Dan,
I too am unable to make use of the ideas here:
http://dcid.me/2010/03/detecting-usb-storage-usage-with-ossec/
Using OSSEC HIDS 2.6 - When I have the command in a local Windows machine
agent.conf, I get the following in my log on agent restart.
2012/06/21 09:42:43 ossec-agent: Remote commands are not accepted from the
manager. Ignoring it on the agent.conf
2012/06/21 09:42:43 ossec-agent(1202): ERROR: Configuration error at
'shared/agent.conf'. Exiting.
The command set is as follows:
<localfile>
  <log_format>full_command</log_format>
  <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
</localfile>
within my <agent_config os="windows"> section.
Without this command the above error does not log.
Ideas? Was command disabled in 2.6?
On Jun 21, 2012, at 7:53 AM, dan (ddp) wrote:
> On Thu, Jun 21, 2012 at 9:44 AM, sahil sharma <[email protected]>
> wrote:
>>>
>>> ossec.conf or agent.conf depending on how you want to do it. I'll make
>>> sure this is mentioned earlier in the documentation.
>>>
>> I am working on ubuntu server and I have a window client. I want to
>> get log whenever someone inserts USB to the client system. When do
>> we use ossec.conf OR agent.conf to add new definitions? How do I choose
>> between them?
>>
>
> This is for configuration changes, not rules:
> Your choice. If you want to use the agent.conf change it there. If you
> have a good change management system, changing the ossec.conf might be
> good enough.
>
> The OSSEC server does not use the agent.conf though, so if you're
> setting up something for the OSSEC server it'll have to be in that
> system's ossec.conf.
>
>>
>>
>>>
>>>
>>> And you've restarted the agent's ossec processes?
>>>
>> Yes, after adding the code, I restarted the server -restart and also the
>> client ossec agent. I checked, ossec.agent with the added rule was
>> pushed automatically. Then, I inserted USB into the windows client.
>> But there was no LOG for USB detection or no such message in the Web
>> Interface.
>
> The rule won't be pushed to the agents. The
> /var/ossec/etc/shared/agent.conf will be. Make sure that file is up to
> date on the agent (if it's Windows it's probably c:\program
> files\ossec\shared\agent.conf or something).
>
>>
>> Though web interface was showing alerts whenever I logged in
>> successfully to the windows client (it shows they are connected properly).
>>
>>
>
> Do you have email alerts enabled? If not, check the alerts.log file on
> the server. I don't trust the WUI.
>
>>
>>>
>>>> (2)Added following to the local rules:
>>>>
>>>> <rule id="140125" level="7">
>>>> <if_sid>530</if_sid>
>>>> <match>ossec: output: 'reg QUERY</match>
>>>> <check_diff />
>>>> <description>New USB device connected</description>
>>>> </rule>
>>>>
>
> In order to check_diff the log message will have to have fired at
> least once before. So if the reg command hadn't been checked before
> you inserted the USB drive nothing would happen.
>
> You can enable the log all option on the OSSEC server, and check for
> the reg log entries. That will give you something to make sure your
> <match> statement is correct (I use aliases for my commands, so I
> don't know what they show up as without the alias).
>
>>>>
>>>> Main problem: I got no GROUP NAME for this rule so I added this rule
>>>> inside
>>>> the predefined group
>>>> <group name="local,syslog,">. Is it right thing to do?
>>>
>>> Did you try it without putting it inside of those group tags?
>>> Yes, it's fine.
>>>
>>>> OR do I need to place it somewhere else in this file. Please help.
>>>>
>>>> Kindly tell if I need to make any other change too.
>>>>
>>>
>>
>> Yes, I tried putting it outside them. It gives an ERROR when I put the -restart
>> command in the terminal.
>>
>> I thought it was due to a missing group name, so I gave it
>> an arbitrary group
>> name
>>
>>>
>>> <group name="USB">
>>> <rule id="140125" level="7">
>>> <if_sid>530</if_sid>
>>> <match>ossec: output: 'reg QUERY</match>
>>> <check_diff />
>>> <description>New USB device connected</description>
>>> </rule>
>>> </group>
>>
>> Then there was no error, but again no such event was detected even after the
>> restart.
>>
>> Please help.
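Added example, not code from this thread or from the OSSEC project: a small Python model of how the rule discussed above behaves, i.e. how `<match>ossec: output: 'reg QUERY</match>` and `<check_diff />` interact on successive runs of the `reg QUERY` command. The log line shape `ossec: output: '<command or alias>': <output>` and the registry listings are constructed for the example; the rule id 140125 and the match prefix are the ones from the thread.

```python
import re

# Shape of an OSSEC full_command log line as assumed here (constructed for this
# example; the prefix is the one matched by the rule in the thread):
#   ossec: output: '<command or alias>': <command output>
MATCH_PREFIX = "ossec: output: 'reg QUERY"
RULE_ID = 140125

_LINE_RE = re.compile(r"ossec: output: '(?P<cmd>[^']*)': ?(?P<out>.*)", re.DOTALL)


def parse_full_command_line(line):
    """Return (command, output) for a full_command log line, or None otherwise."""
    m = _LINE_RE.match(line)
    if m is None:
        return None
    return m.group("cmd"), m.group("out")


class CheckDiffRule:
    """Model of a rule carrying <match> and <check_diff />.

    The rule fires only when a matching line's output differs from the output
    last stored for the same command, so the first observation never alerts.
    """

    def __init__(self, rule_id, match_prefix):
        self.rule_id = rule_id
        self.match_prefix = match_prefix
        self.last_output = {}  # command -> output seen on the previous run

    def evaluate(self, line):
        """Return the rule id if the rule would fire on this line, else None."""
        if not line.startswith(self.match_prefix):
            return None  # <match> failed (e.g. the command was logged under an alias)
        parsed = parse_full_command_line(line)
        if parsed is None:
            return None
        cmd, out = parsed
        previous = self.last_output.get(cmd)
        self.last_output[cmd] = out
        if previous is None or out == previous:
            return None  # nothing to diff against yet, or output unchanged
        return self.rule_id


def simulate(lines, rule=None):
    """Feed lines through a fresh rule and return what fired for each one."""
    rule = rule or CheckDiffRule(RULE_ID, MATCH_PREFIX)
    return [rule.evaluate(line) for line in lines]


# Constructed sample: successive outputs of the reg QUERY on one agent.
_CMD = r"reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR"
_BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_ExampleA&Prod_Flash&Rev_1.00"
_NEW = _BASE + "\n" + r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_ExampleB&Prod_Stick&Rev_2.00"

SAMPLE_LINES = [
    f"ossec: output: '{_CMD}': {_BASE}",  # first run: baseline stored, no alert
    f"ossec: output: '{_CMD}': {_BASE}",  # unchanged: no alert
    f"ossec: output: '{_CMD}': {_NEW}",   # a second device key appears: alert
    f"ossec: output: '{_CMD}': {_NEW}",   # unchanged again: no alert
    f"ossec: output: '{_CMD}': {_BASE}",  # key set changes back: alert
]

# Same command configured with <alias>usbstor</alias> (constructed): the log
# line then carries the alias, so a <match> on "'reg QUERY" never applies.
ALIASED_LINES = [
    f"ossec: output: 'usbstor': {_BASE}",
    f"ossec: output: 'usbstor': {_NEW}",
]

if __name__ == "__main__":
    print(simulate(SAMPLE_LINES))   # [None, None, 140125, None, 140125]
    print(simulate(ALIASED_LINES))  # [None, None]
```

Two things the model makes visible. First, the agent must have run the command at least once before a USB insertion for `check_diff` to have a baseline, which is why enabling log-all on the server and confirming the `reg` output lines arrive at all is the right first check. Second, an `<alias>` on the command replaces the command text in the logged line, so a rule matching on the literal `reg QUERY` silently stops matching; the match string has to follow whatever the line actually shows. Separately, the "Remote commands are not accepted from the manager" error at the top of the thread is the 2.6 agent refusing a `<command>` pushed through the shared agent.conf; an agent only runs such commands when `logcollector.remote_commands=1` is set in its own local_internal_options.conf, a deliberate default so that a compromised manager cannot push arbitrary commands to every agent.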