Hi,

1) That's output from the web interface, I have pasted.

2) And I have defined the command in the client's config, sorry I forgot to mention that.

On Tue, Jul 10, 2012 at 4:12 PM, dan (ddp) <[email protected]> wrote:
> How do you have the command defined?
>
> On Jul 10, 2012 6:28 AM, "sahil sharma" <[email protected]> wrote:
>
>> And yes, one more issue I have in this, I get no alert unless I restart
>> the client, I guess that is due to (in ossec_rules.xml)::
>>
>> <rule id="530" level="0">
>>   <if_sid>500</if_sid>
>>
>> Can there be any solution to get an alert w/o restarting the agent??????
>>
>> On Tue, Jul 10, 2012 at 2:40 PM, sahil sharma <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> Got this one randomly searching for USB Detection. I guess I have a fix
>>> for this problem, but I don't have a clear idea why it is working?
>>>
>>> https://groups.google.com/forum/?fromgroups#!topic/ossec-list/1t6dnbzMZzM
>>>
>>> I had a similar problem, but once I added this to local_rules.xml,
>>> everything was working fine, I was getting the alert for USB detection.
>>>
>>> <group name="local,win7,">
>>>
>>>   <rule id="530" level="4" overwrite="yes">
>>>     <if_sid>500</if_sid>
>>>     <match>^ossec: output: </match>
>>>     <description>OSSEC process monitoring rules.</description>
>>>     <group>process_monitor,</group>
>>>   </rule>
>>>
>>>   <rule id="510016" level="7">
>>>     <if_sid>530</if_sid>
>>>     <match>ossec: output: 'hkeyusbcheck'</match>
>>>     <check_diff />
>>>     <description>usb stuff has changed.</description>
>>>   </rule>
>>>
>>> </group>
>>>
>>> Nowhere was it mentioned to overwrite rule id 530 in the local file, I just
>>> did it randomly and it was successful..
>>>
>>> Now my PROBLEM is that the alert it is showing is:::::
>>>
>>> 2012 Jul 10 02:04:49 Rule Id: 530 level: 4
>>> Location: (win7base) 192.168.1.10->hkeyusbcheck
>>> Src IP: utput: 'hkeyusbcheck':
>>> OSSEC process monitoring rules.
>>>
>>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_hp&Prod_v165w&Rev_0.00
>>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_hp&Prod_v210w&Rev_1100
>>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00
>>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_6.16
>>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP
>>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_G2&Rev_1.00
>>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_G2&Rev_PMAP
>>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_G3&Rev_1.00
>>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.20
>>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.01
>>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.20
>>> HKEY_LOCAL_MACHINE
>>>
>>> There was no mention of the RULE I added in the alerts, i.e. rule
>>> id="510016" level="7"??????????
>>>
>>> Please Help.
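The thread turns on how OSSEC chains rules through `<if_sid>`, `<match>` and `<check_diff>`, and why the command monitor's first polls surface rule 530 rather than the child rule 510016. The following Python is an added example, not OSSEC's analysisd code and not anything posted by the list members: it is a toy rule engine that models those three elements with the rules from the quoted local_rules.xml and constructed command output built from the USBSTOR keys in the alert. Assumptions: rule 500 is modelled as a root rule matching any `ossec: ` log (a stand-in for the stock group), `<match>` is approximated as "`^` anchors, otherwise substring", and `<check_diff>` is modelled as storing the first output it sees without alerting and firing only when a later output differs. Under that model the child rule cannot show up until the USBSTOR list actually changes, which is the behaviour a defender should expect before concluding the rule is broken.

```python
"""Toy model of OSSEC rule chaining (<if_sid>, <match>, <check_diff>) applied
to a command-output monitor like the thread's 'hkeyusbcheck' command.
Added example, not OSSEC code: matching and diff semantics are simplified."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    sid: int
    level: int
    if_sid: Optional[int] = None    # parent rule that must match first
    match: Optional[str] = None     # '^' anchors at start, otherwise substring
    check_diff: bool = False        # fire only when output differs from last run
    description: str = ""


def ossec_match(pattern: Optional[str], log: str) -> bool:
    """Approximation of <match>: a leading '^' anchors, otherwise substring."""
    if pattern is None:
        return True
    if pattern.startswith("^"):
        return log.startswith(pattern[1:])
    return pattern in log


class RuleEngine:
    """One alert per event: the deepest matching rule in the if_sid tree wins."""

    def __init__(self, rules: List[Rule]):
        self.roots = [r for r in rules if r.if_sid is None]
        self.children: Dict[int, List[Rule]] = {}
        for r in rules:
            if r.if_sid is not None:
                self.children.setdefault(r.if_sid, []).append(r)
        # (location, sid) -> last output seen; models the per-rule diff store
        self.last_seen: Dict[Tuple[str, int], str] = {}

    def _diff_changed(self, location: str, rule: Rule, log: str) -> bool:
        key = (location, rule.sid)
        prev = self.last_seen.get(key)
        self.last_seen[key] = log
        # First observation only seeds the stored copy: nothing to compare yet.
        return prev is not None and prev != log

    def _deepest(self, candidates: List[Rule], location: str, log: str) -> Optional[Rule]:
        for r in candidates:
            if not ossec_match(r.match, log):
                continue
            if r.check_diff and not self._diff_changed(location, r, log):
                continue
            child = self._deepest(self.children.get(r.sid, []), location, log)
            return child or r
        return None

    def process(self, location: str, log: str) -> Optional[Tuple[int, int]]:
        """Return (sid, level) of the alert, or None when nothing above level 0 matched."""
        rule = self._deepest(self.roots, location, log)
        if rule is None or rule.level == 0:
            return None
        return (rule.sid, rule.level)


def thread_rules(level_530: int) -> List[Rule]:
    """Rule 500 stands in for the stock 'ossec' group (assumption); 530 and
    510016 follow the thread's local_rules.xml, with 530 at the given level."""
    return [
        Rule(500, 0, match="^ossec: "),
        Rule(530, level_530, if_sid=500, match="^ossec: output: ",
             description="OSSEC process monitoring rules."),
        Rule(510016, 7, if_sid=530, match="ossec: output: 'hkeyusbcheck'",
             check_diff=True, description="usb stuff has changed."),
    ]


# Constructed command output in the agent's "ossec: output: '<cmd>': ..." form,
# using USBSTOR keys taken from the alert quoted in the thread.
USBSTOR = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\"
BASELINE = ("ossec: output: 'hkeyusbcheck': "
            + USBSTOR + "Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00")
NEW_DEVICE = BASELINE + " " + USBSTOR + "Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.20"
LOCATION = "(win7base) 192.168.1.10->hkeyusbcheck"


def run_sequence(level_530: int, events: List[str]) -> List[Optional[Tuple[int, int]]]:
    """Feed successive command polls through a fresh engine and collect the alerts."""
    engine = RuleEngine(thread_rules(level_530))
    return [engine.process(LOCATION, log) for log in events]


if __name__ == "__main__":
    polls = [BASELINE, BASELINE, NEW_DEVICE]
    # Thread's overwrite (530 at level 4): two polls alert on 530, the change on 510016.
    print(run_sequence(4, polls))   # [(530, 4), (530, 4), (510016, 7)]
    # Stock 530 at level 0: silent until the USBSTOR list changes.
    print(run_sequence(0, polls))   # [None, None, (510016, 7)]
```

The two runs differ only in the level of rule 530. With the overwrite, every unchanged poll produces a level-4 "OSSEC process monitoring rules" alert, which is exactly the alert the thread shows; 510016 still needs a second, different output before it fires because the first poll only seeds its stored copy. With 530 left at level 0 the parent still matches and still hands the event to its child, so the change alert fires without the noise of a level-4 alert per poll. Whether the overwrite was necessary in the poster's real setup is not something this model settles.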
