Not as of yet, I am still working out some issues with reporting while
removable drives are not present.
On Friday, April 22, 2016 at 12:05:13 PM UTC-5, namobud...@gmail.com wrote:
>
> Can I just throw this into my local rules and it will detect plugged in
> USB devices?
>
> <rule id="503002" level="7">
> <if_sid>530</if_sid>
>
> <match>ossec: output: 'USB-Audit'</match>
> <check_diff />
> <description>USB Connected - Current Session Information</description>
> </rule>
>
>
>
> On Tuesday, April 19, 2016 at 3:23:39 PM UTC-4, Jacob Mcgrath wrote:
>>
>> I have a basic Windows agent setting to alert me when a storage device is
>> detected using Power shell..
>>
>> <localfile>
>> <log_format>full_command</log_format>
>> <command>powershell.exe -command "gwmi win32_diskdrive | select
>>
>> Model,InterfaceType,serialnumber,Size,MediaType,CapabilityDescriptions >
>> C:\temp\usbdetect.txt ; (gc C:\temp\usbdetect.txt | select -Skip 2)"
>> </command>
>> <frequency>300</frequency>
>> <alias>USBDevices</alias>
>> </localfile>
>>
>>
>> with the following rule in local_rules.xml
>> <rule id="503002" level="7">
>> <if_sid>530</if_sid>
>> <match>ossec: output: 'USBDevices'</match>
>> <check_diff />
>> <description>Mounted Device change detected</description>
>> </rule>
>>
>>
>>
>>
>> Of course I get this alert which is nice for basic logging..
>>
>> OSSEC HIDS Notification.
>>
>>
>>
>> 2016 Apr 19 18:35:31
>>
>>
>>
>> Received From: (mis41) any->USBDevices
>>
>> Rule: 503002 fired (level 7) -> "Mounted Device change detected"
>>
>> Portion of the log(s):
>>
>>
>>
>> ossec: output: 'USBDevices':
>>
>> Model : TOSHIBA DT01ACA100 SCSI Disk Device
>>
>> InterfaceType : IDE
>>
>> serialnumber : 359ZMW6MS
>>
>> Size : 1000202273280
>>
>> MediaType : Fixed hard disk media
>>
>> CapabilityDescriptions : {Random Access, Supports Writing, SMART
>> Notification}
>>
>> Model : Verbatim STORE N GO USB Device
>>
>> InterfaceType : USB
>>
>> serialnumber : AA00000000000489
>>
>> Size : 16022845440
>>
>> MediaType : Removable Media
>>
>> CapabilityDescriptions : {Random Access, Supports Writing, Supports
>> Removable M
>>
>> edia}
>>
>> Model : Verbatim STORE N GO USB Device
>>
>> InterfaceType : USB
>>
>> serialnumber : AA00000000000489
>>
>> Size : 16022845440
>>
>> MediaType : Removable Media
>>
>> CapabilityDescriptions : {Random Access, Supports Writing, Supports
>> Removable M
>>
>>
>>
>>
>>
>>
>>
>> --END OF NOTIFICATION
>>
>>
>>
>> I was playing around with Powershell and have a optional command to print
>> out USB storage device files recursively...
>>
>>
>> powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter
>> "DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive
>> -recurse
>> > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)
>>
>>
>> this gives me this output in a tmp.txt if ran from a powershell window
>> and or run line.
>>
>>
>> Directory: F:\
>>
>>
>> Mode LastWriteTime Length Name
>>
>> ---- ------------- ------ ----
>>
>> -a--- 11/06/2015 12:38 PM 22908888 mbam-setup-2.2.0.1024.exe
>>
>> -a--- 12/21/2014 9:27 AM 397798952 sp66051_driver-pack.exe
>>
>>
>>
>> Directory: E:\
>>
>>
>> Mode LastWriteTime Length Name
>>
>> ---- ------------- ------ ----
>>
>> -a--- 12/06/2011 9:51 AM 388608 HijackThis.exe
>>
>> -a--- 03/04/2016 2:44 PM 22908888 mbam-setup-2.2.0.1024.exe
>>
>> -a--- 03/04/2016 2:46 PM 9524 hijackthis.log
>>
>> I have been attempting to get the above USB recursive file lists
>> into a USB detection report but have not had any success as of yet using
>> the above command instead of the first like below.
>>
>>
>>
>> <localfile>
>> <log_format>full_command</log_format>
>> <command>powershell.exe $USBDrive = Get-WmiObject Win32_Volume -
>> Filter "DriveType='2'"| select -expand driveletter ; Get-Childitem
>> $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -
>> Skip 2)"</command>
>> <frequency>300</frequency>
>> <alias>USBDevices</alias>
>> </localfile>
>>
>>
>> This gives me a empty C:\temp\test.txt file...
>>
>>
>> Any suggestions would be appreiciated...
>>
>>
>>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
