Hi,

One more thing, I have an issue with the Windows client. Once I close the OSSEC Agent Manager and once again try to start/restart it, it displays "Unable to start OSSEC (check config)".
Please help.

On Thu, Jul 12, 2012 at 10:46 AM, sahil sharma <[email protected]> wrote:
>
> On Wed, Jul 11, 2012 at 6:13 PM, dan (ddp) <[email protected]> wrote:
>
>> On Wed, Jul 11, 2012 at 7:48 AM, sahil sharma <[email protected]> wrote:
>> > Hi,
>> >
>> > 1) That's the output from the web interface I have pasted.
>> >
>>
>> Don't use that, you're using a broken version (0.3). That's why the
>> output looks wrong. alerts.log has the proper output.
>>
> Ok.
> Output at alerts.log looks as follows:
>
> ** Alert 1342069429.23337: - local,win7,process_monitor,
> 2012 Jul 11 22:03:49 (win7base) 192.168.1.10->hkeyusbcheck
> Rule: 530 (level 4) -> 'OSSEC process monitoring rules.'
> ossec: output: 'hkeyusbcheck':
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_hp&Prod_v165w&Rev_0.00
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_hp&Prod_v210w&Rev_1100
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_6.16
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_G2&Rev_1.00
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_G2&Rev_PMAP
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_G3&Rev_1.00
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.20
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.01
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.20
> HKEY_LOCAL_MACHINE
>
>> > 2) And I have defined the command in the client's config, sorry I forgot to
>> > mention that.
>> >
>>
>> That's where. What do you have in the agent's ossec.conf for this command?
>>
> <localfile>
>   <log_format>full_command</log_format>
>   <command>reg QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
>   <alias>hkeyusbcheck</alias>
> </localfile>
>
>> You shouldn't have to modify 530. You can look at 533 as an example.
>>
> I tried grep on "533"; it only has two references in the ms_auth but nowhere is it defined,
> or I am unable to find it. Please help.
>
>> > On Tue, Jul 10, 2012 at 4:12 PM, dan (ddp) <[email protected]> wrote:
>> >>
>> >> How do you have the command defined?
>> >>
>> >> On Jul 10, 2012 6:28 AM, "sahil sharma" <[email protected]> wrote:
>> >>>
>> >>> And yes, one more issue I have in this: I get no alert unless I restart
>> >>> the client. I guess that is due to (in ossec_rules.xml):
>> >>>
>> >>> <rule id="530" level="0">
>> >>>   <if_sid>500</if_sid>
>> >>>
>> >>> Can there be any solution to get an alert without restarting the agent?
>> >>>
>> >>> On Tue, Jul 10, 2012 at 2:40 PM, sahil sharma <[email protected]> wrote:
>> >>>>
>> >>>> Hi,
>> >>>>
>> >>>> Got this one randomly searching for USB detection. I guess I have a fix
>> >>>> for this problem, but I don't have a clear idea why it is working?
>> >>>>
>> >>>
>> >
>
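The thread hinges on two things: rule 530 only fires once per agent start because it merely tags the `full_command` output, and the fix dan points at (rule 533, the netstat diff rule in `ossec_rules.xml`) is a child rule with `<check_diff />`, which alerts only when the command's output differs from its previous run. The script below is an added example, not OSSEC code and not from anyone in the thread: it reproduces that check_diff logic in Python over two constructed snapshots of the `reg QUERY ... USBSTOR` output (a trimmed copy of the one pasted above, and a later run with one HP stick added and the Generic stick's key removed), so you can see exactly which change a check_diff rule on the `hkeyusbcheck` alias would react to. The function names, the sample snapshots and the alert wording are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example, not OSSEC's own code: emulate what a rule chained to 530 with
# <check_diff /> does for the 'hkeyusbcheck' full_command output.

USBSTOR_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR"

# Hardware-ID layout of a USBSTOR device subkey: Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>
DEVICE_RE = re.compile(r"^Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>.*)$")

# Constructed sample: trimmed copy of the snapshot pasted in the thread, in the
# form the agent hands to the manager (alias header, blank line, subkey list).
BASELINE_OUTPUT = r"""ossec: output: 'hkeyusbcheck':

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.20
HKEY_LOCAL_MACHINE
"""

# Constructed sample: a later run of the same command after an HP stick was
# plugged in for the first time and the Generic stick's key was deleted.
LATER_OUTPUT = r"""ossec: output: 'hkeyusbcheck':

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.20
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_hp&Prod_v165w&Rev_0.00
HKEY_LOCAL_MACHINE
"""


def parse_usbstor(output: str) -> Dict[str, Tuple[str, str, str]]:
    """Map each USBSTOR subkey name to (vendor, product, revision).

    Anything that is not a subkey of USBSTOR (the 'ossec: output:' header,
    blank lines, the bare 'HKEY_LOCAL_MACHINE' line seen in the thread) is
    skipped, so stray lines in the command output cannot pose as a device.
    """
    prefix = (USBSTOR_KEY + "\\").casefold()  # registry paths are case-insensitive
    devices: Dict[str, Tuple[str, str, str]] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line.casefold().startswith(prefix):
            continue
        subkey = line[len(prefix):]
        m = DEVICE_RE.match(subkey)
        if m:
            devices[subkey] = (m["vendor"], m["product"], m["rev"])
        else:
            # Keep subkeys that do not follow the Disk&Ven_... layout instead of
            # dropping them; a device of another class would land here.
            devices[subkey] = ("", "", "")
    return devices


def check_diff(previous: str, current: str) -> Tuple[List[str], List[str]]:
    """Return (added, removed) subkeys: the change a <check_diff /> rule keys on."""
    old = parse_usbstor(previous)
    new = parse_usbstor(current)
    return sorted(set(new) - set(old)), sorted(set(old) - set(new))


def build_alert(previous: str, current: str) -> Optional[str]:
    """Return one alert line when the device list changed, else None."""
    added, removed = check_diff(previous, current)
    if not added and not removed:
        return None  # identical output: check_diff stays silent
    current_devices = parse_usbstor(current)
    parts = []
    for key in added:
        vendor, product, rev = current_devices[key]
        parts.append(f"new USB storage device: {vendor} {product} rev {rev}")
    for key in removed:
        parts.append(f"USBSTOR key removed: {key}")
    return "; ".join(parts)


if __name__ == "__main__":
    print(build_alert(BASELINE_OUTPUT, LATER_OUTPUT))
    print(build_alert(BASELINE_OUTPUT, BASELINE_OUTPUT))
```

Two caveats for anyone using the thread's command in production. The top-level USBSTOR subkeys are device models (vendor, product, revision), and Windows keeps them after the stick is unplugged, so a previously seen model being plugged in again does not change the list and produces no diff; the per-device instance IDs (serial numbers) live one level down and need `reg QUERY ... /s` to appear. And a diff-based rule reacts to deletions too, which is useful, since someone clearing USBSTOR keys to hide a device shows up as a "removed" entry.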
