Hi,

Got this one randomly searching for USB detection. I guess I have a fix for this problem, but I don't have a clear idea why it is working?

https://groups.google.com/forum/?fromgroups#!topic/ossec-list/1t6dnbzMZzM

I had a similar problem, but once I added this to local_rules.xml, everything was working fine, I was getting the alert for USB detection.

```xml
<group name="local,win7,">
  <!-- Overrides the stock rule 530 (OSSEC process monitoring output) -->
  <rule id="530" level="4" overwrite="yes">
    <if_sid>500</if_sid>
    <match>^ossec: output: </match>
    <description>OSSEC process monitoring rules.</description>
    <group>process_monitor,</group>
  </rule>
  <!-- Fires when the output of the 'hkeyusbcheck' command changes -->
  <rule id="510016" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'hkeyusbcheck'</match>
    <check_diff />
    <description>usb stuff has changed.</description>
  </rule>
</group>
```

Nowhere was it mentioned to overwrite rule id 530 in localfile; I just did it randomly and it was successful.

Now my PROBLEM is that the alert it is showing is:

```text
2012 Jul 10 02:04:49
Rule Id: 530 level: 4
Location: (win7base) 192.168.1.10->hkeyusbcheck
Src IP: utput: 'hkeyusbcheck': OSSEC process monitoring rules.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_hp&Prod_v165w&Rev_0.00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_hp&Prod_v210w&Rev_1100
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_6.16
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_G2&Rev_1.00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_G2&Rev_PMAP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_G3&Rev_1.00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.20
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.01
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.20
HKEY_LOCAL_MACHINE
```

There was no mention of the RULE I added in the alerts, i.e. rule id="510016" level="7"?

Please help.
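Added example, not from the post above and not OSSEC's own code: a stand-alone script that re-creates what rule 510016 with `<check_diff />` is meant to do. A check_diff rule compares the current command output with the last stored copy and only fires when they differ, so the first time the `hkeyusbcheck` output is seen there is nothing to compare against and only the parent rule (530, level 4) produces an alert. The script keeps a baseline of USBSTOR entries, reports what was added or removed on later runs, and tolerates the truncated trailing `HKEY_LOCAL_MACHINE` line seen in the post. The sample outputs are constructed from the entries quoted in the post plus one hypothetical `Ven_Example` device; the function and class names are this example's own.

```python
"""Re-creation of the check_diff idea for the USBSTOR registry listing.

Added example (not the post's or OSSEC's code). Sample data is constructed
from the registry paths quoted in the mailing-list post.
"""
import re

# Every key the monitored command prints lives under this hive path.
USBSTOR_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\"

# Entry names look like Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>.
ENTRY_RE = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>.*)$"
)


def parse_usbstor_entries(output: str) -> set:
    """Return the set of USBSTOR device keys found in one command output.

    Lines that are not complete USBSTOR keys (for example the truncated
    trailing 'HKEY_LOCAL_MACHINE' line in the post) are ignored.
    """
    entries = set()
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith(USBSTOR_PREFIX):
            continue
        name = line[len(USBSTOR_PREFIX):]
        if name and ENTRY_RE.match(name):
            entries.add(name)
    return entries


def describe_entry(name: str) -> str:
    """Human-readable summary of one USBSTOR key name."""
    m = ENTRY_RE.match(name)
    if not m:
        return name
    return f"{m['type']} vendor={m['vendor']} product={m['product']} rev={m['rev']}"


def diff_snapshots(baseline: set, current: set):
    """Mimic check_diff: what appeared and what vanished since the stored copy."""
    return sorted(current - baseline), sorted(baseline - current)


class UsbstorMonitor:
    """Holds the last seen output, like the stored diff state behind check_diff.

    The first check only records the baseline and reports nothing; alerts
    come from later checks whose output differs from the stored copy.
    """

    def __init__(self):
        self.baseline = None

    def check(self, output: str):
        current = parse_usbstor_entries(output)
        if self.baseline is None:
            self.baseline = current
            return None  # first run: baseline stored, nothing to compare
        added, removed = diff_snapshots(self.baseline, current)
        self.baseline = current
        if not added and not removed:
            return None
        return {"added": added, "removed": removed}


# Constructed first snapshot: three of the entries quoted in the post,
# followed by the truncated trailer exactly as the post shows it.
BASELINE_OUTPUT = "\n".join(
    USBSTOR_PREFIX + e
    for e in [
        "Disk&Ven_hp&Prod_v165w&Rev_0.00",
        "Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00",
        "Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.20",
    ]
) + "\nHKEY_LOCAL_MACHINE"

# Constructed second snapshot: same listing plus one hypothetical new device.
CHANGED_OUTPUT = (
    BASELINE_OUTPUT + "\n" + USBSTOR_PREFIX + "Disk&Ven_Example&Prod_TestStick&Rev_1.00"
)

if __name__ == "__main__":
    mon = UsbstorMonitor()
    print("first run:", mon.check(BASELINE_OUTPUT))  # None: baseline stored
    result = mon.check(CHANGED_OUTPUT)
    print("second run:", result)
    for name in result["added"]:
        print("  new device:", describe_entry(name))
```

Run it as-is to see the first check stay silent and the second report the hypothetical new stick; feeding it real `hkeyusbcheck` output from two consecutive runs shows which device entry changed between them, which is the event rule 510016 is waiting for.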