And yes, one more issue I have in this: I get no alert unless I restart the client. I guess that is due to this (in ossec_rules.xml):

<rule id="530" level="0">
  <if_sid>500</if_sid>

Can there be any solution to get an alert without restarting the agent?

On Tue, Jul 10, 2012 at 2:40 PM, sahil sharma <[email protected]> wrote:
> Hi,
>
> Got this one randomly searching for USB detection. I guess I have a fix
> for this problem, but I don't have a clear idea why it is working.
>
> https://groups.google.com/forum/?fromgroups#!topic/ossec-list/1t6dnbzMZzM
>
> I had a similar problem, but once I added this to local_rules.xml,
> everything was working fine, I was getting the alert for USB detection.
>
> <group name="local,win7,">
>
>   <rule id="530" level="4" overwrite="yes">
>     <if_sid>500</if_sid>
>     <match>^ossec: output: </match>
>     <description>OSSEC process monitoring rules.</description>
>     <group>process_monitor,</group>
>   </rule>
>
>   <rule id="510016" level="7">
>     <if_sid>530</if_sid>
>     <match>ossec: output: 'hkeyusbcheck'</match>
>     <check_diff />
>     <description>usb stuff has changed.</description>
>   </rule>
>
> </group>
>
> Nowhere was it mentioned to overwrite rule id 530 in localfile, I just
> did it randomly and it was successful.
>
> Now my PROBLEM is that the alert it is showing is:
>
> 2012 Jul 10 02:04:49 Rule Id: 530 level: 4
> Location: (win7base) 192.168.1.10->hkeyusbcheck
> Src IP: utput: 'hkeyusbcheck':
> OSSEC process monitoring rules.
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_hp&Prod_v165w&Rev_0.00
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_hp&Prod_v210w&Rev_1100
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_6.16
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_G2&Rev_1.00
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_G2&Rev_PMAP
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_G3&Rev_1.00
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.20
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.01
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.20
> HKEY_LOCAL_MACHINE
>
> There was no mention of the RULE I added in the alerts, i.e. rule id="510016"
> level="7"?
>
> Please Help.
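To see how the two rules quoted in the thread interact, here is an added toy evaluator. It is an illustration written for this page, not OSSEC source code and not the poster's code. It assumes that OSSEC's <match> is a substring test which a leading '^' anchors to the start of the log, that <check_diff /> stores the first output it sees as a baseline and fires only when a later output differs from the stored copy, and that when a child rule does not fire the alert reported is the parent's, with a level 0 parent producing no alert at all. The log lines and USBSTOR keys are constructed for the example. Decoders, <frequency>, and alert thresholds are left out.

```python
"""Toy evaluator for the rule 530 / rule 510016 pair from the thread.

Added illustration for this page, not OSSEC code.  Assumptions (mine):
  * <match> is a plain substring test; a leading '^' anchors it to the
    start of the log line.
  * <check_diff /> stores the last output seen for the rule and fires only
    when a later output differs; the first observation only sets the baseline.
  * If a child rule does not fire, the parent's alert stands; level 0 means
    "match but never alert".
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    rule_id: int
    level: int
    match: str
    description: str
    parent: Optional[int] = None   # <if_sid>; None models the decoder root
    check_diff: bool = False       # <check_diff />


def pattern_matches(pattern: str, log: str) -> bool:
    """Model of OSSEC <match>: substring, '^' anchors to start of log."""
    if pattern.startswith("^"):
        return log.startswith(pattern[1:])
    return pattern in log


class Engine:
    def __init__(self, rules: List[Rule]):
        self.rules = {r.rule_id: r for r in rules}
        self.baseline = {}  # rule_id -> last output stored by check_diff

    def _children(self, rule_id: Optional[int]) -> List[Rule]:
        return [r for r in self.rules.values() if r.parent == rule_id]

    def _fires(self, rule: Rule, log: str) -> bool:
        if not pattern_matches(rule.match, log):
            return False
        if rule.check_diff:
            previous = self.baseline.get(rule.rule_id)
            self.baseline[rule.rule_id] = log       # always refresh stored copy
            return previous is not None and previous != log
        return True

    def evaluate(self, log: str) -> Optional[Tuple[int, int]]:
        """Return (rule_id, level) of the deepest firing rule, None if level 0."""
        best = None
        frontier = self._children(None)
        while frontier:
            matched = next((r for r in frontier if self._fires(r, log)), None)
            if matched is None:
                break
            best = matched
            frontier = self._children(matched.rule_id)
        if best is None or best.level == 0:
            return None
        return (best.rule_id, best.level)


# Constructed command output in the shape the thread's alert shows.
USBSTOR = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR"
KNOWN_DEVICES = [
    "Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00",
    "Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.20",
]


def usbstor_output(devices: List[str]) -> str:
    body = "\n".join(f"{USBSTOR}\\{d}" for d in devices)
    return "ossec: output: 'hkeyusbcheck': " + body


def local_rules() -> List[Rule]:
    """The poster's local_rules.xml: 530 overwritten to level 4, plus 510016."""
    return [
        Rule(530, 4, "^ossec: output: ", "OSSEC process monitoring rules."),
        Rule(510016, 7, "ossec: output: 'hkeyusbcheck'", "usb stuff has changed.",
             parent=530, check_diff=True),
    ]


def stock_rules() -> List[Rule]:
    """Same child rule, but 530 left at level 0 as shipped in ossec_rules.xml."""
    rules = local_rules()
    rules[0].level = 0
    return rules


def run_scenario(rules: List[Rule]) -> List[Optional[Tuple[int, int]]]:
    """Three consecutive command runs: unchanged, unchanged, then a new stick."""
    engine = Engine(rules)
    runs = [
        usbstor_output(KNOWN_DEVICES),
        usbstor_output(KNOWN_DEVICES),
        usbstor_output(KNOWN_DEVICES + ["Disk&Ven_hp&Prod_v210w&Rev_1100"]),
    ]
    return [engine.evaluate(log) for log in runs]


if __name__ == "__main__":
    print("local_rules.xml:", run_scenario(local_rules()))
    print("stock rule 530: ", run_scenario(stock_rules()))
```

With the posted local_rules.xml, the first two runs (unchanged output) come back as rule 530 at level 4, which is the alert the poster saw, and 510016 only fires on the third run, when a new USBSTOR key appears in the output. With rule 530 left at its stock level 0 the first two runs produce no alert at all, which is what makes overwriting 530 look like the fix. Because OSSEC re-runs a monitored command only every <frequency> seconds, a change is also only noticed at the next run, not the moment a device is plugged in.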
