<https://lh3.googleusercontent.com/-77P49OfgEuI/VyOAW-JH46I/AAAAAAAACYQ/rWZvCMTOkl0240wJOUI5DtIt46YXC5xfQCLcB/s1600/squert.PNG>


On Friday, April 29, 2016 at 6:48:57 AM UTC-5, Jacob Mcgrath wrote:
>
> OK, here is my .bat script I use to check for and list files contained 
> within the USB drive.  If no drive is detected, the output file would not 
> change, therefore not causing
> an alarm when the drive is removed.  If no drive is present, the script 
> exits, causing no change to usbstor.txt, thus no alarm either.  
>
> @echo off
> setlocal EnableDelayedExpansion
> set host=%COMPUTERNAME%
> set out=C:\temp\usbstor.txt
> set found=0
>
> REM fsutil lists every drive letter; drivetype tells us which ones are Removable
> for /F "tokens=1*" %%a in ('fsutil fsinfo drives') do (
>    for %%c in (%%b) do (
>       for /F "tokens=3" %%d in ('fsutil fsinfo drivetype %%c') do (
>          if %%d equ Removable (
>             REM First removable drive seen: start a fresh report with host, IP and user.
>             REM Uses %%e so the inner loop does not shadow %%a above; %USERNAME% is
>             REM assumed to be what the original (undefined) %user% was meant to expand to.
>             if !found! equ 0 (
>                for /F "skip=4 usebackq tokens=2" %%e in (`nslookup %host%`) do echo %host% %%e %USERNAME% > %out%
>                set found=1
>             )
>             echo Drive %%c is Removable (USB^)
>             REM Append rather than overwrite, so a second removable drive does not wipe the first
>             dir /s %%c >> %out%
>          )
>       )
>    )
> )
> REM Emit the report once at the end; with no removable drive nothing is printed
> if !found! equ 1 type %out%
>
>
> Now in the Windows agent config I have the entry that would run the .bat 
> script every so many minutes or seconds (I have mine set for 30 seconds 
> for testing, but 60 sec would be more 
> realistic).
>
> <localfile>
>   <log_format>full_command</log_format>
>   <command>C:\Admin_Tools\USB_Audit\usb-audit.bat</command>
>   <frequency>30</frequency>
>   <alias>USBDevices</alias>
> </localfile>
>
> On the OSSEC server side I have this entry in local_rules.xml:
>
> <rule id="503002" level="7">
>     <if_sid>530</if_sid>
>     <match>ossec: output: 'USBDevices'</match>
>     <check_diff />
>     <description>Mounted Device change detected</description>
> </rule>
>
>
> After this I restart the OSSEC server and agent, wait a minute, then insert 
> a USB drive.  I get an email alert similar to this... I have shortened the 
> output after the "Previous output", since this would include the 
> differences between the current and last alert.
>
> OSSEC HIDS Notification.
> 2016 Apr 28 15:11:29
>
> Received From: (mis41) any->USBDevices
> Rule: 503002 fired (level 7) -> "Mounted Device change detected"
> Portion of the log(s):
>
> ossec: output: 'USBDevices':
> Drive F:\ is Removable (USB)
> MIS41 10.18.100.24
>  Volume in drive F is OS
>  Volume Serial Number is 642E-1FF6
>
>  Directory of F:\
>
> 11/06/2015  01:38 PM        22,908,888 mbam-setup-2.2.0.1024.exe
> 12/21/2014  10:27 AM       397,798,952 sp66051_driver-pack.exe
>                2 File(s)    420,707,840 bytes
>
>  Directory of F:\System Volume Information
>
> 11/05/2015  08:56 AM    <DIR>          .
> 11/05/2015  08:56 AM    <DIR>          ..
> 11/05/2015  08:56 AM                76 IndexerVolumeGuid
> 01/13/2016  02:41 PM                12 WPSettings.dat
>                2 File(s)             88 bytes
>
>      Total Files Listed:
>                4 File(s)    420,707,928 bytes
>                2 Dir(s)   3,328,983,040 bytes free
>
> Previous output:
> ossec: output: 'USBDevices':
>
>  --END OF NOTIFICATION
>
> I do see similar logging in Squert for these events.  I do see the alerts 
> for the events in ELSA, but no output like there is in the above in the 
> OSSEC alerts category.
>
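As an added example that is not part of the thread (nothing here is OSSEC's or the poster's code), this Python parser takes the `ossec: output: 'USBDevices':` body that rule 503002 attaches to an alert and turns a check_diff hit into a structured finding: device inserted, device removed, or files changed on the same volume. The sample alert text is constructed from the values shown in the post above; the function and regex names are assumptions of this example.

```python
import re
# Constructed sample modelled on the rule 503002 alert body posted in the thread.
SAMPLE_ALERT = """ossec: output: 'USBDevices':
Drive F:\\ is Removable (USB)
MIS41 10.18.100.24
 Volume Serial Number is 642E-1FF6
 Directory of F:\\
11/06/2015  01:38 PM        22,908,888 mbam-setup-2.2.0.1024.exe
12/21/2014  10:27 AM       397,798,952 sp66051_driver-pack.exe
               2 File(s)    420,707,840 bytes
 Directory of F:\\System Volume Information
11/05/2015  08:56 AM    <DIR>          .
11/05/2015  08:56 AM                76 IndexerVolumeGuid
01/13/2016  02:41 PM                12 WPSettings.dat
"""

DRIVE_RE = re.compile(r"^Drive ([A-Z]:\\) is Removable", re.M)
HOST_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M)   # "<host> <ip>" header line
SERIAL_RE = re.compile(r"Volume Serial Number is ([0-9A-F]{4}-[0-9A-F]{4})")
DIR_RE = re.compile(r"^ Directory of (.*?)\s*$")
FILE_RE = re.compile(r"^\d\d/\d\d/\d{4}\s+\d\d:\d\d [AP]M\s+([\d,]+) (.+?)\s*$")  # <DIR> rows do not match

def parse_usb_alert(text):
    # Host, drive and serial come from the script's header lines; files from the dir /s listing.
    drive, host, serial = DRIVE_RE.search(text), HOST_RE.search(text), SERIAL_RE.search(text)
    files, cwd = {}, None
    for line in text.splitlines():
        d = DIR_RE.match(line)
        if d:
            cwd = d.group(1)            # each "Directory of" line starts a new subtree
            continue
        f = FILE_RE.match(line)
        if f and cwd is not None:
            path = cwd + ("" if cwd.endswith("\\") else "\\") + f.group(2)
            files[path] = int(f.group(1).replace(",", ""))
    return {"drive": drive and drive.group(1), "host": host and host.group(1),
            "ip": host and host.group(2), "serial": serial and serial.group(1), "files": files}

def classify_change(prev_text, curr_text):
    # Same comparison check_diff does, but it says what changed: returns (kind, added, removed).
    prev, curr = parse_usb_alert(prev_text), parse_usb_alert(curr_text)
    if curr["serial"] and curr["serial"] != prev["serial"]:
        return "device_inserted", sorted(curr["files"]), []
    if prev["serial"] and not curr["serial"]:
        return "device_removed", [], sorted(prev["files"])
    added = sorted(curr["files"].keys() - prev["files"].keys())
    removed = sorted(prev["files"].keys() - curr["files"].keys())
    if added or removed:
        return "files_changed", added, removed
    return "no_change", [], []
```

Feeding the "Previous output" body and the current body from an alert into `classify_change` tells you whether the rule fired because a new volume serial appeared or because files on an already-seen stick changed, which is the distinction a triage analyst wants from this rule.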
