Not as of yet, I am still working out some issues with reporting while removable drives are not present.
On Friday, April 22, 2016 at 12:05:13 PM UTC-5, namobud...@gmail.com wrote:
>
> Can I just throw this into my local rules and it will detect plugged in
> USB devices?
>
> <rule id="503002" level="7">
>   <if_sid>530</if_sid>
>   <match>ossec: output: 'USB-Audit'</match>
>   <check_diff />
>   <description>USB Connected - Current Session Information</description>
> </rule>
>
> On Tuesday, April 19, 2016 at 3:23:39 PM UTC-4, Jacob Mcgrath wrote:
>>
>> I have a basic Windows agent setting to alert me when a storage device is
>> detected using PowerShell.
>>
>> <localfile>
>>   <log_format>full_command</log_format>
>>   <command>powershell.exe -command "gwmi win32_diskdrive | select Model,InterfaceType,serialnumber,Size,MediaType,CapabilityDescriptions > C:\temp\usbdetect.txt ; (gc C:\temp\usbdetect.txt | select -Skip 2)"</command>
>>   <frequency>300</frequency>
>>   <alias>USBDevices</alias>
>> </localfile>
>>
>> with the following rule in local_rules.xml:
>>
>> <rule id="503002" level="7">
>>   <if_sid>530</if_sid>
>>   <match>ossec: output: 'USBDevices'</match>
>>   <check_diff />
>>   <description>Mounted Device change detected</description>
>> </rule>
>>
>> Of course I get this alert, which is nice for basic logging:
>>
>> OSSEC HIDS Notification.
>> 2016 Apr 19 18:35:31
>>
>> Received From: (mis41) any->USBDevices
>> Rule: 503002 fired (level 7) -> "Mounted Device change detected"
>> Portion of the log(s):
>>
>> ossec: output: 'USBDevices':
>> Model                  : TOSHIBA DT01ACA100 SCSI Disk Device
>> InterfaceType          : IDE
>> serialnumber           : 359ZMW6MS
>> Size                   : 1000202273280
>> MediaType              : Fixed hard disk media
>> CapabilityDescriptions : {Random Access, Supports Writing, SMART Notification}
>>
>> Model                  : Verbatim STORE N GO USB Device
>> InterfaceType          : USB
>> serialnumber           : AA00000000000489
>> Size                   : 16022845440
>> MediaType              : Removable Media
>> CapabilityDescriptions : {Random Access, Supports Writing, Supports Removable Media}
>>
>> Model                  : Verbatim STORE N GO USB Device
>> InterfaceType          : USB
>> serialnumber           : AA00000000000489
>> Size                   : 16022845440
>> MediaType              : Removable Media
>> CapabilityDescriptions : {Random Access, Supports Writing, Supports Removable M
>>
>> --END OF NOTIFICATION
>>
>> I was playing around with PowerShell and have an optional command to print
>> out USB storage device files recursively:
>>
>> powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'" | select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)
>>
>> This gives me this output in a tmp.txt if run from a PowerShell window
>> and/or the Run line:
>>
>>     Directory: F:\
>>
>> Mode                LastWriteTime     Length Name
>> ----                -------------     ------ ----
>> -a---        11/06/2015 12:38 PM   22908888 mbam-setup-2.2.0.1024.exe
>> -a---        12/21/2014  9:27 AM  397798952 sp66051_driver-pack.exe
>>
>>     Directory: E:\
>>
>> Mode                LastWriteTime     Length Name
>> ----                -------------     ------ ----
>> -a---        12/06/2011  9:51 AM     388608 HijackThis.exe
>> -a---        03/04/2016  2:44 PM   22908888 mbam-setup-2.2.0.1024.exe
>> -a---        03/04/2016  2:46 PM       9524 hijackthis.log
>>
>> I have been attempting to get the above USB recursive file lists
>> into a USB detection report but have not had any success as of yet using
>> the above command instead of the first, like below:
>>
>> <localfile>
>>   <log_format>full_command</log_format>
>>   <command>powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)"</command>
>>   <frequency>300</frequency>
>>   <alias>USBDevices</alias>
>> </localfile>
>>
>> This gives me an empty C:\temp\test.txt file...
>>
>> Any suggestions would be appreciated...
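For comparison, here is one way to write the removable-drive file report as a script that handles the case the thread leaves open, namely no removable drive being present. This is an added example, not code from the thread or from OSSEC; the script path C:\ossec\usb-audit.ps1 is an assumption, and it relies on WMI Win32_Volume DriveType 2 meaning a removable volume, as the command above does.

```powershell
# usb-audit.ps1 -- added example, not from the original thread.
# Reports removable volumes (WMI Win32_Volume, DriveType 2) and their files
# on standard output, so OSSEC full_command captures the text directly
# instead of via a temp file; the <check_diff /> rule then fires only when
# the report changes between runs.
#
# Assumed agent ossec.conf entry (the script path is an assumption):
#   <localfile>
#     <log_format>full_command</log_format>
#     <command>powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ossec\usb-audit.ps1</command>
#     <frequency>300</frequency>
#     <alias>USBDevices</alias>
#   </localfile>

$removable = @(Get-WmiObject Win32_Volume -Filter "DriveType='2'" |
    Where-Object { $_.DriveLetter } |
    Sort-Object DriveLetter)

if ($removable.Count -eq 0) {
    # Emit a fixed line instead of no output, so inserting or removing a
    # drive always changes the report and check_diff sees the transition.
    Write-Output "No removable volumes present"
    exit 0
}

foreach ($vol in $removable) {
    $root = $vol.DriveLetter + "\"
    Write-Output ("Volume {0} Label={1} Serial={2} Capacity={3}" -f
        $vol.DriveLetter, $vol.Label, $vol.SerialNumber, $vol.Capacity)

    # Files only, sorted by path, with a fixed timestamp format so the text
    # is stable between runs and a diff reflects real changes on the drive.
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Sort-Object FullName |
        ForEach-Object {
            Write-Output ("  {0} {1,12} {2}" -f
                $_.LastWriteTime.ToString("yyyy-MM-dd HH:mm:ss"),
                $_.Length,
                $_.FullName)
        }
}
```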