Hi Sahil,

I followed the instructions on this site: http://blog.rootshell.be/2010/03/15/detecting-usb-storage-usage-with-ossec/
which worked for me.

Cheers,
Mike

________________________________
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of sahil sharma
Sent: Thursday, June 21, 2012 1:02 AM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] RedHat RPMS wont configure agent

Hi

I have extensively searched for it. I didn't get any good result for a beginner.
http://www.ossec.net/doc/manual/monitoring/process-monitoring.html
Here they have not clearly mentioned where exactly these changes are to be made.

Still, after an extensive search I added a new folder on the server as:

(1) > shared > agent_config : added

<agent_config os="windows">
  <localfile>
    <log_format>full_command</log_format>
    <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
  </localfile>
</agent_config>

These changes have been pushed to the client side too.

(2) Added the following to the local rules:

<rule id="140125" level="7">
  <if_sid>530</if_sid>
  <match>ossec: output: 'reg QUERY</match>
  <check_diff />
  <description>New USB device connected</description>
</rule>

Main problem: I got no GROUP NAME for this rule, so I added this rule inside the predefined group <group name="local,syslog,">. Is it the right thing to do? Or do I need to place it somewhere else in this file? Please help. Kindly tell me if I need to make any other change too.

Thanks in advance.

On Thu, Jun 21, 2012 at 8:04 AM, dan (ddp) <ddp...@gmail.com> wrote:

On Jun 20, 2012 10:31 PM, "sahil sharma" <sharmasahil0...@gmail.com> wrote:
>
> Sorry to interrupt here. It's not related to this issue:

No you aren't.

> I want to detect USB when I insert USB into my windows agent.
>
> Where all do I need to add the codes? What all changes for each file?

This has been answered. Google it.

> Do I need to add code only on server side? Nothing at client?
> What is pushing of code from server? How to do it manually?
>
> All I can get is to add:
> 1) log collection code in agents.conf (server side)
> 2) decoder
> 3) rule. Also what should be the group name for this newly added rule??
>
> Kindly help.
> Sorry.
>
>
> On Thu, Jun 21, 2012 at 5:42 AM, dan (ddp) <ddp...@gmail.com> wrote:
>>
>> The installer sets up the config for you.
>>
>> On Jun 20, 2012 8:07 PM, "Brett" <cgka...@gmail.com> wrote:
>>>
>>> I didn't see the last part of the email. A link in the agent install would
>>> be a good place for that info. Since I'm not familiar with the software I'd
>>> have no idea to look in "ossec.conf: syntax"
>>>
>>> Sent from my iPhone
>>>
>>> On Jun 20, 2012, at 15:21, "dan (ddp)" <ddp...@gmail.com> wrote:
>>>>
>>>> It's documented. In fact in the real install the config is populated for
>>>> you.
>>>>
>>>> http://www.ossec.net/doc/syntax/head_ossec_config.client.html#element-server-ip
>>>>
>>>> In /var/ossec/etc/ossec.conf
>>>> So something like:
>>>> <ossec_config>
>>>>   <client>
>>>>     <server-ip>192.168.23.1</server-ip>
>>>>
>>>> This is all super basic stuff. What would have made it easier to find in
>>>> the documentation?
>>>>
>>>> On Jun 20, 2012 6:11 PM, "Brett Y" <cgka...@gmail.com> wrote:
>>>>>
>>>>> After installing ossec-hids-client and its dependencies, running
>>>>> /var/ossec/bin/ossec-configure, if you select agent, you are not prompted
>>>>> for the ip address of the server. And there doesn't seem to be any docs
>>>>> on how to manually set that.
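The following is an added illustration, not code from this thread or from the OSSEC project. It emulates what the `<check_diff />` rule in Sahil's message does with the `full_command` output of `reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR`: OSSEC stores the previous output of the command and fires the rule when the new output differs. The script compares two constructed `reg QUERY` outputs (the vendor/product strings are made up), reports the change the way the rule would (rule id 140125, level 7, description taken from the rule on this page), and additionally lists which USBSTOR subkeys are new, which is something the plain diff alert does not tell you. The function names are this example's own.

```python
"""Emulate OSSEC check_diff on `reg QUERY ...\\USBSTOR` output (added example)."""
from dataclasses import dataclass, field
from typing import Optional

# The command from the agent_config in the thread and the match string of rule 140125.
COMMAND = r"reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR"
RULE_MATCH = "ossec: output: 'reg QUERY"

# Constructed sample output of two successive runs of the command.
# The first line echoes the queried key itself; the following lines are the
# enumerated device subkeys (vendor/product strings are invented for this example).
BEFORE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_ExampleCo&Prod_Flash&Rev_1.00
"""

AFTER = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_ExampleCo&Prod_Flash&Rev_1.00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_OtherVendor&Prod_Drive&Rev_2.10
"""


def as_ossec_log(command: str, output: str) -> str:
    """Build the log line OSSEC produces for a full_command: the command is quoted
    after 'ossec: output:' and followed by the command's output."""
    return f"ossec: output: '{command}':\n{output.strip()}"


def parse_usbstor(output: str) -> set:
    """Return the USBSTOR subkey names (one per device model ever enumerated)."""
    devices = set()
    for line in output.splitlines():
        line = line.strip()
        if not line.upper().startswith("HKEY_LOCAL_MACHINE\\"):
            continue  # skip blanks and any status text reg prints
        _, _, subkey = line.partition("\\USBSTOR\\")
        if subkey:  # the bare USBSTOR key itself has no subkey part
            devices.add(subkey)
    return devices


def output_changed(previous: str, current: str) -> bool:
    """check_diff semantics: alert whenever the whole output differs from the last run."""
    return previous.strip() != current.strip()


def new_devices(previous: str, current: str) -> set:
    """Devices present in the current output but not in the previous one."""
    return parse_usbstor(current) - parse_usbstor(previous)


@dataclass
class Alert:
    rule_id: int
    level: int
    description: str
    devices: list = field(default_factory=list)


def evaluate(previous: str, current: str, rule_id: int = 140125, level: int = 7) -> Optional[Alert]:
    """Return an Alert like rule 140125 would, or None when nothing changed.
    The rule's <match> is checked against the log line OSSEC would generate."""
    log_line = as_ossec_log(COMMAND, current)
    if RULE_MATCH not in log_line or not output_changed(previous, current):
        return None
    return Alert(rule_id, level, "New USB device connected",
                 sorted(new_devices(previous, current)))


if __name__ == "__main__":
    print("first run again:", evaluate(BEFORE, BEFORE))
    print("after a new device:", evaluate(BEFORE, AFTER))
```

Note that `check_diff` fires on any change in the output, so a device being removed from the registry (or the command failing and printing an error) also raises the alert; the `devices` list in the emulated alert is empty in those cases, which is the cue to inspect the full output rather than treat the alert as a new insertion.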