fields">
<type>windows</type>
<parent>windows</parent>
<regex>USBSTOR#Disk\pVen_(\S*)\pProd_(\S*)\pRev_(\.*)#(\S*)\p0#\S*\s</regex>
<order>usb.vendor, usb.product, usb.rev, usb.serial_number</order>
</decoder>
I can see the event, but the regex doesn't work
I have read these articles
https://wazuh.com/blog/monitoring-usb-drives-in-windows-using-wazuh/
https://groups.google.com/g/wazuh/c/sFlNML0civk
https://groups.google.com/g/wazuh/c/sFXdMYgjYac
I created a rule
<rule id="100002" level="5">
<if_sid>60103</if_sid>
<field name="win.system.eventID">^6416$</field>
<description>Windows: Authorized PNP device connected.</description>
</rule>
<rule id="100003" level="7">
<if_sid>100002</if_sid>
<list field="win.eventdata.deviceId" lookup="not_match_key">etc/lists/usb-devices</list>
<description>Windows: Unauthorized PNP device connected.</description>
</rule>
but i need to modify my list of usb devices
and add everything
SWD\\WPDBUSENUM\\_??_USBSTOR#Disk&Ven__USB&Prod__SanDisk_3.2Gen1&Rev_1.00#04015a8bb9603e5aeb35e50824b8c53a38f847e56adb9976c247ca7b9dcc163#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}:Andrzej_USB
STORAGE\\Volume\\_??_USBSTOR#Disk&Ven__USB&Prod__SanDisk_3.2Gen1&Rev_1.00#04015a8bb9603e5aeb35e50824b8c53a38f847e56adb9976c247ca7b9dcc163#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}:Andrzej_USB
I think it's because of the regex problem, do you have an idea what could be causing this?
I want to monitor USB devices
I use these decoders
<decoder name="windows_fields">
<type>windows</type>
<parent>windows</parent>
<regex>USBSTOR#Disk\pVen_(\S*)\pProd_(\S*)\pRev_(\.*)#(\S*)\p0#\S*\s</regex>
<order>usb.vendor, usb.product, usb.rev, usb.serial_number</order>
</decoder>
I can see the event, but the regex doesn't work
I have read these articles
https://wazuh.com/blog/monitoring-usb-drives-in-windows-using-wazuh/
https://groups.google.com/g/wazuh/c/sFlNML0civk
https://groups.google.com/g/wazuh/c/sFXdMYgjYac
I created a rule
<rule id="100002" level="5">
<if_sid>60103</if_sid>
<field name="win.system.eventID">^6416$</field>
<description>Windows: Authorized PNP device connected.</description>
</rule>
<rule id="100003" level="7">
<if_sid>100002</if_sid>
<list field="win.eventdata.deviceId" lookup="not_match_key">etc/lists/usb-devices</list>
<description>Windows: Unauthorized PNP device connected.</description>
</rule>
but i need to modify my list of usb devices
and add everything
SWD\\WPDBUSENUM\\_??_USBSTOR#Disk&Ven__USB&Prod__SanDisk_3.2Gen1&Rev_1.00#04015a8bb9603e5aeb35e50824b8c53a38f847e56adb9976c247ca7b9dcc163#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}:Andrzej_USB
STORAGE\\Volume\\_??_USBSTOR#Disk&Ven__USB&Prod__SanDisk_3.2Gen1&Rev_1.00#04015a8bb9603e5aeb35e50824b8c53a38f847e56adb9976c247ca7b9dcc163#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}:Andrzej_USB
I think it's because of the regex problem, do you have an idea what could be causing this?
Chantal Belen Kelm
Dec 1, 2022, 5:32:44 AM12/1/22
to Wazuh mailing list
Hello, how are you? I will review the information you sent and make some checks.
Chantal Belen Kelm
Dec 2, 2022, 11:21:42 AM12/2/22
to Wazuh mailing list
can you share with me the log that arrives to the wazuh manager?
andrzej oto
Dec 20, 2022, 7:10:10 AM12/20/22
to Chantal Belen Kelm, Wazuh mailing list
Yes please,
--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/EcyCshOnwKI/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/144f297d-9677-46cf-9b12-2e5d9e6e1e24n%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages