Ok, here is my .bat script I use to check for and list files contained within the USB drive. If no drive is detected the output file would not change, therefore not causing an alarm when the drive is removed.

    @echo off
    set host=%COMPUTERNAME%
    rem fsutil fsinfo drives prints "Drives: C:\ D:\ F:\ ..." - token 1 is the label, %%b is the rest
    for /F "tokens=1*" %%a in ('fsutil fsinfo drives') do (
      for %%c in (%%b) do (
        rem fsutil fsinfo drivetype prints "F:\ - Removable Drive" - token 3 is the type
        for /F "tokens=3" %%d in ('fsutil fsinfo drivetype %%c') do (
          if %%d equ Removable (
            rem header line: hostname, IP from nslookup, user; overwrites the file
            rem inner loop variable renamed from %%a to %%e so it does not shadow the outer loop
            rem %USERNAME% replaces the undefined %user% of the original
            for /f "skip=4 usebackq tokens=2" %%e in (`nslookup %host%`) do echo %host% %%e %USERNAME% > C:\temp\usbstor.txt
            echo Drive %%c is Removable (USB^)
            dir /s %%c >> C:\temp\usbstor.txt
            type C:\temp\usbstor.txt
          )
        )
      )
    )

Now in the Windows agent config I have the entry that would run the .bat script every so many minutes or seconds (I have mine set for 30 seconds for testing, but 60 sec would be more realistic).

    <localfile>
      <log_format>full_command</log_format>
      <command>C:\Admin_Tools\USB_Audit\usb-audit.bat</command>
      <frequency>30</frequency>
      <alias>USBDevices</alias>
    </localfile>

On the OSSEC server side I have this entry in local_rules.xml:

    <rule id="503002" level="7">
      <if_sid>530</if_sid>
      <match>ossec: output: 'USBDevices'</match>
      <check_diff />
      <description>Mounted Device change detected</description>
    </rule>

After this I restart the OSSEC server and agent, wait a minute, then insert a USB drive. I get an email alert similar to this:

    OSSEC HIDS Notification.
    2016 Apr 28 15:11:29

    Received From: (mis41) any->USBDevices
    Rule: 503002 fired (level 7) -> "Mounted Device change detected"
    Portion of the log(s):

    ossec: output: 'USBDevices':
    Drive F:\ is Removable (USB)
    MIS41 10.18.100.24
     Volume in drive F is OS
     Volume Serial Number is 642E-1FF6

     Directory of F:\

    11/06/2015  01:38 PM        22,908,888 mbam-setup-2.2.0.1024.exe
    12/21/2014  10:27 AM       397,798,952 sp66051_driver-pack.exe
                   2 File(s)    420,707,840 bytes

     Directory of F:\System Volume Information

    11/05/2015  08:56 AM    <DIR>          .
    11/05/2015  08:56 AM    <DIR>          ..
    11/05/2015  08:56 AM                76 IndexerVolumeGuid
    01/13/2016  02:41 PM                12 WPSettings.dat
                   2 File(s)             88 bytes

         Total Files Listed:
                   4 File(s)    420,707,928 bytes
                   2 Dir(s)  3,328,983,040 bytes free
    Previous output: ossec: output: 'USBDevices':

    --END OF NOTIFICATION

In Squert I can see this:

On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:
>
> I have a basic Windows agent setting to alert me when a storage device is
> detected using PowerShell..
>
> <localfile>
>   <log_format>full_command</log_format>
>   <command>powershell.exe -command "gwmi win32_diskdrive | select Model,InterfaceType,serialnumber,Size,MediaType,CapabilityDescriptions > C:\temp\usbdetect.txt ; (gc C:\temp\usbdetect.txt | select -Skip 2)"</command>
>   <frequency>300</frequency>
>   <alias>USBDevices</alias>
> </localfile>
>
> with the following rule in local_rules.xml
>
> <rule id="503002" level="7">
>   <if_sid>530</if_sid>
>   <match>ossec: output: 'USBDevices'</match>
>   <check_diff />
>   <description>Mounted Device change detected</description>
> </rule>
>
> Of course I get this alert, which is nice for basic logging..
>
> OSSEC HIDS Notification.
> 2016 Apr 19 18:35:31
>
> Received From: (mis41) any->USBDevices
> Rule: 503002 fired (level 7) -> "Mounted Device change detected"
> Portion of the log(s):
>
> ossec: output: 'USBDevices':
> Model                  : TOSHIBA DT01ACA100 SCSI Disk Device
> InterfaceType          : IDE
> serialnumber           : 359ZMW6MS
> Size                   : 1000202273280
> MediaType              : Fixed hard disk media
> CapabilityDescriptions : {Random Access, Supports Writing, SMART Notification}
>
> Model                  : Verbatim STORE N GO USB Device
> InterfaceType          : USB
> serialnumber           : AA00000000000489
> Size                   : 16022845440
> MediaType              : Removable Media
> CapabilityDescriptions : {Random Access, Supports Writing, Supports Removable Media}
>
> Model                  : Verbatim STORE N GO USB Device
> InterfaceType          : USB
> serialnumber           : AA00000000000489
> Size                   : 16022845440
> MediaType              : Removable Media
> CapabilityDescriptions : {Random Access, Supports Writing, Supports Removable M
>
> --END OF NOTIFICATION
>
> I was playing around with PowerShell and have an optional command to print
> out USB storage device files recursively...
>
> powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'" | select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)
>
> this gives me this output in a tmp.txt if run from a PowerShell window and/or
> the Run line.
>
>     Directory: F:\
>
> Mode                LastWriteTime     Length Name
> ----                -------------     ------ ----
> -a---        11/06/2015 12:38 PM   22908888 mbam-setup-2.2.0.1024.exe
> -a---        12/21/2014  9:27 AM  397798952 sp66051_driver-pack.exe
>
>     Directory: E:\
>
> Mode                LastWriteTime     Length Name
> ----                -------------     ------ ----
> -a---        12/06/2011  9:51 AM     388608 HijackThis.exe
> -a---        03/04/2016  2:44 PM   22908888 mbam-setup-2.2.0.1024.exe
> -a---        03/04/2016  2:46 PM       9524 hijackthis.log
>
> I have been attempting to get the above USB recursive file lists into a USB
> detection report but have not had any success as of yet using the above
> command instead of the first, like below.
>
> <localfile>
>   <log_format>full_command</log_format>
>   <command>powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'" | select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)"</command>
>   <frequency>300</frequency>
>   <alias>USBDevices</alias>
> </localfile>
>
> This gives me an empty C:\temp\test.txt file...
>
> Any suggestions would be appreciated...
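As an added example (not code from the thread): a PowerShell equivalent of the .bat above, written for the same full_command/check_diff setup and the same C:\temp\usbstor.txt audit file. It assumes the script is saved as C:\Admin_Tools\USB_Audit\usb-audit.ps1 (an assumed path) and keeps its output stable between runs so that rule 503002 fires only when a removable volume or its contents actually change.

```powershell
# Added example, not from the thread. Run by the OSSEC agent via a full_command
# <localfile>; the script path below is assumed:
#   <command>powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Admin_Tools\USB_Audit\usb-audit.ps1</command>

# Win32_Volume DriveType 2 = removable. Win32_DiskDrive (used in the quoted
# post) also returns fixed disks, which is why a SATA disk appeared there.
$removable = Get-WmiObject -Class Win32_Volume -Filter "DriveType=2" |
    Where-Object { $_.DriveLetter } |
    Sort-Object DriveLetter

$lines = foreach ($vol in $removable) {
    'Drive {0} is Removable (USB) label="{1}" serial={2:X8} fs={3}' -f $vol.DriveLetter, $vol.Label, $vol.SerialNumber, $vol.FileSystem

    # Only path, size and last-write time, sorted by path: check_diff compares
    # the whole output, so anything that varies between runs (a current
    # timestamp, enumeration order) would raise a false "change detected".
    Get-ChildItem -Path ($vol.DriveLetter + '\') -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Sort-Object FullName |
        ForEach-Object { '  {0}  {1,12}  {2:yyyy-MM-dd HH:mm:ss}' -f $_.FullName, $_.Length, $_.LastWriteTime }
}

# With no removable volume the output is one fixed line, so both insertion
# (listing appears) and removal (listing disappears) change the output and
# fire rule 503002.
if (-not $lines) { $lines = @('No removable volume present') }

# Keep a copy on disk for the analyst and print to stdout for the agent.
$lines | Set-Content -Path 'C:\temp\usbstor.txt' -Encoding ASCII
$lines
```

Because the whole listing is compared, a large volume produces a large alert; cap it with a `Select-Object -First N` in the pipeline if the mail size becomes a problem.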