Hi

I have searched extensively for it, but didn't get any good result for a
beginner.
http://www.ossec.net/doc/manual/monitoring/process-monitoring.html

Here they have not clearly mentioned where exactly these changes are to be
made.
Still, after an extensive search, I added a new folder on the server as:
(1) >shared>agent_config : added
<agent_config os="windows">
    <localfile>
        <!-- whole command output is logged as one event -->
        <log_format>full_command</log_format>
        <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
    </localfile>
</agent_config>

These changes have been pushed to the client side too.

(2) Added the following to the local rules:

<rule id="140125" level="7">
    <!-- 530 is the parent rule for all full_command output -->
    <if_sid>530</if_sid>
    <match>ossec: output: 'reg QUERY</match>
    <!-- alert only when the output differs from the previous run -->
    <check_diff />
    <description>New USB device connected</description>
</rule>


Main problem: I have no GROUP NAME for this rule, so I added this rule inside
the predefined group
<group name="local,syslog,">. Is it the right thing to do,
or do I need to place it somewhere else in this file? Please help.

Kindly tell me if I need to make any other changes too.

Thanks in advance.



On Thu, Jun 21, 2012 at 8:04 AM, dan (ddp) <ddp...@gmail.com> wrote:

>
> On Jun 20, 2012 10:31 PM, "sahil sharma" <sharmasahil0...@gmail.com>
> wrote:
> >
> > Sorry to interrupt here. It's not related to this issue:
>
> No you aren't.
>
> > I want to detect USB when I insert USB into my windows agent.
> >
> > Where all do I need to add the code? What changes for each file?
>
> This has been answered. Google it.
>
> > Do I need to add code only on the server side? Nothing at the client?
> > What is pushing of code from the server? How do I do it manually?
> >
> > All I can get is to add:
> > 1) log collection code in agent.conf (server side)
> > 2) decoder
> > 3) rule. Also, what should be the group name for this newly added rule?
> >
> > Kindly help.
> > Sorry.
> >
> >
> > On Thu, Jun 21, 2012 at 5:42 AM, dan (ddp) <ddp...@gmail.com> wrote:
> >>
> >> The installer sets up the config for you.
> >>
> >> On Jun 20, 2012 8:07 PM, "Brett" <cgka...@gmail.com> wrote:
> >>>
> >>> I didn't see the last part of the email. A link in the agent install
> would be a good place for that info. Since I'm not familiar with the
> software I'd have no idea to look in "ossec.conf: syntax"
> >>>
> >>> Sent from my iPhone
> >>>
> >>> On Jun 20, 2012, at 15:21, "dan (ddp)" <ddp...@gmail.com> wrote:
> >>>
> >>>> It's documented. In fact in the real install the config is populated
> for you.
> >>>>
> >>>>
> http://www.ossec.net/doc/syntax/head_ossec_config.client.html#element-server-ip
> >>>>
> >>>> In /var/ossec/etc/ossec.conf
> >>>> So something like:
> >>>> <ossec_config>
> >>>> <client>
> >>>>   <server-ip>192.168.23.1</server-ip>
> >>>>
> >>>> This is all super basic stuff. What would have made it easier to find
> in the documentation?
> >>>>
> >>>> On Jun 20, 2012 6:11 PM, "Brett Y" <cgka...@gmail.com> wrote:
> >>>>>
> >>>>> After installing ossec-hids-client and its dependencies, running
> /var/ossec/bin/ossec-configure, if you select agent, you are not prompted
> for the ip address of the server. And there doesn't seem to be any docs on
> how to manually set that.
> >
> >
>

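A complete version of the two files the procedure above touches, as an added example that is not part of the original thread and not OSSEC's own shipped configuration. It assumes the standard OSSEC 2.x layout (agent.conf at /var/ossec/etc/shared/agent.conf on the manager, rules in /var/ossec/rules/local_rules.xml), uses rule id 100125 because the 100000-119999 range is the one OSSEC reserves for local rules, and picks a group name of its own to show that any <group> wrapper works. The `/s` switch on `reg QUERY` and the `<frequency>` element are additions made here for illustration.

```xml
<!-- Added example, not the poster's or OSSEC's own configuration.
     File 1, on the manager: /var/ossec/etc/shared/agent.conf
     ossec-remoted pushes this file to agents; restart the manager and
     then the agent (or wait for the next keep-alive) so the new
     command is picked up. -->
<agent_config os="Windows">
  <localfile>
    <!-- full_command logs the whole output as one event of the form
         ossec: output: 'reg QUERY ...': <output> -->
    <log_format>full_command</log_format>
    <!-- /s recurses into the per-device (serial number) subkeys, so a
         second device of the same model still changes the output.
         Assumption added here; the thread's command has no /s. -->
    <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR /s</command>
    <!-- seconds between runs; assumed default is 360 when omitted -->
    <frequency>60</frequency>
  </localfile>
</agent_config>

<!-- File 2, on the manager: /var/ossec/rules/local_rules.xml
     Every rule must sit inside a <group> element. The name attribute is
     only a comma-separated set of tags that is copied into the alert
     (and usable by <if_group> and active-response), so the stock
     "local,syslog," group is acceptable and so is a dedicated one. -->
<group name="local,usb,">
  <rule id="100125" level="7">
    <!-- 530 is the parent rule for all full_command output -->
    <if_sid>530</if_sid>
    <!-- substring match on the logged command; no backslashes needed -->
    <match>ossec: output: 'reg QUERY</match>
    <!-- alert only when the output differs from the last stored run -->
    <check_diff />
    <description>USBSTOR registry tree changed (USB storage device added or removed)</description>
  </rule>
</group>
```

Two checks a practitioner would run before trusting this: `/var/ossec/bin/verify-agent-conf` on the manager validates agent.conf syntax before it is pushed, and the alert's description is deliberately worded as "changed" because check_diff fires on any difference in the output, so removing a device or a driver reinstall triggers it just as an insertion does. Note also that newer OSSEC releases refuse commands arriving via agent.conf unless logcollector.remote_commands=1 is set in the agent's local_internal_options.conf; check the release notes for the version in use.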