Dan, I too am unable to make use of the ideas here: http://dcid.me/2010/03/detecting-usb-storage-usage-with-ossec/

Using OSSEC HIDS 2.6 - When I have the command in a local Windows machine agent.conf I get the following in my log on agent restart.

2012/06/21 09:42:43 ossec-agent: Remote commands are not accepted from the manager. Ignoring it on the agent.conf
2012/06/21 09:42:43 ossec-agent(1202): ERROR: Configuration error at 'shared/agent.conf'. Exiting.

The command set is as follows:

<localfile>
<log_format>full_command</log_format>
<command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
</localfile>

within my <agent_config os="windows"> section. Without this command the above error does not log. Ideas? Was command disabled in 2.6?

On Jun 21, 2012, at 7:53 AM, dan (ddp) wrote:

> On Thu, Jun 21, 2012 at 9:44 AM, sahil sharma <sharmasahil0...@gmail.com> wrote:
>>>
>>> ossec.conf or agent.conf depending on how you want to do it. I'll make
>>> sure this is mentioned earlier in the documentation.
>>>
>> I am working on ubuntu server and I have a Windows client. I want to
>> get log whenever someone inserts USB to the client system. When do
>> we use ossec.conf OR agent.conf to add new definitions? How do I choose
>> between them?
>>
>
> This is for configuration changes, not rules:
> Your choice. If you want to use the agent.conf change it there. If you
> have a good change management system, changing the ossec.conf might be
> good enough.
>
> The OSSEC server does not use the agent.conf though, so if you're
> setting up something for the OSSEC server it'll have to be in that
> system's ossec.conf.
>
>>>
>>> And you've restarted the agent's ossec processes?
>>>
>> Yes, after adding the code, I restarted the server -restart and also the
>> client ossec agent. I checked, ossec.agent with the added rule was
>> pushed automatically. Then, I inserted USB into the windows client.
>> But there was no LOG for USB detection or no such message in the Web
>> Interface.
>
> The rule won't be pushed to the agents. The
> /var/ossec/etc/shared/agent.conf will be. Make sure that file is up to
> date on the agent (if it's Windows it's probably c:\program
> files\ossec\shared\agent.conf or something).
>
>> Though web interface was showing alerts whenever I logged-in
>> successfully to the windows client (it shows they are connected properly).
>>
>
> Do you have email alerts enabled? If not, check the alerts.log file on
> the server. I don't trust the WUI.
>
>>>> (2) Added following to the local rules:
>>>>
>>>> <rule id="140125" level="7">
>>>> <if_sid>530</if_sid>
>>>> <match>ossec: output: 'reg QUERY</match>
>>>> <check_diff />
>>>> <description>New USB device connected</description>
>>>> </rule>
>>>>
>
> In order to check_diff the log message will have to have fired at
> least once before. So if the reg command hadn't been checked before
> you inserted the USB drive nothing would happen.
>
> You can enable the log all option on the OSSEC server, and check for
> the reg log entries. That will give you something to make sure your
> <match> statement is correct (I use aliases for my commands, so I
> don't know what they show up as without the alias).
>
>>>> Main problem: I got no GROUP NAME for this rule so I added this rule
>>>> inside the predefined group
>>>> <group name="local,syslog,">. Is it right thing to do?
>>>
>>> Did you try it without putting it inside of those group tags?
>>> Yes, it's fine.
>>>
>>>> OR i need to place it somewhere else in this file. Please help.
>>>>
>>>> Kindly tell if I need to make any other change too.
>>>>
>>>
>> Yes I tried it putting outside them, It gives ERROR when I put the -restart
>> command in the terminal.
>>
>> I thought, it was due to missing group name, then I gave it
>> an arbitrary group name
>>
>> <group name="USB">
>> <rule id="140125" level="7">
>> <if_sid>530</if_sid>
>> <match>ossec: output: 'reg QUERY</match>
>> <check_diff />
>> <description>New USB device connected</description>
>> </rule>
>> </group>
>>
>> Then there was no error, but again no such event was detected even after the
>> restart.
>>
>> Please help.
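The behaviour dan describes for <check_diff /> (the first observation of the command output only seeds a baseline, and an alert needs a later output that differs) is easy to misread when the rule stays silent. The following Python is an added example modelling that logic on the output of the thread's reg QUERY command; it is not OSSEC's code. It assumes a full_command entry reaches the manager as "ossec: output: '<command>': <output>" (the prefix the thread's <match> string relies on; confirm it from your own log-all archives), and the registry listings are constructed samples, not captured from a real host.

```python
"""Toy model of OSSEC's <check_diff /> applied to a full_command localfile.

Added example, not OSSEC code. It shows why the thread's rule 140125 does
nothing on the first sighting of the reg QUERY output (baseline only) and
what the alert carries once a later output differs.
"""
import re

# Assumed shape of a full_command log entry as it reaches the manager.
FULL_COMMAND_RE = re.compile(r"^ossec: output: '(?P<cmd>[^']+)': (?P<output>.*)$", re.S)

# Subkeys of this key are the device instances `reg QUERY ... USBSTOR` lists.
USBSTOR_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\"


def parse_usbstor(output):
    """Return the set of device-instance subkeys listed under USBSTOR."""
    keys = set()
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(USBSTOR_PREFIX):
            keys.add(line[len(USBSTOR_PREFIX):])
    return keys


class CheckDiff:
    """Alert only when a matched log differs from the last stored copy
    for the same command, as <check_diff /> does."""

    MATCH = "ossec: output: 'reg QUERY"  # the thread's <match> string

    def __init__(self):
        self.last = {}  # command -> last observed output (in memory only)

    def feed(self, log_line):
        if self.MATCH not in log_line:
            return None  # rule does not match this log at all
        m = FULL_COMMAND_RE.match(log_line)
        if not m:
            return None
        cmd, output = m.group("cmd"), m.group("output")
        previous = self.last.get(cmd)
        self.last[cmd] = output
        if previous is None:
            return None  # first sighting: baseline stored, no alert
        if previous == output:
            return None  # nothing changed
        before, after = parse_usbstor(previous), parse_usbstor(output)
        return {
            "rule": 140125,
            "description": "New USB device connected",
            "added": after - before,
            "removed": before - after,
        }


# Constructed sample outputs (not from a real machine).
CMD = "reg QUERY HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR"
BASE = (
    "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\n\n"
    "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\"
    "Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\n"
)
NEW_DEVICE = BASE + (
    "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\"
    "Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00\n"
)


def log_line(output):
    """Wrap command output the way the assumed full_command entry looks."""
    return "ossec: output: '%s': %s" % (CMD, output)


def demo():
    cd = CheckDiff()
    r1 = cd.feed(log_line(BASE))        # seeds the baseline -> None
    r2 = cd.feed(log_line(BASE))        # unchanged -> None
    r3 = cd.feed(log_line(NEW_DEVICE))  # new subkey -> alert
    return r1, r2, r3


if __name__ == "__main__":
    for i, result in enumerate(demo(), 1):
        print("run %d: %s" % (i, result))
```

The baseline lives in memory, so a restart of the process that holds it starts the sequence over; that is the same reason a device plugged in before the command has run once produces no alert. Comparing parsed subkey sets rather than raw text also keeps the alert readable: the "added" set names the device instance that appeared.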