That is my decoder and rule for detecting USB:

<!-- Decoders -->
<!-- Parent decoder: claims every message whose program name is "kernel";
     the two children below pick out the USB attach/detach messages. -->
<decoder name="USB">
  <program_name>^kernel</program_name>
</decoder>

<!-- Attach: a kernel line of the form "sd <host:bus:target:lun>: [sdb] Attached SCSI removable disk".
     OSSEC regex has no bracket character classes, so "[sdb]" is a literal and only /dev/sdb matches.
     Captures action (e.g. "Attached") and status (e.g. "removable disk"). -->
<decoder name="USB-En">
  <parent>USB</parent>
  <prematch>^sd \S+</prematch>
  <regex>^sd \S+ [sdb] (\S+) SCSI (\.+)</regex>
  <order>action,status</order>
</decoder>

<!-- Detach: a kernel line of the form "usb 1-1: USB disconnect, device number N".
     "1-1" is bus 1, port 1, so other ports are not covered. \S+ stops at whitespace,
     so the captured action keeps its trailing comma ("disconnect,"), which is
     what rule 300022 matches on below. -->
<decoder name="USB-Dis">
  <parent>USB</parent>
  <prematch>^usb 1-1: USB \S+</prematch>
  <regex>^usb 1-1: USB (\S+)</regex>
  <order>action</order>
</decoder>

<!-- Rules -->
<group name="syslog,iptables">
  <!-- Level 0 base rule: fires for every message decoded by the USB parent decoder. -->
  <rule id="300020" level="0">
    <decoded_as>USB</decoded_as>
    <description>USB event (base rule)</description>
  </rule>
  <rule id="300021" level="8">
    <if_sid>300020</if_sid>
    <status>removable disk</status>
    <description>USB attached</description>
  </rule>
  <rule id="300022" level="8">
    <if_sid>300020</if_sid>
    <action>disconnect,</action>
    <description>USB disconnection</description>
  </rule>
</group>
<!-- EOF -->

On Saturday, 17 May 2014 at 02:25:45 UTC+7, Ashok wrote:
>
> I tried to overwrite the predefined external storage detection code by
> including the following in local_rules.xml
>
> <rule id="532" level="0" overwrite="yes" >
>   <if_sid>531</if_sid>
>   <match>cdrom|/media|usb|/mount|floppy|dvd</match>
>   <description>Detected external medias.</description>
> </rule>
>
> But it's not detecting USB storage..
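To see which rule the decoders and rules above would fire on a given kernel line, here is a small added Python emulation (not OSSEC's engine and not code from this thread): it translates the OSSEC regex subset the decoders use into Python re, runs the two child decoders and the two level-8 rules over constructed syslog lines, and shows that a disk other than sdb is silently ignored. The syslog layout, host name and device numbers are assumptions.

```python
import re

# Subset of the OSSEC regex dialect used by the decoders above, mapped to
# Python re. Anything not listed (including '[' and ']') is a literal, which
# is why "[sdb]" only ever matches the device sdb.
_TOKENS = {r"\S": r"\S", r"\s": r"\s", r"\d": r"\d",
           r"\w": r"[A-Za-z0-9@_-]", r"\.": r"."}  # OSSEC "\." = any char

def ossec_to_python(pattern):
    out, i = [], 0
    while i < len(pattern):
        if pattern[i:i + 2] in _TOKENS:
            out.append(_TOKENS[pattern[i:i + 2]]); i += 2
        elif pattern[i] in "^$()+*|":          # same meaning in both dialects
            out.append(pattern[i]); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return "".join(out)

# The two child decoders and the two level-8 rules from the post.
DECODERS = [
    {"prematch": r"^sd \S+", "regex": r"^sd \S+ [sdb] (\S+) SCSI (\.+)",
     "order": ["action", "status"]},
    {"prematch": r"^usb 1-1: USB \S+", "regex": r"^usb 1-1: USB (\S+)",
     "order": ["action"]},
]
RULES = [{"id": 300021, "status": "removable disk"},  # USB attached
         {"id": 300022, "action": "disconnect,"}]     # USB disconnection

def decode(syslog_line):
    """Parent decoder needs program_name kernel; then try each child decoder."""
    m = re.search(r"\skernel: (.*)$", syslog_line)
    body = m.group(1) if m else ""
    for dec in DECODERS:
        if re.search(ossec_to_python(dec["prematch"]), body):
            hit = re.search(ossec_to_python(dec["regex"]), body)
            if hit:
                return dict(zip(dec["order"], hit.groups()))
    return {}

def rule_id(syslog_line):
    """Id of the first rule whose status/action checks all match, else None."""
    fields = decode(syslog_line)
    for rule in RULES:
        if all(fields.get(k) == v for k, v in rule.items() if k != "id"):
            return rule["id"]
    return None

# Constructed sample syslog lines (assumed layout, not taken from the thread).
ATTACH = "May 17 02:25:45 host kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk"
DETACH = "May 17 02:30:01 host kernel: usb 1-1: USB disconnect, device number 3"
OTHER = "May 17 02:31:12 host kernel: sd 2:0:0:0: [sda] Attached SCSI disk"
```

Feed it the exact lines from your own syslog: if your kernel messages carry a "[ 123.456]" timestamp prefix before "sd ...", the ^sd prematch never fires, which you can confirm with /var/ossec/bin/ossec-logtest.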