On Wed, Jul 11, 2012 at 6:13 PM, dan (ddp) <[email protected]> wrote:

> On Wed, Jul 11, 2012 at 7:48 AM, sahil sharma <[email protected]>
> wrote:
> > Hi,
> >
> > 1) That's the output from the web interface that I pasted.
> >
>
> Don't use that, you're using a broken version (0.3). That's why the
> output looks wrong. alerts.log has the proper output.
>
>
Ok.
Output at alerts.log looks as follows:
** Alert 1342069429.23337: - local,win7,process_monitor,
2012 Jul 11 22:03:49 (win7base) 192.168.1.10->hkeyusbcheck
Rule: 530 (level 4) -> 'OSSEC process monitoring rules.'
ossec: output: 'hkeyusbcheck':
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_hp&Prod_v165w&Rev_0.00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_hp&Prod_v210w&Rev_1100
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_6.16
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_G2&Rev_1.00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_G2&Rev_PMAP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_G3&Rev_1.00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.20
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.01
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.20
HKEY_LOCAL_MACHINE



> > 2) and I have defined the command in the client's config; sorry, I forgot to
> > mention that.
> >
>
> That's where. What do you have in the agent's ossec.conf for this command?
>
>
<localfile>
  <log_format>full_command</log_format>
  <command>reg QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
  <alias>hkeyusbcheck</alias>
</localfile>



> You shouldn't have to modify 530. You can look at 533 as an example.
>
>
I tried grep on "533"; it only has two references in ms_auth but nowhere
is it defined, or I am unable to find it. Please help.




> > On Tue, Jul 10, 2012 at 4:12 PM, dan (ddp) <[email protected]> wrote:
> >>
> >> How do you have the command defined?
> >>
> >> On Jul 10, 2012 6:28 AM, "sahil sharma" <[email protected]> wrote:
> >>>
> >>> And yes, one more issue I have in this: I get no alert unless I restart
> >>> the client. I guess that is due to (in ossec_rules.xml):
> >>>
> >>> <rule id="530" level="0">
> >>>   <if_sid>500</if_sid>
> >>>
> >>> Can there be any solution to get an alert without restarting the agent?
> >>>
> >>>
> >>>
> >>>> On Tue, Jul 10, 2012 at 2:40 PM, sahil sharma <[email protected]> wrote:
> >>>>
> >>>> Hi,
> >>>>
> >>>> Got this one randomly searching for USB detection. I guess I have a fix
> >>>> for this problem, but I don't have a clear idea why it is working.
> >>>>
> >>>
>
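The following parser is an added example for this thread, not code from the thread or from the OSSEC project. It reads rule-530 entries in the alerts.log layout pasted above (header line, agent/location line, Rule line, then the `ossec: output: 'alias':` block), assumes the command alias hkeyusbcheck from the ossec.conf snippet, and works on constructed sample entries modelled on the pasted ones. It extracts the key names under Enum\USBSTOR from each snapshot and reports devices that appear or disappear between consecutive snapshots from the same agent, which is the comparison a child rule of 530 carrying `<check_diff />` performs on the server (rule 533, the netstat example in the stock ossec_rules.xml, is written that way). The bare `HKEY_LOCAL_MACHINE` fragment at the end of the pasted output is deliberately included in the sample so the parser is shown ignoring lines that are not a full USBSTOR path.

```python
# Added example (not code from this thread or from OSSEC): parse rule-530
# entries in the alerts.log layout pasted above and report USBSTOR keys that
# appear or disappear between consecutive snapshots of the same command alias.
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+)\.\d+: - (?P<groups>.*)$")
ORIGIN_RE = re.compile(r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} "
                       r"\((?P<agent>[^)]*)\) (?P<ip>\S+)->(?P<location>\S+)$")
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '")
OUTPUT_RE = re.compile(r"^ossec: output: '(?P<alias>[^']+)':\s*(?P<rest>.*)$")
USBSTOR_RE = re.compile(r"\\USBSTOR\\(?P<device>.+)$", re.IGNORECASE)


@dataclass
class Alert:
    timestamp: int
    groups: list
    agent: str
    location: str
    rule_id: int
    level: int
    alias: str = ""
    output: list = field(default_factory=list)   # raw command output lines


def parse_alerts(text):
    """Parse every '** Alert' entry in alerts.log text into an Alert."""
    entries = []
    for line in text.splitlines():
        if HEADER_RE.match(line):
            entries.append([line])
        elif entries and line.strip():            # blank lines separate entries
            entries[-1].append(line.rstrip())
    return [_parse_entry(e) for e in entries]


def _parse_entry(lines):
    if len(lines) < 3:
        raise ValueError("truncated alert entry: %r" % lines)
    hdr, origin, rule = (HEADER_RE.match(lines[0]), ORIGIN_RE.match(lines[1]),
                         RULE_RE.match(lines[2]))
    if not (hdr and origin and rule):
        raise ValueError("unrecognised alert entry: %r" % lines[:3])
    alert = Alert(int(hdr["ts"]), [g for g in hdr["groups"].split(",") if g],
                  origin["agent"], origin["location"], int(rule["id"]), int(rule["level"]))
    for line in lines[3:]:
        m = OUTPUT_RE.match(line)
        if m:                     # output may start on the alias line itself
            alert.alias = m["alias"]
            if m["rest"]:
                alert.output.append(m["rest"])
        elif alert.alias:
            alert.output.append(line)
    return alert


def usbstor_devices(alert):
    """Key names under ...\\Enum\\USBSTOR in one snapshot. Lines that are not a
    full USBSTOR path (such as a wrapped 'HKEY_LOCAL_MACHINE' fragment) are ignored."""
    return {m["device"] for m in map(USBSTOR_RE.search, alert.output) if m}


def usb_changes(text, alias="hkeyusbcheck"):
    """Compare each snapshot with the previous one from the same agent and alias;
    return (timestamp, agent, added, removed) for every change. This is the
    comparison a rule with <check_diff /> performs on the OSSEC server."""
    last, changes = {}, []
    for alert in parse_alerts(text):
        if alert.alias != alias:
            continue
        devices = usbstor_devices(alert)
        if alert.agent in last and devices != last[alert.agent]:
            changes.append((alert.timestamp, alert.agent,
                            devices - last[alert.agent], last[alert.agent] - devices))
        last[alert.agent] = devices
    return changes


# Constructed sample: two snapshots in the layout from the thread; the second
# adds one device. The bare 'HKEY_LOCAL_MACHINE' line mimics the wrapped
# fragment in the pasted output and must not be treated as a device.
SAMPLE_LOG = r"""** Alert 1342069429.23337: - local,win7,process_monitor,
2012 Jul 11 22:03:49 (win7base) 192.168.1.10->hkeyusbcheck
Rule: 530 (level 4) -> 'OSSEC process monitoring rules.'
ossec: output: 'hkeyusbcheck':
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_hp&Prod_v165w&Rev_0.00
HKEY_LOCAL_MACHINE

** Alert 1342070029.23412: - local,win7,process_monitor,
2012 Jul 11 22:13:49 (win7base) 192.168.1.10->hkeyusbcheck
Rule: 530 (level 4) -> 'OSSEC process monitoring rules.'
ossec: output: 'hkeyusbcheck':
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_hp&Prod_v165w&Rev_0.00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.20
HKEY_LOCAL_MACHINE
"""

if __name__ == "__main__":
    for ts, agent, added, removed in usb_changes(SAMPLE_LOG):
        print(f"{ts} {agent}: new={sorted(added)} gone={sorted(removed)}")
```

To run it against a real server, pass the contents of alerts.log to usb_changes(); the regexes are tied to the text layout shown in the thread, and the parser accepts the first output line either on the `ossec: output:` line itself or on the line after it, as in the pasted entry.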
