Now in Squert I can see this report and/or alert...
<https://lh3.googleusercontent.com/-Ooskcm7_A2U/VyIrGUcx9iI/AAAAAAAACWA/CsSu3vRW83Y8kbU89cVAGTV7PgWqSVk8QCLcB/s1600/squert.PNG>

On Thursday, April 28, 2016 at 10:21:58 AM UTC-5, Jacob Mcgrath wrote:
>
> Ok, here is my .bat script I use to check for and list files contained
> within the USB drive. If no drive is detected the output file would not
> change, therefore not causing an alarm when the drive is removed.
>
> @echo off
> set host=%COMPUTERNAME%
>
> REM Walk every drive letter, keep only those fsutil reports as Removable,
> REM write host/IP/user to the state file, then append a recursive listing.
> REM (%USERNAME% is the built-in variable; an undefined name here expands to nothing.)
> for /F "tokens=1*" %%a in ('fsutil fsinfo drives') do (
>   for %%c in (%%b) do (
>     for /F "tokens=3" %%d in ('fsutil fsinfo drivetype %%c') do (
>       if %%d equ Removable (
>         for /f "skip=4 usebackq tokens=2" %%a in (`nslookup %host%`) do echo %host% %%a %USERNAME% > C:\temp\usbstor.txt
>         echo Drive %%c is Removable (USB^)
>         dir /s %%c >> C:\temp\usbstor.txt
>         type C:\temp\usbstor.txt
>       )
>     )
>   )
> )
>
> Now in the Windows agent config I have the entry that would run the .bat
> script every so many minutes or seconds (I have mine set for 30 seconds
> for testing but 60 sec would be more realistic).
>
> <localfile>
> <log_format>full_command</log_format>
> <command>C:\Admin_Tools\USB_Audit\usb-audit.bat</command>
> <frequency>30</frequency>
> <alias>USBDevices</alias>
> </localfile>
>
> On the OSSEC server side I have this entry in the local_rules.xml:
>
> <rule id="503002" level="7">
> <if_sid>530</if_sid>
> <match>ossec: output: 'USBDevices'</match>
> <check_diff />
> <description>Mounted Device change detected</description>
> </rule>
>
> After this I restart the OSSEC server and agent, wait a minute, then insert
> a USB drive. I get an email alert similar to this:
>
> OSSEC HIDS Notification.
> 2016 Apr 28 15:11:29
>
> Received From: (mis41) any->USBDevices
> Rule: 503002 fired (level 7) -> "Mounted Device change detected"
> Portion of the log(s):
>
> ossec: output: 'USBDevices':
> Drive F:\ is Removable (USB)
> MIS41 10.18.100.24
>  Volume in drive F is OS
>  Volume Serial Number is 642E-1FF6
>
>  Directory of F:\
>
> 11/06/2015  01:38 PM        22,908,888 mbam-setup-2.2.0.1024.exe
> 12/21/2014  10:27 AM       397,798,952 sp66051_driver-pack.exe
>                2 File(s)    420,707,840 bytes
>
>  Directory of F:\System Volume Information
>
> 11/05/2015  08:56 AM    <DIR>          .
> 11/05/2015  08:56 AM    <DIR>          ..
> 11/05/2015  08:56 AM                76 IndexerVolumeGuid
> 01/13/2016  02:41 PM                12 WPSettings.dat
>                2 File(s)             88 bytes
>
>      Total Files Listed:
>                4 File(s)    420,707,928 bytes
>                2 Dir(s)   3,328,983,040 bytes free
>
> Previous output:
> ossec: output: 'USBDevices':
>
>
> --END OF NOTIFICATION
>
> In Squert I can see this:
>
>
> On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:
>>
>> I have a basic Windows agent setting to alert me when a storage device is
>> detected using PowerShell.
>>
>> <localfile>
>> <log_format>full_command</log_format>
>> <command>powershell.exe -command "gwmi win32_diskdrive | select Model,InterfaceType,serialnumber,Size,MediaType,CapabilityDescriptions > C:\temp\usbdetect.txt ; (gc C:\temp\usbdetect.txt | select -Skip 2)"</command>
>> <frequency>300</frequency>
>> <alias>USBDevices</alias>
>> </localfile>
>>
>> with the following rule in local_rules.xml:
>>
>> <rule id="503002" level="7">
>> <if_sid>530</if_sid>
>> <match>ossec: output: 'USBDevices'</match>
>> <check_diff />
>> <description>Mounted Device change detected</description>
>> </rule>
>>
>> Of course I get this alert, which is nice for basic logging.
>>
>> OSSEC HIDS Notification.
>> 2016 Apr 19 18:35:31
>>
>> Received From: (mis41) any->USBDevices
>> Rule: 503002 fired (level 7) -> "Mounted Device change detected"
>> Portion of the log(s):
>>
>> ossec: output: 'USBDevices':
>> Model                  : TOSHIBA DT01ACA100 SCSI Disk Device
>> InterfaceType          : IDE
>> serialnumber           : 359ZMW6MS
>> Size                   : 1000202273280
>> MediaType              : Fixed hard disk media
>> CapabilityDescriptions : {Random Access, Supports Writing, SMART Notification}
>>
>> Model                  : Verbatim STORE N GO USB Device
>> InterfaceType          : USB
>> serialnumber           : AA00000000000489
>> Size                   : 16022845440
>> MediaType              : Removable Media
>> CapabilityDescriptions : {Random Access, Supports Writing, Supports Removable Media}
>>
>> Model                  : Verbatim STORE N GO USB Device
>> InterfaceType          : USB
>> serialnumber           : AA00000000000489
>> Size                   : 16022845440
>> MediaType              : Removable Media
>> CapabilityDescriptions : {Random Access, Supports Writing, Supports Removable M
>>
>> --END OF NOTIFICATION
>>
>> I was playing around with PowerShell and have an optional command to print
>> out USB storage device files recursively...
>>
>> powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)
>>
>> This gives me this output in a tmp.txt if run from a PowerShell window
>> and/or the Run line.
>> Directory: F:\
>>
>> Mode                LastWriteTime     Length Name
>> ----                -------------     ------ ----
>> -a---        11/06/2015  12:38 PM   22908888 mbam-setup-2.2.0.1024.exe
>> -a---        12/21/2014   9:27 AM  397798952 sp66051_driver-pack.exe
>>
>> Directory: E:\
>>
>> Mode                LastWriteTime     Length Name
>> ----                -------------     ------ ----
>> -a---        12/06/2011   9:51 AM     388608 HijackThis.exe
>> -a---        03/04/2016   2:44 PM   22908888 mbam-setup-2.2.0.1024.exe
>> -a---        03/04/2016   2:46 PM       9524 hijackthis.log
>>
>> I have been attempting to get the above USB recursive file lists
>> into a USB detection report but have not had any success as of yet using
>> the above command instead of the first, like below.
>>
>> <localfile>
>> <log_format>full_command</log_format>
>> <command>powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)"</command>
>> <frequency>300</frequency>
>> <alias>USBDevices</alias>
>> </localfile>
>>
>> This gives me an empty C:\temp\test.txt file...
>>
>> Any suggestions would be appreciated...
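A PowerShell version of the removable-drive listing the thread is trying to build, added here as an example (it is not the poster's code or part of OSSEC). It is meant to be saved as a script and started with `-File` from the `<command>` element rather than embedding the whole pipeline there, so no quoting is needed; the script path, the state-file path and the use of `Get-ChildItem -File` (PowerShell 3.0 or later) are assumptions.

```powershell
# usb-audit.ps1 (added example; not from the original post or OSSEC).
# Run by the agent as a full_command, e.g. (paths assumed):
#   <command>powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Admin_Tools\USB_Audit\usb-audit.ps1</command>
# The output is sorted and carries no run timestamp, so a <check_diff /> rule fires
# only when the set of removable volumes or their contents actually changes.

$ErrorActionPreference = 'SilentlyContinue'   # e.g. access denied on System Volume Information
$StateFile = 'C:\temp\usbstor.txt'            # assumed; mirrors the batch script's output file

# Win32_Volume DriveType 2 = removable disk; skip volumes without a drive letter
$Removable = Get-WmiObject Win32_Volume -Filter "DriveType=2" |
    Where-Object { $_.DriveLetter } |
    Sort-Object DriveLetter

$Lines = @()
if ($Removable) {
    $Lines += "Host: $env:COMPUTERNAME"
    foreach ($Vol in $Removable) {
        $Serial = '{0:X8}' -f $Vol.SerialNumber
        $Lines += "Drive $($Vol.DriveLetter)\ is Removable (Label='$($Vol.Label)' Serial=$Serial)"
        # Recursive file listing sorted by full path so the order is stable run to run
        $Files = Get-ChildItem -LiteralPath "$($Vol.DriveLetter)\" -Recurse -Force -File |
            Sort-Object FullName
        foreach ($F in $Files) {
            $Lines += ('{0,12} {1} {2}' -f $F.Length,
                       $F.LastWriteTime.ToString('yyyy-MM-dd HH:mm:ss'), $F.FullName)
        }
    }
    # Keep the latest listing on disk so it can still be reviewed after the drive is gone
    $Lines | Set-Content -LiteralPath $StateFile
} elseif (Test-Path -LiteralPath $StateFile) {
    # No removable volume present: re-emit the last listing unchanged so the
    # check_diff rule does not fire on removal, the behaviour the batch script relies on
    $Lines = Get-Content -LiteralPath $StateFile
}

# Everything written to stdout is what the agent sends as "ossec: output: 'USBDevices'"
$Lines
```

Because the listing is sorted and the state file is re-emitted when no drive is present, inserting a drive, adding or removing a file on it, and swapping in a different drive each produce one diff alert, while simply unplugging the drive produces none.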