Re: USB alerts (was: Re: [ossec-list] RedHat RPMS wont configure agent)

2012-06-26 Thread sahil sharma
Hi

When I change the config on the client side, the OSSEC Agent Manager on the
client always shows status: stopped.
I tried re-installing, restarting it numerous times.

Please help.




Re: USB alerts (was: Re: [ossec-list] RedHat RPMS wont configure agent)

2012-06-26 Thread dan (ddp)
On Jun 26, 2012 6:30 AM, sahil sharma sharmasahil0...@gmail.com wrote:

 Hi

 When I change the config on the client side, the OSSEC Agent Manager on the
 client always shows status: stopped.
 I tried re-installing, restarting it numerous times.

 Please help.


How? You didn't provide the error messages or configuration. Without those
2 things all I can do to help is tell you to fix your configuration.

Why are you making this so difficult?





Re: USB alerts (was: Re: [ossec-list] RedHat RPMS wont configure agent)

2012-06-26 Thread sahil sharma
Ok, I guess you are very right. I guess I am a bit confused by the terminology,
now taking it step by step.

All I have is:
1) a central server: Ubuntu virtual machine.
2) a client: Windows.

I want to:
1) Detect when someone inserts a USB device into the client system.
   I am badly confused about where to make the changes to implement this.
   I have 3 places:
   (1) On the client's OSSEC itself: C:\Prog file(x86)\ossec\ossec config.
       Seems to be a bad option to add an instruction on a client which itself
       has to be monitored. So I guess it's wrong, and once I add anything to
       this file, I am unable to START/RESTART the agent on Windows.
   (2) OSSEC on the server: /var/ossec (don't remember the exact path).
       Adding changes to this and restarting the server, I see no USB alert.

Sorry, but I don't know why it's not working; if you say, I can attach the
exact files where I have made the changes.

Would be a great help.




Re: USB alerts (was: Re: [ossec-list] RedHat RPMS wont configure agent)

2012-06-26 Thread dan (ddp)
This will be my last email in this thread. I'm not interested in
trying to help someone who is making that task as difficult as
possible. You are unwilling to troubleshoot or apply any thought to
the problem, or help me help you fix the problem.

Good luck!

On Tue, Jun 26, 2012 at 2:32 PM, sahil sharma sharmasahil0...@gmail.com wrote:
 Ok, I guess you are very right. I guess I am a bit confused by the terminology,
 now taking it step by step.

 All I have is:
 1) a central server: Ubuntu virtual machine.
 2) a client: Windows.

 I want to:
 1) Detect when someone inserts a USB device into the client system.
    I am badly confused about where to make the changes to implement this.
    I have 3 places:
    (1) On the client's OSSEC itself: C:\Prog file(x86)\ossec\ossec config.
        Seems to be a bad option to add an instruction on a client which itself
        has to be monitored. So I guess it's wrong, and once I add anything to
        this file, I am unable to START/RESTART the agent on Windows.

I have answered this. The changes need to be made in the agent's
ossec.conf. There should be no confusion at this point.

    (2) OSSEC on the server: /var/ossec (don't remember the exact path).
        Adding changes to this and restarting the server, I see no USB alert.

 Sorry, but I don't know why it's not working; if you say, I can attach the
 exact files where I have made the changes.


I told you what I would have needed to help you. Hopefully someone
else with more patience will be willing to do the job of your
administrator.

 Would be a great help.





Re: USB alerts (was: Re: [ossec-list] RedHat RPMS wont configure agent)

2012-06-26 Thread sahil sharma
Sorry, anyway it's ok.

Thanks for the help.

Bye!




Re: USB alerts (was: Re: [ossec-list] RedHat RPMS wont configure agent)

2012-06-24 Thread sahil sharma
On Fri, Jun 22, 2012 at 3:58 PM, dan (ddp) ddp...@gmail.com wrote:


 On Jun 22, 2012 6:16 AM, sahil sharma sharmasahil0...@gmail.com wrote:
 
 
  This is for configuration changes, not rules:
  Your choice. If you want to use the agent.conf change it there. If you
  have a good change management system, changing the ossec.conf might be
  good enough.
 
  The OSSEC server does not use the agent.conf though, so if you're
  setting up something for the OSSEC server it'll have to be in that
  system's ossec.conf.
 
 
   (1) I have added the following code to
  /var/ossec/etc/shared/agent.conf
 

 As is documented in the full_command documentation, this has to go in the
 agent's ossec.conf. I apologize, I forgot about this restriction.


Please clarify this: I have to add the following code to the agent's
ossec.conf, i.e. I have a Win7 agent so I must add it to
c:\prog_files(x86)\ossec\ossec(config). If yes, then do I need to put
<agent_config os="Windows"> at the start or not?

1) Do I need to remove this code from /var/ossec/etc/shared/agent.conf
where I had previously added it?
2) Changing the config on the client side gives an unusual problem in the client's
OSSEC agent, which then displays (check config: warning) when I
try to start/stop/restart the client OSSEC agent.
3) What's the difference between adding it in these two different files?

<agent_config os="Windows">
  <localfile>
    <log_format>full_command</log_format>
    <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
    <alias>usb-check</alias>
  </localfile>
</agent_config>



 Regards,Sahil.



Re: USB alerts (was: Re: [ossec-list] RedHat RPMS wont configure agent)

2012-06-24 Thread dan (ddp)
On Jun 24, 2012 3:36 PM, sahil sharma sharmasahil0...@gmail.com wrote:



 On Fri, Jun 22, 2012 at 3:58 PM, dan (ddp) ddp...@gmail.com wrote:


 On Jun 22, 2012 6:16 AM, sahil sharma sharmasahil0...@gmail.com
wrote:
 
 
  This is for configuration changes, not rules:
  Your choice. If you want to use the agent.conf change it there. If you
  have a good change management system, changing the ossec.conf might be
  good enough.
 
  The OSSEC server does not use the agent.conf though, so if you're
  setting up something for the OSSEC server it'll have to be in that
  system's ossec.conf.
 
 
   (1) I have added the following code to
 /var/ossec/etc/shared/agent.conf
 

 As is documented in the full_command documentation, this has to go in
the agent's ossec.conf. I apologize, I forgot about this restriction.


 Please clarify this: I have to add the following code to the agent's
 ossec.conf, i.e. I have a Win7 agent so I must add it to
 c:\prog_files(x86)\ossec\ossec(config). If yes, then do I need to put
 <agent_config os="Windows"> at the start or not?


I guess that's the file. I don't do much with Windows. You do not need to
add that, since this isn't the agent.conf.

 1) Do I need to remove this code from /var/ossec/etc/shared/agent.conf
 where I had previously added it?

There's no good reason to have it there.

 2) Changing the config on the client side gives an unusual problem in the client's
 OSSEC agent, which then displays (check config: warning) when I
 try to start/stop/restart the client OSSEC agent.

What did you add? Where did you add it? Cryptically telling me you got an
error doesn't do anyone any good. Maybe you should consult a sysadmin, or
someone else with technical skills.

 3) What's the difference between adding it in these two different files?

 <agent_config os="Windows">
   <localfile>
     <log_format>full_command</log_format>
     <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
     <alias>usb-check</alias>
   </localfile>
 </agent_config>



 Regards,Sahil.




Re: USB alerts (was: Re: [ossec-list] RedHat RPMS wont configure agent)

2012-06-22 Thread sahil sharma


 This is for configuration changes, not rules:
 Your choice. If you want to use the agent.conf change it there. If you
 have a good change management system, changing the ossec.conf might be
 good enough.

 The OSSEC server does not use the agent.conf though, so if you're
 setting up something for the OSSEC server it'll have to be in that
 system's ossec.conf.


(1) I have added the following code to /var/ossec/etc/shared/agent.conf

<agent_config os="Windows">
  <localfile>
    <log_format>full_command</log_format>
    <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
    <alias>usb-check</alias>
  </localfile>
</agent_config>

(2) Created the following rule in /var/ossec/rules/local_rules.xml:

<rule id="140125" level="7">
  <if_sid>530</if_sid>
  <match>ossec: output: 'usb-check':</match>
  <check_diff />
  <description>New USB device connected</description>
</rule>

Resource: http://www.ossec.net/doc/faq/alerts.html (nothing here clearly
mentions where we actually have to make the changes. Please update)



 The rule won't be pushed to the agents. The
 /var/ossec/etc/shared/agent.conf will be. Make sure that file is up to
 date on the agent (if it's Windows it's probably c:\program
 files\ossec\shared\agent.conf or something).



 Do you have email alerts enabled? I not, check the alerts.log file on
 the server. I don't trust the WUI.


/var/ossec/etc/shared/agent.conf has been correctly pushed to the Windows
client. Both client and server have a total of 12 files (after adding the
above 2 changes) in the /var/ossec/etc/shared/ folder, and the contents are
the same too. Hence, they are up to date. No problems there.

No, I don't have email alerts enabled. I checked the alerts.log file; it's the
same as the WUI (only logon success alerts are being displayed).

Though I am getting a few problems in ossec.log:
WARN: Message from x.x.x.x. not allowed.
ERROR: Error executing query 'INSERT INTO data(id,..)
ERROR: Connecting to database 'localhost'


Regards
Sahil.


Re: USB alerts (was: Re: [ossec-list] RedHat RPMS wont configure agent)

2012-06-22 Thread dan (ddp)
On Jun 22, 2012 6:16 AM, sahil sharma sharmasahil0...@gmail.com wrote:


 This is for configuration changes, not rules:
 Your choice. If you want to use the agent.conf change it there. If you
 have a good change management system, changing the ossec.conf might be
 good enough.

 The OSSEC server does not use the agent.conf though, so if you're
 setting up something for the OSSEC server it'll have to be in that
 system's ossec.conf.


 (1) I have added the following code to /var/ossec/etc/shared/agent.conf


As is documented in the full_command documentation, this has to go in the
agent's ossec.conf. I apologize, I forgot about this restriction.

 <agent_config os="Windows">
   <localfile>
     <log_format>full_command</log_format>
     <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
     <alias>usb-check</alias>
   </localfile>
 </agent_config>

 (2) Created the following rule in /var/ossec/rules/local_rules.xml:

 <rule id="140125" level="7">
   <if_sid>530</if_sid>
   <match>ossec: output: 'usb-check':</match>
   <check_diff />
   <description>New USB device connected</description>
 </rule>

 Resource: http://www.ossec.net/doc/faq/alerts.html (nothing here clearly
 mentions where we actually have to make the changes. Please update)


The documentation about full_command mentions ossec.conf. I don't think
this needs to be repeated.



 The rule won't be pushed to the agents. The
 /var/ossec/etc/shared/agent.conf will be. Make sure that file is up to
 date on the agent (if it's Windows it's probably c:\program
 files\ossec\shared\agent.conf or something).



 Do you have email alerts enabled? I not, check the alerts.log file on
 the server. I don't trust the WUI.


 /var/ossec/etc/shared/agent.conf has been correctly pushed to the Windows
 client. Both client and server have a total of 12 files (after adding the
 above 2 changes) in the /var/ossec/etc/shared/ folder, and the contents are
 the same too. Hence, they are up to date. No problems there.

 No, I don't have email alerts enabled. I checked the alerts.log file; it's the
 same as the WUI (only logon success alerts are being displayed).

 Though I am getting a few problems in ossec.log:
 WARN: Message from x.x.x.x. not allowed.
 ERROR: Error executing query 'INSERT INTO data(id,..)
 ERROR: Connecting to database 'localhost'


 Regards
 Sahil.


Re: USB alerts (was: Re: [ossec-list] RedHat RPMS wont configure agent)

2012-06-21 Thread Scott Klauminzer
Dan,

I too am unable to make use of the ideas here: 
http://dcid.me/2010/03/detecting-usb-storage-usage-with-ossec/

Using OSSEC HIDS 2.6 - When I have the command in a local Windows machine
agent.conf I get the following in my log on agent restart.


2012/06/21 09:42:43 ossec-agent: Remote commands are not accepted from the 
manager. Ignoring it on the agent.conf
2012/06/21 09:42:43 ossec-agent(1202): ERROR: Configuration error at 
'shared/agent.conf'. Exiting.


the command set is as follows:

  <localfile>
    <log_format>full_command</log_format>
    <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
  </localfile>

within my <agent_config os="windows"> section.

without this command the above error does not log.

Ideas? was command disabled in 2.6?



On Jun 21, 2012, at 7:53 AM, dan (ddp) wrote:

 On Thu, Jun 21, 2012 at 9:44 AM, sahil sharma sharmasahil0...@gmail.com 
 wrote:
 
 ossec.conf or agent.conf depending on how you want to do it. I'll make
 sure this is mentioned earlier in the documentation.
 
 I am working on an Ubuntu server and I have a Windows client. I want to
 get a log whenever someone inserts a USB device into the client system. When do
 we use ossec.conf or agent.conf to add new definitions? How do I choose
 between them?
 
 
 This is for configuration changes, not rules:
 Your choice. If you want to use the agent.conf change it there. If you
 have a good change management system, changing the ossec.conf might be
 good enough.
 
 The OSSEC server does not use the agent.conf though, so if you're
 setting up something for the OSSEC server it'll have to be in that
 system's ossec.conf.
 
 
 
 
 
 And you've restarted the agent's ossec processes?
 
 Yes, after adding the code, I restarted the server -restart and also the
 client ossec agent. I checked, ossec.agent with the added rule was
 pushed automatically. Then, I inserted USB into the windows client.
 But there was no LOG for USB detection or no such message in the Web
 Interface.
 
 The rule won't be pushed to the agents. The
 /var/ossec/etc/shared/agent.conf will be. Make sure that file is up to
 date on the agent (if it's Windows it's probably c:\program
 files\ossec\shared\agent.conf or something).
 
 
  Though the web interface was showing alerts whenever I logged in
 successfully to the Windows client (it shows they are connected properly).
 
 
 
 Do you have email alerts enabled? If not, check the alerts.log file on
 the server. I don't trust the WUI.
 
 
 
 (2)Added following to the local rules:
 
 <rule id="140125" level="7">
   <if_sid>530</if_sid>
   <match>ossec: output: 'reg QUERY</match>
   <check_diff />
   <description>New USB device connected</description>
 </rule>
 
 
 In order to check_diff the log message will have to have fired at
 least once before. So if the reg command hadn't been checked before
 you inserted the USB drive nothing would happen.
 
 You can enable the log all option on the OSSEC server, and check for
 the reg log entries. That will give you something to make sure your
 match statement is correct (I use aliases for my commands, so I
 don't know what they show up as without the alias).
 
 
 Main problem: I got no GROUP NAME for this rule so I added this rule
 inside
 the predefined group
 <group name="local,syslog,">. Is it the right thing to do?
 
 Did you try it without putting it inside of those group tags?
 Yes, it's fine.
 
 OR i need to place it somewhere else in this file. Please help.
 
 Kindly tell if I need to make any other change too.
 
 
 
 Yes, I tried putting it outside them. It gives an ERROR when I run the -restart
 command in the terminal.

 I thought it was due to the missing group name, so then I gave it
 an arbitrary group name
 
 
  <group name="USB">
    <rule id="140125" level="7">
      <if_sid>530</if_sid>
      <match>ossec: output: 'reg QUERY</match>
      <check_diff />
      <description>New USB device connected</description>
    </rule>
  </group>
 
 Then there was no error, but again no such event was detected even after the
 restart.
 
 Please help.



Re: USB alerts (was: Re: [ossec-list] RedHat RPMS wont configure agent)

2012-06-21 Thread dan (ddp)
On Thu, Jun 21, 2012 at 12:58 PM, Scott Klauminzer
sklaumin...@gmail.com wrote:
 Dan,

 I too am unable to make use of the ideas here: 
 http://dcid.me/2010/03/detecting-usb-storage-usage-with-ossec/

 Using OSSEC HIDS 2.6 - When I have the command in a local Windows machine
 agent.conf I get the following in my log on agent restart.


 2012/06/21 09:42:43 ossec-agent: Remote commands are not accepted from the 
 manager. Ignoring it on the agent.conf
 2012/06/21 09:42:43 ossec-agent(1202): ERROR: Configuration error at 
 'shared/agent.conf'. Exiting.


 the command set is as follows:

   <localfile>
     <log_format>full_command</log_format>
     <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
   </localfile>

 within my <agent_config os="windows"> section.

 without this command the above error does not log.

 Ideas? was command disabled in 2.6?



Seriously? Did you not read the error message? commands do not work
from the agent.conf unless you configure the agent to accept them. You
have to put them in the agent's ossec.conf.

The warning is in the wrong place in the documentation (will fix that
momentarily), but this is documented here:
http://www.ossec.net/doc/syntax/head_ossec_config.localfile.html

