Hi Mike,

I have also tried this; it's working on my system too. But it's an ineffective way of doing this: the check happens after 6 hours. Also, increasing its frequency hampers the system performance.

Please try the other one too, for which I have provided the link in the above discussion, and tell me if it's working or not.

Thanks.

Regards,
Sahil

On Thu, Jun 21, 2012 at 7:23 PM, Mike Disley <[email protected]> wrote:
> Hi Sahil,
> I followed the instructions on this site:
>
> http://blog.rootshell.be/2010/03/15/detecting-usb-storage-usage-with-ossec/
>
> which worked for me.
>
> Cheers, Mike
> ------------------------------
> From: [email protected] [mailto:[email protected]] On Behalf Of sahil sharma
> Sent: Thursday, June 21, 2012 1:02 AM
> To: [email protected]
> Subject: Re: [ossec-list] RedHat RPMS wont configure agent
>
> Hi
>
> I have extensively searched for it. I didn't get any good result for a beginner.
> http://www.ossec.net/doc/manual/monitoring/process-monitoring.html
>
> Here they have not clearly mentioned where exactly these changes are to be made.
> Still, after extensive search I added a new folder at server as:
>
> (1) >shared>agent_config: added
>
>     <agent_config os="windows">
>       <localfile>
>         <log_format>full_command</log_format>
>         <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
>       </localfile>
>     </agent_config>
>
> These changes have been pushed to the client side too.
>
> (2) Added the following to the local rules:
>
>     <rule id="140125" level="7">
>       <if_sid>530</if_sid>
>       <match>ossec: output: 'reg QUERY</match>
>       <check_diff />
>       <description>New USB device connected</description>
>     </rule>
>
> Main problem: I got no GROUP NAME for this rule, so I added this rule inside the predefined group
> <group name="local,syslog,">. Is it the right thing to do?
> OR do I need to place it somewhere else in this file? Please help.
>
> Kindly tell if I need to make any other change too.
>
> Thanks in advance.
>
> On Thu, Jun 21, 2012 at 8:04 AM, dan (ddp) <[email protected]> wrote:
>> On Jun 20, 2012 10:31 PM, "sahil sharma" <[email protected]> wrote:
>> >
>> > Sorry to interrupt here. It's not related to this issue:
>>
>> No you aren't.
>>
>> > I want to detect USB when I insert USB into my windows agent.
>> >
>> > Where all I need to add the codes? What all changes for each file?
>>
>> This has been answered. Google it.
>>
>> > Do I need to add code only on server side? Nothing at client?
>> > What is pushing of code from server? How do I do it manually?
>> >
>> > All I can get is to add:
>> > 1) log collection code in agents.conf (server side)
>> > 2) decoder
>> > 3) rule. Also what should be the group name for this newly added rule??
>> >
>> > Kindly help.
>> > Sorry.
>> >
>> > On Thu, Jun 21, 2012 at 5:42 AM, dan (ddp) <[email protected]> wrote:
>> >>
>> >> The installer sets up the config for you.
>> >>
>> >> On Jun 20, 2012 8:07 PM, "Brett" <[email protected]> wrote:
>> >>>
>> >>> I didn't see the last part of the email. A link in the agent install would be a good place for that info. Since I'm not familiar with the software I'd have no idea to look in "ossec.conf: syntax"
>> >>>
>> >>> Sent from my iPhone
>> >>>
>> >>> On Jun 20, 2012, at 15:21, "dan (ddp)" <[email protected]> wrote:
>> >>>
>> >>>> It's documented. In fact in the real install the config is populated for you.
>> >>>>
>> >>>> http://www.ossec.net/doc/syntax/head_ossec_config.client.html#element-server-ip
>> >>>>
>> >>>> In /var/ossec/etc/ossec.conf
>> >>>> So something like:
>> >>>>     <ossec_config>
>> >>>>       <client>
>> >>>>         <server-ip>192.168.23.1</server-ip>
>> >>>>
>> >>>> This is all super basic stuff. What would have made it easier to find in the documentation?
>> >>>>
>> >>>> On Jun 20, 2012 6:11 PM, "Brett Y" <[email protected]> wrote:
>> >>>>>
>> >>>>> After installing ossec-hids-client and its dependencies, running /var/ossec/bin/ossec-configure, if you select agent, you are not prompted for the ip address of the server. And there doesn't seem to be any docs on how to manually set that.
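The question left open in the thread is where the USB rule belongs and what group to give it. In OSSEC every rule must sit inside a `<group>` element of `local_rules.xml`, and a dedicated group is perfectly acceptable; rule IDs 100000 to 119999 are reserved for user-written rules, so an ID like 140125 falls outside that range. The two fragments below are an added example written for this page, not code from the thread or from the OSSEC project. The rule ID 100200, the group name `local,usb,` and the 600-second `<frequency>` are constructed values; `<frequency>` on a `full_command` localfile is assumed to be supported by your OSSEC release and should be dropped if the agent rejects it.

```xml
<!-- File 1 (assumed path): /var/ossec/etc/shared/agent.conf on the OSSEC server.
     The server pushes this file to agents; os="windows" limits it to Windows agents.
     full_command sends the entire command output as one event to rule 530. -->
<agent_config os="windows">
  <localfile>
    <log_format>full_command</log_format>
    <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
    <!-- Assumption: this release accepts <frequency> (seconds) for full_command.
         Lower values catch devices sooner at the cost of more registry reads. -->
    <frequency>600</frequency>
  </localfile>
</agent_config>

<!-- File 2 (assumed path): /var/ossec/etc/rules/local_rules.xml on the server.
     A rule outside any <group> is a syntax error; a new group is fine.
     100200 is a constructed ID inside the user-reserved range 100000-119999. -->
<group name="local,usb,">
  <rule id="100200" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR'</match>
    <!-- check_diff stores the previous output and only alerts when the
         current output differs, so a device that stays plugged in does not
         re-alert on every run; a removal also counts as a change. -->
    <check_diff />
    <description>USBSTOR registry tree changed: USB storage device connected or removed</description>
  </rule>
</group>
```

After editing, restart the server with `/var/ossec/bin/ossec-control restart`; agents fetch the updated `agent.conf` on their next check-in, and the first run after that only records the baseline, so the first alert appears on the first subsequent change. Paste a captured `ossec: output: 'reg QUERY ...'` line into `/var/ossec/bin/ossec-logtest` on the server to confirm that the event reaches rule 100200 before relying on it.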
