On Wed, Jul 11, 2012 at 7:48 AM, sahil sharma <[email protected]> wrote:
> Hi,
>
> 1) That's output from web-interface, I have pasted.
>

Don't use that, you're using a broken version (0.3). That's why the output looks wrong. alerts.log has the proper output.

> 2) and I have defined command at the client's config, sorry I forgot to
> mention that.
>

That's where. What do you have in the agent's ossec.conf for this command? You shouldn't have to modify 530. You can look at 533 as an example.

> On Tue, Jul 10, 2012 at 4:12 PM, dan (ddp) <[email protected]> wrote:
>>
>> How do you have the command defined?
>>
>> On Jul 10, 2012 6:28 AM, "sahil sharma" <[email protected]> wrote:
>>>
>>> And yes, one more issue I have in this, I get no alert unless I restart
>>> the client, I guess that
>>> is due (in ossec_rules.xml)::
>>>
>>> <rule id="530" level="0">
>>> <if_sid>500</if_sid>
>>>
>>> Can there be any solution to get alert w/o restarting the agent ??????
>>>
>>> On Tue, Jul 10, 2012 at 2:40 PM, sahil sharma <[email protected]>
>>> wrote:
>>>>
>>>> Hi,
>>>>
>>>> Got this one randomly searching for USB Detection. I guess I have a fix
>>>> for this problem,
>>>> but I don't have a clear idea why it is working?
>>>>
>>>> https://groups.google.com/forum/?fromgroups#!topic/ossec-list/1t6dnbzMZzM
>>>>
>>>> I had a similar problem, but once I added this to local_rules.xml,
>>>> everything was working
>>>> fine, I was getting the alert for USB detection.
>>>>
>>>> <group name="local,win7,">
>>>>
>>>> <rule id="530" level="4" overwrite="yes">
>>>> <if_sid>500</if_sid>
>>>> <match>^ossec: output: </match>
>>>> <description>OSSEC process monitoring rules.</description>
>>>> <group>process_monitor,</group>
>>>> </rule>
>>>>
>>>> <rule id="510016" level="7">
>>>> <if_sid>530</if_sid>
>>>> <match>ossec: output: 'hkeyusbcheck'</match>
>>>> <check_diff />
>>>> <description>usb stuff has changed.</description>
>>>> </rule>
>>>>
>>>> </group>
>>>>
>>>> Nowhere was it mentioned to overwrite rule id 530 in localfile, I just
>>>> did it randomly
>>>> and it was successful..
>>>>
>>>> Now my PROBLEM is that the alert it's showing is :::::
>>>>
>>>> 2012 Jul 10 02:04:49 Rule Id: 530 level: 4
>>>> Location: (win7base) 192.168.1.10->hkeyusbcheck
>>>> Src IP: utput: 'hkeyusbcheck':
>>>> OSSEC process monitoring rules.
>>>>
>>>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_hp&Prod_v165w&Rev_0.00
>>>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_hp&Prod_v210w&Rev_1100
>>>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00
>>>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_6.16
>>>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP
>>>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_G2&Rev_1.00
>>>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_G2&Rev_PMAP
>>>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_G3&Rev_1.00
>>>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.20
>>>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.01
>>>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.20
>>>> HKEY_LOCAL_MACHINE
>>>>
>>>> There was no mention of the RULE I added in the alerts, i.e. rule id="510016"
>>>> level="7" ??????????
>>>>
>>>> Please Help.
>>>
>>>
>
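For reference, this is what the agent-side definition dan is asking about typically looks like: a full_command localfile in the agent's ossec.conf whose alias is what the server-side rule matches on. It is an added example, not anything posted in the thread, and the reg query command is an assumption, since sahil's actual command behind the 'hkeyusbcheck' alias is never shown.

```xml
<!-- Agent-side ossec.conf (Windows agent). Added example, not from the thread.
     The reg query below is an assumption: the thread never shows the real
     command behind the 'hkeyusbcheck' alias. -->
<ossec_config>
  <localfile>
    <!-- full_command sends the whole output as ONE event, which is what
         <check_diff /> on the server needs to compare against the previous
         run; the plain "command" format would emit one event per output line
         and the diff would be meaningless. -->
    <log_format>full_command</log_format>
    <!-- Lists the USBSTOR subkeys (one per USB mass-storage device ever
         attached), producing lines like the HKEY_LOCAL_MACHINE\... paths
         shown in the alert above. -->
    <command>reg query HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
    <!-- The alias is used as the event location (192.168.1.10->hkeyusbcheck)
         and appears in the generated log line:
           ossec: output: 'hkeyusbcheck': HKEY_LOCAL_MACHINE\SYSTEM\...
         so the server rule's <match>ossec: output: 'hkeyusbcheck'</match>
         is what ties this command to rule 510016. -->
    <alias>hkeyusbcheck</alias>
    <!-- Re-run interval in seconds; with check_diff the rule only raises an
         alert when this output differs from the stored copy of the last run. -->
    <frequency>300</frequency>
  </localfile>
</ossec_config>
```

The matching server-side rule is the local_rules.xml block already quoted in the thread; changing the agent config requires an agent restart for the new command to be picked up.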
