On Thu, Jun 21, 2012 at 12:58 PM, Scott Klauminzer
<sklaumin...@gmail.com> wrote:
> Dan,
>
> I too am unable to make use of the ideas here: 
> http://dcid.me/2010/03/detecting-usb-storage-usage-with-ossec/
>
> Using OSSEC HIDS 2.6 - When I have the command in a local Windows machine 
> agent.conf I get the following in my log on agent restart.
>
>
> 2012/06/21 09:42:43 ossec-agent: Remote commands are not accepted from the 
> manager. Ignoring it on the agent.conf
> 2012/06/21 09:42:43 ossec-agent(1202): ERROR: Configuration error at 
> 'shared/agent.conf'. Exiting.
>
>
> the command set is as follows:
>
>  <localfile>
>    <log_format>full_command</log_format>
>    <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
>  </localfile>
>
> within my <agent_config os="windows"> section.
>
> without this command the above error does not log.
>
> Ideas? was command disabled in 2.6?
>
>

Seriously? Did you not read the error message? Commands do not work
from the agent.conf unless you configure the agent to accept them. You
have to put them in the agent's ossec.conf.

The warning is in the wrong place in the documentation (will fix that
momentarily), but this is documented here:
http://www.ossec.net/doc/syntax/head_ossec_config.localfile.html

>
> On Jun 21, 2012, at 7:53 AM, dan (ddp) wrote:
>
>> On Thu, Jun 21, 2012 at 9:44 AM, sahil sharma <sharmasahil0...@gmail.com> 
>> wrote:
>>>>
>>>> ossec.conf or agent.conf depending on how you want to do it. I'll make
>>>> sure this is mentioned earlier in the documentation.
>>>>
>>> I am working on ubuntu server and I have a window client. I want to
>>> get log whenever someone inserts USB to the client system. When do
>>> we use ossec.conf OR agent.conf to add new definitions? How choose
>>> between them?
>>>
>>
>> This is for configuration changes, not rules:
>> Your choice. If you want to use the agent.conf change it there. If you
>> have a good change management system, changing the ossec.conf might be
>> good enough.
>>
>> The OSSEC server does not use the agent.conf though, so if you're
>> setting up something for the OSSEC server it'll have to be in that
>> system's ossec.conf.
>>
>>>
>>>
>>>>
>>>>
>>>> And you've restarted the agent's ossec processes?
>>>>
>>> Yes, after adding the code, I restarted the server -restart and also the
>>> client ossec agent. I checked, ossec.agent with the added rule was
>>> pushed automatically. Then, I inserted USB into the windows client.
>>> But there was no LOG for USB detection or no such message in the Web
>>> Interface.
>>
>> The rule won't be pushed to the agents. The
>> /var/ossec/etc/shared/agent.conf will be. Make sure that file is up to
>> date on the agent (if it's Windows it's probably c:\program
>> files\ossec\shared\agent.conf or something).
>>
>>>
>>> Though the web interface was showing alerts whenever I logged in
>>> successfully to the Windows client (it shows they are connected properly).
>>>
>>>
>>
>> Do you have email alerts enabled? If not, check the alerts.log file on
>> the server. I don't trust the WUI.
>>
>>>
>>>>
>>>>> (2)Added following to the local rules:
>>>>>
>>>>> <rule id="140125" level="7">
>>>>>     <if_sid>530</if_sid>
>>>>>     <match>ossec: output: 'reg QUERY</match>
>>>>>     <check_diff />
>>>>>     <description>New USB device connected</description>
>>>>> </rule>
>>>>>
>>
>> In order to check_diff the log message will have to have fired at
>> least once before. So if the reg command hadn't been checked before
>> you inserted the USB drive nothing would happen.
>>
>> You can enable the log all option on the OSSEC server, and check for
>> the reg log entries. That will give you something to make sure your
>> <match> statement is correct (I use aliases for my commands, so I
>> don't know what they show up as without the alias).
>>
>>>>>
>>>>> Main problem: I got no GROUP NAME for this rule so I added this rule
>>>>> inside
>>>>> the predefined group
>>>>> <group name="local,syslog,">. Is it right thing to do?
>>>>
>>>> Did you try it without putting it inside of those group tags?
>>>> Yes, it's fine.
>>>>
>>>>> OR i need to place it somewhere else in this file. Please help.
>>>>>
>>>>> Kindly tell if I need to make any other change too.
>>>>>
>>>>
>>>
>>> Yes, I tried putting it outside them; it gives an ERROR when I put the -restart
>>> command in the terminal.
>>>
>>> I thought, it was due to missing group name, then I gave it
>>> an arbitrary group
>>> name
>>>
>>>>
>>> <group name="USB">
>>> <rule id="140125" level="7">
>>>     <if_sid>530</if_sid>
>>>     <match>ossec: output: 'reg QUERY</match>
>>>     <check_diff />
>>>     <description>New USB device connected</description>
>>> </rule>
>>> </group>
>>>
>>> Then there was no error, but again no such event was detected even after the
>>> restart.
>>>
>>> Please help.
>

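As an added illustration of the check_diff behaviour dan describes above (the rule stores the first command output as a baseline and only alerts when a later output differs), here is a small Python model of the full_command event flow. It is not OSSEC code; the exact "ossec: output:" line layout and the USBSTOR registry listings are constructed assumptions.

```python
"""Model of how the thread's full_command + check_diff rule behaves.

Added example (not OSSEC code): the agent emits one
"ossec: output: '<command>': <output>" event per run of the reg QUERY
command, and a rule fires only when the output differs from the output
stored on the previous run (check_diff). Line layout is an assumption.
"""
from dataclasses import dataclass
from typing import Optional

RULE_MATCH = "ossec: output: 'reg QUERY"  # prefix from the thread's <match>
USBSTOR_CMD = r"reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR"


@dataclass
class CheckDiffRule:
    rule_id: int = 140125
    level: int = 7
    description: str = "New USB device connected"
    last_output: Optional[str] = None  # state that check_diff compares against

    def evaluate(self, log_line: str) -> Optional[dict]:
        """Return an alert dict if the rule fires on this line, else None."""
        if not log_line.startswith(RULE_MATCH):
            return None  # <match> did not hit
        # Everything after the quoted command name is the command's output.
        _, _, output = log_line.partition("': ")
        if self.last_output is None:
            # First sighting: only a baseline is stored, no alert is raised.
            self.last_output = output
            return None
        if output == self.last_output:
            return None  # unchanged since last run
        self.last_output = output
        return {"id": self.rule_id, "level": self.level,
                "description": self.description, "output": output}


def full_command_event(command: str, output: str) -> str:
    """Constructed approximation of the agent's full_command log line."""
    return f"ossec: output: '{command}': {output}"


def simulate(runs: list) -> list:
    """Feed successive command outputs through one rule; return the alerts."""
    rule = CheckDiffRule()
    alerts = []
    for output in runs:
        alert = rule.evaluate(full_command_event(USBSTOR_CMD, output))
        if alert is not None:
            alerts.append(alert)
    return alerts
```

Feeding two identical listings and then one with an extra USBSTOR subkey yields a single alert, on the third run; a USB drive present from the very first run produces none, which is the case the thread ran into.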