Hello, this is Guruji.

I need rules that are used to detect the transfer of data from one system to USB.


Regards,


Guruji


On Tuesday, June 18, 2013 at 1:54:27 PM UTC+5:30, jonas...@gmail.com wrote:
>
> There are a number of articles (and even a section in the official ossec 
> documentation) on how to make ossec detect USB Storage connected to a 
> Windows system, but I've been unable to find a way to make it detect 
> connection of USB storage to a Linux system.
>
> This page
> http://www.ossec.net/doc/manual/monitoring/process-monitoring.html#detecting-usb-storage-usage
> in the official documentation describes the Windows part.
>
> In CentOS (or RedHat) the default place for the log to be written seems to 
> be in /var/log/kernel. The only decoder that I can find that reads anything 
> in that file is the 'iptables'-decoder.
>
> Can I just create a rule that creates an alert if there's a matching entry 
> in /var/log/kernel (given that that file is actually monitored on the 
> client systems), or do I need to 'hack' the decoder as well?
>
> I tried creating this in local_rules.xml:
>
> <rule id="100341" level="8">
>   <decoded_as>iptables</decoded_as>
>   <program_name>kernel</program_name>
>   <regex>^usb \S* new</regex>
>   <description>Unknown USB device attached</description>
> </rule>
>
> But I haven't been able to get it to generate the alert.
>
> The log file entry looks like this:
>
> Jun 18 09:56:23 localhost kernel: usb 1-5.2: new high speed USB device 
> number 10 using ehci_hcd
> Jun 18 09:56:23 localhost kernel: usb 1-5.2: New USB device found, 
> idVendor=0951, idProduct=1607
> Jun 18 09:56:23 localhost kernel: usb 1-5.2: New USB device strings: 
> Mfr=1, Product=2, SerialNumber=3
> Jun 18 09:56:23 localhost kernel: usb 1-5.2: Product: DataTraveler 2.0
> Jun 18 09:56:23 localhost kernel: usb 1-5.2: Manufacturer: Kingston
> Jun 18 09:56:23 localhost kernel: usb 1-5.2: SerialNumber: 
> 001D0F0CAAC55A891B1400E4
> Jun 18 09:56:23 localhost kernel: usb 1-5.2: configuration #1 chosen from 
> 1 choice
> Jun 18 09:56:23 localhost kernel: scsi9 : SCSI emulation for USB Mass 
> Storage devices
> Jun 18 09:56:23 localhost kernel: usb-storage: device found at 10
> Jun 18 09:56:23 localhost kernel: usb-storage: waiting for device to 
> settle before scanning
> Jun 18 09:56:24 localhost kernel: usb-storage: device scan complete
> Jun 18 09:56:24 localhost kernel: scsi 9:0:0:0: Direct-Access     Kingston 
> DataTraveler 2.0 1.00 PQ: 0 ANSI: 2
> Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: Attached scsi generic sg6 
> type 0
> Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: [sdd] 15679488 512-byte 
> logical blocks: (8.02 GB/7.47 GiB)
> Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: [sdd] Write Protect is off
> Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: [sdd] Mode Sense: 23 00 00 00
> Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: [sdd] Assuming drive cache: 
> write through
> Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: [sdd] Assuming drive cache: 
> write through
> Jun 18 09:56:24 localhost kernel: sdd: sdd1
> Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: [sdd] Assuming drive cache: 
> write through
> Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: [sdd] Attached SCSI 
> removable disk
> Jun 18 09:56:27 localhost kernel: usb 1-5.2: USB disconnect, device number 
> 10
>
> I've made sure that the file /var/log/kernel is checked, both in 
> ossec.conf on the server and in agent.conf on the client. I've restarted 
> both server and client and tried to insert my USB drive. The log entry is 
> created but no alert.
>
> Anyone looked at this and got it to work?
>
>
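
As an added illustration (not code from this thread or from OSSEC), the detection logic the quoted post is after, written as a small Python correlator over the kernel lines shown above: it ties the idVendor/idProduct, Product, Manufacturer and SerialNumber lines to the later "Attached SCSI removable disk" line and records whether the disk came up writable. The sample log is constructed from the lines quoted above, and the link between the USB port and the sd device is a sequence-based assumption, since the kernel prints no USB port on the sd lines.

```python
import re

# Constructed sample: the kernel lines quoted in the post, with wrapped lines re-joined.
SAMPLE_LOG = """\
Jun 18 09:56:23 localhost kernel: usb 1-5.2: new high speed USB device number 10 using ehci_hcd
Jun 18 09:56:23 localhost kernel: usb 1-5.2: New USB device found, idVendor=0951, idProduct=1607
Jun 18 09:56:23 localhost kernel: usb 1-5.2: Product: DataTraveler 2.0
Jun 18 09:56:23 localhost kernel: usb 1-5.2: Manufacturer: Kingston
Jun 18 09:56:23 localhost kernel: usb 1-5.2: SerialNumber: 001D0F0CAAC55A891B1400E4
Jun 18 09:56:23 localhost kernel: usb-storage: device found at 10
Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: [sdd] Write Protect is off
Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: [sdd] Attached SCSI removable disk
Jun 18 09:56:27 localhost kernel: usb 1-5.2: USB disconnect, device number 10
"""

# The kernel messages worth alerting on; the rest of the burst is noise.
NEW_DEV = re.compile(r"kernel: usb (?P<port>[\d.-]+): New USB device found, "
                     r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
DEV_ATTR = re.compile(r"kernel: usb (?P<port>[\d.-]+): "
                      r"(?P<key>Product|Manufacturer|SerialNumber): (?P<val>.+)$")
WRITE_PROT = re.compile(r"kernel: sd [\d:]+: \[(?P<dev>sd[a-z]+)\] Write Protect is (?P<state>on|off)")
ATTACHED = re.compile(r"kernel: sd [\d:]+: \[(?P<dev>sd[a-z]+)\] Attached SCSI removable disk")
DISCONNECT = re.compile(r"kernel: usb (?P<port>[\d.-]+): USB disconnect")

def detect_usb_storage(lines):
    """Correlate kernel log lines into USB mass-storage attach/detach alerts.
    Assumption: sd lines carry no USB port, so the most recently enumerated
    USB device is taken as the owner of the next 'Attached SCSI removable disk'."""
    devices = {}        # USB port -> attributes collected so far
    write_protect = {}  # block device -> "on" / "off"
    last_port, alerts = None, []
    for line in lines:
        if m := NEW_DEV.search(line):
            last_port = m["port"]
            devices[last_port] = {"port": last_port, "idVendor": m["vid"], "idProduct": m["pid"]}
        elif m := DEV_ATTR.search(line):
            devices.setdefault(m["port"], {"port": m["port"]})[m["key"]] = m["val"].strip()
        elif m := WRITE_PROT.search(line):
            write_protect[m["dev"]] = m["state"]
        elif m := ATTACHED.search(line):  # from here on files can be copied to the stick
            alerts.append(dict(devices.get(last_port, {}), event="usb_storage_attached",
                               block_device=m["dev"], writable=write_protect.get(m["dev"]) == "off"))
        elif m := DISCONNECT.search(line):
            alerts.append(dict(devices.pop(m["port"], {"port": m["port"]}), event="usb_disconnect"))
    return alerts

if __name__ == "__main__":
    for alert in detect_usb_storage(SAMPLE_LOG.splitlines()):
        print(alert)
```

The same matching (minus the cross-line correlation, which OSSEC does not do in a single rule) is what an OSSEC `<regex>` would have to express, so this is a useful way to check a candidate pattern against real dmesg output before wiring it into local_rules.xml.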
