Hi,

Nice commands, very useful, thanks for sharing.

Both commands are working in my lab; the second one prints the full list
of files to the terminal and writes it into the C:\temp\test.txt file (watch out
for the last " quote before </command>).

I am not sure if you need to merge the two commands' output into the same
alert; in that case, I can only think of combining both and running just
one <localfile>.


Regards,

Pedro S.


On Tue, Apr 19, 2016 at 9:23 PM, Jacob Mcgrath <jacob.xtrememe...@gmail.com>
wrote:

> I have a basic Windows agent setting to alert me when a storage device is
> detected, using PowerShell.
>
>   <localfile>
>     <log_format>full_command</log_format>
>     <command>powershell.exe -command "gwmi win32_diskdrive | select Model,InterfaceType,serialnumber,Size,MediaType,CapabilityDescriptions > C:\temp\usbdetect.txt ; (gc C:\temp\usbdetect.txt | select -Skip 2)"</command>
>     <frequency>300</frequency>
>     <alias>USBDevices</alias>
>   </localfile>
>
>
> with the following rule in local_rules.xml
>
>   <rule id="503002" level="7">
>     <if_sid>530</if_sid>
>     <match>ossec: output: 'USBDevices'</match>
>     <check_diff />
>     <description>Mounted Device change detected</description>
>   </rule>
>
> Of course I get this alert, which is nice for basic logging:
>
> OSSEC HIDS Notification.
> 2016 Apr 19 18:35:31
>
> Received From: (mis41) any->USBDevices
> Rule: 503002 fired (level 7) -> "Mounted Device change detected"
> Portion of the log(s):
>
> ossec: output: 'USBDevices':
> Model                  : TOSHIBA DT01ACA100 SCSI Disk Device
> InterfaceType          : IDE
> serialnumber           :            359ZMW6MS
> Size                   : 1000202273280
> MediaType              : Fixed hard disk media
> CapabilityDescriptions : {Random Access, Supports Writing, SMART Notification}
>
> Model                  : Verbatim STORE N GO USB Device
> InterfaceType          : USB
> serialnumber           : AA00000000000489
> Size                   : 16022845440
> MediaType              : Removable Media
> CapabilityDescriptions : {Random Access, Supports Writing, Supports Removable Media}
>
> Model                  : Verbatim STORE N GO USB Device
> InterfaceType          : USB
> serialnumber           : AA00000000000489
> Size                   : 16022845440
> MediaType              : Removable Media
> CapabilityDescriptions : {Random Access, Supports Writing, Supports Removable M
>
>  --END OF NOTIFICATION
>
>
>
> I was playing around with PowerShell and have an optional command to print
> out USB storage device files recursively...
>
>
> powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)
>
>
> This gives me this output in a tmp.txt if run from a PowerShell window and/or
> the Run line.
>
>
>     Directory: F:\
>
>
> Mode                LastWriteTime     Length Name
> ----                -------------     ------ ----
> -a---        11/06/2015  12:38 PM   22908888 mbam-setup-2.2.0.1024.exe
> -a---        12/21/2014   9:27 AM  397798952 sp66051_driver-pack.exe
>
>
>     Directory: E:\
>
>
> Mode                LastWriteTime     Length Name
> ----                -------------     ------ ----
> -a---        12/06/2011   9:51 AM     388608 HijackThis.exe
> -a---        03/04/2016   2:44 PM   22908888 mbam-setup-2.2.0.1024.exe
> -a---        03/04/2016   2:46 PM       9524 hijackthis.log
>
> I have been attempting to get the above recursive USB file lists
> into a USB detection report, but have not had any success as of yet using
> the above command instead of the first, like below.
>
>
>
>   <localfile>
>     <log_format>full_command</log_format>
>     <command>powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)"</command>
>     <frequency>300</frequency>
>     <alias>USBDevices</alias>
>   </localfile>
>
>
> This gives me an empty C:\temp\test.txt file...
>
>
> Any suggestions would be appreciated...
>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
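Pedro's suggestion of running a single <localfile> can be done by moving both commands into one script that the agent starts with -File instead of an inline -command string. The script below is an added example written for this thread; it is not the original poster's command and not part of OSSEC. The script path under the agent directory, the -ExecutionPolicy Bypass switch and the one-line-per-item output layout are assumptions.

```powershell
# usbdetect.ps1 -- added example combining the two commands from this thread
# into one OSSEC full_command check. Not the original poster's command and
# not shipped with OSSEC; the install path below is an assumption.
#
# ossec.conf (agent side), replacing the first <command> in the thread:
#   <localfile>
#     <log_format>full_command</log_format>
#     <command>powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Program Files (x86)\ossec-agent\usbdetect.ps1"</command>
#     <frequency>300</frequency>
#     <alias>USBDevices</alias>
#   </localfile>
#
# -File sidesteps the nested-quote problem of a long inline -command, and
# nothing is written to C:\temp: everything goes to stdout, which is exactly
# what full_command captures (so the "gc ... | select -Skip 2" trick goes away).

$ErrorActionPreference = 'SilentlyContinue'

# Section 1: physical disks, the same Win32_DiskDrive fields as the original
# gwmi command, one line per disk. Sorting by DeviceID keeps the order stable
# between runs so check_diff fires on real changes, not on WMI reordering.
'== Disk drives =='
Get-WmiObject Win32_DiskDrive | Sort-Object DeviceID | ForEach-Object {
    $serial = ([string]$_.SerialNumber).Trim()   # serial may be $null or padded
    '{0} | {1} | serial={2} | {3} bytes | {4}' -f $_.Model, $_.InterfaceType, $serial, $_.Size, $_.MediaType
}

# Section 2: every file on every removable volume (Win32_Volume DriveType 2).
# Volumes without a drive letter are skipped. -Force also lists hidden files
# such as autorun.inf, which the original Get-ChildItem call would not show.
'== Removable volume contents =='
Get-WmiObject Win32_Volume -Filter "DriveType='2'" |
    Where-Object { $_.DriveLetter } |
    Sort-Object DriveLetter |
    ForEach-Object {
        $root = $_.DriveLetter + '\'
        "-- $root (label: $($_.Label)) --"
        Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                # mode, last write time, length (blank for directories), full path
                '{0} {1:yyyy-MM-dd HH:mm:ss} {2,12} {3}' -f $_.Mode, $_.LastWriteTime, $_.Length, $_.FullName
            }
    }
```

Rule 503002 from the original post keeps working unchanged, since the alias is still USBDevices and check_diff compares the whole output. Two things to check before relying on it: the agent service runs the script as LocalSystem, so the .ps1 must live where only administrators can write, otherwise anyone who can edit the file gets SYSTEM every 300 seconds; and OSSEC caps a single log event at a few kilobytes, so a stick holding thousands of files yields a truncated listing and check_diff will only ever see the head of it (list fewer fields, or filter by extension, if that bites).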
