Ok, here is my .Bat script I use to Check for & list files contained within
the usb drive. If no drive is detected the output file would not change
there for not causing
an alarm when the drive is removed. If no drive is present the script
exits causing no change to the usbstor.txt thus no alarm either.
@echo off
set host=%COMPUTERNAME%
for /F "tokens=1*" %%a in ('fsutil fsinfo drives') do (
for %%c in (%%b) do (
for /F "tokens=3" %%d in ('fsutil fsinfo drivetype %%c') do (
if %%d equ Removable (
for /f "skip=4 usebackq tokens=2" %%a in (`nslookup %host%`) do echo %host%
%%a %user% > C:\temp\usbstor.txt
echo Drive %%c is Removable (USB^)
dir /s %%c >> C:\temp\usbstor.txt
type C:\temp\usbstor.txt
)
)
)
)
Now in the Windows agent config is have the entry that would run the .Bat
script every so many minutes or seconds ( I have mine set for 30 seconds
for testing but 60 sec would be more
realistic).
<localfile>
<log_format>full_command</log_format>
<command>C:\Admin_Tools\USB_Audit\usb-audit.bat</command>
<frequency>30</frequency>
<alias>USBDevices</alias>
</localfile>
On the Ossec server side I have this entry on the local_rules.xml
<rule id="503002" level="7">
<if_sid>530</if_sid>
<match>ossec: output: 'USBDevices'</match>
<check_diff />
<description>Mounted Device change detected</description>
</rule>
After this I restart the Ossec server and agent wait a minute then insert a
usb drive. I get a email alert similar to this... I have shorten the
output after the "Previous output" since this would include the differences
between the current and last alert.
OSSEC HIDS Notification.
2016 Apr 28 15:11:29
Received From: (mis41) any->USBDevices
Rule: 503002 fired (level 7) -> "Mounted Device change detected"
Portion of the log(s):
ossec: output: 'USBDevices':
Drive F:\ is Removable (USB)
MIS41 10.18.100.24
Volume in drive F is OS
Volume Serial Number is 642E-1FF6
Directory of F:\
11/06/2015 01:38 PM 22,908,888 mbam-setup-2.2.0.1024.exe
12/21/2014 10:27 AM 397,798,952 sp66051_driver-pack.exe
2 File(s) 420,707,840 bytes
Directory of F:\System Volume Information
11/05/2015 08:56 AM <DIR> .
11/05/2015 08:56 AM <DIR> ..
11/05/2015 08:56 AM 76 IndexerVolumeGuid
01/13/2016 02:41 PM 12 WPSettings.dat
2 File(s) 88 bytes
Total Files Listed:
4 File(s) 420,707,928 bytes
2 Dir(s) 3,328,983,040 bytes free
Previous output:
ossec: output: 'USBDevices':
--END OF NOTIFICATION
I do see similar logging in Squert for these events. I do see the alerts
for the events in Elsa but no output like there is in the above in the
Ossec alerts category.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
