<https://lh3.googleusercontent.com/-77P49OfgEuI/VyOAW-JH46I/AAAAAAAACYQ/rWZvCMTOkl0240wJOUI5DtIt46YXC5xfQCLcB/s1600/squert.PNG>
On Friday, April 29, 2016 at 6:48:57 AM UTC-5, Jacob Mcgrath wrote:
>
> Ok, here is my .bat script I use to check for and list files contained
> within the USB drive. If no drive is detected the output file would not
> change, therefore not causing an alarm when the drive is removed. If no
> drive is present the script exits, causing no change to usbstor.txt and
> thus no alarm either.
>
>     @echo off
>     set host=%COMPUTERNAME%
>
>     REM fsutil fsinfo drives prints "Drives: C:\ D:\ F:\"; tokens=1* puts the list in %%b
>     for /F "tokens=1*" %%a in ('fsutil fsinfo drives') do (
>       for %%c in (%%b) do (
>         REM fsutil fsinfo drivetype F:\ prints "F:\ - Removable Drive"; token 3 is the type
>         for /F "tokens=3" %%d in ('fsutil fsinfo drivetype %%c') do (
>           if %%d equ Removable (
>             REM Inner loop variable renamed from %%a, which shadowed the outer %%a.
>             REM The posted script used an undefined %user% here; %USERNAME% is assumed.
>             REM skip=4 tokens=2 picks the IP from the last "Address:" line of nslookup.
>             for /F "skip=4 usebackq tokens=2" %%e in (`nslookup %host%`) do echo %host% %%e %USERNAME% > C:\temp\usbstor.txt
>             REM Goes to stdout, so it is the first line OSSEC captures
>             echo Drive %%c is Removable (USB^)
>             dir /s %%c >> C:\temp\usbstor.txt
>             type C:\temp\usbstor.txt
>           )
>         )
>       )
>     )
>
> Now in the Windows agent config I have the entry that would run the .bat
> script every so many minutes or seconds (I have mine set for 30 seconds
> for testing, but 60 sec would be more realistic).
>
>     <localfile>
>       <log_format>full_command</log_format>
>       <command>C:\Admin_Tools\USB_Audit\usb-audit.bat</command>
>       <frequency>30</frequency>
>       <alias>USBDevices</alias>
>     </localfile>
>
> On the OSSEC server side I have this entry in local_rules.xml:
>
>     <rule id="503002" level="7">
>       <if_sid>530</if_sid>
>       <match>ossec: output: 'USBDevices'</match>
>       <check_diff />
>       <description>Mounted Device change detected</description>
>     </rule>
>
> After this I restart the OSSEC server and agent, wait a minute, then insert
> a USB drive. I get an email alert similar to this... I have shortened the
> output after the "Previous output" since this would include the
> differences between the current and last alert.
>
> OSSEC HIDS Notification.
> 2016 Apr 28 15:11:29
>
> Received From: (mis41) any->USBDevices
> Rule: 503002 fired (level 7) -> "Mounted Device change detected"
> Portion of the log(s):
>
> ossec: output: 'USBDevices':
> Drive F:\ is Removable (USB)
> MIS41 10.18.100.24
>  Volume in drive F is OS
>  Volume Serial Number is 642E-1FF6
>
>  Directory of F:\
>
> 11/06/2015  01:38 PM        22,908,888 mbam-setup-2.2.0.1024.exe
> 12/21/2014  10:27 AM       397,798,952 sp66051_driver-pack.exe
>                2 File(s)    420,707,840 bytes
>
>  Directory of F:\System Volume Information
>
> 11/05/2015  08:56 AM    <DIR>          .
> 11/05/2015  08:56 AM    <DIR>          ..
> 11/05/2015  08:56 AM                76 IndexerVolumeGuid
> 01/13/2016  02:41 PM                12 WPSettings.dat
>                2 File(s)             88 bytes
>
>      Total Files Listed:
>                4 File(s)    420,707,928 bytes
>                2 Dir(s)   3,328,983,040 bytes free
>
> Previous output:
> ossec: output: 'USBDevices':
>
> --END OF NOTIFICATION
>
> I do see similar logging in Squert for these events. I do see the alerts
> for the events in ELSA but no output like there is in the above in the
> OSSEC alerts category.
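The same full_command/check_diff design, written as a PowerShell script instead of the quoted batch file. This is an added example, not the poster's code or anything shipped with OSSEC: it assumes the script is installed at C:\Admin_Tools\USB_Audit\usb-audit.ps1 and run from a full_command localfile entry like the one quoted above (with the command line given in the header comment), and it keeps the poster's property that nothing is printed when no removable drive is present, so consecutive runs produce identical output and the check_diff rule stays silent. Removable drives are found through Win32_LogicalDisk (DriveType 2) instead of parsing fsutil, the host IP comes from the adapter configuration instead of nslookup, and the listing is sorted so that the diff the server reports only reflects real content changes.

```powershell
# usb-audit.ps1 - added example for the thread above, not the poster's script.
# Assumed agent config (paths are assumptions):
#   <localfile>
#     <log_format>full_command</log_format>
#     <command>powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -File C:\Admin_Tools\USB_Audit\usb-audit.ps1</command>
#     <frequency>60</frequency>
#     <alias>USBDevices</alias>
#   </localfile>
# Everything written to stdout becomes the 'USBDevices' output that the
# server-side <check_diff /> rule compares with the previous run.

$ErrorActionPreference = 'SilentlyContinue'

# DriveType 2 = "Removable Disk" in Win32_LogicalDisk. Get-WmiObject is used
# because it exists on Windows PowerShell 2.0 through 5.1; on PowerShell 3+
# Get-CimInstance -ClassName works identically.
$removable = Get-WmiObject -Class Win32_LogicalDisk -Filter "DriveType = 2"

# No removable drive: emit nothing. Two empty outputs in a row are identical,
# so check_diff does not fire when a drive is absent or has been removed.
if (-not $removable) { exit 0 }

# Host identity, once per run. The agent runs as SYSTEM, so $env:USERNAME
# would be the service account; the logged-on user comes from
# Win32_ComputerSystem instead (empty if nobody is logged on).
$hostName = $env:COMPUTERNAME
$ip = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" |
      ForEach-Object { $_.IPAddress } |
      Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' } |
      Select-Object -First 1
$user = (Get-WmiObject -Class Win32_ComputerSystem).UserName
if (-not $user) { $user = '(no interactive user)' }

foreach ($disk in $removable) {
    $root = "$($disk.DeviceID)\"
    "Drive $root is Removable (USB) volume='$($disk.VolumeName)' serial=$($disk.VolumeSerialNumber)"
    "$hostName $ip $user"

    # Recursive listing including hidden/system entries (-Force), sorted by
    # path so the output is stable between runs; dir /s order is not.
    Get-ChildItem -Path $root -Recurse -Force |
        Sort-Object FullName |
        ForEach-Object {
            $size = if ($_.PSIsContainer) { '<DIR>' } else { $_.Length }
            '{0} {1,14} {2}' -f $_.LastWriteTime.ToString('yyyy-MM-dd HH:mm:ss'), $size, $_.FullName
        }
}
```

The server-side rule quoted above (if_sid 530, match on "ossec: output: 'USBDevices'", check_diff) works unchanged with this script. Two practical caveats when deploying it: a full recursive listing of a large drive every 30 or 60 seconds can be slow and produces a very long alert body, so a busy fleet may prefer to list only the drive root or to cap the listing; and because the script only prints while a drive is present, the event for a removed drive is the transition back to empty output, which is what the "Previous output" section of the alert will show.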